Effective Date: 2024
Status: Revised
Written by: ANA Center for Ethics and Human Rights
Adopted by: ANA Board of Directors
Purpose
The purpose of this position statement is to clarify nurses’ obligation to protect patients’ right to privacy and nurses’ duty of confidentiality. Recommendations to avoid breaches and violations are provided. Ongoing advances in technology, including electronic health records, medical and research databases, telehealth, social media, and other digital/web-based technologies have increased the risk of intentional and unintentional breaches of privacy and exposure of confidential information. Additionally, privacy rights can be affected by variability in state-based legislation. Concerns associated with technology-related breaches of confidential information are valid, yet the frequency of breaches that occur among clinicians during routine interactions in health care settings is of deeper concern.
Statement of ANA Position
The American Nurses Association (ANA) believes that protection of the right to privacy and the nurse’s duty to maintain confidentiality are foundational to the ethical obligation to respect individuals’ dignity and autonomy. This is a central means to foster and maintain the trusting relationship between health care providers and patients (ANA, 2015). ANA supports legislation, policies, and standards that protect rights to privacy as well as assure confidentiality of individually identifiable health information.
Recommendations
In keeping with the profession’s commitment to patient advocacy and the trust that is essential to the high-quality care patients expect from nurses, ANA supports the following recommendations concerning the obligation to protect patient privacy and ensure confidentiality. Health Insurance Portability and Accountability Act (HIPAA) compliance is a necessary but insufficient safeguard to maintain confidentiality and protect privacy due to limited protections in the statute. Therefore, professional standards and ethical practice establish a higher bar and should be followed accordingly. The ever-expanding capacity of new technology, consumer health applications, social media, cybersecurity, artificial intelligence, emerging applied science, and state-based legislative variability can outpace position statements. Therefore, nurses’ primary responsibilities in this context are to ensure patients understand their right to privacy and confidentiality, to think critically, to be alert to circumstances in which patients’ right to privacy and confidentiality may be at risk, and to act in ways that foster trust.
- Nurses should advocate for policies that ensure individuals’ right to privacy and protect against unwanted, unnecessary, or unwarranted intrusion into a person’s life.
- In the course of advocating for patients, nurses act to ensure privacy in the care environment as fully as possible so that patient privacy and confidentiality can be maintained.
- The patient’s right to confidentiality of individually identifiable health information is established statutorily with specific exceptions. Nurses should follow organizational policies that safeguard an individual’s right to decide to whom, to what extent, and under what circumstances their individually identifiable health information will be disclosed.
- Violations of privacy and breaches of confidentiality threaten patient welfare. Nurses act to address practices and behaviors that risk patients’ privacy and confidentiality, escalating the concern as necessary per organizational policy.
- Confidentiality protections should extend not only to health records but also to other individually identifiable health information, including oral reporting, clinical research records, images, and mental health and substance use disorder therapy/treatment notes. This protection should be maintained in the treatment setting and in all other venues.
- Patients should receive accurate information regarding federal legislation (e.g., HIPAA, the Genetic Information Nondiscrimination Act [GINA], and the 21st Century Cures Act) that addresses individually identifiable health information and any limitations, exceptions, or implications associated with legislation affecting the right to privacy and confidentiality.
- Patients have the right to access personal health information and to supplement that information with what is necessary to make informed decisions, to correct erroneous information, and to address discrepancies that they perceive.
- Patients should receive written, clear notification of how their health records are used and when their individually identifiable health information is disclosed to third parties.
- The use or disclosure of individually identifiable personal or health information without an individual’s informed consent is prohibited. Exceptions should be defined in organizational policy and permitted only if a person’s life is endangered, if there is a threat to the public, or if there is an existing legal requirement. In the case of such exceptions, information should be limited to the minimum necessary for the situation.
- In the context of public health efforts or clinical, medical, nursing, or quality-of-care research, potential harms of the use of individually identifiable health information should be carefully considered.
- Organizations must develop appropriate administrative, training, physical, and technical safeguards to protect the confidentiality, integrity, and availability of individually identifiable health information.
- Strong and enforceable remedies for violations of privacy protections should be established, and health care professionals who report violations should be protected from retaliation.
Background
Continuous, rapid developments in the technology and legal landscapes have significant implications for individuals’ right to privacy and confidentiality. Health care professionals, insurers, researchers, marketers, software developers, and others routinely use technology-assisted approaches to record and transfer health data, which presents risks of unintentional or inadvertent breaches of confidential information. Legal privacy protections are not absolute, and state-based, health-related legislative variability introduces new complexity to ethical practice that aims to ensure trust in nurse-patient relationships. Despite the existence of laws and organizational policies intended to provide protection, patients may resist disclosing personal health information due to concern for loss or denial of health insurance, discrimination, or stigmatization, all of which impede safe, quality care. There must also be consideration for communities and populations who may be adversely impacted by disclosure of information.
History/Previous Position Statements
2015 Privacy and Confidentiality Position Statement
2006 Privacy and Confidentiality Position Statement
1999 Privacy and Confidentiality, House of Delegates
1995 Privacy and Confidentiality Related to Access to Electronic Data, House of Delegates
1991 Nursing and Human Immunological Virus, House of Delegates
1982 Computer-Based Patient Record and Implications for the Profession of Nursing, House of Delegates
1974 National Health Insurance, House of Delegates
Supportive Material
The Code of Ethics for Nurses with Interpretive Statements (2015): Provision 3, Interpretive Statement 3.1, “Protection of the Rights of Privacy and Confidentiality,” affirms the nurse’s role in safeguarding the right to privacy for individuals, families, and communities. The nurse advocates for an environment that provides sufficient physical privacy, including privacy for discussions of a personal nature. Nurses also participate in the development and maintenance of policies and practices that protect both personal and clinical information at institutional and societal levels. The nurse has a duty to maintain confidentiality of all patient information, both personal and clinical, in the work setting and off duty in all venues, including social media or any other means of communication (p. 9).
When using electronic communications or working with electronic health records, nurses should make every effort to maintain data and information security (p. 10). The nurse advocacy role is further delineated in Interpretive Statement 3.5, “Protection of Patient Health and Safety by Acting on Questionable Practice: When practices in the healthcare delivery system or organization threaten the welfare of the patient, nurses should express their concern to the responsible manager or administrator or, if indicated, to an appropriate higher authority within the institution or agency or to an appropriate external authority [with protections from retaliation] (p. 12).”
Nursing: Scope and Standards of Practice (2021): Domain 8, “Informatics and Healthcare Technologies,” includes: “Demonstrate appropriate use of information and communication technologies; Use information and communication technology in a manner that supports the nurse-patient relationship; Assess best practices for the use of advanced information and communication technologies to support patient and team communications; Employ electronic health, mobile health, and telehealth systems to enable quality, ethical, and efficient patient care; Use information and communication technologies in accordance with ethical, legal, professional, and regulatory standards, and workplace policies in the delivery of care; Identify common risks associated with using information and communication technology; Apply risk mitigation and security strategies to reduce misuse of information and communication technology; Demonstrate ethical use of social networking applications; Assess potential ethical and legal issues associated with the use of information and communication technology; Comply with legal and regulatory requirements while using communication and information technologies; Recommend strategies to protect health information when using communication and information technology; Educate patients and their caregivers/“care partners” on their right to access, review, and correct personal data and medical records; Promote patient and family engagement with their personal health data; Discuss how clinical judgment and critical thinking must prevail in the presence of information and communication technologies; Advocate for policies and regulations that support the appropriate use of technologies impacting health care; Deliver care using remote technology; Analyze the impact of federal and state policies and regulation on health data and technology in care settings” (pp. 46-48). 
Further, Domain 9, “Professionalism,” includes: “Safeguard privacy, confidentiality, and autonomy in all interactions” (p. 49).
American Nurses Association. Essentials of Genetic and Genomic Nursing: Competencies, Curricula Guidelines, and Outcome Indicators (2008): This document defines essential genetic and genomic competencies for all registered nurses and identifies areas of knowledge and clinical performance indicators associated with protection of privacy and confidentiality.
The United States Department of Health and Human Services (HHS) Privacy Rule and Security Rule: The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) went into effect in 2003 to implement the requirement of HIPAA with the goal “to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being” (HHS, 2003, p. 1). The Security Rule operationalizes the protections contained in the Privacy Rule by addressing required technical and nontechnical safeguards that secure individuals’ electronic protected health information.
The Joint Commission: The Joint Commission provides several accreditation programs based on the type of health organization or facility. Each of The Joint Commission’s accreditation programs has a specific set of standards, one of which is information management (IM). The IM standard emphasizes the importance of protecting the privacy of individually identifiable health information and monitoring access to that information.
The Genetic Information Nondiscrimination Act (2009): As noted in the International Society of Nurses in Genetics Position Statement, Privacy and Confidentiality of Genetic Information: The Role of the Nurse (2010), “Assuring privacy and confidentiality of genetic information demands continued vigilance on the part of all nurses as genetic technologies and discoveries are translated into clinical application and practice” (p. 1). This vigilance includes an awareness of the provisions in GINA. Signed into law in 2008, GINA has two parts: Title 1 prohibits health insurance providers from using genetic information to make decisions about an individual’s eligibility or coverage. Title 2 prohibits employers from using genetic information to make decisions about hiring, promotion, or other terms of employment. There are limited exceptions to both Title 1 and Title 2.
Summary
A fundamental principle of the nursing profession is respect for human dignity as outlined in Provision 1 of the Code of Ethics for Nurses with Interpretive Statements. Among the powerful ways nurses live out this value is the protection of a patient’s right to privacy. This includes maintaining confidentiality of individually identifiable health information in any form, while at work and when off duty. Nurses recognize that quality care requires the communication of relevant patient information between health care professionals and health systems. The rapid evolution of communication, recording, and retrieval technologies poses challenges to the duty to maintain the confidentiality and security of this data and information. Evolving legislation can also have implications for patients’ right to privacy and confidentiality. Nurses must think critically about circumstances in which privacy and confidentiality may be at risk, advocate for patients’ rights, and promote patient autonomy and well-being.
Acknowledgment: ANA acknowledges Ethics Advisory Board members Heather Fitzgerald, DBe, MS, RN, Teri Chenot, EdD, MSN, RN, FNAP, FAAN, and Stacy Smith, MA, MLS, BSN, RN, HEC-C who contributed to the drafting of this revised document on behalf of the ANA Ethics Advisory Board.
Column Editor
Liz Stokes, PhD, JD, RN
Email: liz.stokes@ana.org
Liz Stokes is the Director of the American Nurses Association Center for Ethics and Human Rights and demonstrates expertise in writing public policy on ethical issues including medical marijuana, assisted death, intellectual disabilities, and women's reproductive health. She is an international speaker on the Code of Ethics for Nurses and is published in the Journal of Nursing Regulation and the Journal for Nurse Practitioners. Liz also serves as an Associate Editor for the Journal of Bioethical Inquiry. Liz's sphere of influence as a nurse-attorney combined with her education in bioethics enables a unique contribution to nursing, ethics, law, and policy.
References
American Association of Colleges of Nursing. (2021). The Essentials: Core competencies for professional nursing education. The New AACN Essentials (aacnnursing.org).
American Nurses Association. (2015). Code of ethics for nurses with interpretive statements. Silver Spring, MD.
American Nurses Association. (2008). Essentials of genetic and genomic nursing: competencies, curricula guidelines, and outcome indicators. Retrieved from http://www.nursingworld.org/MainMenuCategories/EthicsStandards/Genetics1/EssentialNursingCompetenciesandCurriculaGuidelinesforGeneticsandGenomics.pdf.
Kiel, J. (2015). An analysis of the management and leadership roles of nurses relative to the Health Insurance Portability and Accountability Act. The Health Care Manager, 34(1), 76–80.
McGowan, C. (2012). Patients’ confidentiality. Critical Care Nurse, 32(5), 61–65.
Spector-Bagdady, K., & Mello, M. M. (2022). Protecting the privacy of reproductive health information after the fall of Roe v. Wade. JAMA Health Forum, 3(6), e222656.
Taitsman, J., Grimm, C., & Agrawal, S. (2013). Protecting patient privacy and data security. New England Journal of Medicine, 368(11), 977–979.
The Office of the National Coordinator for Health Information Technology. (2015). Guide to privacy and security of electronic health information. Retrieved from http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf.
The Joint Commission. Information about our standards. http://www.jointcommission.org/standards_information/standards.aspx.
United States Department of Health and Human Services. (2009). Genetic Information Nondiscrimination Act (GINA): OHRP Guidance. Retrieved from https://www.hhs.gov/ohrp/regulations-and-policy/guidance/guidance-on-genetic-information-nondiscrimination-act/index.html.
United States Department of Health and Human Services. (2003). OCR privacy brief: Summary of the HIPAA privacy rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf.