I received the call from one of our pain management clinics who had just received a call from an irate patient screaming profanities and accusing one of the staff of disclosing Protected Health Information (PHI) without authorization. So, I dug deeper and found out the whole story. An older female patient was being treated for work related low back injury and after her physical therapy session she walks over to fill her prescription for pain. When she walked up to the pharmacy window, she recognized the staff member as a neighborhood kid who grew up a couple of doors down. After the usual chit chat the staff member filled her prescription, and she was on her way. Later that afternoon the staff member is talking to her best friend from the same neighborhood and mentions the name of the patient who visited today and discloses that she was there for a physical therapy and psychological evaluation (required for all pain management patients). Little did she know that her best friend was this patient’s son’s ex girlfriend, and they also had a child together. So, without any delay the best friend calls her X and says “I just found out your mom is being treated for psychological problems and I do not trust my son at her house anymore. The boyfriend is upset and tells his new girlfriend what he had heard. Next thing we know, the new girlfriend and her mom, the patient, call the facility and start screaming, and threatening to complain to OCR for HIPAA violation and start a lawsuit. That’s when we got involved. We contacted the patient and her daughter and set up a meeting to try to mitigate the situation. After 16 hours of mitigation and several agreed to concessions with the patient. One of the concessions, as an example, was that her chart is now locked up and only accessible by one physician in the facility. We were finally able to resolve this issue without further escalation. Potential penalties avoided not including the cost of a lawsuit were estimated at over $100,000.
Do not discuss anything patient PHI along with their name, address, phone #, or any other identifying information (SS#, birth date, etc.) to anyone other than the clinic’s authorized staff
You may also share patient PHI with other healthcare organizations involved with the treatment of the patients
You may also share patient payment information only with payers (insurance companies, family members, etc.)
You may also share patient PHI with government agencies, such as the police presenting a court issued subpoenas, an attorney, or any agency with a court order.