Does Talking About a Patient Violate HIPAA?

One main focus of HIPAA regulations is ensuring the privacy of the protected health information (PHI) of patients. Most people immediately think about the protection and security of PHI in physical or electronic (ePHI) formats, but what about when PHI is verbalized?

Does talking about a patient violate HIPAA? If so, what precautions do healthcare providers need to take to avoid breaching PHI?

Does Talking About a Patient Violate HIPAA? – Basics

As we’ve already said, maintaining the privacy of PHI is one of the key requirements of HIPAA Rules and Regulations. The HIPAA Privacy Rule is very clear about requiring access controls and a minimum necessary standard for information that is being shared.

What happens when a doctor is discussing a patient’s care in the hallway outside a treatment room? Or when patient information is posted on a whiteboard at a nurses’ station? Could this create a breach that would result in a violation of HIPAA?

Does Talking About a Patient Violate HIPAA? – Incidental Use and Disclosure

The HIPAA law actually addresses examples like this within the Privacy Rule through Incidental Use and Disclosure. An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule.

The Rule does require that the covered entity apply reasonable safeguards and implement the minimum necessary standard, where applicable, with respect to the primary use or disclosure. 

In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information they hold, and assess the potential risks to patients’ privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

It is important to note that any disclosure that results from an underlying use or disclosure which violates the Privacy Rule would not be permitted under the incidental disclosure exemption.

Does Talking About a Patient Violate HIPAA? – Maximize the Minimum

Even in situations governed by incidental use and disclosure, it’s always a best practice to use the minimum necessary information to facilitate communications. For example, when calling out a person in the waiting room for any reason, using the first name only, or the first name and middle initial, minimizes the risk of PHI being breached.

In the example of a whiteboard at a nurses’ station, using a room number or first name alone makes it harder to connect any PHI (such as pulse, blood pressure, and temperature) to a single individual.
