HIPAA May not Protect Compulsive Liars

At a recent networking event I heard a manager express frustration over managing an employee who got caught up in her own fairy tales that resulted in a very embarrassing termination. She told her co-workers that she was diagnosed with cancer and needed time off for surgery and treatment. The company responded with genuine concern and care, assuring her that she will have all the support and time off she will need. However, after an attempt to send her flowers to the hospital, they discovered that she was not there, and a little more probing confirmed that she never had cancer in the first place. Once I got over the ridiculousness of this lie, I started thinking about the implications of being able to determine whether someone is at the hospital… Is letting someone know that a patient is not at a particular hospital at a specific time considered Protected Health Information (PHI)? What about calling the hospital, asking for the room where Mr. Kravchenko is located and promptly being routed to my room? Isn’t the simple fact of agreeing to route the call already considered PHI?

I realize that this may not be the biggest or most prominent HIPAA violation for most hospitals, requiring some familiarity with the patient in order to make the inquiry effective. However, this also seems like this would allow for targeted inquiries into individual’s health records, all without having consent. I can also see how interested but not authorized parties can start checking for attendance to substance abuse or psychological treatments simply by calling at the time when the patient is suspected to be there. Obviously, HIPAA was not created to protect compulsive liars from being able to deceive their employers and it hard to feel bad for the person who would lie about being sick with a terminal disease. However, this example does highlight the need for staff at hospitals and out-patient facilities to be trained on handling incoming inquiries, including deliveries of balloons and flowers. This also means that hospitals may need to come up with a different / better way of handling incoming calls to patient rooms, and may even need to start using “passwords” before routing a call. While many such incidents are anecdotal and often do not create a lot of sympathy for the “patient”, this does highlight just how easy it is for unauthorized disclosure of PHI to happen.