Am I Breaking HIPAA

Updated:   Published

Am I Breaking HIPAA

I was venting on reddit about this coworker who was really rude to me. I discussed the situation and included a quote that the coworker said to me about the patient. I used general statements about the patient situation such as "the intubated patient became rowdy after we suction him, therefore I couldn't give them an adequate bath and their sacral wound care was a mess. This jerk nurse fussed at me because the patients gown was not tied on right and said "this patient is a mess, also you told me that his vent settings were 30 percent not 35". The co worker recognized my post on reddit and apologize to me through DM. Did I break HIPAA and am I in trouble for this

Specializes in VA-BC, CRNI.

What Information is Protected

Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."12

"Individually identifiable health information" is information, including demographic data, that relates to:

the individual's past, present or future physical or mental health or condition,

the provision of health care to the individual, or

the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

De-Identified Health Information. There are no restrictions on the use or disclosure of de-identified health information.14 De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual's relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.15

https://www.hhs.gov/HIPAA/for-professionals/privacy/laws-regulations/index.html

@Bug Out

I didn't use any of the 18 patient identifiers 

Names

All geographic subdivisions smaller than a state (street address, city, county, zip code)

Dates, including birthdate, admission date, discharge date, and date of death

Telephone numbers

Fax numbers

Email addresses

Social Security numbers

Medical record numbers

Health plan beneficiary numbers

Account numbers

Certificate/license numbers

Vehicle identifiers and serial numbers, including license plate numbers

Device identifiers and serial numbers

Web URLs

IP addresses

Biometric identifiers; including fingerprints and voice

Full face photos

Any other unique identifying number, characteristic, or codes

the nurse only knew I was talking about them because of a quote I used. Therefore the patient's identity is still unknown to everyone except the nurse who privately messaged me. So would that mean that I didn't break any HIPAA laws, because technically didn't reveal any specific patient info

Specializes in Nurse Leader specializing in Labor & Delivery.

I would be more concerned about your organization's privacy and social media policy. 

klone said:

I would be more concerned about your organization's privacy and social media policy. 

I didn't use any names, facility names, location, or unit 

Specializes in OR, Nursing Professional Development.
LEMANS said:

I didn't use any names, facility names, location, or unit 

Your facility's policy may go beyond standard HIPAA rules and regs. 

Rose_Queen said:

Your facility's policy may go beyond standard HIPAA rules and regs. 

I read the policy and it lines up with not naming any names and it was posted  without my name. I think I am good. I just panicked a bit

Specializes in Research & Critical Care.

Nah you're fine. That could apply to any patient in the world.

That nurse sounds super petty, though. The gown wasn't tied right? Get outta here.

Specializes in Physiology, CM, consulting, nsg edu, LNC, COB.

No, you're not going to get your institution in trouble with the Feds for violating the privacy rule. Note that individuals are not bound as individuals by it, but if an individual violates privacy (as listed above) their institution gets hit for not training you properly and can fire you for not doing what they already explained to you about your responsibilities under that law. 

Next time you want to vent online, paraphrase or say something like, “… cranked on me for something ridiculously petty that had nothing to do c pt care.” That's general enough that approximately six hundred thousand jerk coworkers might recognize themselves as guilty of jerkitude...and won't make you stand out from the crowd.

Specializes in Nursing.

Why the need to vent online?  if you have a valid issue and it sounds like you do, then you should talk with your co-worker about it.

LEMANS said:

I read the policy and it lines up with not naming any names and it was posted  without my name. I think I am good. I just panicked a bit

My comment is not about HIPAA per se, but rather what could get you in trouble, including being terminated.

You put enough online that your coworker recognized it. I am not on fakebook but presumably there are others who read your posts and also know where you work.

Instead of apologizing, if that coworker (or different coworker who had access to see your post) had showed your post to admins I can almost promise you admins would not be happy. They don't want any dirt that is remotely associated with the corporation being out there--right or wrong on their part--and they typically come down on people for posting such things.

Hopefully we have enough IRL contact with actual/real confidantes that we don't need to post the details where several hundred of our BFFs can read it?

+ Join the Discussion