I’ll Have a Brown Sugar Rosemary Latte and a HIPAA Breach, Please


Margaret C. Scavotto, JD, CHC
President, Management Performance Associates

The other day I stopped by my favorite local coffee shop for an afternoon pick-me-up. I ordered my guilty pleasure – a brown sugar rosemary latte – and sat down in the only available seat on the lobby couch to wait.

A few minutes later, a young woman came in and sat down next to me, opened her laptop, and began clack-clacking away (a common occurrence, as this coffee place is known as an unofficial co-working space).

I got up to get my latte, sat back down, and noticed that the woman was on the phone. I began reading an article about a recent HIPAA breach (in a moment you will learn the irony in this), and tried not to be distracted by her call. But, I couldn’t help but notice she seemed to be talking about a patient. She mentioned the patient’s name and birthday, and then scheduled an appointment for him. She went on to do this for several other patients. Then she called a few patients to check on their condition and well-being. I also couldn’t help but notice that she was typing information into some kind of EMR database.

If this was a cartoon, my head would have exploded at this moment.

When my disbelief faded into the reality that this person – perhaps some kind of caseworker or social worker – was, in fact, discussing patients and their health care information – I had a sinking feeling in my stomach. Does this really happen? Am I on some kind of brainy reality TV show for HIPAA professionals? How could two people sitting on the same couch have such different reactions to these phone calls? How could I be so appalled – and this woman be oblivious and even pleased to be accomplishing so much?

I’ll tell you why: awareness and training.

I think about HIPAA all the time. I follow HIPAA settlements and headlines daily, blog about them, and build training programs and policies around them. So, I see HIPAA everywhere.

I don’t know what kind of HIPAA training my couch neighbor has had. It could be she was trained extensively and chose to ignore the advice. Or perhaps it is more likely that she wasn’t trained on HIPAA – or at least, not recently – and not on protecting patient privacy when working remotely.

What about your staff? Would they know what to do?


  1. As someone who flies a lot for the SCCE and HCCA I see this frequently in airports and on planes.

    Organizations spend a fortune on privacy and then employees chat away on cellphones, not just about confidential patient information but all kinds of things about their business.

    Privacy screens on computers help, but they don’t block out everything. I will never forget in a previous job coming home from a legal conference and the sales person next to me had, obviously, been at the same event. She spent most of the flight writing up conversations she had with prospects. If my company had been a competitor of hers, it would have been a gold mine.

    Sadly, the only thing that would work is what few companies would do: say no business discussions or sharing of confidential information when in public places.

    Thanks for raising this issue.

  2. Adam,
    Thanks for taking the time to read, and to weigh in. Part of our culture is the convenience and ability to work anywhere, any time. But it is a HIPAA disaster (and a trade secret nightmare, as you aptly pointed out). Sometimes closing the laptop is common sense for more than one reason.

  3. At times I think that we are pushed to get too much done in the “work day” so without thinking we do things that we know not to do in order to show that we are “productive” and working? for our company and what the company wants us to do.

    • Carolyn, it’s the American way! There is so much pressure to be “productive” and “good employees” – so many HIPAA hypotheticals – of breaches – start with a well-meaning employee. It’s a challenging culture. Thank you for sharing your thoughts!

  4. You and I are very much alike, Margaret. I would have the same reaction as you! Some of my best friends work in the healthcare field and as a HIPAA fanatic myself, I try to avoid the stories they share at all costs. We work at different healthcare institutions and I like to think none of the employees at my institution would be doing this. Raising awareness is key! I would love to be a guest speaker (or a fly on the wall!) at one of their HIPAA trainings to see how different the trainings really are.

    • Jenna, I, too, am continuously surprised at how different healthcare space seems to be when it comes to HIPAA! As a professional and as a patient, it seems I’ve seen it all – and can really take for granted the constant HIPAA mindset. I really do think it will get easier for everyone when the training gets more pervasive and more practical! Thank you for weighing in.

  5. Excellent article pointing out a chronic issue taking place at thousands of coffeehouses, yoga studios and hospital lunch spots every day! I often wonder if the liberal use and non-filtering of cellphone conversations, or being oblivious that HIPAA integrity applies outside of office confines is to blame? I keep my compliance hat on at all times and have politely reminded those that I’ve overheard sharing confidential information that they need to be more observant of their surroundings and save their conversations to a more private environment. I agree with you that organizations need to firmly reinforce that no discussions should take place in public places. Breaches are committed by individuals, and each of us needs to bear that responsibility.
