[ Friday, January 18, 2008 ]


Question from the Audience: Yes, young lady, you in the back. What's your question?

I have a question. I have done a search and haven't been able to find an
answer. Perhaps I'm just not typing in the correct words!I am a nurse and
I keep a public blog. In my blog, I sometimes tell stories from my shifts
in the hospital. I never identify any patient by name and often change
circumstances and gender as necessary to retain privacy for the patient. I have
a friend who sent me a fiery email today, telling me that she is terrified that
I'm breaking HIPAA violations and breaching confidentiality.Many people tell
stories. I'm no different. That said, it is CERTAINLY not my
intention to breach anyone's private information and I typically put a
disclaimer on my stories stating such. Can you tell me if I'm in the wrong
here? If so, I'll delete the information immediately.Thanks for the
blog... I found you on a search and learned some new things today!

Well, I'm so glad you asked that. I've blogged before about how medbloggers tread a tricky line, due to the possibility that they might disclose protected health information (PHI). If you're disclosing PHI on your blog, unless you have the consent of the patient (or you can reasonably claim the disclosure is for treatment, payment, or healthcare operations), you are causing a HIPAA violation; you probably aren't a covered entity, but your hospital is, you're their employee, and your acts count as the hospital's acts. It's probably a firing offense, too.

BUT, the question is whether you are disclosing PHI. For it to be (PHI), it has to be IIHI (individually indentifiable health information). To be IIHI, it has to either identify the individual or there must be a reasonable basis to believe the information can be used to identify the individual.

So that's the question: If I read your blog, could I figure out who you were talking about? For example, if you stated on your blog that you live in a city known for its rain, its coffee, and grunge music, and that the quarterback of the local pro football team came into the hospital recently and tested positive for HIV, that would be a disclosure of PHI even though you didn't mention Matt's name.

There's no magical formula for what or how much you can say before you reach that "reasonable basis" threshold, so the less identifying information you give the better. Further disguising the individual by fictionalizing facts and circumstances is also a good idea.

Jeff [11:01 AM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template