Monday, November 8, 2010

What's a HIPAA violation?

Let's play with a hypothetical example today.

Say you and some classmates are given the assignment of tracking the health of an individual in a retirement community over the course of several months. There is a school website, with greatly restricted access of course, in which you participate in discussions about the overall project and complete assignments.

Then let's say that there is another sub-section of that same site where only you, your group members, and your professors can read what you post.

Now one day you're discussing with your classmates on this site about the next visit and you inadvertently use the first name of the individual you're tracking in the discussion.

Is this considered a HIPAA violation?

I ask because I was told, and corrected, by a professor that it was indeed a violation. For the life of me, I cannot seem to figure out how this would be and said prof has yet to respond to my email.

It's on a non-public webpage so restricted only six people can view it. It is a part of the pharmacy school, which is in turn part of a health care facility. No other relatable information was disclosed in the discussion, merely the slippage of the individual's name.

In all of the HIPAA training I have received over the years, I cannot see how that would be a violation of the law.

Am I missing something here?

4 comments:

Anonymous said...

I might be a little ignorant here but considering it was between healthcare professionals couldn't it be considered sharing information for the diagnosis or treatment of a condition? Wouldn't that be covered under HIPAA?

EasilyAmused said...

The HIPAA police are coming after youuuu!!!!
*jokes*

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Sounds like you're covered to me.

For all anyone knows, if someone outside the health care realm or even those within the access, it could be a made up name!

Anonymous said...

I would only think it was a violation if the rules work in the same way they do here that information can only be exchanged online if the system meets specific security and encryption rules, that may not have been met by the school website. There is also the issue of it not coming under the exchange of information between healthcare professionals(not yet qualified) or the necessary exchange of personal information(you said it was accidental so probably unecessary).

thats just my thoughts, but i cant see you actually being punished, they probably just want to stop a little mistake going unnoticed and becoming a bigger mistake later.

Misch said...

THAT Sir, is not a violation!