When Is Gossip a HIPAA Violation?
Carolyn Buppert, NP, JD
A reader asks: Is it against HIPAA regulations for a supervisor to tell other employees about an employee’s medical condition, such as diabetes, substance abuse problems, or cancer, without permission?
Response from Carolyn Buppert, NP, JD
Attorney, Law Office of Carolyn Buppert P.C., Bethesda, Maryland
How Was the Information Obtained?
Whether sharing your private information about your medical history is a violation of HIPAA (the Health Insurance Portability and Accountability Act of 1996) depends on how the supervisor obtained the information. If the supervisor accessed your medical records, then HIPAA would apply. If the supervisor has information about your medical conditions because you gave her that information or because you have discussed your health issues in the workplace, then HIPAA probably does not apply.
What HIPAA Covers
HIPAA requires “covered entities” (a person or organization who furnishes, bills, or is paid for healthcare in the normal course of business) to implement safeguards to ensure that an individual’s health information is used only for purposes related to treatment, payment, or healthcare operations, and that only the minimum amount of necessary information is disclosed. “Safeguards” include organizational policies that prohibit healthcare workers from accessing the records of individuals who are not their patients, prohibit a staff member from disclosing information about a patient to individuals who don’t need to know, and require password protection of the organization’s medical records. When healthcare workers access an individual’s record, they may use or disclose an individual’s health information only for purposes related to treatment, payment, or healthcare operations and may use only the minimum amount of information necessary to perform the work.
HIPAA covers all medical records and other individually identifiable health information used or disclosed by a covered entity (a hospital, facility, practice, or clinician) in any form, whether electronic, paper, or oral. Disclosures can be made only to individuals who need to know the information to treat the patient, obtain payment, or conduct the practice’s operations.
The HIPAA definition of healthcare operations includes:
Conducting quality assessment and improvement activities and population-based activities related to improving health or reducing healthcare costs;
Reviewing the competence or qualification of healthcare professionals; evaluating practitioner, provider, and health plan performance; and conducting training programs and accreditation, certification and licensing, or credentialing activities;
Underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits;
Conducting or arranging for medical review, legal services, and auditing functions;
Business planning and development; and
Business management and general administrative activities of the entity.
Three Hypothetical Scenarios
In a setting where the nurse is both a patient and an employee, whether a HIPAA issue may be involved depends on the circumstances. Let’s look at 3 hypothetical scenarios.
Scenario 1. Your supervisor knows that you have had some issues with substance abuse because you told your colleague/friend about it and the colleague/friend told someone else, who then told your supervisor. Now, the supervisor has told someone else at work that you had a history of substance abuse and therefore shouldn’t be alone in the medication room. Or, perhaps the supervisor told an administrator about your history and recommended that you not be promoted. In this scenario, there is no HIPAA issue. The supervisor hasn’t obtained the information from your medical record.
Scenario 2. You were a patient of one of the clinicians at the multispecialty practice where you work. Your supervisor was not involved in your treatment, but he or she nevertheless accessed your medical record and read your problem list. The supervisor then told someone else at the practice about your problems. Here, we have a HIPAA issue. The supervisor did not have a valid reason to access your record for treatment — eg, payment or healthcare operations.
Scenario 3. Your supervisor was involved in your treatment. She conveyed the information she learned about you to someone who was not involved in your treatment and didn’t need to know the information for treatment, payment, or operational purposes. This is a HIPAA violation because the supervisor, in discussing your problems with others, is not limiting his or her use of your private information to what is necessary to treat you, to get payment, or to conduct operations.
What You Can Do
If you believe that your supervisor has violated HIPAA, you may report the matter to the Office of Civil Rights (OCR). You will report an organization, rather than an individual, because it is the organization’s responsibility to safeguard the records. The OCR can levy fines on organizations that violate the HIPPA rules. The OCR could fine the organization, and the organization could discipline the supervisor.
Department of Health and Human Services. Code of Federal Regulations. 45CFR 164.501. http://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/xml/CFR-2007-title45-vol1-sec164-501.xml Accessed June 27, 2012.
Medscape Nurses © 2012 WebMD, LLC