When a pharmacy learns of a HIPAA breach, it, and its business associates involved in the breach, are required to report the incident to the government.1
But not all violations are reportable, and a violation may not be considered a breach. HIPAA was passed by Congress in 1996. Primarily a set of requirements aimed at insurance companies, the law included a third section intended to protect against the release of confidential patient information. That third section was not completed when the bill was passed. The law gave Congress until August 21, 1999, to pass the section on comprehensive health privacy legislation.
If Congress did not enact such legislation after three years, the law required HHS to craft such protections by regulation. Perhaps not surprisingly, Congress did not meet the self-imposed requirement by 1999, so the job of writing HIPAA regulations fell to HHS.
When the regulations were written and the third section became effective, some problems became apparent. Originally, by the strict terms of the regulations, a pharmacist could not hand a prescription to the patient’s next-door neighbor who had been asked by the patient to pick it up. The pharmacy could not announce or post on an electronic board, “Baker, your prescription is ready.” A hospital receptionist could not even tell the floral shop’s delivery person what room a patient was in and whether the patient was in the hospital.2
HHS began to recognize that some disclosures were not only convenient, but also valuable and necessary. HHS moved to solve such problems by making exceptions to the rules and announced:
. . . [The] potential exists for an individual’s health information to be disclosed incidentally. . . HIPAA Privacy . . . does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy.3
In a recent court case in the state of Kentucky, Hereford v. Norton Healthcare, Inc. d/b/a Norton Audubon Hospital and Phyllis Vissman (Ky. Ct. App. July 21, 2017), a nurse sued her employer after being fired for a HIPAA violation. A patient filed a complaint against the nurse because she was speaking too loudly and other patients could hear what she was saying. This case is about incidental disclosures and using only the minimum necessary to accomplish a job.
In this scenario, the nurse was helping other technicians prepare for a medical procedure. She told them to wear gloves because the patient had Hepatitis C. A patient filed a complaint because they felt she was too loud and other patients could hear her. This is considered a privacy violation. However, if she had kept her voice down so no one could hear her except the technicians, she would have been working within the rule.
To be clear, the HIPAA rule does allow for incidental disclosures that occur when you are doing your job correctly. For example, a couple of patients can be checking in at a front desk with partitions or dividers, and conversations may be heard. If the clerks are taking reasonable safeguards to speak quietly, then anything a patient hears would be considered an incidental disclosure and not a violation. In addition, when conducting business, only disclose the minimum amount of medical information you need to get the job done.
In contrast, if reasonable safeguards or the minimum necessary standard are not used, a violation of the Privacy Rule will occur. The courts ruled that the nurse did not take the reasonable safeguard of speaking quietly when warning her colleagues to wear the gloves. Additionally, the courts found she did not use the minimum amount of protected health information to accomplish the necessary purpose. In other words, she could have simply reminded the colleagues to wear gloves without using the term Hepatitis C.
The best way to prevent these situations from occurring is to train your staff. A well-trained staff will be able to maneuver through different situations, including what this nurse encountered, without compromising a patient’s privacy. Therefore, ensure all staff are provided initial HIPAA training when they begin employment. You can also conduct periodic training and send out privacy reminders. While patient privacy is important, protecting the organization from litigation is also important. We at HIPAAtrek believe training is paramount to a robust HIPAA compliance program and have created a compliance software program to provide you all the tools you need, including HIPAA training. I invite you to look at how we can help your organization by contacting our Senior Account Representative, Theresa Zemcuznikov, at firstname.lastname@example.org and letting her know you want to see our training platform. Until then, happy HIPAA trekking.