Is workplace gossip a HIPAA violation?

Workplace gossip is a HIPAA violation if it involves telling a story about an individual whose individually identifiable health information or any personal details stored in the same data set as their health information is protected by the HIPAA Privacy Rule.

Is workplace gossip a HIPAA violation when it is only natural that colleagues will chat with each other? Obviously, it will depend on the nature of the gossip. For example, talking about what happened at a workplace party would not usually be a violation. But even when the topics of discussion are healthcare-related, there is no straightforward answer to the question of whether workplace gossip is a HIPAA violation. Understanding when workplace gossip constitutes a HIPAA violation is vital, as it could result in significant consequences.

Gossip is ubiquitous, and some even say that it is beneficial for the functioning of society. Gossip is usually some form of casual communication about a third party and can be digital, verbal, or written. Despite how common it is and the fact that it may confer benefits and strengthen relationships, there are considerable harms associated with gossip. The information may have passed through a number of hands and contain significant inaccuracies. It may also be sensationalist or contain personal and private information about the subject. This, in particular, may damage the mental health of the person being gossiped about.  

But can workplace gossip be a HIPAA violation? The HIPAA Privacy Rule governs how Protected Health Information (PHI) is used and – crucially – disclosed, potentially leaving scope for workplace gossip. However, to be considered PHI, information must meet a specific set of criteria. 

For workplace gossip to fall under the remit of HIPAA, the following conditions must be met: 

  • The person gossiping must be subject to the HIPAA Privacy Rule. This usually means that they are employed by the covered entity (CE) or business associate (BA). The Privacy Rule goes beyond covering traditional employees, and actually covers anyone who is under the “direct control” of the CE or BA: the Privacy Rule applies to “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate”.
  • The subject of the gossip must be a patient who is protected under HIPAA.
  • The information must qualify as PHI and contain one of the 18 identifiers required to render information PHI. Even if the gossip is about a patient, if it does not contain an identifier, it is not a HIPAA violation. 

If these conditions are met, then workplace gossip is a HIPAA violation. This can have severe consequences. This is in part due to the nature of gossip – it spreads quickly, so it is hard to predict who will hear it and how they may use it. In the age of social media, information can be shared with all of an individual’s contacts at once, exacerbating the problem. 

In extreme cases, this could be picked up by media outlets – at which point it may become an issue for the Department of Health and Human Services’ Office for Civil Rights. The office could then launch an investigation into the gossiper’s employer. The consequences of such an investigation depend on the circumstances, but could range from mandatory HIPAA training for the entire workforce (“material change” training) to sanctions for those that spread the gossip. In severe cases, the original source of the gossip may receive a warning, have their contract terminated or lose their registration, depending on the severity of the violation. There may also be legal consequences. 

Of course, the patient whose privacy was violated may also suffer the consequences of the HIPAA violation. Again, these can range in severity depending on the information that was shared, each of them unjust. It is for these very reasons that the HIPAA Privacy Rule exists. 

It is worth noting that, even if workplace gossip is not a HIPAA violation, its risky nature means it may still violate other workplace policies. Alongside HIPAA training, employees should also be versed in their employer’s own policies. 

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681