HIPAA.... violation or not....

I am a nursing student. During class I mentioned a first and middle name of a pt in class but did not give any information that I knew it from the hospital setting. All I said is a woman named her child ___ ____. It's a small town and it was one student's niece, which she stated in class, and then went and filed a HIPAA complaint to the woman over the program. I was kicked out of the program for this. Is there anything I can do to fight this??? I need some serious help!!!!

Specializes in Med/Surg, Geriatric, Hospice.

Since when is a name private medical information?

Oy vey.

Us nurses are such criminals aren't we.. :icon_roll

I thought even with birth announcements the parents had to sign or verbally state that it was okay to release the information of the child's birth?

Maybe not? I know I had to sign a form agreeing to the announcement.

Either way I meant to say I do wish you the best with your situation.

Having the baby photos on many sites can be 'public' or friends/family only. The hospital doesn't just post the photos. It's the parent's choice.

What medical information was revealed?

Specializes in ED, CTSurg, IVTeam, Oncology.

As others mentioned, disclosure of just a name is NOT a HIPAA violation. As a matter of fact, hospitals usually confirm the names of patients in their institutions, and give a condition (guarded vs stable), along with their room number if you want it. However, if the class discussion then delved into the child's birth weight, APGAR, et cetera, then you've crossed over the line.

Specializes in family practice.
What medical information was revealed?

Apparently OP said she never gave any medical information (in fact no information at all), just stating that a mother named her child Mary Jane/John Doe...not even the last name.

OP, I hope this classmate was also disciplined, because how much info discussed in class has she told other relatives or acquaintances of hers?

Specializes in Critical Care, ED, Cath lab, CTPAC,Trauma.

Identifiers

This lists the identifiers specifically appearing in the HIPAA privacy regulations. The presence of any one of these identifiers renders health information individually identifiable.

HIPAA De-identification requires removal of all such identifiers as specifically defined in the regulations. It is not equivalent to the more general concept associated with the term 'anonymous'.

The following identifiers of the individual or of relatives, employers, or household members of the individual (the asterisk (*) indicates permitted in a limited dataset, 164.514(e)(2)):

(A) Names (unless specifically released by written permission)

(B)* All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

[Limited dataset must exclude postal address information other than town or city, state and zip code]

(C)* All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers

(E) Fax numbers

(F) Electronic mail addresses

(G) Social security numbers

(H) Medical record numbers

(I) Health plan beneficiary numbers

(J) Account numbers

(K) Certificate/license numbers

(L) Vehicle identifiers and serial numbers, including license plate numbers

(M) Device identifiers and serial numbers

(N) Web Universal Resource Locators (URLs)

(O) Internet Protocol (IP) address numbers

(P) Biometric identifiers, including finger and voice prints

(Q) Full face photographic images and any comparable images (unless written permission obtained)

(R)* Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; If the algorithm for creating a "code" is disclosed to the recipient of the information, then the code is considered a unique identifier. The code is also considered a unique identifier if it is generated from any of the identifiers, or pieces of the identifiers, listed above.

Specializes in Critical Care, ED, Cath lab, CTPAC,Trauma.

http://hipaa.wisc.edu/trainingstudents.html

In order for PHI to be considered de-identified under the Privacy Rule, all of the following identifiers of the patient or of relatives, employers, or household members of the patient, must be removed:

  1. Name;
  2. Geographic subdivisions smaller than a state (i.e., county, town, or city, street address, and zip code) (note: in some cases, the initial three digits of a zip code may be used);
  3. All elements of dates (except year) for dates directly related to an individual (including birth date, admission date, discharge date, date of death, all ages over 89 and dates indicative of age over 89) (note: ages and elements may be aggregated into a single category of age 90 or older);
  4. Phone numbers;
  5. Fax numbers;
  6. E-mail addresses;
  7. Social security number;
  8. Medical record number;
  9. Health plan beneficiary number;
  10. Account number;
  11. Certificate/license number;
  12. Vehicle identifiers and serial numbers;
  13. Device identifiers and serial numbers;
  14. URLs;
  15. Internet protocol addresses;
  16. Biometric identifiers (e.g., fingerprints);
  17. Full face photographic and any comparable images;
  18. Any other unique identifying number, characteristic, or code; and
  19. Any other information that could be used alone or in combination with other information to identify the individual.

Safeguarding PHI

The Privacy Rule requires you to "safeguard" PHI at your training site. Use the following practices to ensure Privacy Rule compliance.

  • If you see a medical record in public view where patients or others can see it, cover the file, turn it over, or find another way to protect it.
  • When you talk about patients as part of your training, try to prevent others from overhearing the conversation. Whenever possible, hold conversations about patients in private areas. Do not discuss patients while you are in elevators or other public areas.
  • When medical records are not in use, store them in offices, shelves or filing cabinets.
  • Remove patient documents from faxes and copiers as soon as you can.
  • When you throw away documents containing PHI, follow the facility procedures for disposal of documents with PHI.
  • Never remove the patient's official medical record from the training site.
  • Avoid removing copies of PHI from the training site; if you must remove copies of PHI from the training site, e.g., to complete homework, take appropriate steps to safeguard the PHI outside of the training site and properly dispose of the PHI when you are done with it. You should not leave PHI out where your family members or others may see it. All copies of PHI should be shredded when they are no longer needed for your training purposes.

The U.S. Department of Health and Human Services has issued another set of HIPAA rules (the Security Rules) regarding safety and security of electronic data files and computer equipment. In the next few months you will be hearing more about electronic safeguards and how the HIPAA Security Rules may affect you at clinical training sites.

Use Only the Minimum Necessary Information

When you use PHI, you must follow the Privacy Rule's minimum necessary requirement by asking yourself the following question: "Am I using or accessing more PHI than I need to?" If you are unsure of the PHI you may use or access while providing health care for a patient at your training site, please contact your preceptor, supervisor or the HIPAA Privacy Officer at your training site.

Discussing PHI With a Patient's Family Members

Before you may discuss a patient's condition, treatment or other PHI with his or her family member, it must be determined if the patient would object to such a disclosure. You should confirm with your supervisor that the patient has agreed to allow or in some other way has expressed no objection to such disclosures before you may discuss a patient's condition, treatment, or other PHI with his/her family members.

Patients' Rights Under the Privacy Rule

Each training site covered by the HIPAA Privacy Rule will have policies and procedures for implementing the following patient rights under the Privacy Rule:

  • The right to request alternative communications. Under the Privacy Rule, patients can ask to be contacted in a certain way. For example, a patient may ask a nurse if she/he can leave a message on the patient's home voicemail instead of contacting the patient at work. If a patient's request is reasonable, as is the previous example, the health care provider or facility must follow it.
  • The right to look at (and obtain copies of) records. Patients can ask to read their medical and billing records, and have copies made.
  • The right to ask for changes to medical and billing records. Each facility must review and consider all requests for changes to medical and billing records.
  • The right to receive a list of certain disclosures. Your training site must make and keep a list of certain disclosures of PHI (excluding disclosures for treatment, payment, and health care operations) that are made without patient authorization. Patients have the right to see and receive a copy of this list.
  • The right to request restrictions on how PHI is used and disclosed. Patients can ask health care providers and facilities to limit the ways they make use of and disclose the patient's PHI for treatment, payment, and health care operations. Providers and facilities are not required to agree to such requests. You, as a trainee, must never agree to such restrictions on behalf of the training site.
  • The right to receive a "Notice of Privacy Practices". Each health care facility that provides direct patient care must give every patient/client a copy of their Notice of Privacy Practices. The notice describes their privacy practices and the Privacy Rule. The facility must make reasonable efforts to have each patient sign a form acknowledging he or she received the notice. We recommend that you obtain a copy of the Notice of Privacy Practices from your training site and become familiar with it.

It's a touchy subject.......and HIPAA is a Federal mandate and has a very limited state by state variation. I think the OP needs to check her school's HIPAA training and policies as these both have come from nursing schools.....

just saying......:smokin:

Must have some very unusual name to have sparked this interest. And merely stating a name without any actual health info doesn't seem to be the issue, but possibly just gossiping might be the issue.

Specializes in PICU, ICU, Hospice, Mgmt, DON.

My thought is like merlee's, was the name in some way so unusual and did the OP mock it in some way, or make fun of it, thereby causing the person to become angry and report it. It sounds like there may be more to this story than we have been told.

Specializes in Intermediate care.

Yes it is a violation of the baby. The fact you stated their name is violation, even though you didn't share information. This would be no different than me going to someone after work and saying

"Hey Sally Sue is in the hospital. She was my patient. But I can't share anymore than that."

^What if "Sally Sue" didn't want that information shared with anyone? Violation!!!!!!! I DID share information about "Sally Sue": I shared she was in the hospital.

Never and I say Never talk about others, including clinical experience using names of any kind, not even a nickname because I have found, the world is very small and someone always knows the other!

Sorry you got kicked out, but you know the Hippa Law! You are a student and you should have been severely reprimanded, maybe not kicked out, but hey, you do know the Hippa thing, right?

Specializes in Emergency, Telemetry, Transplant.
but you know the Hippa Law!

Yeah, that one too! :p

Anyway, I have a few thoughts here. If the name of the baby was published in the newspaper (or some other publication) then just saying the name, with no other health information, is not a HIPAA violation per se. If the OP said the name and then said something about the baby's health/treatment, then it would be a violation.

The problem here might be saying the name to somehow ridicule the name. It seems weird to me to just mention, "oh yeah, I saw there was a lady who named her baby 'Karen Ann.'" (for those wondering, I don't have a friend or pt that I know has that name :) I mention this to avoid further violations). It seems much more likely that the name was brought up because it was unusual/funny sounding/etc. In that case, I can see why the classmate was upset that someone seemed to be making fun of her relative for the name they chose for their child. That is not a HIPAA violation, but it is really bad taste and worthy of a reprimand...although, probably not to be dismissed from the program. :twocents: