Public Discussion of Patient Info Can Mean a HIPAA Violation

August 8, 2013

Discussing patient information outside of your practice and over the telephone can result in disclosure of protected health information (PHI).

Here's a HIPAA hypothetical: Is it permissible for a provider, business associate, or subcontractor to discuss patient information via telephone in a public place?

The answer: No. A phone call in this situation constitutes a disclosure of protected health information (PHI). It can be analogized to reading a smartphone in an elevator, where information that connects an individual to a medical condition, treatment, or billing can be read by the person standing next to you. The privacy and security of the PHI is compromised.

Considered in the context of the Breach Notification Interim Rule, a breach broadly means "the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the Privacy Rule] which compromises the security or privacy of the protected health information (PHI)." 45 CFR 164.402. Moreover, "compromises the security or privacy of the PHI" was interpreted as posing a substantial risk of financial, reputational, or other harm to the individual.

Subsequently, the Final Rules negated the "substantial risk of harm" test and replaced it with a standard that is more encompassing. In essence, any impermissible use or disclosure of PHI carries the presumption of a breach, unless the covered entity, business associate, or subcontractor demonstrates that the probability of the PHI being compromised is very low. This burden of proof, as expressed in the Omnibus Final Rule Preamble, resides with the party that potentially breached the privacy and security of the PHI.

It is crucial to note that the sensitivity of the information is also considered.

As a take-away, the best course of action would be to wait until the provider is in his or her car to discuss the information. As long as there are no other passengers, or any individual present has authorization, either directly or indirectly (e.g., through a business associate agreement), to hear or view the information, this would mitigate the risk of a breach.