In the spirit of compare and contrast, I agree that all of the facts aren't evident. On the face of it, though, I would say it is a violation on the part of Employee Y also. Let's say that Employee Y didn't learn that the minor was in the hospital from Employee X but from another source or by seeing the information in the EHR. Unless an authorization was present, what is the reason for disclosing a patient's information to anyone that did not have a HIPAA need to know? It is not much different than if I, as the employee, see my sister's child at a specialty clinic or at the admissions desk at the hospital and I call my sister to ask if she knew her child was at the clinic or hospital. That's a violation of minimum necessary and an unauthorized disclosure of PHI. I'd appreciate it if you could explain your reasoning as to why Employee Y did not violate HIPAA.
Chris Apgar, CISSP
CEO & President
Thanks for the question. No, I'm not saying if the ER contacted the parent that it's a violation of HIPAA. I was giving more of an example of if an employee saw someone he or she knew in the ER as, say, a registrar, it would not be permissible to contact the parent. In this context it appears on the face of it that Employee Y contacted the parent because the patient was a half-brother.
Whether or not the ER could contact the parent if a minor was admitted gets rather complicated. As an example, if the minor was of the age of informed consent, no friends and family form or authorization was present and it was not a case of harm to self or others or, say, a severe mental health crisis where the treating provider thought, in his or her professional judgement, he or she needed to contact the parents, it would not be permissible to contact the parents. Even that gets more complicated because of overlaying state law. HIPAA states that if state law allows or requires a disclosure, even if the minor is at the age of informed consent, parents could be notified. I appreciate the question because, as with much of compliance, there's a lot of gray out there.
I would say it's an impermissible disclosure on the part of both employees. Employee X should not have told Employee Y that the minor was Employee Y's half-brother and Employee Y should not have contacted the father.