Despite best intentions, it's possible for a provider to accrue HIPAA violations through negligent behavior, especially online. Stolen or hacked electronic health data is certainly a risk for modern practitioners, but so are online interactions through social media or other channels that may be in good faith. Ann Reisman wrote about the ethical problems practitioners could encounter while trying to avoid disclosing personal information in an article for The Atlantic.
In her piece, Reisman specifically questions whether using real patient case histories for articles, essays or stories constitutes a HIPAA breach. Even when names and other important identifiers are anonymized, she argues that a conversation between doctor and patient could be assumed by the latter to be private: Abstract details without specific ties to real people could still technically be considered as links back to them, and therefore, breaches of trust and privacy.
"Patients rightly assume that their conversations with healthcare providers are confidential, and while there's an implied consent that relevant information may be noted in the medical record, no one expects a rendition of a seemingly privileged conversation to appear in a magazine or newspaper article," Reisman writes.
She also refers to the 18 HIPAA identifiers that constitute Protected Health Information or PHI. These include items that should be easy to avoid in anecdotes, such as device identifiers, phone numbers and Social Security Numbers, but also broader things like geographical locations and elements of the dates. A casual reference to this information could be all it takes to reveal personal details, and in some cases, the rules about exactly how to remove these identifiers could be vague.
Healthcare consulting firms help medical entities correct bad practices that might lead to serious fines and penalties from the government.