Telling a story about a patient is a HIPAA violation when a HIPAA Covered Entity or Business Associate, or a workforce member acting for them, discloses protected health information without a HIPAA-permitted basis or a valid HIPAA authorization.
When HIPAA Applies To Patient Stories
HIPAA applies to HIPAA Covered Entities and Business Associates, including their workforce members, when they create, receive, maintain, or transmit protected health information. HIPAA does not regulate a patient sharing their own information, or a person or organization that is not acting as a HIPAA Covered Entity or Business Associate.
When A Patient Story Becomes Protected Health Information
A patient story becomes protected health information when it relates to an individual’s past, present, or future physical or mental health condition, the provision of health care, or payment for health care, and the individual is identified or reasonably identifiable. A story can identify a patient without using a name when it contains details that allow others to recognize the individual based on the facts, context, or setting.
Identifiers And Reidentification Risk
A story can disclose protected health information through direct identifiers such as name, address, photographs, account numbers, or full dates. A story can also disclose protected health information through indirect identifiers such as unique diagnoses, rare procedures, unusual events, small geographic settings, distinctive job titles, or combinations of timing and circumstances.
Where it applies, the HIPAA Minimum Necessary Rule governs uses, disclosures, and requests for protected health information and limits the amount of information shared to the minimum necessary to accomplish the intended purpose.
De-Identified Information And Permissible Use
A story does not violate HIPAA when it meets the HIPAA de-identification standard and the information is not reasonably identifiable. Organizations should treat a narrative as potentially identifiable until a designated review confirms that the content meets an accepted de-identification method and that contextual details do not reidentify the patient.
Authorization Requirements For Storytelling
A HIPAA Covered Entity or Business Associate needs a valid HIPAA authorization when it uses or discloses protected health information for purposes not permitted by the HIPAA Privacy Rule. Patient stories used for publicity, fundraising communications that fall outside permitted parameters, social media, testimonials, or promotional materials often require authorization because the content involves protected health information and the purpose does not fit within treatment, payment, or health care operations.
Organizations should document the authorization, retain it in accordance with record retention practices, and ensure the disclosed content matches the scope and expiration terms of the authorization.
Training And Workforce Controls
All workforce members must receive HIPAA training. Annual HIPAA training is industry best practice. Training on HIPAA rules and regulations provides a foundation for workforce understanding before instruction on internal policies and procedures.
Organizations should maintain written policies that address patient anecdotes in presentations, case discussions, education materials, and social media activity, and they should apply sanctions for violations consistent with the HIPAA Privacy Rule administrative requirements.
Business Associate Responsibilities
A Business Associate may handle patient stories when it performs functions or services involving protected health information on behalf of a HIPAA Covered Entity. All staff must receive security awareness training. Staff with access to protected health information must receive HIPAA training. Annual HIPAA training is industry best practice.
Additional Business Associate training responsibilities include training staff on security incident reporting procedures, credential and access protection practices, secure handling of electronic protected health information under the HIPAA Security Rule, and contractual reporting obligations in Business Associate Agreements when an impermissible use or disclosure involves protected health information.