Privacy and confidentiality are basic rights in our society. Safeguarding those rights, with respect to an individual’s personal health information, is our ethical and legal obligation as health care providers. Doing so in today’s health care environment is increasingly challenging.

Every nurse understands and respects the need for patient confidentiality. As professionals, our connection to our patients and our colleagues depends on it. But, the truth is, advanced technology, new demands in health care, and developments in the world-at-large, make it more and more difficult to keep this promise. But keep it we must!

As nurses, through the Nightingale Pledge and all subsequent nursing codes, we have identified the need for confidentiality; we made this point long before national legislation was ever contemplated. The Code for Nurses, published by the American Nurses Association (ANA) Ethics Committees, "is the standard by which ethical conduct is guided and evaluated by the profession" (ANA, 1994, p.1). Provision 3 of the current Code of Ethics for Nurses states: "The nurse promotes, advocates for, and strives to protect the health, safety, and rights of the patient" (ANA, 2001). The interpretive statements, 3.1 and 3.2, are explicit in their language regarding privacy and confidentiality (ANA, 2001) (Exhibit A), and should be used by nurses to guide clinical practice and to set organizational policy.

As health care workers, we see and hear confidential information every day.

As health care workers, we see and hear confidential information every day. Our practice is full of this kind of information. Occasionally, we become so comfortable with patient information that it can be easy to forget how important it is to keep information private. Thus, it is important to review the Privacy Section of the Health Insurance Portability and Accountability Act (HIPAA) and use it to identify opportunities to better protect patient confidentiality. This article will remind nurses about the importance of keeping patient information private. This reminder will come first as HIPAA is reviewed and the implications of this Act for nurses are discussed. The reminder will also come as challenges to maintaining privacy and strategies for promoting privacy are presented.

Health Insurance Portability and Accountability Act

HIPAA, or the Health Insurance Portability and Accountability Act (Public Law 104-191), was the first national legislation to assure every patient across the nation protection of their health insurance information. The privacy portion of the new law limits those who may have access to a patient’s health information and how it may be used. Hospitals and providers may use this information only for treatment, obtaining payment for care, and for specified operational purposes like improving quality of care. They must inform patients in writing of how their health data will be used; establish systems to track disclosure; and allow patients to review, obtain copies, and amend their own health information.

HIPAA established standards and requirements for the electronic transmission of certain health information (eligibility requirements, referrals to other physicians, and health claims) (American Hospital Association, 2002). HIPAA protects a patient’s rights to the confidentiality of his/her medical information and, for the first time, creates federal civil and criminal penalties for improper use or disclosure of protected health information.

The health information or data contained in the record belongs to the patient.

Understanding the full meaning of the word confidentiality is key to ensuring a successful rollout of HIPAA and any policy or training that results from the introduction of this law. Confidentiality applies to protected patient information, including basic identifiers of the patient’s past, present, or future physical or mental health conditions, including the provision of health services and payment for those services. Under this law, patients are given significant new rights to understand and control how their health information and insurance is used or shared (American Hospital Association, 2002).

Before reviewing the implications of HIPAA for nurses, it is important to understand a patient’s health information (record) from a conceptual framework. The patient’s health record is the collection of all health information in all media generated on a patient under a unique personal identifier and across the continuum of care. The record is created for every patient who receives treatment, care, or services at each institution or health network, and is maintained for the primary purpose of providing patient care. In addition, it is used for financial and other administrative processes, outcome measurement, research, education, patient self-management, disease prevention, and public health activities. The record contains sufficient information to identify the patient, support the diagnosis(es), justify the treatment, document the course and results of treatments, and facilitate the continuity of each patient’s care. The health information or data contained in the record belongs to the patient even though the physical record (either electronic or paper) belongs to the institution.

HIPAA’s Implications for Nurses

...the reality of the world in which we practice raises troubling confidentiality questions.

Establishing and maintaining patients’ trust in their caregivers is critical to obtaining a complete history, an accurate health record, and carrying out an effective treatment plan. If a nurse fails to protect the patient’s privacy, the erosion in the relationship can have dire consequences to the nurse/patient relationship.

At the same time, the reality of the world in which we practice raises troubling confidentiality questions:

• Nurses are frequently put in the tenuous position of being asked for patient information by patient’s families and well-wishers. An example is another employee checking to see how a friend is doing. On the surface this seems harmless. But, is it really?
• A key patient safety initiative is better improved labeling of drugs and devices. IV bags and medicines are now routinely labeled with the patient’s name, a step we take to assure we are delivering the right care to the right patient. When they are discarded in open trash receptacles in patient rooms, have we compromised the patient’s confidentiality?
• Busy, frequently overcrowded, hospitals are less than perfect environments. Conversations with patients can easily be overheard. What can we do to lessen the chances of inadvertent disclosure?
• Are we confident that we have correctly determined who "needs-to-know" for every patient? How are we teaching the next generation of caregivers to think about confidentiality? Are there new tools we can give them?
• The consumer can access almost anything on the Internet today. Sophisticated search engines enable us to find everything ever written about any person or topic. Equally sophisticated efforts must be made by health care providers to prevent unauthorized access to patient information. How much information should we provide and what can we provide under HIPAA? What would our patients prefer?

Most of the time, if you have to ask, you probably don't need-to-know.

Our commitment to protecting patients’ privacy must advance from the abstract realm of tacit understanding to a more conscious, active, and visible place. We need to let our colleagues know that we will not engage in, nor will we tolerate in others, anything less than full compliance (personal communication, Massachusetts General Hospital Privacy and Confidentiality Committee, 2004)(Exhibit B).

There are two criteria to always come back to in discussions about confidentiality. One is to ask yourself, "What you would want if it were your medical information in question?" The other is to ask yourself, "Do I really need-to-know this information in order to do my job?" Most of the time, if you have to ask, you probably don’t need-to-know.

Challenges of Maintaining Privacy and Confidentiality

Knowing the difference between privacy and confidentiality can be confusing.

Knowing the difference between privacy and confidentiality can be confusing. Privacy is the right of individuals to keep information about themselves from being disclosed; that is, people (our patients) are in control of others access to themselves or information about themselves. Patients decide who, when, and where to share their health information. On the other hand, confidentiality is how we, as nurses, treat private information once it has been disclosed to others or ourselves. This disclosure of information usually results from a relationship of trust; it assumes that health information is given with the expectation that it will not be divulged except in ways that have been previously agreed upon, e.g., for treatment, for payment of services, or for use in monitoring the quality of care that is being delivered. With the increasing use of technology for the provision of care in our fast-paced clinical environments, maintaining privacy and confidentiality can be a daunting task.

The Impact of Technology

Electronic messaging and new computer technology, though quick and efficient, might not be as secure as we would want it to be. This is an unfortunate reality, but one we must consider. If it is not absolutely necessary to include patients’ names in electronic correspondences, then we should refrain from doing so. We must be smart and sensitive when communicating patient information, be it by fax, telephone, email, or other technologies yet to be developed (Ives Erickson, 1999). When communicating with another clinician, remember this:

• Others besides the addressee may process messages during addressee’s usual business hours or during addressee’s vacation or illness
• Electronic messages can occasionally go to the wrong party
• Electronic communication can be accessed from various locations
• Information written by one clinician may be sent electronically to other care providers
• The Internet does not typically provide a secure media for transporting confidential information unless both parties are using encryption technologies.

Fax machines are perhaps the least secure technology when it comes to transmitting patient information. Certain types of information are prohibited by law from being faxed outside of an institution without appropriate written authorization, e.g., genetic test results, HIV information, and sexual assault counseling. All fax cover sheets should contain the standard warning that reads: "The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify me immediately and destroy all copies of this message and any attachments."

Palm pilots, PDAs, and Blackberries are an exploding technology. Many clinicians have health information stored or available on these hand-held devices. Yet, how many users have their PDA’s password protected in order to prevent access if the device is inadvertently left somewhere?

Busy People Cutting Corners

It is not enough anymore to assume we’re maintaining confidentiality as we go about our daily work. There are too many opportunities for private information to be inadvertently read, faxed, overheard, transmitted, or otherwise unintentionally disclosed. As nurses and as leaders of the health care industry, we need to sharpen our awareness and redouble our efforts to protect our patients’ rights to privacy (American Hospital Association, 2002).

Each of us has witnessed situations that demonstrate this point. For example, as you’ve walked through a hospital, health center, or ambulatory practice, have you ever seen a trash bag that has been accidentally ripped open, and there on the floor in front of you is patient information? The person who discarded this information did so with the best of intentions, never foreseeing that it would re-surface in a torn-up trash bag. Confidential papers should be appropriately disposed of, e.g., torn or shredded, when they are no longer needed. Yet, how many times is this not done?

Now, think back on rides you’ve taken in an elevator along with other health care employees and a few visitors. How often have you overheard clinicians discussing a patient in a code situation, not mentioning the patient’s name, but talking in great detail about the specifics of the case? Though they never identify the patient by name, the discussion still breaches a very important aspect of our code of conduct. It creates the perception that we don’t care about confidentiality.

It is clear in confidentiality guidelines that, "Patient information should not be discussed where others can overhear the conversation (in hallways, on elevators, in the cafeteria, in restaurants, etc.). It is not okay to discuss clinical information in public areas even if a patient’s name is not used. This can raise doubts among patients and visitors about our respect for their privacy" (personal communication, Massachusetts General Hospital, Privacy and Confidentiality Committee, 2004). If you put yourself in the patient’s place, you’ll agree that this raises serious doubts about the employee’s commitment to confidentiality.

Strategies for Promoting Privacy

...it is the patient's right to decide what information is shared about them and when.

Many view the extra steps that may need to be taken by nurses in the commitment to assuring privacy to be a burden. But, in reality, who is better positioned than nurses to advocate for patient privacy and safety? Thinking with a patient-first philosophy, our work puts us in a position of strength. For example, on the patient care units, nurses routinely field calls from patients’ families and friends, and occasionally the media, who are inquiring about a patient’s status and prognosis. Nurses are strategically placed in managing this personal patient information. If it is a member of your organization’s public relations department, but a person you don't know, you can say, "I'll call you back in your office." This ensures that the person calling you is who he says he is. Remember: it is the patient’s right to decide what information is shared about them and when.

As nurses, we need to balance patient safety and treatment with a respect for privacy. If you must choose, always choose patient safety first.

In clinical care a patient’s condition can change at a moment’s notice. Imagine this situation -- a patient assigned to a semi-private room takes a sudden turn for the worse and it becomes apparent that death is near. Nurses are empowered to make the necessary changes in bed and room assignments to afford patients and families the privacy that is warranted in a particular patient care situation. Again, this puts nursing in a position of strength.

However, what if a private room can't be found and the patient's roommate objects to having the roommate's family spend the night because they feel unsafe? As nurses, we need to balance patient safety and treatment with a respect for privacy. If you must choose, always choose patient safety first. Use your professional judgment that moves this added demand from a perception of extra work to a position of strength in patient advocacy.

The following are other strategies to address confidentiality challenges facing nurses.

• Communication with family members – always keep the patient’s best interest in mind. This may translate into adequately informing long-distance family members so they are able to properly respond and support elderly or demented parent’s needs. Verify identity as legal guardian or executor, if necessary.
• Never assume you have the right to look at any type of health information unless you need it in order to do your job. HIPAA assumes there is a need-to-know. For example, co-workers’ phone numbers for personal reasons may be looked up by the interested party on the Internet or the phone book. Phone numbers needed for work-related reasons may be obtained from the supervisor or the employee database if you have been authorized for access. Always ask yourself, "Do I need-to-know this information?" Need-to-Know is defined as that which is necessary for one to adequately perform one's specific job responsibilities.
• Hold your colleagues as accountable as you hold yourself when it comes to respecting patient privacy. When you see a nurse or physician carrying progress notes on their tray in the cafeteria for others to see, gently and politely remind them to turn them over in the name of confidentiality. When you are hearing a conversation between two care providers in the elevator or the hospital shuttle, politely ask them to please continue their discussion in a private area.
• Be a privacy mentor to nursing students just starting out in the profession. For example, keep medical records closed on desktops, close out results on computer screens, send out text paging with minimum necessary information (last name first initial), restrict excessive printing of health information from computers, restrict the removal of all copies of health information from the hospital, even if reports have been de-identified.
• Stand up to peer pressure when friends or neighbors ask you to do a favor by obtaining for them copies of their records or copies of a family member’s records. Always get written authorization and follow proper procedure. In many organizations, failure to follow proper procedures regarding release of information may result in disciplinary action, up to and including termination of employment or suspension of privileges.

If in doubt when releasing health information to patients, confer with your health information services department or privacy office for advice and assistance. Use opportunities to share Confidentiality Quizzes (Exhibit C) in order to educate staff. There are guidelines in place to help reduce risk for you and the hospital while meeting patients’ needs – know and use these guidelines.

Summary

Nurses, physicians, and all who provide care, are entrusted with the patient’s health information solely to be of service to that patient.

Patient confidentiality is a sacred trust. Nurses are important in ensuring that organizations create an environment to safeguard patients’ rights to confidentiality. As stated in the ANA Code of Ethics, "The nurse advocates for an environment that provides for sufficient physical privacy, including auditory privacy for discussions of a personal nature and policies and practices that protect the confidentiality of information" (ANA, 2001). The table lists the website for this Code of Ethics along with other websites that can guide the nurse in maintaining patient privacy and confidentiality.

Our patient’s health record serves as the instrument of care. Increased regulatory scrutiny has emerged to protect the rights of the patient which, in turn, has allowed the patient to be the recognized owner of his or her care. Nurses, physicians, and all who provide care, are entrusted with the patient’s health information solely to be of service to that patient.

It is our duty to protect the well being of those who are entrusted to our care. Protecting the integrity of the nurse-patient relationship and patient rights is a sacred trust. It is also our duty to periodically remind other nurses of the importance of keeping patient information private. This reminder has come in this article as HIPAA has been reviewed and the implications of this Act for nurses have been discussed. The reminder has also come as challenges to maintaining privacy and strategies for promoting privacy have been presented…and presented again.

Author Note: The authors would like to thank Deborah Colton, Marianne Ditomassi, Debra Adair, and Eileen Bryan.

Exhibit A.   American Nurses Association Code of Ethics, Provision 3

3. The nurse promotes, advocates for, and strives to protect, the health, safety, and rights of the patient. 3.1 Privacy The nurse safeguards the patient's right to privacy. The need for health care does not justify unwanted intrusion into the patient's life. The nurse advocates for an environment that provides for sufficient physical privacy, including auditory privacy for discussions of a personal nature and policies and practices that protect the confidentiality of information. 3.2 Confidentiality Associated with the right to privacy, the nurse has a duty to maintain confidentiality of all patient information. The patient's well being could be jeopardized and the fundamental trust between patient and nurse destroyed by unnecessary access to data or by the inappropriate disclosure of identifiable patient information. The rights, well being, and safety of the individual patient should be the primary factors in arriving at any professional judgment concerning the disposition of confidential information received from or about the patient, whether oral, written or electronic. The standard of nursing practice and the nurse's responsibility to provide quality care require that relevant data be shared with those members of the health care team who have a need to know. Only information pertinent to a patient's treatment and welfare is disclosed, and only to those directly involved with the patient's care. Duties of confidentiality, however, are not absolute and may need to be modified in order to protect the patient, other innocent parties, and in circumstances of mandatory disclosure for public health reasons. Information used for purposes of peer review, third-party payments, and other quality improvement or risk management mechanisms may be disclosed only under defined policies, mandates, or protocols. These written guidelines must assure that the rights, well being, and safety of the patient are protected. In general, only that information directly relevant to a task or specific responsibility should be disclosed. When using electronic communications, special effort should be made to maintain data security. (ANA, 2001)

Exhibit B.  Confidentiality Reminders...

Keep confidential all patient information including (but not limited to): patient's name, physical or psychological condition, emotional status, financial situation, and demographic information. Share patient information on a "need- to-know" basis according to medical necessity. Be mindful of your surroundings when discussing patient information. Avoid discussing patients in public places such as elevators, hallways, shuttle buses, public transportation, or social events. Keep confidential papers, reports, computer disks, and data in a secure place. Retrieve confidential papers from fax machines, copiers, mailboxes, conference rooms, and other publicly accessible locations as quickly as possible. Use technology such as fax machines and e-mail only to support patient care activities. Do not fax information to attorneys, employers, or patients. Always tear or shred paper copies of documents containing patient information. It is the responsibility of all staff to keep patient and hospital information totally confidential. Source/Used with permission: Massachusetts General Hospital, Boston, MA.

Exhibit C. Confidentiality Awareness Quiz

A patient named John has just completed his procedure and is wheeled into the recovery area. The nurse comes to talk with John about the procedure and to discuss discharge plans. There are other patients around them and a closed privacy curtain only separates them. Should the nurse have this discussion with the patient in the recovery room? Answer: Yes, this is considered an "incidental disclosure." It is unrealistic for care to always be provided in a private room. Incidental disclosure is when patients hear health information during the normal course of providing health care. This is not considered a HIPAA violation. Robert is the pastor of your church. He comes to you as you are leaving the Sunday service and tells you about a parishioner who is now an inpatient at your hospital. You are very goods friends with the pastor and he asks you to find out what her diagnosis and prognosis is. Because of your position you have access to this information. Can you look this up because your pastor asked you to? Answer: No, this is considered a breach of that patient’s confidentiality. If asked about anyone who is a patient, simply reply, "I’m sorry, out of respect to that patient, that information is confidential. Of course, if Mr. X tells me it is OK to share his health information, then I’m happy to do that An environmental worker is scrubbing the floor in a semi-private room when the nurse comes in to talk to a patient about discharge plans. The environmental worker overhears the nurse even though the curtain was pulled around for privacy. The worker recognizes the patient as a teacher at her son’s school. She hears the nurse tell him he has cancer and only weeks to live. The worker feels very badly and wants to tell her son and husband. What should the environmental worker do? What are the risks here? Answer: The environmental worker has to pretend that she never heard anything about this patient or that she even knows he is in the hospital. The worker should have signed an annually-signed confidentiality agreement that acknowledges she will keep any information she sees or hears in the course of doing her job confidential. You are an Orthopedic nurse at your hospital. Your spouse is here as an inpatient following exploratory surgery. You finish your work and go up to your spouse’s room to visit. Your spouse has not awakened from the procedure at this point. You go out to the nurses’ station and pull the chart. Is this allowed because you are her spouse and practice at this hospital? Answer: No, being the spouse does not give you special access, nor does having access to your hospital’s health system give you authorization. You must have a signed "Authorization to Release Information" form signed by your spouse giving you authorization to review the protected health information. One of your nurse colleagues is expecting and it’s been decided that you will organize the baby shower. Not having access to co-workers addresses, you only look in the demographics portion of the electronic medical record to obtain this information. You do not look at any clinical information. Would this be OK? Answer: No, even demographic (address, phone number, etc) information is considered protected health information under the privacy regulations and should not be accessed without approval of the patient. You are a nurse manager and one of your staff needs to be out on a medical leave for a minor procedure. She is expected to return in a week but calls and states she will need an additional week. You see her surgeon in the hallway the next day and ask him about the procedure and the additional time out of work. As her employer, do you have the right to ask this information? Answer: No. This is personal and protected health information that should not be requested without patient consent, even for employment reasons. There are no special privileges afforded to managers regarding the specific details of an employee’s health status. You have a very good friend who is a nurse practitioner and is away from the hospital on vacation. While she is out, her breast biopsy results come back. Because she had told you she was having this procedure, you felt it would be the right thing to do out of concern to look up her results and call her with this information. Is this appropriate? Answer: No, just because a colleague chooses to disclose certain portions of her health information with you, it does not mean you have the right to continue and follow up on any related results or findings. A patient came into the ED to be treated for depression. When asked by the triage nurse for his reason for the visit the patient refused to tell her until she would agree to take him to a confidential room to discuss one-on-one, rather than be interviewed at her own desk which was partitioned from the waiting area and the public. The nurse refused to take the patient to an individual room to speak to him so he reported that she had breached his confidentiality. Would this be a violation that the Office of Civil Rights (OCR) would penalize the hospital for? Under HIPAA, violations to the regulations may be investigated by the Department of Health and Human Services Office of Civil Rights (U.S. Department of Health and Human Services, n.d.). If an individual or organization is found to be non-compliant, penalties may occur, such as fines and imprisonment. Answer: No. They would review the hospital policy on triaging patients in the ED, they may even come by to see the area in which patients are interviewed. However, the OCR knows the urgent issues that arise in the ED and allows for flexibility in carrying out hospital operations that are both safe and appropriate for the patient and the staff. One of the roles of the triage nurse is to assess the patient's safety before bringing them to a room alone, this is optimal patient care in an ED situation. Because the triage desk was also constructed in a way to offer some separation and privacy to the patients being interviewed, this would also be in the hospital’s favor. Had she stood openly in the waiting room among other patients discussing details of his health information they would find fault with the lack of privacy measures. Source/Used with permission: Adapted from Massachusetts General Hospital Privacy and Confidentiality Committee, Eileen Bryan, Privacy Manager

Table. 1    Recommended Websites Discussing HIPAA
ANA Code of Ethics	www.nursingworld.org/MainMenuCategories/ ThePracticeofProfessionalNursing/EthicsStandards/ CodeofEthics/AboutTheCode.aspx
U.S. Department of Health & Human Services	www.hhs.gov
Centers for Medicare & Medicaid Services	www.cms.hhs.gov
Phoenix Health Systems	www.hipaadvisory.com
Washington Publishing Company	www.wpc-edi.com
American Medical Association	www.ama-assn.org
American Academy of Family Physicians	www.aafp.org
Health Resources and Services Administration	www.hrsa.gov
TRICARE/Military Health System (Office of the Assistant Secretary of Defense)	www.tricare.osd.mil/hipaa
American Hospital Association	www.hospitalconnect.com/aha/key_issues/hipaa

Authors

Jeanette Ives Erickson, RN, MS
E-mail: jiveserickson@partners.org

Jeanette Ives Erickson is Senior Vice President for Patient Care and Chief Nurse at the Massachusetts General Hospital, Assistant Professor at the Massachusetts General Hospital Institute of Health Professions, Teaching Associate at Harvard Medical School, Visiting Scholar at Boston College, and Senior Associate at The Institute for Nursing Healthcare Leadership. She is a graduate of Mercy Hospital School of Nursing, Portland, Maine; Westbrook College, Portland, Maine; and Boston University Graduate School of Nursing, Boston, Massachusetts.

Ives Erickson is a member of the American Organization of Nurse Executives (AONE) and was elected to the AONE Nominations Committee for 2002-2003. She is the inaugural recipient of AONE’s Prism Award in 2003 for the impact she has made in creating a culturally-sensitive environment for patients and staff. She was awarded an inaugural fellowship in the Robert Wood Johnson (RWJ) Executive Nurse Fellows Program in 1998. Today she is a member of the National Advisory Committee, and a member of the RWJ Executive Nurse Leadership Board, the newly formed RWJ alumni association. Ives Erickson was one of fifty-five successful women featured in Dr. Sylvia Rimm’s New York Times Bestseller, How Jane Won, published in 2001.

Sally Millar, RN, MBA
E-mail: smillar@partners.org

Sally Millar is presently Director of Patient Care Services Information Systems and the Office of Patient Advocacy at the Massachusetts General Hospital. She is also co-chair of the Partners Healthcare System Confidentiality Program. Sally’s clinical background has included Staff Nurse in the Cardiac Surgical Intensive Care Unit and Head Nurse in the Respiratory/Surgical Intensive Care Unit. Sally is a past-president of the Massachusetts Organization of Nurse Executives (MONE). In 1998 she was awarded the Elaine K. Sherwood Service Award from MONE. She was President of the American Association of Critical-Care Nurses in 1981 and was awarded lifetime membership in AACN. She received her RN Diploma from Saint Joseph Hospital School of Nursing, Joliet, IL and her MBA from Simmons College Graduate School of Management, Boston, MA.

---