Telling a story about a patient can be a HIPAA violation in a number of circumstances. Generally, whether a story counts as a HIPAA violation will depend on the nature of the story, who told the story, who the story was about and – crucially – whether the story contained any individually identifiable health information. If the information in the story is not individually identifiable, it is not protected by HIPAA.
The Health Insurance Portability and Accountability Act of 1996 was introduced with a variety of aims, from introducing new tax laws to reforming the health insurance market. However, it has now become synonymous with protecting patient privacy. But how far does the law stretch? Is telling a story about a patient a HIPAA violation? When can healthcare professionals and their colleagues share stories about their workdays?
The HIPAA Privacy Rule has strict regulations on when PHI can be used and disclosed. Telling a story about a patient would not qualify as a permitted use of PHI, so any stories that do contain that information would be violating HIPAA. In 2020, a nurse was investigated by her hospital for sharing a story with a news outlet about her experience of working on wards during the COVID-19 pandemic, during which she disclosed the name of a patient that died. This was an innocent mistake that could have had serious consequences.
However, stories that contain PHI are not automatically HIPAA violations. The story must be told by someone subject to HIPAA (that is, an employee, student, or volunteer working for a Covered Entity or Business Associate) and about someone who is protected under HIPAA. With this in mind, it is essential that all CEs and BAs ensure that anyone under their direct control is correctly trained in HIPAA compliance.
Any employee who does violate HIPAA by telling a story can be required to undertake more training or may be put on a probation period. In more severe circumstances, they may be suspended, lose their job, or even lose their license to practice. Caution should always be taken when disclosing work anecdotes.
So, is telling a story about a patient a HIPAA violation? In some circumstances, yes. Employees should do their due diligence before recounting any stories from work. Storytelling can be a powerful form of communication, but it must be done in a HIPAA-secure manner.