My husband and I took our 1 year old son to the local hospital Emergency Room last night. My mother in law knew we might take him and when she couldn't get ahold of us via phone, she assumed we were at the hospital and called them. The hospital staff member acknowledged my son was a patient and confirmed we were in the facility.

My problem is not the fact that my mother in law obtained information. My problem is that the hospital staff had absolutely no proof this was, in fact, my mother in law. I have a mentally unstable ex-husband who has a history of domestic violence against me, violating restraining order, jail/probation time and death threats. My son's safety was put in jeopardy when the hospital staff told the person on the phone we were there.

I spoke to the privacy officer at the hospital, he openly admitted fault and stated he was writing a report and would re-train staff. He also left me a message on my answering machine admitting fault.

Now, I work in the medical field, and I have always been taught during HIPAA training that you cannot even acknowledge a patient is a patient without written consent.
However, I have never worked in a hospital setting. Does the HIPPA law exclude the emergency room department? I know the privacy officer already admitted fault, but before I file an official complaint and open that can of worms I wanted to get your opinion, since you all know so much about this matter.

Also, if I do file a complaint and it is investigated and the hospital and/or staff member is fined, do I receive any of that monetary compensation? I attempted a call to DHS but they had no available staff and would not allow me to leave a message.

Thank you for your help!

Did they give out any medical information beyond that he was a patient there

If all they said was that your son was a patient, they are not violating HIPAA. When you sign into a hospital there is a privacy clause we refer to as NoPub, (No Publication), meaning you don't want AnYONE to know you are there. If you did not sign for the no publicity clause they are allowed to release the info that, only, that your son was or was not a patient there.

No, they did not give out any medical information. They did acknowledge him being a patient, which the privacy offcer said was wrong of them.

They are supposed to neither confirm nor deny he is there. The privacy officer told me they are supposed to say "I can't tell you if he's here but I can take your phone # and have them call you".

Also, the hospital never even told me someone called looking for my son.

Also, if I do file a complaint and it is investigated and the hospital and/or staff member is fined, do I receive any of that monetary compensation?

In a word, NO. You do not receive any compensation.

I wonder why the hospital privacy officer confirmed it as a HIPAA violation and wrote up an incident report?

No, they did not give out any medical information. They did acknowledge him being a patient, which the privacy offcer said was wrong of them.

They are supposed to neither confirm nor deny he is there. The privacy officer told me they are supposed to say "I can't tell you if he's here but I can take your phone # and have them call you".

Also, the hospital never even told me someone called looking for my son.

I work in a hospital, so if you are in the US, I can tell you that they can acknowledge that your son was a patient unless you requested that he be considered NoPUB by the privacy policies of most hospitals.

No, if you file a complaint, the employee that did ( if they did do anything wrong) would get a warning, attend education classes. The hospital may review its policies.

But call a hospital and ask to be connected to a room where you know someone is at

I walk up to the front desk every day of a hospital and ask what room is "so and so" in and they give me that info. There is no money that you get

I work in a hospital, so if you are in the US, I can tell you that they can acknowledge that your son was a patient unless you requested that he be considered NoPUB by the privacy policies of most hospitals.


Thank you for this information! Do you know if this applies to in-patient only or if it applies to any and all entity under the hospital umbrella?

This hospital is a joke and the privacy officer admitted fault, filed an incident report and will re-train staff on this matter. Also, while speaking to him, ne never mention NoPUB. I will look into it.

Thank you :)

No, if you file a complaint, the employee that did ( if they did do anything wrong) would get a warning, attend education classes. The hospital may review its policies.

But call a hospital and ask to be connected to a room where you know someone is at

I walk up to the front desk every day of a hospital and ask what room is "so and so" in and they give me that info.

Thank you!

I don't want anyone to get into a heap of trouble, I am just very concerned for my son's safety. I want to prevent this from happening again, ending in something unimaginable happening.

I know in-patient is different, you can obtain the room #, confirm care, etc. But I wonder about the ER facility, if that's under the same scope since he was never in patient.

And to be honest the privacy officer needed to investigate before making any judgement, and often they are not up on the laws, I have seen many that believe a lot of things protected that are not.

Different hospitals may have different rules, even more stringent then HIPAA. That could be what the person was referring to. Or he just told you that to make you feel better.

But the purpose of HIPAA is to provide medical care providers with rules to follow. Any violation of those rules may result in fines and disciplinary action. But not cash awards to the victims.

Different hospitals may have different rules, even more stringent then HIPAA. That could be what the person was referring to. Or he just told you that to make you feel better.

But the purpose of HIPAA is to provide medical care providers with rules to follow. Any violation of those rules may result in fines and disciplinary action. But not cash awards to the victims.

Thank you for the response, it was helpful. Considering the experiences I have had previously with the personnel at this specific hospital, I wouldn't be surprised if this privacy officer was mis-informed. I don't believe he was trying to make me feel better as he had to put it in writing and ensure staff are corrected.

I do not personally want a cash reward as there were obviously no damages nor personal expenses incurred on my behalf because of this. I was curious though.

Thank you very much for this information, it has helped me make a decision. I am not going to file an official HIPAA violation report with DHS. I rest assured knowing (hoping?) this will be an educational opportunity for hospital staff and perhaps it will prevent something more severe from happening in the future.