Is workplace gossip a HIPAA violation? The answer can depend on who the subject of the gossip is, what the gossip is about, and who is doing the gossiping. HIPAA does not cover topics such as who is up for promotion or who did what at the New Year’s Party, but there are circumstances in which workplace gossip can be a HIPAA violation.
Gossip is broadly defined as casual conversations about another person who is not party to it. Gossip can be verbal, digital, or written, and is often used as a means of forming social bonds. Indeed, there is evidence to suggest gossip is beneficial to society. Even so, there can be considerable harms associated with gossip. It may be malicious or sensationalist, or spread private information about the subject, threatening their mental health.
When is Workplace Gossip a HIPAA Violation?
Three criteria distinguish social workplace gossip from gossip that violates HIPAA:
- The gossiper must be an individual subject to the HIPAA Privacy Rule inasmuch as they are a member of a Covered Entity’s workforce,
- The information being spread must pertain to a patient whose individually identifiable health information is protected by the Privacy Rule, and
- The information being spread must be considered protected under HIPAA and ordinarily maintained in a designated record set.
The first bullet point is important because complaints are often made to HHS’ Office for Civil Rights about individuals or businesses not subject to the HIPAA regulations. Therefore, if two employees of a business not subject to the HIPAA regulations are overheard gossiping about a colleague’s health, this workplace gossip is not a HIPAA violation.
With regards to the second bullet point, there are exceptions to when individually identifiable health information is protected by the Privacy Rule. For example, if two teachers are overheard informally discussing a pupil’s health, this is not a violation of HIPAA because students’ medical records are not covered by HIPAA. However, this is likely a violation of FERPA or other privacy law.
For the third bullet point, only information ordinarily maintained in a designated record set is considered Protected Health Information (PHI) under HIPAA. Therefore, if the gossip was about a colleague having an emotional support animal, and this individually identifiable (non-health) information was not maintained in a designated record set, the gossip would not be considered a HIPAA violation – although it may violate other workplace policies.
What Happens When Workplace Gossip Violates HIPAA?
The consequences of any HIPAA violation depend on the nature of the violation, the amount of harm caused, and how the harm is mitigated. With regards to workplace gossip, any disclosure of PHI that is not permitted by the Privacy Rule, that is incidental to a permitted disclosure but goes beyond the minimum necessary, or that is not authorized by the subject of the gossip is technically a data breach.
In such circumstances, Covered Entities (and Business Associates where applicable) must notify the affected individual(s) and HHS’ Office for Civil Rights that a breach has occurred unless a “low probability of compromise” can be demonstrated by means of a risk assessment. The risk assessment should take into account at least the following factors:
- The nature of PHI disclosed in the gossip
- The person(s) to whom the disclosure was made
- Whether PHI was actually disclosed and, if so, the likelihood of it being further disclosed
- The extent to which the risk of further impermissible disclosures has been mitigated
Whether or not the workplace gossip constitutes a notifiable HIPAA violation under the Breach Notification Rule can also depend on who reported the impermissible disclosure of PHI, who the report was made to, and how quickly those involved in the workplace gossip were alerted to the violation and warned against repeating whatever gossip they had heard.
How to Mitigate the Risk of HIPAA Violations due to Workplace Gossip
The only way to mitigate the risk of HIPAA violations due to workplace gossip is to train all members of the workforce on what PHI is and what uses and disclosures of PHI are permitted by the Privacy Rule. Training must be enforced by a sanctions policy that explains the consequences of HIPAA violations (a requirement of HIPAA), and compliance should be monitored and documented to demonstrate a “good faith effort” to comply with HIPAA in the event of a notifiable data breach.