Why isn't this a HIPAA issue?

Nurses HIPAA

Published

Specializes in Hospice.

I'm a new grad, so I'm sure there is a reason why this isn't considered a HIPAA violation, since I assume a hospital has a better sense of HIPAA than a new grad. Let me explain:

I'm looking at a hospital website, and they have a link "email a patient." It's a form where you fill in the patient's name and your name, and then you can send a message. The page says that a volunteer will deliver the message for you.

Now, my first thought is: wouldn't this let someone determine if a person is hospitalized or not? Like, you're suspicious that your co-worker or ex or whoever is in the hospital, so you put their name in to send them a little "get-well" note...

I'm guessing that bcs it's not actually med info, it's ok? But I thought that even confirming someone is a patient at a particular location was a HIPPA risk.

Specializes in Critical Care.

HIPAA doesn't prohibit, and actually specifically allows, hospitals to acknowledge when someone is admitted to their hospital, unless the patient is a "do not announce" due to patient request or policy (mental health admit, suicide, OD, etc).

Specializes in Hospice.

Fabulous. I figured it had to be something like that. I just have all those Kaplan rationalizations still swimming in my head, where an answer would be wrong bcs "It acknowledges that the client is a patient at the hospital."

Thank you!

How would it do that? If the patient is not in the hospital, the info on the online form would be discarded, and how would you know that had occurred? Come to that, how would you even know if your message had been delivered by the volunteer?

You're not sending an email to a patient, you're filling out an online form. You can't use readnotify.com or other such service to confirm delivery of the email, because, again, you are not sending an email. So even if HIPAA doesn't care (and they don't, though hospitals may have policy on whom to exclude from their published lists) theres still no way to confirm or deny presence of a patient via this system. Sounds like risk mgmt worked with IT to set it up that way.

Specializes in Pedi.

If you're sending an email to a patient on a hospital's website, presumably you already know that the patient is in this hospital. It's not even close to a HIPAA violation to provide an avenue for people to communicate with patients. You have to fill out the patient's name, it's not like it's a drop down list where you see that Mary Smith is in room 402 and think "Oh, I know Mary, I didn't know she was in the hospital, let me send her a letter." The hospital isn't providing you with any information, this is no more a violation than it would be for you to mail a card to the hospital addressed to Mary Smith.

Specializes in Acute Care Pediatrics.

What Kel said.... also, if a patient is admitted to the hospital and wishes that no one know they are there - they should be given the option to completely "opt out" of the system. When a patient opts out at my facility, if someone were to come ot the desk and ask for room information for XYZ, they would have no record of that patient being admitted. I would assume it would be the same type of thing with an email.

Specializes in Psych ICU, addictions.

If the website just accepts messages for patients without verifying if someone is indeed a patient, then there's no HIPAA violation.

+ Add a Comment