One of the biggest errors authors make in regards to writing about something medical is that their character violates HIPAA. HIPAA is a law that outlines a patient’s rights regarding their protected health information (PHI). I’ve blogged extensively on this topic and you can find these posts by following these links:
The simplest way to explain a HIPAA violation is that someone accesses a patient’s information when they are not directly caring for that patient and/or discloses protected health information about a patient publicly.
Two recent stories have highlighted each of these scenarios.
The first involves actor Jussie Smollett and several dozens of hospital employees accused of viewing his medical information at Northwestern Memorial Hospital in Chicago, Illinois. They were all fired, reportedly some didn’t even open the chart, but just “scrolled by” it. The point is, with today’s technology and electronic medical records, it is very easy to determine who has accessed someone’s health information. It’s basically tracked electronically. Unless you are directly involved in caring for a patient, it is illegal for you to look at their information. I can’t even access my own children’s medical charts at the hospital where I work unless I go through the proper channels, which is signing a release for them through medical records.
The second, and perhaps more frightening case, is of the nurse who disclosed a toddler was positive for measles in the pediatric ICU where she worked and then posted about it to an anti-vaxxer group she belonged to on social media.
She didn’t give the patient’s name, sex, or exact age so she should be okay, right? Many times, people think this is a way to get around HIPAA and sometimes they can be right— it depends on the volume of such a diagnosis. For instance, if my ER sees 5,000 patients a day (which is insane– I don’t know any ER that can even possibly do this) and I say we saw a patient with a rash (and that’s it) then that doesn’t necessarily signify the one I might be talking about because there were probably dozens of patients seen with a rash that day with that volume of patients. However, I will also say this could still be considered a HIPAA violation, but let me further illustrate my point.
The more unique and rare a medical diagnosis is, the more easily it would be to identify a patient even without disclosing name, sex, or age and that is this nurse’s first problem. There was probably only one patient in the PICU that had a medical diagnosis of measles. It had likely been in the news that there were measles cases in Texas (this is frequently disclosed for the public good to encourage vaccinations), but the nurse’s information narrows down the hospital, the general age group, and just how sick he was. Then neighbors can start thinking, “Hey, we live close to Texas Children’s and I haven’t seen Billy (totally made up name) in a while and he’s a toddler—” and then phone calls go out to Billy’s mom asking if he has measles. See?
The frightening aspect of the scenario, from a purely pediatric standpoint is, that even after seeing how sick this child was, she remained an anti-vaxxer and even mused about taking a swab from the ill child’s mouth and attempting to give wild measles to her own child! For one, I consider this child abuse. I truly cannot fathom in my mind how this nurse believes giving her child the real thing is preferred over a vaccine that can prevent the entire illness.
**The safest thing for ANY healthcare worker is to not discuss their patients at home or on social media no matter how vague they try to make the scenario.**
It is also the safest thing for authors who are writing these scenarios. As I’ve always said, you can have a character that violates HIPAA in your novel, but they must face repercussions for it. The positive side of this is that it increases the conflict in your story automatically. It also shows the reader that you’ve done your research.