Share this article on:
The answer to the question is gossip a HIPAA violation is not straightforward because it depends on who is gossiping, who they are gossiping about, and what the content of the gossip is. It is important to know under what circumstances gossip is a HIPAA violation, because – when a violation occurs – there could be significant consequences for everyone.
Gossip is casual or unconstrained conversation about other people. It can be communicated verbally, in writing, or electronically; and while some gossip may be communicated in good faith, it frequently involves details that are not necessarily true – especially when gossip is second or third hand – or that have the intention of creating shock (which distinguishes gossip from rumor).
Despite research suggesting gossip can be beneficial, it can also be harmful. People´s mental health can suffer when they are the subject of gossip, or when they are a communicator confronted by the subject of the gossip. It can also be the case that details about an individual are released into the public domain which may have a negative impact the individual´s personal life.
When is Gossip a HIPAA Violation?
In the context of answering the question is gossip a HIPAA violation, one might automatically assume that releasing details about an individual into the public domain is a disclosure not permitted by the Privacy Rule and is therefore a violation of HIPAA, but that is not necessarily true. In order to be a violation of HIPAA:
- The gossip has to be spread by an individual governed by the HIPAA Privacy Rule,
- The gossip has to be about a patient who has rights under the HIPAA Privacy Rule, and
- The gossip has to contain at least one of the 18 identifiers that make health information PHI.
Generally speaking, an “individual governed by the HIPAA Privacy Rule” is a member of a Covered Entity´s or Business Associate´s workforce – workforce being defined as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate”.
Therefore, if an individual who is not “under the direct control” of a Covered Entity or Business Associate gossips about a patient, it is not a violation of HIPAA. Similarly, if the subject of the gossip is not a patient who has rights under the HIPAA Privacy Rule, the gossip is not a violation of HIPAA; and, even if the individual is an employee of a Covered Entity and the gossip relates to a patient in their care, gossip is not a violation of HIPAA if none of the 18 identifiers are disclosed.
The Consequences of Gossip for Everyone
When gossip fulfils the criteria for being a HIPAA violation, it can have widespread consequences. Once information about a patient is shared, the sharer has no control over what happens to that information. It could be shared with colleagues, friends, and family members verbally, and one of the recipients of the information could publish it on social media. The social media post could get noticed by the press, and the unauthorized disclosure escalated to HHS´ Office for Civil Rights.
While an extreme example, the unauthorized disclosure of PHI could result in the individual´s employer being contacted by the Office for Civil Rights, undergoing an investigation, and having to implement changes to policies and procedures – which may result in “material change” HIPAA training for the entire workforce. In this scenario, the consequences of gossip being a HIPAA violation extend beyond just those who were involved in the unauthorized disclosure of PHI.
Undoubtedly in these circumstances, the originator of the gossip – and likely everyone under the control of the Covered Entity or Business Associate who subsequently shared it – will be subject to sanctions. Depending on the nature of the gossip and the harm it has caused, sanctions could range from a warning to termination – with possible loss of registration. There may also be legal consequences if the case is investigated by an Attorney General or the patient brings a civil action.
There are also the consequences to the patient to consider. Depending on what information has been revealed, the patient may suffer anything from mild embarrassment to identity theft. It is for this reason that the Privacy Rule prohibits disclosures of PHI other than for treatment, payment, or operations without patient authorization; and, when you look at the conditions for patient authorization, it is very unlikely gossip would meet them under any circumstances.
Gossip May Violate Other Workplace Policies
Even when gossip does not fulfil the criteria for being a HIPAA violation, it could still violate other workplace policies. Wary of the harm gossip can cause, many organizations have implemented no-gossip policies or policies that limit what can be discussed in “unconstrained conversation”. Therefore, members of Covered Entity´s and Business Associate´s workforces not only have to be aware of when is gossip a HIPAA violation, but also other workplace policies they may be subject to.