Telling patient stories can constitute a HIPAA violation if they include identifying information, such as names or specific medical details, without patient consent. Healthcare providers must obtain authorization or de-identify information to share it.
HIPAA protects the privacy and security of patients' health information. Protected health information (PHI) includes information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual. Examples of PHI include names, addresses, birth dates, Social Security numbers, medical records, and biometric identifiers.
The primary concern when sharing patient stories is whether they include identifying information. According to HHS guidance on de-identification, “Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI…” However, if that information is listed together with a health condition, healthcare provision, or payment data that links the individual to treatment, it is considered PHI.
Even if a story includes fictional elements, it can still be a HIPAA violation if enough details are included to allow someone to recognize the patient.
HIPAA rules apply to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses.
The context of the story can also impact its ability to be shared. For instance, a doctor discussing a patient with a colleague involved in the patient's care is permissible because it falls under treatment-related communication.
However, a healthcare provider sharing a patient's story publicly, such as in a conference, article, or social media, without patient authorization, would likely be a HIPAA violation.
HIPAA permits information sharing for treatment, payment, and healthcare operations without patient authorization. Sharing for educational purposes or raising awareness requires practitioners to obtain consent or de-identify information. De-identification is frequently used for case studies or at conferences.
Providers should consider why they are sharing the information to determine if it aligns with HIPAA's permitted uses or if additional steps, like obtaining authorization, are needed.
Obtaining written authorization from the patient is the safest way to share their story. A HIPAA-compliant authorization form must include the following elements:
If obtaining patient authorization is not feasible, healthcare providers can opt for de-identification, which entails the removal of all 18 types of identifiers outlined by HIPAA, including names, geographic information smaller than a state, and dates related to the individual.
Research involving patient stories must adhere to strict HIPAA guidelines. Typically, the de-identification of all personal identifiers is required unless explicit patient authorization is obtained.
Sharing anonymized patient stories on social media is permissible under HIPAA if all identifying information has been removed to prevent patient identification.
Yes, using patient stories in marketing requires explicit written consent from the patient. The consent should specify how the story will be used and to whom it will be disclosed.