Patient Confidentiality and HIPAA
Patient confidentiality and HIPAA compliance are not the same thing. Although one of the primary goals of HIPAA is to protect individually identifiable health information from impermissible disclosures and unauthorized access, confidential patient information consists of more than just health information.
One of the most common misconceptions about patient confidentiality and HIPAA compliance is that all patient information is automatically protected by HIPAA. It’s not. HIPAA automatically protects a patient’s health information, treatment information, and payment information. Any other information that could be used to identify the patient is only protected by HIPAA when it is maintained in the same data set as Protected Health Information (PHI).
In many cases, non-health information is maintained in the same data set as patients’ PHI. But there are plenty of exceptions. If, for example, a healthcare provider maintains a separate database of names, ages, genders, and email addresses for marketing purposes, the information could be considered confidential. However, because the marketing database does not contain PHI, any confidential non-health information is not protected by HIPAA.
This does not mean that confidential non-health information maintained in a separate database is not protected at all. Although the information may not be protected by HIPAA, all states have data privacy laws and/or breach notification laws – some with more stringent requirements than HIPAA. While some of these laws have exemptions for PHI, if confidential patient information is not protected by HIPAA, it is covered by the applicable state law.
Why Isn’t All Patient Information Kept Together?
In the context of patient confidentiality and HIPAA, it is not practical for covered entities to keep all confidential non-health information in a data set with PHI. This is because the Security Rule requires covered entities to limit access to PHI by assigning unique user IDs to each workforce member. Each user ID reflects the workforce member’s access permissions to PHI. Some workforce members have full access to PHI. Others have no access to PHI.
Workforce members with no access to PHI could be engaged in roles in which contact with patients is necessary – for example, marketing, transportation, or oxygen deliveries. Therefore, it is necessary for some patient information to be maintained in a separate database – which these workforce members have access to – in order for them to complete their roles. To have access to all a patient’s information would be a violation of the Security Rule.
The alternative to maintaining separate databases is for workforce members with no access permissions to PHI to interrupt workforce members with full access permissions to PHI in order to obtain non-health information such as a patient’s email, home address, or cellphone number. Not only is this impractical because of the disruption to workflows, but also because there has to be an audit trail of what happens to PHI once it has been disclosed.
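The separation described above (one data set holding PHI, a second holding only contact details, unique user IDs carrying role-based permissions, and an audit trail of PHI access) can be made concrete with a small access broker. The following is an added example written for this page, not code from the article or from any real EHR or compliance product; the role names, patient records and user IDs are all constructed for illustration.

```python
"""Illustrative role-based separation of PHI from non-health contact data.

Constructed example, not from the article or any real EHR product: two
data sets, unique user IDs with role-based permissions, and an audit
trail recorded for every attempted access to the PHI data set.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data sets. Real identifiers and records would differ.
PHI_DATASET = {
    "P-1001": {"name": "Alex Doe", "diagnosis": "hypertension", "insurer": "ExampleCare"},
}
CONTACT_DATASET = {
    "P-1001": {"name": "Alex Doe", "email": "alex.doe@example.com", "phone": "+1-555-0100"},
}

# Which data sets each role may read. Marketing and delivery staff get the
# contact data set only; clinicians and billing get both. (Hypothetical roles.)
ROLE_PERMISSIONS = {
    "clinician": {"phi", "contact"},
    "billing": {"phi", "contact"},
    "marketing": {"contact"},
    "delivery": {"contact"},
}


@dataclass(frozen=True)
class User:
    user_id: str   # unique per workforce member, as the Security Rule requires
    role: str


@dataclass
class AuditEntry:
    timestamp: str
    user_id: str
    patient_id: str
    dataset: str
    outcome: str   # "permitted" or "denied"


class AccessBroker:
    """Mediates reads of both data sets and keeps an audit trail for PHI."""

    def __init__(self):
        self.audit_log: list[AuditEntry] = []

    def _record(self, user, patient_id, dataset, outcome):
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user.user_id, patient_id=patient_id,
            dataset=dataset, outcome=outcome))

    def read(self, user: User, patient_id: str, dataset: str) -> dict:
        allowed = dataset in ROLE_PERMISSIONS.get(user.role, set())
        # Every attempt on the PHI data set is logged, denied ones included,
        # so the audit trail shows who tried to reach PHI and when.
        if dataset == "phi":
            self._record(user, patient_id, dataset, "permitted" if allowed else "denied")
        if not allowed:
            raise PermissionError(f"{user.user_id} ({user.role}) may not read {dataset}")
        store = PHI_DATASET if dataset == "phi" else CONTACT_DATASET
        return dict(store[patient_id])


def demo():
    """Run one clinician and one marketing user through the broker."""
    broker = AccessBroker()
    clinician = User("u-clin-01", "clinician")
    marketer = User("u-mkt-07", "marketing")
    results = {}
    results["clinician_phi"] = broker.read(clinician, "P-1001", "phi")
    # Marketing can fetch the patient's email without ever touching PHI.
    results["marketing_contact"] = broker.read(marketer, "P-1001", "contact")
    try:
        broker.read(marketer, "P-1001", "phi")
        results["marketing_phi"] = "permitted"
    except PermissionError:
        results["marketing_phi"] = "denied"
    results["audit_outcomes"] = [(e.user_id, e.outcome) for e in broker.audit_log]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the design is that the marketing user never needs to interrupt a clinician: the contact data set answers the request on its own, and the only entries in the audit log are the ones that concern PHI, including the refused attempt.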
Information Breaches of Patients’ Confidential Details
The procedures for notifying information breaches of patients’ confidential details vary according to the nature of the information breached and the HIPAA “status” of the organization responsible for the breach. Not all healthcare providers and insurance companies that pay medical costs are HIPAA covered entities, and business associates of HIPAA covered entities may notify breaches directly depending on the terms of a Business Associate Agreement.
When covered entities or self-reporting business associates are responsible for information breaches of patients’ confidential details – and the details include PHI – they must notify each affected individual, HHS’ Office for Civil Rights, and State Attorneys General. For information breaches affecting 500 or more individuals, local media channels must also be notified. In some circumstances, there may be further HIPAA breach notification requirements.
When an organization does not qualify as a covered entity – or the information breached does not include PHI – the procedures vary according to state breach notification laws. In all cases, it is necessary to notify affected individuals, but notifications to State Attorneys General and/or the media may only be necessary if more than a certain number of details are breached. The timeframes for notifying information breaches of patients’ confidential details vary by state.
The Issue when Notifying a Breach in Patient Confidentiality
The issue when notifying a breach in patient confidentiality is determining whether confidential patient information has actually been acquired, accessed, used, or disclosed in a manner not permitted by the HIPAA Privacy Rule or by a state breach notification law. There are many examples of breach notifications being dismissed by HHS’ Office for Civil Rights because the events reported in the breach notification did not represent a breach in patient confidentiality.
While the dismissed notifications (which can be found in the Archive section of HHS’ Breach Report) can be attributed to an abundance of caution, it is harder to determine whether confidential patient information has actually been acquired, accessed, used, or disclosed following ransomware attacks. This is because it is not always possible to know if encrypted data has been exfiltrated; and, if so, whether it has been – or will be – used to cause harm.
With regards to breaches in patient confidentiality and HIPAA breach notification requirements, HHS’ Office for Civil Rights has published guidance stating that, in the event of a ransomware attack, the attacker is presumed to have taken control of the data. Unless there is a low probability PHI has been compromised (via a risk assessment), a breach of PHI is presumed to have occurred and organizations must comply with the breach notification requirements.
Sources for Recent Violations of Patient Confidentiality
The most frequently referenced source for recent violations of patient confidentiality is HHS’ Breach Report. However, this source only provides information relating to notified breaches of PHI maintained by a covered entity or business associate. HHS’ Breach Report does not contain details of recent violations of patient confidentiality if the data breached is not PHI or if the organization at which the breach occurred is not a covered entity or business associate.
In addition, there is no information about the nature of data breached, and the “type of breach” and “location of breach” information is often inaccurate. In many cases, it is only possible to determine the nature of data breached, the actual cause of the breach, and the location of the breach once reports have been resolved and appear in the Breach Report Archive. For this reason, it can be beneficial to review breach reports published by State Attorneys General.
Most state OAGs publish details of reported breaches. These cover all recent violations of consumer confidentiality – not just recent violations of patient confidentiality – and may be subject to a reporting threshold. For example, the threshold for reporting in Oregon is when 250 consumers have been affected by a data breach. By comparison, the threshold for reporting in Texas is when just one Texan has been affected by a data breach anywhere in the country.
HIPAA Violations that have Jeopardized Patient Confidentiality
Because covered entities and business associates are required to notify ransomware attacks to HHS’ Office for Civil Rights as data breaches – even when patient confidentiality may not have been violated – and because it is not possible to determine the type of breach until reports are resolved and appear in the Breach Report Archive, it is not possible to know with any certainty which HIPAA violations have jeopardized patient confidentiality until some time after the event.
From the resolved HIPAA violations that have jeopardized patient confidentiality that currently appear in the Breach Report Archive –
- In February 2024, Bay Area Anesthesia reported that a business associate experienced a cyberattack that affected the PHI of 15,196 individuals. Neither the covered entity nor the business associate was fined, but Bay Area Anesthesia was required to provide complimentary credit monitoring services to affected individuals and additional workforce training.
- In December 2023, RevSpring – a provider of revenue cycle management and accounts receivables management services for several healthcare providers – reported that a software coding error had exposed the PHI of 1,053 individuals to the Internet. In response to the data breach, the business associate implemented additional Security Rule safeguards.
- Also in December 2023, Neuromusculoskeletal Center of the Cascades reported that several employees had interacted with phishing emails – giving hackers access to a database containing the PHI of 19,373 individuals. In response to the breach, the covered entity provided complimentary credit monitoring services and implemented additional safeguards.
Why is Patient Confidentiality Important?
Patient confidentiality is important because when patients trust that their personal information will remain confidential, they are more prepared to disclose personal information to healthcare providers. With more information, healthcare providers can make more accurate diagnoses and prescribe more appropriate courses of treatment – which results in increased patient compliance, fewer hospital readmissions, and better patient outcomes.
Better patient outcomes are not only beneficial to patients. Success in patient care can improve workforce morale and job satisfaction – which results in lower retention and recruitment costs for healthcare providers. Healthcare providers can also benefit from higher CAHPS scores and from the Hospital Readmissions Reduction Program, and positive patient reviews will give them a competitive advantage in the healthcare market.
Consequently, healthcare providers are advised to implement measures to ensure patient confidentiality and HIPAA compliance. In some cases, this may mean implementing measures beyond those required by HIPAA and state privacy laws, and covered entities or business associates who require help in maximizing patient confidentiality and HIPAA compliance are advised to seek advice from a compliance professional.