When a Privacy Breach May or May Not Be a HIPAA Violation
Mrs. Johnson’s daughter called the hospital and left a message requesting an update on her mother’s condition. A little later a hospital employee returned the call to the patient’s home telephone number. No one was immediately available at the patient’s home, so the employee left a message on the home answering machine. The information left on the answering machine was correct, except the patient’s instructions were to contact her through her work number, not the home number, where others had access to the information on the answering machine. The hospital employee left detailed information, including the patient’s medical condition and treatment plan.
The Office of Civil Rights (OCR) investigated and charged the hospital with a violation of the Health Insurance Portability and Accountability Act (HIPAA). The message left on the answering machine violated the minimum necessary requirement of HIPAA and failed to follow the patient’s instructions which were designed to protect the patient’s privacy.
The hospital was required to develop and implement new procedures and training. Employees were to be trained to provide only the minimum necessary information in messages and to follow a patient’s instructions when leaving messages.
Most information is protected by HIPAA. This includes baby photos and Social Security numbers as well as medical charts. There are times, however, when some information may be provided, when complete privacy cannot be guaranteed (USDHHS (a), n.d.). When is a violation not a HIPAA violation?
HIPAA is enforced by the U.S. Secretary of Health and Human Services (HHS) and the Office of Civil Rights and, since the introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH), state attorneys general. In 2015, the last year reported, over 17,000 HIPAA cases were resolved. When a hospital or a healthcare professional learns of a breach, it, and its business associates involved in the breach, are required to report the incident to the government and perhaps to the patient whose information was released (USDHHS (a), n.d.). The process is time-consuming, embarrassing, and expensive.
Not all privacy breaches are reportable, and they may not be considered a HIPAA violation.
HIPAA passed Congress in 1996. The law gave Congress until August 21, 1999, to pass comprehensive health privacy legislation. When Congress did not enact such legislation after three years, the law required the Department of Health and Human Services (HHS) to craft such protections by regulation. Since Congress did not meet the self-imposed requirement, the job of writing HIPAA regulations fell to HHS.
When the regulations became effective, problems became apparent. By original, strict terms of the regulations, a nurse could not hand a prescription to the patient’s next-door neighbor who had been asked to pick it up. Originally, a nurse could not announce, “Mrs. Johnson, your prescription is ready.” Nor could a hospital receptionist tell the floral shop’s delivery person what room a patient was in, and perhaps even whether the patient was in the hospital (USDHHS (a), n.d.).
HHS began to recognize that some disclosures made little sense and some releases were not even necessary. HHS then moved to solve such problems by making exceptions to the rules. HHS wrote:
“Many customary health care communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective health care. [However] the potential exists for an individual’s health information to be disclosed incidentally.” (USDHHS (a), n.d.).
HHS added, “The HIPAA Privacy…does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy.” (USDHHS (b), 2002)
When is it a Violation And when is it An “Incidental Disclosure”?
Under updated rules, if the privacy violation is indeed an incidental disclosure, the incident need not be reported under HIPAA rules (USDHHS (c), 2014). Incidental use and disclosure of HIPAA information does not constitute a violation nor does it necessitate a report.
It is an incidental disclosure if the hospital “applied reasonable safeguards and implemented the minimum necessary standard” (USDHHS(b,c), 2002, 2014). In the example above about Mrs. Johnson, if the hospital employee and the hospital had limited the message left to the minimum necessary for Mrs. Johnson’s care, and had followed her instructions, it would not necessarily be a violation.
This article is not intended as legal advice and should not be used as such. When a legal question arises, the nurse should consult with an attorney familiar with nursing laws in his or her state.
Ken Baker is a pharmacist and an attorney. He teaches ethics at Midwestern University, Glendale, Arizona, campus, and risk management for the University of Florida. He consults in the areas of error reduction, communication, and risk management. Mr. Baker is an attorney, of counsel, with the Arizona law firm of Renaud Cook Drury Mesaros, a Professional Association.
United States Department of Health & Human Services [USDHHS (a)]. (n.d.). Health information privacy: All case examples.
United States Department of Health & Human Services [USDHHS (b)]. (n.d.). Health information privacy: Breach notification rule.
United States Department of Health & Human Services [USDHHS]. (2002). Health information privacy: Incidental uses and disclosures.
United States Department of Health & Human Services [USDHHS]. (2014). Health information privacy: HIPPA privacy rule and sharing information related to mental health.