Q&A: Inappropriate disclosure of PHI

Q: An employee in a psychiatric hospital’s billing department sees a fellow parishioner’s name. He calls other parishioners to tell them that this individual is a patient at the hospital, and they share this information on a prayer chain. Suddenly, several hundred people know that this parishioner is a patient in a psychiatric hospital. Is this an acceptable disclosure?

A: No. It is a HIPAA violation and likely a breach. The employee had good intentions, but he shared confidential information for personal reasons and not as part of his job. He may have seen the name inadvertently. However, looking at patient records for any nonbusiness reason, even with the best intentions, is a HIPAA violation and cause for dismissal and possible legal consequences. Similarly, if you look at the records for the right reasons but share the information with others who don’t have a right to know, you are also violating your organization’s policy and the law.

You should not share PHI with anyone without work-related needs and responsibilities. In this scenario, unless the patient has agreed to be listed in the organization’s patient directory, the employee should not even acknowledge that the person is in the hospital if a fellow parishioner inquires.