Telling patient stories can constitute a HIPAA violation if they include identifying information, such as names or specific medical details, without patient consent. Healthcare providers must obtain authorization or de-identify information to share it.
Understanding HIPAA and PHI protection
HIPAA protects the privacy and security of patients' health information. Protected health information (PHI) includes information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual. Examples of PHI include names, addresses, birth dates, Social Security numbers, medical records, and biometric identifiers.
Identifying information and HIPAA compliance
The primary concern when sharing patient stories is whether they include identifying information. According to HHS guidance on de-identification, “Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI…” However, if the information is listed with a health condition, health care provision, or payment data that links the individual to a treatment, then it is considered PHI.
Even if a story includes fictional elements, it can still be a HIPAA violation if enough details are included to allow someone to recognize the patient.
Considerations based on context
HIPAA rules apply to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses.
The context of the story can also affect whether it can be shared. For instance, a doctor discussing a patient with a colleague involved in the patient's care is permissible because it falls under treatment-related communication.
However, a healthcare provider sharing a patient's story publicly, such as at a conference, in an article, or on social media, without patient authorization, would likely be a HIPAA violation.
Permitted vs. restricted purposes for sharing
HIPAA permits information sharing for treatment, payment, and healthcare operations without patient authorization. Sharing for educational purposes or raising awareness requires practitioners to obtain consent or de-identify information. De-identification is frequently used for case studies or at conferences.
Providers should consider why they are sharing the information to determine if it aligns with HIPAA's permitted uses or if additional steps, like obtaining authorization, are needed.
Guidelines for obtaining patient consent
Obtaining written authorization from the patient is the safest way to share their story. A HIPAA-compliant authorization form must include the following elements:
- A specific description of the information to be disclosed.
- The name of the person or organization authorized to make the disclosure.
- The name of the person or organization to whom the disclosure can be made.
- The purpose of the disclosure.
- An expiration date for the agreement.
- The patient’s signature and date.
De-identification
If obtaining patient authorization is not feasible, healthcare providers can opt for de-identification, which entails the removal of all 18 types of identifiers outlined by HIPAA, including names, geographic information smaller than a state, and dates related to the individual.
Best practices to prevent HIPAA violations
- Obtain written authorization: The authorization should clearly outline what information will be disclosed, to whom, and for what purpose, along with any limitations or expiration dates.
- Ensure de-identification: If obtaining patient authorization is not feasible, all identifying information must be meticulously removed.
- Use general terms: When discussing patient cases, use broad and nonspecific terms to avoid revealing identifiable details.
- Train staff: Educate all staff members on HIPAA compliance principles and the significance of patient privacy. Regular training sessions should cover the proper handling of patient information, permissible uses under HIPAA, and maintaining confidentiality.
FAQs
Can patient stories be shared for research purposes without violating HIPAA?
Research involving patient stories must adhere to strict HIPAA guidelines. Typically, the de-identification of all personal identifiers is required unless explicit patient authorization is obtained.
Can healthcare providers share anonymous patient stories on social media?
Sharing anonymized patient stories on social media is permissible under HIPAA if all identifying information has been removed to prevent patient identification.
Are there specific guidelines for using patient stories in marketing materials?
Yes, using patient stories in marketing requires explicit written consent from the patient. The consent should specify how the story will be used and to whom it will be disclosed.