What is an unauthorized disclosure of PHI?

PHI faux pas: social media and the unauthorized disclosure of PHI

Barry Herrin et al. J Med Pract Manage. 2012 Mar-Apr;27(5):275-6. PMID: 22594058

Abstract

The pervasiveness of social media in modern communication has created increased liability for healthcare providers when trying to safeguard patients' protected health information (PHI). This article addresses a few of the most basic but pervasive ways, including "friending," "tagging," and "blogging," that PHI is unthinkingly shared on social media platforms and the precautions that providers can take to avoid such unauthorized disclosures. It is recommended that healthcare providers: 1) require online "friends" to agree to a written disclosure before connecting; 2) avoid tagging or posting photos online that include images of patients; and 3) do not comment or write about a patient on any online platform or blog without written approval from the patient. Ultimately, it is imperative that healthcare providers implement and enforce detailed social-networking policies and integrate those policies with their human resources disciplinary policies in order to guard against HIPAA violations.


Many people have a “better safe than sorry” mentality when it comes to privacy and HIPAA breaches. Similar to how doctors, nurses, and technicians often consider incidental disclosures to be privacy violations, many privacy officers consider any impermissible disclosure to be a breach. However, there are three exceptions to a breach that all staff members should be aware of.


1. Unintentional Acquisition, Access, or Use

The first exception to a breach is when an employee unintentionally acquires, accesses, or uses protected health information (PHI) in good faith within the scope of their authority, and they do not further disclose the PHI in a manner not permitted by the rule.

For example, a technician might accidentally open the wrong patient chart while carrying out her authorized duties. Her viewing of PHI was both unintentional and during the course of her duties; therefore, the exception applies. However, if the technician opened the chart to snoop, she is acting deliberately and not in good faith, making the viewing of PHI a breach.

Additionally, if the technician shares the PHI she accidentally saw in an unallowable way, such as gossiping, then this is a breach. The only time when it’s okay to further disclose the information is if it’s used for the patient’s treatment. In this case, the exception applies.

2. Inadvertent Disclosure to an Authorized Person

The second exception to a breach is when a person authorized to access PHI accidentally shares PHI with another authorized person at the same organization, and PHI is not further disclosed in a manner not permitted by the rule.

For example, a nurse emails the wrong lab results to a doctor, and the doctor tells him that it’s the wrong file and deletes the email. The exception applies here because the disclosure was inadvertent, both the nurse and the doctor are authorized to access PHI, they both work at the same hospital, and the doctor didn’t further share the information.

3. Inability to Retain PHI

The third exception is when an organization disclosing PHI believes in good faith that the unauthorized person receiving the information wouldn’t have been able to retain it.

For example, a clinic mails explanation of benefits (EOB) letters to the wrong people, and the post office returns some of the letters unopened. Most likely, the addressees didn’t see or retain the information inside these envelopes, so the exception applies. However, the EOBs that weren’t returned should be treated as potential breaches.

The key to this exception is whether or not the unauthorized person is able to retain the information. For example, a pharmacy may hand out the wrong prescription, and the patient returns the prescription before leaving the building. In this case, the pharmacy can make an on-the-spot assessment as to whether the patient was able to retain any of the other patient’s information, such as their name or date of birth.


In Summary

Human errors are common, and not all disclosure errors threaten the privacy of PHI. If every impermissible disclosure was treated as a breach, healthcare would become gridlocked. Therefore, the HIPAA privacy rule allows these three exceptions to a breach.

Next time a potential breach comes to light, don’t jump to conclusions. First, gather all the facts and see whether or not an exception applies. If one does, document the incident and the exception you applied and keep it on record. If none of the exceptions apply, conduct the four-factor breach assessment to determine the risk level.


Gain Peace of Mind With the Right HIPAA Compliance Tool

When a potential HIPAA violation comes to your attention, you can use the Breach Risk Assessment Tool in our HIPAA management software to discover whether or not the incident was a breach. The tool will guide you through applying the exceptions to a breach and evaluating your risk level.

If a breach did occur, you can record the details in the Breach Notification Log with the click of a button. If a breach did not occur, you can record the incident in the Security Incident log, along with a description of what you did to mitigate the incident.

To learn more about how HIPAAtrek can help you create a culture of compliance at your organization, request a personalized demo or reach out to us at .

What is an example of a breach of PHI?

Stolen Items: If an item containing PHI, such as a laptop or smartphone, is lost or stolen, that's also considered a HIPAA violation and can result in a hefty fine. To safeguard against this, any device containing PHI should be password protected. Be sure to lock down any device with PHI once you're done using it.

What can happen if there is an unintentional disclosure of PHI?

Nonetheless, accidental HIPAA violations are common. And when such violations occur, the healthcare organization can expect fines and legal action to be pursued by the Department of Health and Human Services (HHS).

What is one way you can prevent unauthorized disclosure of PHI?

members or friends to step out of the room before speaking with a patient about his or her medical condition. Discuss confidential matters in a private area. Avoid discussing patient information in elevators, hallways, the cafeteria, and waiting rooms.

What is unauthorized access to patient information?

Unauthorized access to patient medical records occurs when an individual who lacks authorization, permission, or other legal authority, accesses data, including protected health information (PHI), contained in patient medical records.