Is Gossip a HIPAA Violation?
Gossip can be a HIPAA violation – potentially resulting in a sanction for the gossiper – depending on who is gossiping, who they are gossiping about, and what the content of the gossip is. It is important to know under what circumstances gossip is a HIPAA violation because, when a violation occurs, there could be significant consequences for everyone.

In this article we outline when gossip is a HIPAA violation.
You can also use the article in conjunction with our free HIPAA Violations Checklist to understand what is required to ensure full HIPAA compliance. Use any form on this page to arrange for your copy of the checklist.
Gossip is casual or unconstrained conversation about other people. It can be communicated verbally, in writing, or electronically; and while some gossip may be communicated in good faith, it frequently involves details that are not necessarily true – especially when gossip is second or third hand – or that have the intention of creating shock (which distinguishes gossip from rumor).
Despite research suggesting gossip can be beneficial, it can also be harmful. People’s mental health can suffer when they are the subject of gossip, or when they are a communicator of gossip confronted by the subject of the gossip. It can also be the case that details about an individual are released into the public domain which may have a negative impact on the individual’s personal life.
When is Workplace Gossip a HIPAA Violation?
When considering whether workplace gossip is a HIPAA violation, one might automatically assume that releasing details about an individual into the public domain is a disclosure not permitted by the HIPAA Privacy Rule and is therefore a violation of HIPAA, but that is not necessarily true. In order to be a violation of HIPAA:
- The gossip has to be shared by an individual governed by the HIPAA Privacy Rule,
- The gossip has to be about a patient who has rights under the HIPAA Privacy Rule, and
- The gossip has to contain at least one identifier that makes health information PHI.
Generally speaking, an “individual governed by the HIPAA Privacy Rule” is a member of a covered entity’s or business associate’s workforce – workforce being defined as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate”.
If an individual who is not “under the direct control” of a covered entity or business associate gossips about a patient, it is not a violation of HIPAA. Similarly, if the subject of the gossip is not a patient who has rights under the HIPAA Privacy Rule, the gossip is not a violation of HIPAA; and, even if the individual is an employee of a covered entity and the gossip relates to a patient in their care, gossip is not a violation of HIPAA if no identifiers are disclosed.
Gossip is usually about a named individual, so it is rare for no identifiers to be disclosed. There is also a grey area between what constitutes gossip and what constitutes an anecdote (which may also be embellished with the intention of creating shock), and it is a best practice to prohibit any form of unnecessary disclosure by implementing a policy that states telling a story about a patient is a HIPAA violation – even if the patient is not named.
The Consequences of Gossip for Everyone
When gossip fulfils the criteria for being a HIPAA violation, it can have widespread consequences. Once information about a patient is shared, the sharer has no control over what happens to that information. It could be shared with colleagues, friends, and family members verbally, and one of the recipients of the information could publish it on social media. The social media post could get noticed by the press, and the unauthorized disclosure escalated to HHS’ Office for Civil Rights.
While an extreme example, the unauthorized disclosure of PHI could result in the individual’s employer being contacted by the Office for Civil Rights, undergoing an investigation, and having to implement changes to policies and procedures – which may result in “material change” HIPAA training for the entire workforce. In this scenario, the consequences of gossip being a HIPAA violation extend beyond just those who were involved in the unauthorized disclosure of PHI.
Undoubtedly in these circumstances, the originator of the gossip – and likely everyone under the control of the covered entity or business associate who subsequently shared it – will be subject to sanctions. Depending on the nature of the gossip and the harm it has caused, sanctions could range from a warning to termination – with possible loss of registration. There may also be legal consequences if the case is investigated by an Attorney General or the patient brings a civil action.
There are also the consequences to the patient to consider. Depending on what information has been revealed, the patient may suffer anything from mild embarrassment to identity theft. It is for this reason that the HIPAA Privacy Rule prohibits disclosures of PHI other than for treatment, payment, or healthcare operations without patient authorization; and, when you look at the conditions for patient authorization, it is very unlikely gossip would meet them under any circumstances.
Gossip May Violate Other Workplace Policies
Even when gossip does not fulfil the criteria for being a HIPAA violation, it could still violate other workplace policies. Wary of the harm gossip can cause, many organizations have implemented no-gossip policies or policies that limit what can be discussed in “unconstrained conversation”. Members of a covered entity’s or business associate’s workforce not only have to be aware of when gossip is a HIPAA violation, but also of the other workplace policies they may be subject to.
Is Gossip a HIPAA Violation? FAQs
What is a HIPAA violation?
A HIPAA violation is any failure to comply with the Administrative Simplification Regulations in 45 CFR Parts 160, 162, and 164. These regulations primarily stipulate implementation specifications to protect the privacy of individually identifiable health information and to ensure the confidentiality, integrity, and availability of electronic Protected Health Information (PHI).
Is workplace gossip a HIPAA violation?
Workplace gossip can be a HIPAA violation if it takes place in a covered entity’s or business associate’s workplace, if it concerns an individual whose individually identifiable health information is protected by the HIPAA Privacy Rule, and if the workplace gossip identifies the individual. Any other types of workplace gossip rarely qualify as HIPAA violations.
Is telling a story about a patient a HIPAA violation?
Telling a story about a patient can be a HIPAA violation if the person telling the story is a member of a covered entity’s workforce who is disclosing individually identifiable health information without the patient’s authorization. Even if it is not a HIPAA violation, the person telling the story could be in trouble if the disclosure violates state privacy laws or an employer’s no-gossip policy.
Is it a HIPAA violation to talk about a patient without revealing HIPAA identifiers?
It is not a HIPAA violation to talk about a patient without revealing HIPAA identifiers because you are not disclosing individually identifiable health information. However, it is important to be aware there are more than the 18 HIPAA identifiers listed under the requirements for deidentifying Protected Health Information (45 CFR §164.514). For example, if you talk about a patient’s emotional support animal, this information could be used to identify the patient and would be a HIPAA violation.
How long does a HIPAA violation investigation take?
How long a HIPAA violation investigation takes depends on the nature of the violation and if the investigation uncovers other non-compliant practices that also require investigation. For example, if HHS’ Office for Civil Rights investigates the failure to respond to a patient access request within 30 days, and finds out this is because a covered entity has not developed policies and procedures for responding to patient access requests, the agency may investigate what else the covered entity has not developed policies and procedures for.
Is nurses gossiping about patients a HIPAA violation?
Nurses gossiping about patients is a HIPAA violation subject to certain criteria being met. For example, the nurse must be a member of a covered entity’s workforce (not all healthcare providers are covered entities) and the content of the gossip must qualify as an impermissible disclosure of PHI insofar as it relates to patients’ individually identifiable health information.
Does talking about a patient violate HIPAA?
Talking about a patient can violate HIPAA depending on who is doing the talking, who they are talking to, and whether the conversation relates to a patient’s individually identifiable health information. However, even if the conversation does involve a patient’s individually identifiable health information, it may not be a violation of HIPAA if the conversation is a permissible disclosure allowed by the HIPAA Privacy Rule for (for example) treatment, payment, or healthcare operations.
Does HIPAA allow sharing patient stories?
HIPAA allows sharing patient stories in certain circumstances. For example, a healthcare organization can share patient stories for training, oversight, or quality control purposes without a patient’s authorization. It can also share patient stories for marketing purposes with a patient’s authorization. However, if a patient’s story is shared for a purpose not permitted by the HIPAA Privacy Rule or without the authorization of the patient, it is a HIPAA violation.
Is nurses talking bad about patients a HIPAA law violation?
Nurses talking bad about patients is a HIPAA law violation when the nurses are members of a covered entity’s workforce and when there is no justifiable reason for disclosing individually identifiable health information about the patient. However, many states have “duty to warn” laws that preempt HIPAA; and, if the “talking bad” disclosure was to warn colleagues of a potential threat to their health and safety, it may not be a notifiable disclosure under state law.
Can I get fired for an accidental HIPAA violation?
You can get fired for an accidental HIPAA violation if you have a history of accidental HIPAA violations or the accidental HIPAA violation was attributable to gross negligence on your part. In most cases, employers accept that accidents happen, and the most likely sanctions for accidental violations of HIPAA are a verbal warning and refresher training.
Does HIPAA apply to private individuals?
HIPAA applies to private individuals inasmuch as if you are a member of a health plan or registered with a healthcare facility, the health plan/healthcare facility has to protect the privacy of your individually identifiable health information. However, private individuals who do not qualify as a covered entity under HIPAA are not required to comply with the HIPAA laws.
Can a doctor discuss a patient with a family member?
A doctor can discuss a patient with a family member in multiple cases without violating HIPAA. In some cases, disclosures are permitted by the HIPAA Privacy Rule, while in others it is necessary to obtain a patient’s consent. However, it is important to note patients have the right to request that some or all of their Protected Health Information is withheld from some or all of their family members.
Can a non-medical person violate HIPAA?
A non-medical person can violate HIPAA because it is not only medical people that are required to comply with HIPAA. Every member of a covered entity’s or business associate’s workforce is required to comply with HIPAA and many non-medical people work for these organizations. Consequently, cleaners, receptionists, lawyers, data entry clerks, and website builders could all – in theory – violate HIPAA.
Can you talk about a patient without saying their name?
You can talk about a patient without saying their name, but – even so – you could still be violating HIPAA. If you discuss a patient’s health information and include any information that could be used to identify the subject of the health information, the health information becomes “individually identifiable health information” – which is protected by the HIPAA Privacy Rule.
Does HIPAA apply to coworkers?
HIPAA applies to coworkers when you and your coworkers work for a covered entity or business associate. In the context of whether gossiping about a patient with coworkers is a HIPAA violation, you are only allowed to discuss a patient for a reason permitted by the HIPAA Privacy Rule, and even then, you may have to comply with the minimum necessary standard.
Is a HIPAA violation a felony?
A HIPAA violation can be a felony according to an opinion published by the Attorney General’s Office of Legal Counsel in 2005. The opinion relates to criminal violations of HIPAA for knowingly and wrongfully disclosing individually identifiable health information under §1320d-6 of the Social Security Act; and, in the opinion, the Principal Deputy Assistant Attorney General notes that a three-tiered penalty system exists:
Tier 1 – for knowingly and wrongfully disclosing individually identifiable health information – is described as a misdemeanor offence. However, Tier 2 – for committing the offense under false pretenses – and Tier 3 – for intending to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm – are described as aggravated circumstances which qualify the offense as a felony.
What information can be shared without violating HIPAA?
Any information can be shared without violating HIPAA provided that the use or disclosure of information is permitted by the HIPAA Privacy Rule or is supported by a patient’s authorization. In most cases, the challenge to HIPAA compliance is not what information can be shared, but in what circumstances can information be shared.
Is it illegal to share someone’s medical information?
It can be illegal to share someone’s medical information depending on who is sharing it and the reason for sharing it. For example, organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) are allowed to share someone’s medical information for “permissible” uses and disclosures (i.e., treatment, payment, and health care operations).
If these organizations – or the people who work for them – share medical information for a reason not allowed by HIPAA, it is a civil offense. If they share medical information knowing it is a civil offense, it becomes a criminal offense under §1320d-6 of the Social Security Act, which can be punished by a fine of up to $250,000 and a prison term of up to ten years.
Can doctors talk about patients to other doctors without violating HIPAA?
Doctors can talk about patients to other doctors without violating HIPAA provided the reason for a patient being discussed is permitted by the HIPAA Privacy Rule. In most circumstances, doctors may only talk about patients to other doctors if there is a direct treatment relationship between the doctors – e.g., when a family doctor discusses a patient’s condition with a specialist.
Can therapists report past abuse?
Not only can therapists report past abuse, in most states it is a legal requirement for therapists to report physical and mental abuse. No state laws have a statute of limitations for reporting abuse – only statutes that limit the length of time a victim can bring a civil case against the abuser. There is also no privacy law (including HIPAA) that prevents the reporting of past abuse.
Does HIPAA apply after death?
HIPAA applies after death for a period of 50 years. However, HIPAA does not stipulate retention periods for medical records, as these are mandated by each state. Any Protected Health Information maintained by a covered entity or business associate after a person has died must be safeguarded from impermissible uses and disclosures as if the person were still alive.