Thursday, November 3, 2011

HIPAA, Heart Disease and TMI

Yesterday, I and another heart disease advocate worked all day at a table for WomenHeart, handing out information on women's heart health. My friend and I are both heart disease survivors.

At one point, a woman came up to our table and started telling me her story of postpartum cardiomyopathy. I said to her, "You really need to talk with _______, my fellow patient here; she's had post-partum cardiomyopathy, too."

My friend wrapped up the conversation she was having with another visitor, and I put the two of them together. I stood back and watched while they traded stories, exchanged contact information, and made a real connection with each other, since they had a shared diagnosis.

As our newest heart-sister walked away after hugging my friend, she said how great it was to be able to talk to someone else who'd been through the same thing.

Did I break a HIPAA rule by telling this new lady about my friend's diagnosis?

I don't know, but what happened yesterday wasn't unusual, at least in the patient communities that I participate in.

As longtime readers know, my own diagnosis is idiopathic SCAD (spontaneous coronary artery dissection), my right coronary artery repaired with six overlapping drug-eluting stents (DES). If you're curious, I can even tell you the make and model of these tiny bits of metal in my body -- Xience V, by Abbott Labs.

No one knows what causes SCADs, and there's no standard treatment. Some people who have dissections have a connective tissue disorder, some women are pregnant or have just given birth, and others, like me, just have them for no reason that we know of--that's the idiopathic category. As for treatment: some people get stents, some have bypass surgery, some are medically managed, and some get no fix (aka, the "watchful waiting" strategy).

When a new person shows up on the heart disease message board, sometimes one of us will say, "Oh, so-and-so has the same thing," same diagnosis, same treatment, same experience with side effects, whatever.

And we don't think anything of it; what we're doing, in our eyes, is accurately connecting patients with other patients who have something in common. Especially when we know that the one we're referring to may not check the message board very frequently anymore, we'll send an email: "So-and-so is new, has diagnosis/treatment X, and I know she'd like to hear from someone else in the same situation."

At Mayo's Social Media Summit a couple of weeks ago, there was a lot of discussion around HIPAA, patient disclosure, privacy, and keeping control of privileged health information. That has me wondering: have we been inadvertently violating the law all this time without realizing it?

If so, how can we continue to support each other, while staying on the right side of HIPAA? Is HIPAA even concerned with patient-to-patient sharing, like we've been doing?

I honestly don't know. I'm freely admitting my ignorance here and would love to hear various perspectives on the subject.


  1. I've always thought it applied to health care professionals.

  2. That's what I thought, too, until several side-conversations at Mayo the other week along the lines of, "Oh I busted my knee the other week--see, that's disclosing your own information. Versus, Frank broke his arm last night--that's disclosing someone else's confidential health information."

    And as peer-to-peer patient advocates, what, exactly, are we? Are we just friends, talking in an electronic living room? Are we some form of health education providers?

  3. Laura --

    Nice to meet you IRL @ Mayo.

    The short answer is that the actions you described do not violate HIPAA. You are not covered by HIPAA in this circumstance.

    A lot of folks don't understand HIPAA, and it's cited as the basis for a lot of stuff ... it's often a convenient excuse for not doing stuff people don't want to do.

    A good resource on HIPAA may be found on the website of the US Dept of Health and Human Services, Office of Civil Rights, which enforces these regs. I recommend starting here: For Consumers –

    OK, here's the longer answer:

    HIPAA requires that "covered entities" (CEs) - i.e., providers, payors, or health care [claims adjudication and payment] clearinghouses - not release "protected health information" (PHI) of individual patients to anyone, unless it's to other CEs for "treatment, payment or operations" (TPO) or to CEs' "business associates" (BAs) for TPO - and BAs don't get the PHI unless they've signed a "business associate agreement" (BAA) which imposes all the same obligations that are imposed on CEs by the regs directly. (BAs need to enter into BAAs with their subcontractors, too.) Every CE needs to give a notice of privacy practices (NPP) to patients up front, detailing how they use and share PHI in accordance with the regs.

    At #mayoragan, one situation that was discussed was the case of a nurse posting on Facebook "please pray for Timmy" or something like that, where Timmy is the newborn son of a co-worker who is a patient in her employer hospital's NICU. If she posts on her own Facebook, and her profile identifies her as an employee of the hospital, that's a potential problem for the hospital (her actions as an employee could be imputed to the hospital) and it's a potential problem for her as a licensed health care professional (she just posted PHI about a patient; further potential point of distinction: is she a nurse on the NICU? Is Timmy her patient?). If her personal Facebook does not in any way identify her as a hospital employee, then it's just a question of whether she has her friend's consent to share this information -- same as if she were sharing that information by telephone or in person with a friend, same as if she were not a nurse in the hospital or in the NICU. Now, if she posts on the hospital's Facebook page, this becomes a potential liability for the hospital, too. That's why hospitals should moderate, or scrub daily, their social media properties in accordance with posted policies and procedures/terms of use.

    Hope that's not too much information (or TMI, to finish up the alphabet soup of acronyms here), but since this seems to be a consistently recurring sort of question, I thought it would be worth addressing here.

    Bottom line, as peer-to-peer health advocates, you are not governed by HIPAA. If you step into another role, or inhabit more than one role simultaneously, and are a CE or have a closer connection to a CE (e.g. a peer health advocate network operating under the aegis of a health care provider network), then the answer may change.

    Keep on keepin' on.

  4. Thank you David, it was great to meet you, too!

    And thank you so much for the clear explanation of HIPAA (dangit, just typed it as HIPPA again, now you know why I put an image of hippos in the post).

    I spent some time wandering through the HIPAA FAQs but couldn't find what I was looking for, so I appreciate you breaking it down for me. And thank you for doing it without making me feel stupid. No, really -- explaining stuff like this without coming across as condescending is a talent, one that not a lot of people have.

    So, yes. Very much appreciated. I hope our paths cross again IRL sometime; otherwise, I'll see you on Twitter, etc. :)