To clarify the HIPAA law:
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."12 “Individually identifiable health information” is information, including demographic data, that relates to:
* the individual’s past, present or future physical or mental health or condition,
* the provision of health care to the individual, or
* the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13
So any hospital that releases the fact of birth in that hospital has confirmed health care was provided to that individual, and is liable under the law:
A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one-year imprisonment.89 The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Criminal sanctions will be enforced by the Department of Justice.
It doesn't matter if it was many years ago, or even if the patient involved was dead. It actually can get rather ridiculous, and at the least there should be a statute of limitiations on it, but as far as I know, there isn't.
Thanks for providing this.
ML/NJ