Is every unauthorized disclosure of a patient’s health information a breach under HIPAA? No

Is every unauthorized disclosure of a patient’s health information a breach under HIPAA?  No.  Whether a HIPAA breach occurs depends on whether the patient information disclosed poses a significant risk of financial, reputational, or other harm to the individual.  If no significant risk, there is no breach and no duty to report.  Let’s take a look at a quick example.

One Tuesday afternoon at Imaginary Family Medicine, Nurse May Kamistake emerged from the back office into the waiting room, and said in an inquisitive tone “John?”  Right away a middle-aged heavy set man stood up, smiled, and followed May into the back.  John stepped onto the scale, had his temperature taken, and followed May into an examination room.  May asked John about his day, and proceeded to examine the chart.  She said “well, your test results came back and unfortunately, among other things, your cholesterol level is something we’re a little concerned about.”

“I don’t understand” John responded.

“Well, your LDL level is at 200, putting you in the ‘very high’ category, which is something we think you should work on” May explained.  “Do you exercise regularly?”

Sounding confused, John said “I don’t understand, I haven’t had any blood work done yet.  I’m here because I have a sore throat?”

“Are you John Ingreatshape?” May asked.

“Ah, no, I’m John Neverworksout.  You must have the wrong John.”

Turns out May pulled the wrong chart as John Ingreatshape also had an appointment Tuesday afternoon, but must not have noticed Nurse May calling his name.

Question: Is this a HIPAA violation?  Is Imaginary Family Medicine required to disclose this “breach” of private health information to John Ingreatshape? To the federal government?  To anyone else?

Answer:  As lawyers always say, it depends; however, in this case there was probably no HIPAA violation, and Imaginary Family Medicine does not need to disclose the potential breach of John Ingreatshape’s private health information to John individually, to the government or to anyone else.  John Ingreatshape’s cholesterol level is clearly private health information, and it was obviously wrongly disclosed to an individual other than John Ingreatshape.   That said, under the HIPAA regulations a “breach” is defined as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information.”  That definition has been clarified to explain that “compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.”  Thus, whether a breach has occurred depends on whether Nurse May Kamistake’s accidental disclosure of John Ingreatshape’s private health information to John Neverworksout would pose a significant risk of financial, reputational, or other harm to the John Ingreatshape.  With these limited facts, there does not appear to be any harm as there is nothing to suggest these two people even know each other or anything about each other.  Of course, if we change the facts a little bit, the outcome may be different.  Suppose he’d said “Huh, no, I’m John Neverworksout, but I know John Ingreatshape - he works at my gym as a personal trainer.  High cholesterol you say, what causes that anyway, I would think someone who eats right and exercises a lot like John would be as fit as a fiddle?” In that case, a breach would have likely occured, and Imaginary should probably disclose the apparent breach to John Ingreatshape individually, but not to the federal government or anyone else.


Have questions? I’m here to help.