Is workplace gossip a HIPAA violation?

Can workplace gossip ever be a HIPAA violation? Clearly, this will depend on a number of factors – who is the subject of the gossip, what the gossip is, and who is doing the gossiping. HIPAA does not cover topics such as who is up for promotion, or who did what at the New Year’s Party. However, it is important that employees understand what subjects are covered by HIPAA, and what gossip would be a HIPAA violation.

Gossip is broadly defined as casual conversations about another person (i.e. the subject of the conversation is not party to it). The communication can come in any form, be it verbal, digital, or written. Everyone gossips, and it is often used as a means of forming social bonds. Indeed, there is some evidence that gossip is beneficial to society. Even so, there are considerable harms associated with gossip, including workplace gossip. It may be malicious or sensationalist. It may also spread private information about the subject, threatening their mental health. 

There are several criteria that distinguish usual workplace gossip from gossip that violates HIPAA:

  • The gossiper must be an individual who is subject to the HIPAA Privacy Rule.
  • The information being spread by the gossiper must pertain to a patient that is protected under the Privacy Rule. 
  • The information being spread must be considered PHI under HIPAA. That is, it must contain at least one of the 18 HIPAA identifiers (such as name, ZIP code, or email address) which means the information can be traced back to an individual.

The HIPAA Privacy Rule determines how protected health information (PHI) is used and how it is disclosed. Under the Privacy Rule, any disclosure of PHI to unauthorized individuals is considered a HIPAA violation, including any gossip that conveys PHI. It applies to all individuals “under direct control” of the covered entity (CE) or business associate (BA), including employees, volunteers, or contractors.  

Even if these HIPAA-covered individuals are gossiping about a patient, it is not technically a HIPAA violation unless the information contains one of the 18 identifiers. 

It is important to point out that, even if none of the criteria of a HIPAA violation are met, workplace gossip may still violate other workplace policies. These are often put in place by organizations to guard against the negative effects of gossip, which may include bullying, the decreased mental health of the subject of the gossip, and loss of privacy. Employees should therefore be aware of their own workplace policies. 

There are additional consequences of workplace gossip if it does constitute a HIPAA violation. Healthcare information is particularly sensitive, and the lack of privacy associated with gossip can lead to severe outcomes for the patient (such as identity theft). This is why the Department of Health and Human Services takes HIPAA breaches so seriously. In severe cases (such as if the PHI is published on social media), the HHS’ Office for Civil Rights may launch an investigation.

These investigations have varied outcomes. The workplace may have to implement “material changes” to prevent further breaches, such as providing HIPAA training for their employees. Those directly involved in spreading the gossip are often sanctioned by their employer in line with the severity of the breach. This may range from additional training to termination of their contract (or even loss of registration). The patient may also choose to launch civil action against the CE or BA. 

It is, therefore, better to prevent a breach before it occurs. One crucial way of safeguarding against breaches is by offering extensive HIPAA training to employees.