Ensuring Patient Confidentiality in Nursing
- In this course we will learn about the various aspects of patient confidentiality, and why it is important for building patient-provider relationships.
- You’ll also learn the basics of de-identifying patients, professional statements, and disclosures.
- You’ll leave this course with a broader understanding of how to practice patient confidentiality in nursing.
Contact Hours Awarded: 2
BSN, RN, CEN, TNCC
In order to provide the best care possible to patients, there must be a foundation of trust that the patient-provider relationship is built on. If the foundation is not stable, the rest of the relationship is at risk for crumbling. One way that trust is built is by maintaining patient confidentiality or privacy.
In the medical field, when that trust is missing, the wrong medicines or treatments may be administered or performed. This could result in further complications. Medical conditions, treatments, and results can often be sensitive topics and things patients do not necessarily want shared with society for a variety of reasons. Patients rely on their providers to keep the information they communicate in confidence, and to share it only under certain circumstances.
With the ever-growing platform of social media and advancements in technology, there is a grey area that exists when it comes to patient confidentiality and what can and cannot be shared. The purpose of this course is to educate on the aspects of patient confidentiality and its importance.
- What do you already know about patient confidentiality?
The Privacy Rule
The Health Information Portability and Accountability Act of 1996 (HIPAA) became the groundwork for the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) issued by the U.S. Department of Health and Human Services (HHS). It was designed to meet the requirements set by HIPAA regarding how healthcare providers used and disclosed a patient’s private health information. It also addressed patients having the right to know and dictate how their health information is utilized. Overall, the Privacy Rule’s goal was to set clear boundaries when it came to properly protecting health care information while allowing the exchange of pertinent information to protect the health and well-being of the public (2).
Many groups are included under HIPAA’s term of “covered entities.” These entities have connections to personal health care information on a variety of levels. Groups such as healthcare providers, health plans, healthcare clearinghouses, and business associates are all covered entities. The protected information they encounter is anything that can or is believed to identify an individual: name, date of birth, address, and Social Security Number. Any past, present, or future mental or physical health, condition, or payment and health care provisions for an individual are also classified as protected information (4).
Think of where you work.
- What type of facility do you work in?
- What does your work consider patient identifiers?
- Is there anything you think should be added to that list when it comes to what can identify a patient?
De-Identifying Patients to Ensure Patient Confidentiality
There are many steps involved in de-identifying a patient for those who use or share patient information, as it applies to HIPAA. De-identifying a patient is the act of removing as many identifiers as one can in order to eliminate the chances of an individual being recognized through the scenario or situation (3).
There are two methods to de-identifying:
1. Formal evaluation by a qualified expert.
A qualified expert must be a person with significant knowledge of and experience with scientific and statistical standards or methods for ensuring patient information is not identifiable. They do this by determining if the risk of using the information is very small. They often document what methods they use to make the determination (3).
2. The act of removing individual identifiers.
Many of these identifiers are things one would expect to be removed when de-identifying a patient, such as a name, age, date of birth, home address, Social Security Number, full-face photos, and phone numbers. However, some of them include any form of vehicle identifier—serial or license plate numbers—internet protocol (IP) addresses, biometric identifiers like finger or voice-prints, serial numbers or device identifiers, and web universal resource locators (URLs). An entire list of the 18 identifiers is located on the Department of Health and Human Services website (3).
Neither of these methods is 100% perfect in its goal, but they decrease a patient’s chance of being identified significantly. Once the patient has been de-identified, the information is no longer restricted by the Privacy Rule since all patient identifiers have been removed. This means that the information can be used without worry of violation (3).
Which version of de-identifying a patient do you think is better?
Have you ever had to de-identify a patient or patients?
What was it for?
Did you expect some of the listed identifiers to be on the list?
Over the years, professional medical organizations have released statements regarding patient confidentiality and how it pertains to their target audience. Many medical organizations such as the American Nurses Association (ANA) and the American Medical Association (AMA) often create position statements to reflect the organization’s overall stance and thoughts on a specific topic. These positions may be used to guide education, policies, or individual opinions on the topic.
The ANA released a statement regarding patient privacy and confidentiality. As mentioned before, the ANA believes that the patient-provider relationship is important, and confidentiality is essential in that relationship. The organization supports legislation, standards, and policies that protect patient information. In the professional statement document, the ANA goes on to give recommendations regarding the protection of patient information. These recommendations support the patient’s right to have protected information and to select who is the recipient of medical information. They encourage that patients be given information regarding HIPAA and the Genetic Information Nondiscrimination Act—an act passed in 2008 to prohibit discrimination against individuals based on genetic information (5). They acknowledge that the patient has the right to access their information and use it to make healthcare decisions. They note that patients should be notified when and how their information may be used. There is a heavy emphasis on not using patient information if consent has not been given unless there is an extenuating circumstance regarding legal requirements. This will be discussed in the next section (1).
Since patient confidentiality is extremely important, the ANA supports healthcare organizations in creating safeguards to protect patient confidentiality. They also support organizations enforcing ways to alleviate violations done by health care workers and protecting them from retaliation (1).
Have you read the ANA’s statement on patient confidentiality before?
Are you in any professional organizations?
Do these organizations have any statements about patient confidentiality?
Are there any differences between them and the ANA’s statement?
Overall, patient information is discouraged from being shared; however, there are several instances where the sharing of information is allowed. The patient may give the provider(s) or healthcare organization permission to share the information with whoever the patient decides. By providing consent, the patient is essentially waiving the right to keep that information confidential but determines who can receive the information. This can be done through written or verbal consent, though most facilities require a written one. This written form is placed in the patient’s medical records (6).
If another healthcare agency or provider is going to be involved with the patient’s care, medical information can be exchanged on a “need to know” basis. For example, if a patient is being transferred to another facility, the accepting nurse and care team would need a thorough report to ensure that they knew the patient and what had already been done for them regarding medical care (6).
While protecting patient information is important, there are a few circumstances—called extenuating circumstances—that allow healthcare providers to share information regarding a patient without permission outside of the above reasons. Certain information is required to be reported to public health departments or authoritative organizations, such as communicable diseases, suspected child or elder abuse, and gunshot wounds. Release of information to insurance companies for payment, or to workers’ compensation boards after a claim has been submitted, is also allowed (6).
In the case of protecting the public, healthcare providers can report patient information to a specific organization if it comes down to the health of the public. As mentioned above, testing positive for communicable diseases can be reported to public health departments.
It should be noted that one important exception applies to this rule. Making assumptions, especially about whether a spouse has the right to know the medical history of a patient just because they are married, is not advised. Patients should be encouraged to inform their spouse about the information that may put the spouse at risk, such as sexually transmitted infections. If the individual’s direct safety is threatened, then the provider can tell them (6).
In order to protect society, healthcare providers have the duty to warn if they have detailed and documented proof that the patient is targeting a select individual or group. Providers are encouraged to document instances of threats, whether it be against them, another provider, or another individual outside of the healthcare setting. Often this is a legal or ethical duty to report the threat to the authorities or possibly warn the potential victim (6).
If a provider is concerned about what can or cannot be disclosed at any time, it is encouraged that the provider consults hospital policies before releasing any information (6).
What policies does your facility have when it comes to disclosing information?
How do you obtain consent for sharing information?
Have you ever shared information outside of the “need to know” basis with other providers when it comes to a patient?
Have you ever had to report a patient to another organization such as Child Protective Services or the county Department of Health? What was it for?
Consequences of Disclosure Violations
Healthcare providers may be subjected to a variety of consequences when it comes to the violation of HIPAA or the Privacy Rule. The healthcare provider and the facility in which they work may be subjected to civil suits in a variety of ways. Disclosure of sensitive information or photos about the patient and breach of legal duty, whether intentional or unintentional, are both forms of civil suits that can occur. Nurses may face disciplinary action from their state’s board of nursing. With the ever-growing reach of social media, boards of nursing have been cracking down on improper use of social media and breaches in patient confidentiality. Job loss and fines are other consequences that may occur by themselves or in addition to any of the others listed above (6).
Think back to your hospital policies.
- Do you recall any consequences listed in the policy?
- Are you required to take education regarding patient confidentiality through work?
- What kinds of consequences do you think would be appropriate for violating patient confidentiality?
- What do you think of healthcare providers using social media at work?
Patient Confidentiality in the Technology Era
There are many forms of technology today and there are many ways patient confidentiality can be violated by using it. Cell phones have become a staple in nearly everyone’s day-to-day life, so it would make sense that both healthcare providers and patients alike have them. While they are useful, cell phones can also cause problems. Unintentional or intentional filming or recording of patients or medical information can happen by staff, family members, or other patients. Family members or friends may call to ask about a patient, and it is important for the nurse to know hospital policy when it comes to verifying the identity of those calling and what information can be given over the phone. Verifying with the patient who can be told what information is important as well (6).
Since charting has become electronic, many nurses are using computers, laptops, or tablets to complete their charting. Healthcare providers need to ensure that privacy is always maintained when utilizing these devices.
Even though most things can be transferred via email, call, or secured text message, some information still needs to be transmitted via fax machine. Since there is room for human error, coversheets should be used along with a clear identifier that the information being sent is confidential. If a number is used often, it is encouraged that it is preprogrammed into the fax machine to help decrease the chance of the number being mistyped (6).
Think of your work area.
- What types of devices does your facility use to chart?
- What steps has the facility taken to protect patient information when it comes to these devices?
- What steps do you take to protect patient information?
- What things could be improved on when it comes to securing patient information?
Best Practices of Patient Confidentiality
Overall, healthcare providers must make decisions on how to protect private information. Despite recommendations from professional organizations and policies from facilities, it is the provider’s responsibility and decision on how to go about it. Sometimes there are several ways to solve the same problem. Best practices, like the ones listed below, can be used with hospital and Board of Nursing policies and rules (6).
- Utilize coversheets for personal notes regarding patient care or when faxing sensitive information.
- Be mindful of what is said in semi-private rooms or rooms that have visitors. Curtains and walls are not soundproof.
- Verify callers before providing any patient information as determined by hospital policy. Remember to also verify with the patient if able to do so. Some patients may not want family or friends to know about their condition.
- Do not leave patient information in a place where it can be easily seen by others. This includes personal notes, electronic or printed medical records, unlocked communication devices, etc.
- Ensure that all patient information is properly disposed of or destroyed prior to leaving work.
- Be mindful of what is posted on social media and be aware of possible unintentional disclosure.
- Provide education to staff regarding potential areas of misuse when it comes to patient information. Policies regarding improper use should be implemented. These policies should include areas of email, personal electronic data devices, and transmission of data electronically.
- Have staff and others who may need access to patient information, such as students, sign confidentiality agreements.
- Refrain from speaking about patients or their private information in areas where information can be overheard, such as cafeterias, hallways, elevators, waiting rooms.
- Ensure that policies are reviewed and updated periodically or as needed to reflect current healthcare laws and guidelines.
This is not a comprehensive list, and healthcare providers must use common sense and caution when sharing private patient information.
From this list what do you already do to protect patient information?
From this list what would you add to your own list?
What would you add to this list regarding protection of sensitive information?
The topic of patient confidentiality is very important to the patient-provider relationship. Without it, the entire relationship can deteriorate, leading to significant emotional and possibly physical damage. This can be detrimental to the patient and provider. It is important to follow hospital policy and healthcare laws regarding sensitive information. All healthcare providers are strongly encouraged to stay up to date on new legislation that may affect patient confidentiality.
References + Disclaimer
1. American Nurses Association. (2015, June). American Nurses Association position statement on privacy and confidentiality. https://www.nursingworld.org/~4ad4a8/globalassets/docs/ana/position-statement-privacy-and-confidentiality.pdf
2. Emergency Nurses Association. (2014). Sheehy’s manual of emergency care. In B. B. Hammond & P. G. Zimmermann (Eds.), Sheehy’s Manual of Emergency Care (7th ed., pp. 3–4). Elsevier Health Sciences.
3. U.S. Department of Health & Human Services. (2015, November 6). Methods for De-identification of PHI. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
4. U.S. Department of Health & Human Services. (2013, July 26). Summary of the HIPAA Privacy Rule. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
5. U.S. Equal Employment Opportunity Commission. (2008). The Genetic Information Nondiscrimination Act of 2008. U.S. Equal Employment Opportunity Commission. https://www.eeoc.gov/statutes/genetic-information-nondiscrimination-act-2008
6. Westrick, S. J. (2014). In Essentials of nursing law and ethics (2nd ed., pp. 77–84). Jones & Bartlett Learning.