Did my friend violate HIPAA by telling me this?

My friend works at a clinic and was emailing me today from her work email. In one message, she mentioned how she had just dealt with this man and his wife who wanted to make a consultation appointment and gave her a hard time (they are not patients at the clinic right now, but are in the system). She didn't mention names or anything, but at the end she did say how the wife's "godparents were the founders or something."

I mentioned how I probably shouldn't know that and now she's freaking out thinking she violated HIPAA and is afraid they'll find out because it was on her work email.

Did she violate HIPAA? If she did, what are the chances her work will find out?

JustBeachyNurse, LPN

13,952 Posts

Specializes in Complex pedi to LTC/SA & now a manager.

Her bigger issue may be using work email for personal communication.

Privacy/patient confidentiality and company policy were likely violated. It's borderline HIPAA if you happen to know who the goddaughter of the company founders is...

HIPAA requires patient identifiers to be protected: name, date of birth, address, and other identifying information.

Discussing issues at work with a non-employee via company email likely violates company policy. Some companies run scanner bots on company email looking for data or information breaches. I worked in contract pharmaceutical research and it was made abundantly clear that no personal, non-work-related communications sent via the company email were to be considered private and the company had every right to review any and all communication sent via the company email account. All servers were backed up so deleting was useless once the send button was hit...

virgo7598

140 Posts

Turns out they're not even the founders, apparently they're the donors of the clinic whose name is on the building.

And IDK I think she's worked there for a few months and has emailed me before. She hasn't been caught yet so I hope she won't get in trouble :/

JustBeachyNurse, LPN

13,952 Posts

Specializes in Complex pedi to LTC/SA & now a manager.

Caught yet.... She shouldn't be so sure that she hasn't or won't be caught. She may not find out until disciplinary action.

nurseprnRN, BSN, RN

1 Article; 5,114 Posts

I had something HIPAA-ish happen just last week. I picked up a voicemail of a call from a local provider office confirming an appointment with Dr. Mumblemumble for next Tuesday at 2pm. No patient name, no number to call back and I never heard of this doc, but I thought the office ought to know that the appt was not, in fact, confirmed so they could look in the book to see whose appt it was for Tuesday at 2pm and call that person. I looked up the doc name and found he was a psychiatrist, so contacting the patient would have been doubly important in my opinion.

So I called the office and told them what had happened, and the person who called me said, "So you aren't 'Jane Smith'?"

I said, "OK, look, I am a nurse who's just trying to be helpful. And you have just revealed the name of a patient who has an appointment with a psychiatrist to someone who had no business knowing that. This is a HIPAA violation, you know that, right?"

She got flustered and after a while said yes, she guessed she knew that.

I said, "OK, now, please be more careful and don't ever do that again. Because I'm bad with names I won't remember 'Jane's' name, and I won't report you. But this is a serious matter, someone else might not be so understanding, and your doc's practice could be in for a world of hurt because of what you did."

Sometimes people just do not think this is important enough to have it in the forefront of their thinking. Hope your friend doesn't get fired...but she might.

OCNRN63, RN

5,978 Posts

Specializes in Oncology; medical specialty website.

Work is for work, not personal emails. If an employee needs to email someone about something unrelated to work, wait till lunch break and use a personal phone.

caliotter3

38,333 Posts

What is she doing wasting work time on personal matters anyway? Now that the two of you have discussed this, she should stop the practice immediately, mentally prepare herself for the day she gets hauled into the office to account for past behavior, and she might even consider looking for a new job, so she can leave before any future discovery and consequences. She will probably now lose sleep over this.
