Is telling a story about a patient a HIPAA violation?

by

The Health Insurance Portability and Accountability Act of 1996 was introduced with a variety of aims, from introducing new tax laws to reforming the health insurance market. However, it has now become synonymous with protecting patient privacy. But how far does the law stretch? Is telling a story about a patient a HIPAA violation? When can healthcare professionals and their colleagues share stories about their workdays? We will discuss when telling a story about a patient is a HIPAA violation here. 

Generally, whether a story counts as a HIPAA violation will depend on the nature of the story, who told the story, who the story was about and – crucially – whether the story contained any protected health information (PHI). PHI includes any information that relates to the past, present, or future medical condition of an individual (or the payment for that treatment) that contains one of the 18 HIPAA identifiers. If the information in the story is not individually identifiable, it is not protected by HIPAA. 

The HIPAA Privacy Rule has strict regulations on when PHI can be used and disclosed. Telling a story about a patient would not qualify as a permitted use of PHI, so any stories that do contain that information would be violating HIPAA. In 2020, a nurse was investigated by her hospital for sharing a story with a news outlet about her experience of working on wards during the COVID-19 pandemic, during which she disclosed the name of a patient that died. This was an innocent mistake that could have had serious consequences. 

However, stories that contain PHI are not automatically HIPAA violations. The story must be told by someone subject to HIPAA (that is, an employee, student, or volunteer of a Covered Entity or Business Associate) and about someone who is protected under HIPAA. With this in mind, it is essential that all CEs and BAs ensure that anyone under their direct control is correctly trained in HIPAA compliance. 

Any employee who does violate HIPAA by telling a story can be required to undertake more training or may be put on a probation period. In more severe circumstances, they may be suspended, lose their job, or even lose their license to practice. Caution should always be taken when disclosing work anecdotes. 

So, is telling a story about a patient a HIPAA violation? In some circumstances, yes. Employees should do their due diligence before recounting any stories from work. Storytelling can be a powerful form of communication, but it must be done in a HIPAA-secure manner.