HIPAA Question

Here’s the scenario.

I post a review, publicly, for a business on Facebook saying my wife was seen by so and so.

The business responds, publicly, saying I saw your wife in Sept. of 2014, without saying her name. I had not previously mentioned the date.

This is an eyecare place, if that makes a difference, and although he didn’t mention my wife’s name, he mentioned that she was the sister of… ‘jane doe’.

Is that a HIPAA violation?

Legal questions are best suited to IMHO.

I also fixed the acronym in the title.

Colibri
General Questions Moderator

Thank you. Sorry about the wrong thread.

I missed my edit window, but the way I see it is he is providing information, when she was seen, that wasn’t provided by me.

And also providing ‘personal identifiers’ by saying it’s ‘jane doe’s’ sister.

Yes, actually. This might be the first time ever that an “is this a HIPAA violation?” question actually was a HIPAA violation. Date of service, except for just the year, is considered Protected health information (PHI).

https://acp.stanford.edu/hipaa/hipaa-faq

(Bolding mine)

“Jane Doe’s sister” is not PHI, oddly enough, although in a practical sense, it’s much more useful for identifying someone than the service date.

It depends on the particular business. An ‘eyecare center’ could take many forms. However, if they have an optometrist and they submit insurance claims electronically then they’re probably a covered entity and revealing your wife’s sister’s name is probably a violation. There are a lot of details to every part of that.

Naming the sister is also clearly a violation in spirit, if not the letter of the law.

Yes. This eye care center has an optometrist, and they do file insurance claims electronically. Any advice as to how to document this is appreciated. Currently I just have screenshots on my email.

You can file a complaint online.

You said it was on Facebook; that would be your evidence.

Pursue this and report back here to follow up. I am curious. Good luck.

Any information a health care provider gives that could be reasonably used to identify an individual patient is a HIPAA violation – even if the only information is that she is their patient, regardless of the level of detail about her medical condition.

The “spirit of the law” is irrelevant, unless “Jane” is also a patient.

Thanks for the replies all! I haven’t fully decided what I’m going to do, as I’m not one who likes to drag things out and do court things. I have been talking with the owner privately, who was insistent that he has done nothing wrong since I ‘identified’ her prior, although only as my wife. He has not admitted wrongdoing, but has severely edited his response to include no personal indicators. Although I can tell he is starting to realize how serious his comments were.

I’ve learned a lot from you all! Thanks!

Not that it matters, because it seems clear that they did a HIPAA violation, but you kind of started it. If you didn’t want people to know your wife went there for her eyecare, why would you post exactly that?

Did you identify yourself by name and then mention your wife?

How else would they know the exact date of visit?

He might have described some sort of unusual eyeglass/contact prescription that the wife had.

A spouse who is not a health care provider has no duty to maintain health care privacy under HIPAA. The health care provider does.

HIPAA tends to be very generously interpreted by the courts. The release of inappropriate information by a medical provider doesn’t have to be egregious to be in violation for most cases. They are expected to know their responsibilities in this regard and are held to a higher standard than the general public would be.

I tend to agree with dizzee dee in that, technically, you opened the door by mentioning your wife in connection with the clinic in the first place. But I’d still bet that their contribution of information would meet the standard of a HIPAA violation. Certainly nothing worthy of a big fine or other penalty, but it would likely merit at least a warning.

This could still be a HIPAA violation; public knowledge doesn’t obviate a covered entity’s obligation to avoid release of private information.

My name is obviously attached to my Facebook, so it’s fair game. My wife’s name is nowhere to be found on my page. The situation is actually more complicated because ‘jane doe’, my sister-in-law, used to work there and he’s wanting to group the review and her employment together. And he did provide ‘jane doe’s’ first and last name and with her relation to me, thus outing my wife.

It was more of a matter that he was making a business matter, a personal matter.

Again, I know it’s petty, but I was curious of the legality of the events that happened. At the very least I’ve learned a lot, and glad I don’t have to follow HIPAA rules!