Ensuring Patient Confidentiality in Nursing

About

➀ Read and Learn

The following course content

Introduction

In order to provide the best care possible to patients, there must be a foundation of trust that the patient-provider relationship is built on. If the foundation is not stable, the rest of the relationship is at risk of crumbling. One way that trust is built is by maintaining patient confidentiality or privacy.  

When it comes to the medical field, the wrong medicines or treatments may be administered or performed. This could result in further complications. Medical conditions, treatments, and results can often be sensitive topics and things patients do not necessarily want shared with society for a variety of reasons. Patients rely on their providers to keep the information they communicate in confidence, and only sharing it under certain circumstances.  

With the ever-growing platform of social media and advancements in technology, there is a grey area that exists when it comes to patient confidentiality and what can and cannot be shared. The purpose of this course is to educate on the aspects of patient confidentiality and its importance.  

The Privacy Rule 

The Health Information Portability and Accountability Act of 1996 (HIPAA) became the groundwork for the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) issued by the U.S. Department of Health and Human Services (HHS). It was designed to meet the requirements set by HIPAA regarding how healthcare providers used and disclosed a patient's private health information. It also addressed patients having the right to know and dictate how their health information is utilized. Overall, the Privacy Rule's goal was to set clear boundaries when it came to properly protecting health care information while allowing the exchange of pertinent information to protect the health and well-being of the public (2). 

Many groups are included under HIPAA's term of "covered entities.” These entities have connections to personal health care information on a variety of levels. Groups such as healthcare providers, health plans, healthcare clearinghouses, and business associates are all covered entities. The protected information they encounter is anything that can or is believed to identify an individual: name, date of birth, address, and Social Security Number. Any past, present, or futured mental or physical health, condition, or payment and health care provisions for an individual are also classified as protected information (4). 

De-Identifying Patients to Ensure Patient Confidentiality

There are many steps involved in de-identifying a patient for those who use or share patient information, as it applies to HIPAA. De-identifying a patient is the act of removing as many identifiers as one can in order to eliminate the chances of an individual being recognized through the scenario or situation (3).  

There are two methods to de-identifying:  

1. Formal evaluation by a qualified expert.

A qualified expert must be a person with significant knowledge and experience with knowing scientific and statistical standards or methods to ensure patient information is not identifiable. They do this by determining if the risk of using the information is very small. They often document what methods they use to make the determination (3).  

2. The act of removing individual identifiers.

Many of these identifiers are things one would expect to be removed when identifying a patient, such as a name, age, date of birth, home address, Social Security Number, full-face photos, and phone numbers. However, some of them include any form of vehicle identifier—serial or license plate numbers—internet protocol (IP) addresses, biometric identifiers like finger or voice-prints, serial numbers or device identifiers, and web universal resource locators (URLs). An entire list of the 18 identifiers is located on the Department of Health and Human Services website (3).   

Neither of these methods are 100% perfect in their goal, but they decrease a patient's chance of being identified significantly. Once the patient has been de-identified, the information is no longer restricted by the Privacy Rule since all patient identifiers have been removed. This means that the information can be used without worry of violation (3). 

Professional Statements  

Over the years, professional medical organizations have released statements regarding patient confidentiality and how it pertains to their target audience. Many medical organizations such as the American Nurses Association (ANA) and the American Medical Associations (AMA) often create position statements to reflect the organization's overall stance and thoughts on a specific topic. These positions may be used to guide education, policies, or individual opinions on the topic.  

The ANA released a statement regarding patient privacy and confidentiality. As mentioned before, the ANA believes that the patient-provider relationship is important, and confidentiality is essential in that relationship. The organization supports legislation, standards, and policies that protect patient information. In the professional statement document, the ANA goes on to give recommendations regarding the protection of patient information. These recommendations support the patient's right to have protected information and to select who is the recipient of medical information. They encourage that patients be given information regarding HIPAA and the Genetic Information Nondiscrimination Act—an act passed in 2008 to prohibit individuals' discrimination based on genetic information (5). They acknowledge that the patient has the right to access their information and use it to make healthcare decisions. They note that patients should be notified when and how their information may be used. There is a heavy emphasis on not using patient information if consent has not been given unless there is an extenuating circumstance regarding legal requirements. This will be discussed in the next section (1).  

Since patient confidentiality is extremely important, the ANA supports healthcare organizations in creating safeguards to protect patient confidentiality. They also support organizations enforcing ways to alleviate violations done by health care workers and protect them from retaliation (1).   

Disclosure  

Overall, patient information is discouraged from being shared; however, there are several instances where the sharing of information is allowed. The patient may give the provider(s) or healthcare organization permission to share the information with whoever the patient decides. By providing consent, the patient is essentially waving the right to keep that information confidential but determines who can receive the information. This can be done through written or verbal consent, though most facilities require a written one. This written form is placed in the patient's medical records (6).  

If another healthcare agency or provider is going to be involved with the patient's care, medical information can be exchanged on a "need to know" basis. For example, if a patient is being transferred to another facility, the accepting nurse and care team would need a thorough report to ensure that they knew the patient and what had already been done for them regarding medical care (6).  

While protecting patient information is important, there are a few circumstances—called extenuating circumstances—that allow healthcare providers to share information regarding a patient without permission outside of the above reasons. Certain information is required to be reported to public health departments or authoritative organizations: communicable diseases, suspected child or elder abuse, gunshot wounds, release to insurance companies for payment, or worker's compensation boards after a claim has been submitted are allowed (6).  

In the case of protecting the public, healthcare providers can report patient information to a specific organization if it comes down to the health of the public. As mentioned above, testing positive for communicable diseases can be reported to public health departments 

It should be noted that one important exception applies to this rule. Making assumptions, especially about if a spouse has the right to know the medical history of a patient just because they are married, is not advised. Patients should be encouraged to inform their spouse about the information that may put the spouse at risk, such as sexually transmitted infections. If the individual's direct safety is threatened, then the provider can tell them (6).  

In order to protect society, healthcare providers have the duty to warn if they have detailed and documented proof that the patient is targeting a select individual or group. Providers are encouraged to document instances of threats, whether it be against them, another provider, or another individual outside of the healthcare setting. Often this is a legal or ethical duty to report the threat to the authorities or possibly warn the potential victim (6).  

If a provider is concerned about what can or cannot be disclosed at any time, it is encouraged that the provider consults hospital policies before releasing any information (6).  

Consequences of Disclosure Violations 

Healthcare providers may be subjected to a variety of consequences when it comes to the violation of HIPAA or the Privacy Rule. The healthcare provider and the facility in which they work may be subjected to civil suits in a variety of ways. Disclosing sensitive information or photos about the patient are a breach of legal duty—intentional or unintentional—are both forms of civil suits that can occur. Nurses may face disciplinary action from their state's board of nursing. With the ever-growing form of social media, boards of nursing have been cracking down on improper use of social media and breaches in patient confidentiality. Job loss and fines are other consequences that may occur by themselves or in addition to any of the others listed above (6).  

Patient Confidentiality in the Technology Era 

There are many forms of technology today and there are many ways patient confidentiality can be violated by using it. Cell phones have become a staple in nearly everyone's day-to-day life, so it would make sense that both healthcare providers and patients alike have them. While they are useful, cell phones can also cause problems. Unintentional or intentional filming or recording of patients or medical information can happen by staff, family members, or other patients. Family members or friends may call to ask about a patient, and it is important for the nurse to know hospital policy when it comes to verifying the identity of those calling and what information can be given over the phone. Verifying with the patient who can be told what information is important as well (6). 

Since charting has become electronic, many nurses are using computers, laptops, or tablets to complete their charting. Healthcare providers need to ensure that privacy is always maintained when utilizing these devices.  

Even though most things can be transferred via email, call, or secured text message, some information still needs to be transmitted via fax machine. Since there is room for human error, coversheets should be used along with a clear identifier that the information being sent is confidential. If a number is used often, it is encouraged that it is preprogrammed into the fax machine to help decrease the chance of the number being mistyped (6).  

Best Practices of Patient Confidentiality 

Overall, healthcare providers must make decisions on how to protect private information. Despite recommendations from professional organizations and policies from facilities, it is the provider's responsibility and decision on how to go about it. Sometimes there are several ways to solve the same problem. Best practices, like the ones listed below, can be used with hospital and Board of Nursing policies and rules (6). 

• Utilize coversheets for person notes regarding patient care or when faxing sensitive information. 
• Be mindful of what is said in semi-private rooms or rooms that have visitors. Curtains and walls are not soundproof. 
• Verify callers before providing any patient information as determined by hospital policy. Remember to also verify with the patient if able to do so. Some patients may not want family or friends to know about their condition. 
• Do not leave patient information in a place where it can be easily seen by others. This includes personal notes, electronic or printed medical records, unlocked communication devices, etc. 
• Ensure that all patient information is properly disposed of or destroyed prior to leaving work. 
• Be mindful of what is posted on social media and be aware of possible unintentional disclosure.  
• Provide education to staff regarding potential areas of misuse when it comes to patient information. Policies regarding improper use should be implemented. These policies should include email use, personal electronic data devices, and electronic transmission of data.
• Have staff and others who may need access to patient information such as students sign confidentiality agreements.  
• Refrain from speaking about patients or their private information in areas where information can be overheard, such as cafeterias, hallways, elevators, waiting rooms.  
• Ensure that policies are reviewed and updated periodically or as needed to reflect current healthcare laws and guidelines.  

This is not a comprehensive list, and healthcare providers must use common sense and caution when sharing private patient information. 

Summary  

The topic of patient confidentiality is very important to the patient-provider relationship. Without it, the entire relationship can deteriorate, leading to significant emotional and possibly physical damage. This can be detrimental to the patient and provider. It is important to follow hospital policy and healthcare laws regarding sensitive information. All healthcare providers are strongly encouraged to stay up to date on new legislation that may affect patient confidentiality.  

➁ Complete Survey

Give us your thoughts and feedback

➂ Click Complete

To receive your certificate