In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted into law. This law has had a significant impact on the health care industry including the need for numerous changes in the way we communicate with our patients, their families, and with each other. This law provides rights to patients and safeguards for employees. It affects everyone in a health care setting. Since the days in which the Nightingale Pledge was written, nursing has stressed the importance of confidentiality regarding all patient matters. The current Code of Ethics for Nurses (ANA, 2001) is clear in intent and meaning as it relates to the nurse’s role in promoting and advocating for patient’s rights related to privacy and confidentiality. For nurses, HIPAA is an endorsement of our previously articulated responsibility to our patients. The purpose of this article is to remind nurses of the importance of keeping patient information private. This reminder will come first as HIPAA is reviewed and the implications of this Act for nurses are discussed. The reminder will also come as challenges to maintaining privacy and strategies for promoting privacy are presented.
Key words: HIPAA, patient’s rights, Code of Ethics, confidentiality, health insurance
Privacy and confidentiality are basic rights in our society. Safeguarding those rights, with respect to an individual’s personal health information, is our ethical and legal obligation as health care providers. Doing so in today’s health care environment is increasingly challenging.
Every nurse understands and respects the need for patient confidentiality. As professionals, our connection to our patients and our colleagues depends on it. But, the truth is, advanced technology, new demands in health care, and developments in the world-at-large, make it more and more difficult to keep this promise. But keep it we must!
As nurses, through the Nightingale Pledge and all subsequent nursing codes, we have identified the need for confidentiality; we made this point long before national legislation was ever contemplated. The Code for Nurses, published by the American Nurses Association (ANA) Ethics Committees, "is the standard by which ethical conduct is guided and evaluated by the profession" (ANA, 1994, p.1). Provision 3 of the current Code of Ethics for Nurses states: "The nurse promotes, advocates for, and strives to protect the health, safety, and rights of the patient" (ANA, 2001). The interpretive statements, 3.1 and 3.2, are explicit in their language regarding privacy and confidentiality (ANA, 2001) (Exhibit A), and should be used by nurses to guide clinical practice and to set organizational policy.
As health care workers, we see and hear confidential information every day. Our practice is full of this kind of information. Occasionally, we become so comfortable with patient information that it can be easy to forget how important it is to keep information private. Thus, it is important to review the Privacy Section of the Health Insurance Portability and Accountability Act (HIPAA) and use it to identify opportunities to better protect patient confidentiality. This article will remind nurses about the importance of keeping patient information private. This reminder will come first as HIPAA is reviewed and the implications of this Act for nurses are discussed. The reminder will also come as challenges to maintaining privacy and strategies for promoting privacy are presented.
Health Insurance Portability and Accountability Act
HIPAA, or the Health Insurance Portability and Accountability Act (Public Law 104-191), was the first national legislation to assure every patient across the nation protection of their health insurance information. The privacy portion of the new law limits those who may have access to a patient’s health information and how it may be used. Hospitals and providers may use this information only for treatment, obtaining payment for care, and for specified operational purposes like improving quality of care. They must inform patients in writing of how their health data will be used; establish systems to track disclosure; and allow patients to review, obtain copies, and amend their own health information.
HIPAA established standards and requirements for the electronic transmission of certain health information (eligibility requirements, referrals to other physicians, and health claims) (American Hospital Association, 2002). HIPAA protects a patient’s rights to the confidentiality of his/her medical information and, for the first time, creates federal civil and criminal penalties for improper use or disclosure of protected health information.
Understanding the full meaning of the word confidentiality is key to ensuring a successful rollout of HIPAA and any policy or training that results from the introduction of this law. Confidentiality applies to protected patient information, including basic identifiers of the patient’s past, present, or future physical or mental health conditions, including the provision of health services and payment for those services. Under this law, patients are given significant new rights to understand and control how their health information and insurance is used or shared (American Hospital Association, 2002).
Before reviewing the implications of HIPAA for nurses, it is important to understand a patient’s health information (record) from a conceptual framework. The patient’s health record is the collection of all health information in all media generated on a patient under a unique personal identifier and across the continuum of care. The record is created for every patient who receives treatment, care, or services at each institution or health network, and is maintained for the primary purpose of providing patient care. In addition, it is used for financial and other administrative processes, outcome measurement, research, education, patient self-management, disease prevention, and public health activities. The record contains sufficient information to identify the patient, support the diagnosis(es), justify the treatment, document the course and results of treatments, and facilitate the continuity of each patient’s care. The health information or data contained in the record belongs to the patient even though the physical record (either electronic or paper) belongs to the institution.
HIPAA’s Implications for Nurses
Establishing and maintaining patients’ trust in their caregivers is critical to obtaining a complete history, an accurate health record, and carrying out an effective treatment plan. If a nurse fails to protect the patient’s privacy, the resulting erosion of trust can have dire consequences for the nurse/patient relationship.
At the same time, the reality of the world in which we practice raises troubling confidentiality questions:
- Nurses are frequently put in the tenuous position of being asked for patient information by patient’s families and well-wishers. An example is another employee checking to see how a friend is doing. On the surface this seems harmless. But, is it really?
- A key patient safety initiative is improved labeling of drugs and devices. IV bags and medicines are now routinely labeled with the patient’s name, a step we take to assure we are delivering the right care to the right patient. When they are discarded in open trash receptacles in patient rooms, have we compromised the patient’s confidentiality?
- Busy, frequently overcrowded, hospitals are less than perfect environments. Conversations with patients can easily be overheard. What can we do to lessen the chances of inadvertent disclosure?
- Are we confident that we have correctly determined who "needs-to-know" for every patient? How are we teaching the next generation of caregivers to think about confidentiality? Are there new tools we can give them?
- The consumer can access almost anything on the Internet today. Sophisticated search engines enable us to find everything ever written about any person or topic. Equally sophisticated efforts must be made by health care providers to prevent unauthorized access to patient information. How much information should we provide and what can we provide under HIPAA? What would our patients prefer?
Our commitment to protecting patients’ privacy must advance from the abstract realm of tacit understanding to a more conscious, active, and visible place. We need to let our colleagues know that we will not engage in, nor will we tolerate in others, anything less than full compliance (personal communication, Massachusetts General Hospital Privacy and Confidentiality Committee, 2004)(Exhibit B).
There are two criteria to always come back to in discussions about confidentiality. One is to ask yourself, "What would I want if it were my medical information in question?" The other is to ask yourself, "Do I really need-to-know this information in order to do my job?" Most of the time, if you have to ask, you probably don’t need-to-know.
Challenges of Maintaining Privacy and Confidentiality
Knowing the difference between privacy and confidentiality can be confusing. Privacy is the right of individuals to keep information about themselves from being disclosed; that is, people (our patients) are in control of others’ access to themselves or information about themselves. Patients decide who, when, and where to share their health information. On the other hand, confidentiality is how we, as nurses, treat private information once it has been disclosed to others or ourselves. This disclosure of information usually results from a relationship of trust; it assumes that health information is given with the expectation that it will not be divulged except in ways that have been previously agreed upon, e.g., for treatment, for payment of services, or for use in monitoring the quality of care that is being delivered. With the increasing use of technology for the provision of care in our fast-paced clinical environments, maintaining privacy and confidentiality can be a daunting task.
The Impact of Technology
Electronic messaging and new computer technology, though quick and efficient, might not be as secure as we would want it to be. This is an unfortunate reality, but one we must consider. If it is not absolutely necessary to include patients’ names in electronic correspondences, then we should refrain from doing so. We must be smart and sensitive when communicating patient information, be it by fax, telephone, email, or other technologies yet to be developed (Ives Erickson, 1999). When communicating with another clinician, remember this:
- Others besides the addressee may process messages during addressee’s usual business hours or during addressee’s vacation or illness
- Electronic messages can occasionally go to the wrong party
- Electronic communication can be accessed from various locations
- Information written by one clinician may be sent electronically to other care providers
- The Internet does not typically provide a secure medium for transporting confidential information unless both parties are using encryption technologies.
Fax machines are perhaps the least secure technology when it comes to transmitting patient information. Certain types of information are prohibited by law from being faxed outside of an institution without appropriate written authorization, e.g., genetic test results, HIV information, and sexual assault counseling. All fax cover sheets should contain the standard warning that reads: "The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify me immediately and destroy all copies of this message and any attachments."
Palm Pilots, PDAs, and BlackBerries are an exploding technology. Many clinicians have health information stored or available on these hand-held devices. Yet, how many users have their PDAs password-protected in order to prevent access if the device is inadvertently left somewhere?
Busy People Cutting Corners
It is not enough anymore to assume we’re maintaining confidentiality as we go about our daily work. There are too many opportunities for private information to be inadvertently read, faxed, overheard, transmitted, or otherwise unintentionally disclosed. As nurses and as leaders of the health care industry, we need to sharpen our awareness and redouble our efforts to protect our patients’ rights to privacy (American Hospital Association, 2002).
Each of us has witnessed situations that demonstrate this point. For example, as you’ve walked through a hospital, health center, or ambulatory practice, have you ever seen a trash bag that has been accidentally ripped open, and there on the floor in front of you is patient information? The person who discarded this information did so with the best of intentions, never foreseeing that it would re-surface in a torn-up trash bag. Confidential papers should be appropriately disposed of, e.g., torn or shredded, when they are no longer needed. Yet, how many times is this not done?
Now, think back on rides you’ve taken in an elevator along with other health care employees and a few visitors. How often have you overheard clinicians discussing a patient in a code situation, not mentioning the patient’s name, but talking in great detail about the specifics of the case? Though they never identify the patient by name, the discussion still breaches a very important aspect of our code of conduct. It creates the perception that we don’t care about confidentiality.
It is clear in confidentiality guidelines that, "Patient information should not be discussed where others can overhear the conversation (in hallways, on elevators, in the cafeteria, in restaurants, etc.). It is not okay to discuss clinical information in public areas even if a patient’s name is not used. This can raise doubts among patients and visitors about our respect for their privacy" (personal communication, Massachusetts General Hospital, Privacy and Confidentiality Committee, 2004). If you put yourself in the patient’s place, you’ll agree that this raises serious doubts about the employee’s commitment to confidentiality.
Strategies for Promoting Privacy
Many view the extra steps that nurses may need to take in their commitment to assuring privacy as a burden. But, in reality, who is better positioned than nurses to advocate for patient privacy and safety? Thinking with a patient-first philosophy, our work puts us in a position of strength. For example, on the patient care units, nurses routinely field calls from patients’ families and friends, and occasionally the media, who are inquiring about a patient’s status and prognosis. Nurses are strategically placed in managing this personal patient information. If the caller is a member of your organization’s public relations department, but a person you don’t know, you can say, "I’ll call you back in your office." This ensures that the person calling you is who he says he is. Remember: it is the patient’s right to decide what information is shared about them and when.
In clinical care a patient’s condition can change at a moment’s notice. Imagine this situation -- a patient assigned to a semi-private room takes a sudden turn for the worse and it becomes apparent that death is near. Nurses are empowered to make the necessary changes in bed and room assignments to afford patients and families the privacy that is warranted in a particular patient care situation. Again, this puts nursing in a position of strength.
However, what if a private room can't be found and the patient's roommate objects to having the roommate's family spend the night because they feel unsafe? As nurses, we need to balance patient safety and treatment with a respect for privacy. If you must choose, always choose patient safety first. Use your professional judgment to move this added demand from a perception of extra work to a position of strength in patient advocacy.
The following are other strategies to address confidentiality challenges facing nurses.
- Communication with family members – always keep the patient’s best interest in mind. This may translate into adequately informing long-distance family members so they are able to properly respond and support elderly or demented parent’s needs. Verify identity as legal guardian or executor, if necessary.
- Never assume you have the right to look at any type of health information unless you need it in order to do your job. HIPAA assumes there is a need-to-know. For example, co-workers’ phone numbers for personal reasons may be looked up by the interested party on the Internet or the phone book. Phone numbers needed for work-related reasons may be obtained from the supervisor or the employee database if you have been authorized for access. Always ask yourself, "Do I need-to-know this information?" Need-to-Know is defined as that which is necessary for one to adequately perform one's specific job responsibilities.
- Hold your colleagues as accountable as you hold yourself when it comes to respecting patient privacy. When you see a nurse or physician carrying progress notes on their tray in the cafeteria for others to see, gently and politely remind them to turn them over in the name of confidentiality. When you are hearing a conversation between two care providers in the elevator or the hospital shuttle, politely ask them to please continue their discussion in a private area.
- Be a privacy mentor to nursing students just starting out in the profession. For example, keep medical records closed on desktops, close out results on computer screens, send out text paging with minimum necessary information (last name, first initial), restrict excessive printing of health information from computers, and restrict the removal of all copies of health information from the hospital, even if reports have been de-identified.
- Stand up to peer pressure when friends or neighbors ask you to do a favor by obtaining for them copies of their records or copies of a family member’s records. Always get written authorization and follow proper procedure. In many organizations, failure to follow proper procedures regarding release of information may result in disciplinary action, up to and including termination of employment or suspension of privileges.
If in doubt when releasing health information to patients, confer with your health information services department or privacy office for advice and assistance. Use opportunities to share Confidentiality Quizzes (Exhibit C) in order to educate staff. There are guidelines in place to help reduce risk for you and the hospital while meeting patients’ needs – know and use these guidelines.
Patient confidentiality is a sacred trust. Nurses are important in ensuring that organizations create an environment to safeguard patients’ rights to confidentiality. As stated in the ANA Code of Ethics, "The nurse advocates for an environment that provides for sufficient physical privacy, including auditory privacy for discussions of a personal nature and policies and practices that protect the confidentiality of information" (ANA, 2001). The table lists the website for this Code of Ethics along with other websites that can guide the nurse in maintaining patient privacy and confidentiality.
Our patient’s health record serves as the instrument of care. Increased regulatory scrutiny has emerged to protect the rights of the patient which, in turn, has allowed the patient to be the recognized owner of his or her care. Nurses, physicians, and all who provide care, are entrusted with the patient’s health information solely to be of service to that patient.
It is our duty to protect the well-being of those who are entrusted to our care. Protecting the integrity of the nurse-patient relationship and patient rights is a sacred trust. It is also our duty to periodically remind other nurses of the importance of keeping patient information private. This reminder has come in this article as HIPAA has been reviewed and the implications of this Act for nurses have been discussed. The reminder has also come as challenges to maintaining privacy and strategies for promoting privacy have been presented…and presented again.

Author Note: The authors would like to thank Deborah Colton, Marianne Ditomassi, Debra Adair, and Eileen Bryan.
Exhibit A. American Nurses Association Code of Ethics, Provision 3
Exhibit B. Confidentiality Reminders...
Exhibit C. Confidentiality Awareness Quiz
Source/Used with permission: Adapted from Massachusetts General Hospital Privacy and Confidentiality Committee, Eileen Bryan, Privacy Manager
Table 1. Recommended Websites Discussing HIPAA
ANA Code of Ethics
U.S. Department of Health & Human Services
Centers for Medicare & Medicaid Services
Phoenix Health Systems
Washington Publishing Company
American Medical Association
American Academy of Family Physicians
Health Resources and Services Administration
TRICARE/Military Health System (Office of the Assistant Secretary of Defense)
American Hospital Association
Jeanette Ives Erickson, RN, MS
Jeanette Ives Erickson is Senior Vice President for Patient Care and Chief Nurse at the Massachusetts General Hospital, Assistant Professor at the Massachusetts General Hospital Institute of Health Professions, Teaching Associate at Harvard Medical School, Visiting Scholar at Boston College, and Senior Associate at The Institute for Nursing Healthcare Leadership. She is a graduate of Mercy Hospital School of Nursing, Portland, Maine; Westbrook College, Portland, Maine; and Boston University Graduate School of Nursing, Boston, Massachusetts.
Ives Erickson is a member of the American Organization of Nurse Executives (AONE) and was elected to the AONE Nominations Committee for 2002-2003. She is the inaugural recipient of AONE’s Prism Award in 2003 for the impact she has made in creating a culturally-sensitive environment for patients and staff. She was awarded an inaugural fellowship in the Robert Wood Johnson (RWJ) Executive Nurse Fellows Program in 1998. Today she is a member of the National Advisory Committee, and a member of the RWJ Executive Nurse Leadership Board, the newly formed RWJ alumni association. Ives Erickson was one of fifty-five successful women featured in Dr. Sylvia Rimm’s New York Times Bestseller, How Jane Won, published in 2001.
Sally Millar, RN, MBA
Sally Millar is presently Director of Patient Care Services Information Systems and the Office of Patient Advocacy at the Massachusetts General Hospital. She is also co-chair of the Partners Healthcare System Confidentiality Program. Sally’s clinical background has included Staff Nurse in the Cardiac Surgical Intensive Care Unit and Head Nurse in the Respiratory/Surgical Intensive Care Unit. Sally is a past-president of the Massachusetts Organization of Nurse Executives (MONE). In 1998 she was awarded the Elaine K. Sherwood Service Award from MONE. She was President of the American Association of Critical-Care Nurses in 1981 and was awarded lifetime membership in AACN. She received her RN Diploma from Saint Joseph Hospital School of Nursing, Joliet, IL and her MBA from Simmons College Graduate School of Management, Boston, MA.
Article published May 31, 2005
American Hospital Association. (2002). HIPAA Privacy Standards. Retrieved January 21, 2005 from www.hospitalconnect.com/hospitalconnect/jsp/keyissues.jsp?topic=HIPAA.
American Nurses Association. (2001, February). Code of Ethics for Nurses. Retrieved March 24, 2005 from www.nursingworld.org/MainMenuCategories/ThePracticeofProfessionalNursing/EthicsStandards/CodeofEthics/AboutTheCode.aspx.
U.S. Department of Health and Human Services Office for Civil Rights. (n.d.). Privacy and your health information. Retrieved March 24, 2005 from www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/consumer_summary.pdf