Whether it is a HIPAA violation to say someone is your patient is an event-specific determination that depends on factors such as who is speaking, who they are speaking to, and the context of the conversation. It may also be the case that a disclosure of this nature does not qualify as a HIPAA violation if it is incidental to a permissible disclosure.
Most questions that start “is it a HIPAA violation to …” without any context do not have a “yes” or “no” answer. For example, in the case of the question is it a HIPAA violation to say someone is your patient, the first thing that needs to be established is whether the person the question is about (i.e., the one who is speaking) is required to comply with HIPAA.
While it is safe to assume that the subject of the question works in healthcare (by the use of the word “patient”), it is not safe to assume they meet the HIPAA definition of a healthcare provider. If they do meet the HIPAA definition of a healthcare provider, it cannot be assumed that they qualify as a HIPAA covered entity or a member of a HIPAA covered entity’s workforce.
Healthcare Providers and HIPAA Covered Entities
Almost most people who work in healthcare come under the HIPAA definition of a healthcare provider, there are some that don’t who could feasibly refer to a client as a patient. These include career counsellors, mediation service providers, and life coaches who are sometimes referred to as therapists to distinguish licensed counsellors from unlicensed counsellors.
Thereafter, HIPAA healthcare providers only qualify as HIPAA covered entities if they conduct or subcontract electronic healthcare transactions for which the Secretary for Health and Human Services has adopted standards in Part 162 of the HIPAA Administrative Simplification Regulations. Healthcare providers that do not qualify as HIPAA covered entities include:
- Healthcare providers that bill clients directly rather than billing health plans or Medicare.
- Healthcare providers that conduct HIPAA covered transactions – but not electronically.
- Healthcare providers exempted from HIPAA – i.e., school psychotherapists.
If any of the above non-qualifying healthcare providers – or any members of their workforces – say that someone is their patient, it cannot be a HIPAA violation because HIPAA does not apply. However, it may be the case that other federal or state privacy regulations apply. For example, in publicly funded school systems, student health information is protected by FERPA.
Who Is the Healthcare Provider Speaking To?
Once it has been established that the person saying someone is their patient is required to comply with HIPAA, the next question to resolve is who the person is talking to. In most circumstances, members of HIPAA covered entities’ workforces are permitted to say somebody is their patient if they are talking to a colleague, family member, or public health official.
Circumstances in which it would be a HIPAA violation to say someone is your patient are usually public disclosures when no consent or authorization has been obtained from the patient for the disclosure. Examples include if a doctor publishes information about the patient on their website or on social media, or discloses the patient’s name when speaking to the media.
Events of this nature would qualify as a HIPAA violation because saying somebody is your patient implies a past or current treatment relationship. Disclosing their name would therefore qualify as an impermissible disclosure of Protected Health Information if the disclosure was not for a reason permitted by the HIPAA Privacy Rule or was not consented to by the patient.
What is the Context of the Conversation?
The HIPAA Privacy Rule permits disclosures of patients’ names for treatment, payment, and health care operations, and for other “uses and disclosures for which an authorization or the opportunity to agree or object is not required” (§164.512). These include disclosures required by law, disclosures for public health activities, and disclosures to report child abuse.
In all other circumstances, it would be a HIPAA violation to say someone is your patient unless the disclosure of the patient’s name was authorized by the patient or the patient’s personal representative. It may also be a HIPAA violation if more than the minimum necessary information is disclosed about the patient to achieve the purpose of the disclosure.
One further consideration is whether it is permitted to disclose the patient’s name without an attestation that the name will not be used to pursue legal action against the patient for obtaining or facilitating lawful reproductive health care. In this case, even if the name was disclosed for a permissible purpose, it would still be a HIPAA violation to say someone is your patient.
When Saying Someone is Your Patient is an Incidental Disclosure
An incidental disclosure of Protected Health Information is a secondary disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another disclosure permitted by the HIPAA Privacy Rule. However, an incidental disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the HIPAA Privacy Rule.
In the context of whether it is a HIPAA violation to say someone is your patient, an incidental disclosure could occur if – for example – two healthcare professionals were discussing their appointment schedules in a public environment. The discussion would be permitted because if it is for the purpose of health care operations, but the disclosures of patients’ names could be considered a violation of the minimum necessary standard.
However, because the disclosures could not reasonably be prevented at the time and in the circumstances, were limited in nature, and occurred because of another disclosure permitted by the HIPAA Privacy Rule, it is not – in this example – a HIPAA violation to say someone is your patient. Healthcare professionals requiring more information about this distinction are advised to seek additional HIPAA training or speak with their HIPAA Privacy Officer.
Image credit: Design_Stock, ADobeStock
