In a recent court case in of the state of Kentucky, Hereford v. Norton Healthcare, Inc. d/b/a Norton Audubon Hospital and Phyllis Vissman, (Ky. Ct. App. July 21, 2017) a nurse sued her employer after being fired for a HIPAA violation. A patient filed a complaint against the nurse because she was speaking too loudly and other patients could hear what she was saying. This case is about incidental disclosures and only using the minimum necessary to accomplish a job.
In this scenario, the nurse was helping other technicians prepare for a medical procedure. She told them to wear gloves because the patient had Hepatitis C. A patient filed a complaint because they felt she was too loud and other patients could hear her. This is considered a privacy violation. However, if she had kept her voice down so no one could hear her except the technicians, she would have been working within the rule.
To be clear, the HIPAA rule does allow for incidental disclosures that occur when you are doing your job correctly. For example, a couple of patients can be checking in at a front desk with partitions or dividers, and conversations may be heard. If the clerks are taking reasonable safeguards to speak quietly, then anything a patient hears would be considered an incidental disclosure and not a violation. In addition, when conducting business, only disclose the minimum amount of medical information you need to get the job done.
In contrast, if reasonable safeguards or the minimum necessary standard is not used, a violation of the privacy rule will occur. The courts ruled that the nurse did not take reasonable safeguards of speaking quietly to warn her colleagues to wear the gloves. Additionally, the courts found she did not use the minimum amount of protected health information to accomplish the necessary purpose. In other words, she could have simply reminded the colleagues to wear gloves without using the term Hepatitis C.
The best way to prevent these situations from occurring is to train your staff. A well-trained staff will be able to maneuver through different situations including what this nurse encountered without compromising a patient’s privacy. Therefore, ensure all staff are provided initial HIPAA training when they begin employment. You can also conduct periodic training and send out privacy reminders. While patient privacy is important, protecting the organization from litigation is important also. We at HIPAAtrek believe training is paramount to a robust HIPAA compliance program and have created a compliance software program to provide you all the tools you need, including HIPAA training. I invite you to look at how we can help your organization by contacting our Senior Account Representative, Theresa Zemcuznikov at firstname.lastname@example.org and let her know you want to see our training platform. Until then, happy HIPAA trekking.