HIPAA Violation???

On another site I sometimes post on, an employee at a nursing home has posted a message requesting cards for the 100th birthday of one of the nursing home's residents. She posted the name and address and indirectly posted the resident's age and birthdate. Someone else, rather rudely, but possibly correctly, posted that this is a HIPAA violation.

I'm not really sure. I am our fire department's HIPAA Officer, so I try to keep up on things, but if I had to make a call on this one, I would have to call our attorney...and he would probably have to call a HIPAA expert...LOL.

What do you think???

I don't know if age is considered protected health information.

http://www.hhs.gov/ocr/AdminSimpRegText.pdf

"Health information means any information, whether oral or recorded in any form or medium, that:

(1)

Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(2)

Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."

Yes, it is a HIPAA violation because the nurse alone cannot grant such a request for disclosure.

Only the hospital, as an entity, can do that, and they only will with a signed waiver.

It was a nice gesture, and her heart is in the right place, but she needs to get that off the board before someone calls the facility and turns her in.

Specializes in Mostly: Occup Health; ER; Informatics.
HIPAA no longer requires written consent. In fact, lack of objection can now be construed as consent. (read latest HIPAA updates). ...

Thanks for the thought, but that is not totally correct.

The "SUMMARY OF THE HIPAA PRIVACY RULE", which I accessed today at http://www.hhs.gov/ocr/privacysummary.pdf , states:

"A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule."

(Authorized Uses and Disclosures section, first sentence)

The verbal consent or lack of objection is for "the patient's care or payment for care", as stated in the "A HEALTH CARE PROVIDER'S GUIDE TO THE HIPAA PRIVACY RULE" published 9-16-2008 at http://www.hhs.gov/ocr/hipaa/provider_ffg.pdf. Care/treatment and payment are the exclusions (see above) to the written-authorization rule.

I'm no attorney-at-law, so don't take this as legal advice. :)

Specializes in Community Health, Med-Surg, Home Health.

I think it is a HIPAA violation, especially if the name, date of birth and other intimate details were given. If the family wanted to celebrate, then THEY should have done so, not the nurse. I don't think she had a malicious intent, either; however, during these times, anything is up for grabs. She should take it down. Let the nursing home or family take over this one...

The more I think about it, the more I do not think it is an actual HIPAA violation. Age as well as address is generally public record. Stating that this patient was a resident could be close to crossing the line but again, I cannot find any specific clause in the HIPAA law that would say this.

HIPAA has been taught with fear which has promoted ignorance. HIPAA has been on the books for 5 years and I think the first and only business fined was about 2 months ago.

For those saying it is a HIPAA violation, what part of the statute has been broken? I am not really interested in what you have been taught, but can you provide references?

Specializes in Cardiac/ED.

Well my 2 cents worth:

I say this falls in the "Give me a break please!" category.

We as a society have a long-standing history of celebrating longevity in everything from work to marriage...Nursing homes often post whose birthdays are when on community boards...as they are considered "residents" more than patients I can't imagine any complaint being made or even held up to the scrutiny of the overly sensitive.

Congrats to this resident, and let them have their small celebrations, who knows how many more they may have.

Please remember often these residents have no one that comes in to visit and if it was not mentioned these poor folks would get no attention for their special day...as a person whose birthday has been forgotten I know how bad that feels.

P2

Specializes in Informatics, Education, and Oncology.

I missed the part about the pt/family consenting????:confused:

https://allnurses.com/forums/f28/dept-hhs-issues-penalty-not-securing-protecting-patient-data-334284.html

https://allnurses.com/forums/f28/hipaa-privacy-guidance-334261.html

HIPAA no longer requires written consent. In fact, lack of objection can now be construed as consent. (read latest HIPAA updates). As long as the patient and/or family agreed to this there is no violation. Also name and address are publicly available info and since the facility is the patient's home it's not really PHI, just demographics. In the case of 100th birthdays, these are often publicized and as long as the patient has no objection, there should be no problem.

Obviously, SS#, dx, meds etc are always PHI, no matter what the setting.

Specializes in Mostly: Occup Health; ER; Informatics.
The more I think about it, the more I do not think it is an actual HIPAA violation. Age as well as address is generally public record. Stating that this patient was a resident could be close to crossing the line but again, I cannot find any specific clause in the HIPAA law that would say this....

For those saying it is a HIPAA violation, what part of the statute has been broken? I am not really interested in what you have been taught, but can you provide references?

Age, address, name... these are protected! See below.

From the SUMMARY OF THE HIPAA PRIVACY RULE published by the U.S. Dept. of Health & Human Services:

"Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. ...

"Individually identifiable health information" is information, including demographic data...that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Reference: 12 OCR Privacy Rule Summary 4 Last Revised 05/03, 45 CFR Part 160 and Part 164, Subparts A and E (available at http://www.hhs.gov/ocr/hipaa).

Any questions? :specs:

Specializes in Emergency & Trauma/Adult ICU.
Isn't there an automatic violation because of the age? When we did care plans/clinical write ups, we were not allowed to give the age of any client over 80 (just put over 80) even though we did not give names (we made up names) because someone could figure out who the person is by the condition and because not many people live past 80.

No, HIPAA is not different for people over age 80 than those under age 80.

The edits in your care plans/clinical write ups were the preference of your instructors. As a licensed nurse you will communicate accurate data about patients including age.

Not many people live past 80? Wow - who am I taking care of all day long?? ;) According to the Census Bureau 2006 data, 6.1% of the US population is aged 75 & up. That's 6.1% of 300 million people, or about 18 million people. It's the fastest-growing segment of the population. In my county, 11% of the population is over age 75. Average life expectancy in the US is now 78 -- that means a lot of people live longer than that.

http://factfinder.census.gov/servlet/STTable?_bm=y&-geo_id=01000US&-qr_name=ACS_2006_EST_G00_S0101&-ds_name=ACS_2006_EST_G00_

http://www.cdc.gov/nchs/fastats/lifexpec.htm

Age, address, name... these are protected! See below.

From the SUMMARY OF THE HIPAA PRIVACY RULE published by the U.S. Dept. of Health & Human Services:

"Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. ...

"Individually identifiable health information" is information, including demographic data...that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Reference: 12 OCR Privacy Rule Summary 4 Last Revised 05/03, 45 CFR Part 160 and Part 164, Subparts A and E (available at http://www.hhs.gov/ocr/hipaa).

Any questions? :specs:

See, but it isn't clear to me either. Here is what I found on the website:

"(6) INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION.--The term 'individually identifiable health information' means any information, including demographic information collected from an individual, that--

"(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

"(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and--

"(i) identifies the individual; or

"(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual."

See demographic data is an identifier but in the above statement it says "AND." So I am still unsure age in absence of health information is considered a HIPAA violation.

I don't think I explained it well. Demographic data including age is IDENTIFIABLE health information but not considered protected health information.

Specializes in ER.

Name and age are public record; if she had said the patient was confined to a wheelchair - yep, that would be inappropriate.

Address...up for grabs I think, depending on whether the patient has chosen to be listed on the census at the NH.

Also, technically, it's not a HIPAA violation unless it's reported. I say no harm, no foul.
