In a recent Kentucky court case, a hospital fired a nurse for an alleged HIPAA privacy violation. The nurse had been helping a technician and physician prepare for a medical procedure, telling them to wear gloves because the patient had Hepatitis C. After the patient filed a complaint, the hospital decided that the nurse had violated HIPAA and fired her. What did she do wrong? In this case, we see the fine line between incidental disclosures and privacy violations.
What are Incidental Disclosures?
Let’s say a patient checks in at the front desk. Even though there’s a partition, the patient hears a name and date of birth as the clerk talks quietly on the phone. This is an incidental disclosure and not a HIPAA violation because reasonable safeguards were in place: a partition and the clerk speaking quietly.
In the Kentucky case, the nurse sued the hospital for firing her, claiming that the disclosure was incidental. But did she reasonably safeguard the patient’s privacy? The nurse didn’t lower her voice or take any other protective measure, even though others were present, so it wasn’t incidental.
Furthermore, healthcare staff must also use the minimum necessary standard to protect patient privacy. This means they may only use the minimum amount of information they need to get the job done.
In this case, the nurse didn’t need to tell the technician or physician to wear gloves, and she certainly didn’t need to name the patient’s condition. Because she didn’t take reasonable safeguards or use the minimum necessary standard, the nurse’s disclosure was not incidental but violated HIPAA’s privacy rule.
How Do I Avoid a Privacy Violation?
Train your staff. Staff members should be able to protect patient privacy as they carry out their work. Train them to recognize the difference between incidental disclosures and privacy violations. Well-trained staff members will not only protect patient privacy but also protect your organization from litigation.