
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is Telling a Story about a Patient a HIPAA Violation?

Whether telling a story about a patient is a HIPAA violation depends on who is telling the story, why the story is being told, what information about the patient is revealed in the story, and whether a patient has authorized a disclosure of PHI or exercised their right to restrict disclosures.

One of the objectives of the HIPAA Privacy Rule is to protect patient privacy. The HIPAA Privacy Rule tries to achieve this objective by stipulating which uses and disclosures of Protected Health Information (PHI) are permissible, which a patient should be given an opportunity to object to, and which require an authorization from the patient or their personal representative.

However, the HIPAA Privacy Rule does not apply to everybody. If a healthcare provider is not a covered entity, not a member of a covered entity’s workforce, or not a member of a business associate’s workforce, telling a story about a patient is not a HIPAA violation – even if health information about the patient is disclosed, because HIPAA does not apply to the healthcare provider.

Similarly, if an employee of a contractor for whom no Business Associate Agreement is necessary (e.g., a member of an agency’s environmental services team) reveals that they saw a famous person entering a healthcare facility for treatment, telling the story about the patient is not a HIPAA violation because the employee is not engaged for an activity regulated by HIPAA and is not required to comply with the HIPAA Privacy Rule.


Even when a healthcare provider or workforce member is required to comply with the HIPAA Privacy Rule, there are still many circumstances when telling a story about a patient is not a HIPAA violation. This article explains some of the circumstances in which telling a story about a patient is not a HIPAA violation, but other circumstances may apply depending on the nature of the healthcare provider’s activities.

Why the Story is Being Told Matters

If a story about a patient is being told for a permissible use of PHI, the telling of the story is not a HIPAA violation. However, for some permissible uses of PHI, the minimum necessary standard applies; whereas, in other permissible uses, there is no limit on the amount of PHI that can be disclosed. For example:

  • If a story about how a patient sustained their injuries is being told by a healthcare provider to a health plan in order to obtain an authorization for treatment, the minimum necessary standard applies even if both the healthcare provider and the health plan are covered entities under HIPAA.
  • If a story about how a patient sustained their injuries is being told by a healthcare provider to another healthcare provider in order to provide treatment to the patient, the minimum necessary standard does not apply even if the two healthcare providers work for different covered entities.

Even for the same permissible use, there can be times when telling a story about a patient is a HIPAA violation and times when it is not. For example, if a healthcare facility runs a training course for nursing students, trainees, or practitioners, PHI can be disclosed permissibly as the training course is covered under “health care operations”.

If more than the minimum necessary PHI is disclosed in the training course it is a violation of HIPAA, unless the patient has authorized the healthcare facility to disclose more than the minimum necessary to add context to the training – in which case it is not. These are just some examples of how difficult it can be to determine whether telling a story about a patient is a HIPAA violation.

Why What Information is Revealed Matters

In answer to the question, is telling a story about a patient a HIPAA violation if no PHI is revealed, most people would say “no”. However, if the events of the story could be used to identify the patient, and the story is not being told for a permissible use of PHI, this answer is incorrect. To find out why, it is necessary to review the definition of “individually identifiable health information” in §160.103 of the HIPAA General Rules. The [abridged] definition states:

Individually Identifiable Health Information is health information created or received by a health care provider, health plan, employer, or health care clearinghouse [that] relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual

(i) that identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

If a healthcare provider tells a story about a patient which contains no specific individually identifiable health information, the telling of the story could still be a HIPAA violation if the events related in the story could be used to identify a patient. Even if the story is embellished to make it an untruthful anecdote, the disclosure of PHI could be considered an impermissible use and a notifiable breach if the subject of the story can still be identified as a patient.

Conclusion: Is Telling a Story about a Patient a HIPAA Violation or Not?

There is no straightforward answer to the question of whether telling a story about a patient is a HIPAA violation, because of the number of circumstances in which telling a story is not a HIPAA violation, and because of the issue of whether any information revealed in a story might be used to identify the individual. It can be difficult to ascertain whether a violation has occurred and whether a complaint or violation report is justified without knowing the full facts.

One scenario that has not yet been discussed is when a patient requests restrictions on the uses and disclosures of their PHI as they are allowed to do under §164.522 of the HIPAA Privacy Rule. If a patient has exercised their right to request privacy protections, the only time it is possible to talk about the patient without violating HIPAA is when the nature of the discussion is an exempted use such as when PHI is required for emergency treatment or a disclosure is required by law.

Although the distinction between what constitutes a HIPAA violation and what doesn’t may be clear to a trained workforce of compliant healthcare professionals with knowledge of restrictions and authorizations, the distinction may not be clear to the subject of the story or to anybody else who hears it and knows the identity of the patient – potentially resulting in complaints to HHS’ Office for Civil Rights for alleged impermissible disclosures of PHI and violations of HIPAA.

Although in some circumstances the complaints will be unjustified, if HHS’ Office for Civil Rights decides to investigate a complaint, the investigation can be disruptive. Due to this risk, it is often best to prohibit the telling of stories about patients for any unnecessary reasons. This prohibition should be communicated to members of the workforce during HIPAA training, along with the reasons why any storytelling about a patient could be – or could be perceived to be – a HIPAA violation.

Is Telling a Story about a Patient a HIPAA Violation FAQs

Does talking about a patient violate HIPAA?

Talking about a patient violates HIPAA if there is no permissible reason for the patient to be discussed and, during the discussion, information about the patient is disclosed that could be used to identify the individual. When there is a permissible reason for talking about a patient, the amount of PHI disclosed must be kept to the minimum necessary unless the reason for talking about the patient is exempted from the minimum necessary standard or the patient has authorized the disclosure.

Can you talk about a patient without saying their name?

You can talk about a patient without saying their name unless any information disclosed in the conversation could be used to identify the individual. This would be a violation of HIPAA unless the reason for talking about a patient is a permissible disclosure – in which case it would not matter whether the patient’s name was mentioned or not.

Is it a HIPAA violation to talk about a patient without identifiers?

It can be a HIPAA violation to talk about a patient without identifiers if the nature of the discussion would be impermissible under the HIPAA Privacy Rule and the information disclosed in the discussion could be used to identify the individual. With regards to this question, it is important to be aware that the so-called “18 HIPAA identifiers” are not what constitute PHI. Any information that could be used to identify an individual that is maintained in the same designated record set as their health information assumes Protected Health Information status.

How can you talk about a patient without violating HIPAA?

You can talk about a patient without violating HIPAA if you talk about the patient for a permissible reason. However, when you talk about a patient for a permissible reason, you also have to be aware of whether the minimum necessary standard applies and whether the patient has requested that the disclosure of their health information be restricted.

Can doctors talk about patients without using names?

Theoretically, doctors can talk about patients without using names. However, if the doctor is a covered entity or a member of a covered entity’s workforce, and the information disclosed in the conversation could be used to identify the patient, talking about patients without using their names is still a violation of HIPAA.

Can a doctor discuss a patient with a family member?

A doctor can discuss a patient with a family member provided that – wherever possible – the patient has been given the opportunity to consent or object to the disclosure and the identity of the family member the doctor is talking with is verified. In most circumstances, the doctor is only allowed to disclose the minimum necessary PHI to the family member unless the patient has given their authorization for a more comprehensive disclosure.

Is saying a patient name a HIPAA violation?

Saying a patient name can be a HIPAA violation depending on who is saying the patient name, who the patient name is being said to, and the reason for saying the patient name. In most circumstances, saying a patient’s name by itself is not a HIPAA violation when the name does not relate to the patient’s health condition, treatment for the condition, or payment for the treatment. However, there are some circumstances in which saying a patient name is a HIPAA violation. For example:

Nurse 1: “Who is that in bed 4 with the broken leg?”

Nurse 2: “That is Mr. Jones”.

Is telling a story about a patient on social media a HIPAA violation?

Telling a story about a patient on social media is a HIPAA violation if a valid authorization has not been obtained from the patient prior to the disclosure. In such circumstances, it is important the patient or their personal representative is aware that it may not be possible to withdraw the authorization once the social media post is published.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
