Many years ago, when I was an Intravenous (IV) Therapist in training at a major teaching hospital, I sat down to a thirty-minute dinner break with my fellow IV team members in the hospital cafeteria. One of our teammates was late. She rushed to the table with her tray, and raced to tell us why she was delayed. Not only did she provide the team with chapter and verse of the patient she last saw, but she also told us the patient's diagnosis, the tragedy surrounding the patient, the little boy she was leaving behind, and her youth.
After taking a breath and a sip of her coffee, my teammate was approached by a man wearing a beige trench coat and a long face. He proceeded to tell my colleague that she was telling the world about his loved one, her fatal medical diagnosis, and his agony. Tears streaming down her face, my co-worker apologized profusely, but the damage was done. Not only had she told a story she had no right to tell in public, she had driven a spear through the man's heart while he was attempting to get a cup of coffee in what he thought would be a place of respite.
Over thirty years later, I look back on that incident and wonder if we have really changed our behaviors. We now have a federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), in effect to protect patients' health information and privacy. However, we still have breaches of the law on a regular basis. Some of these breaches are directly related to the "security of electronic protected health information," some are related to billing issues, and many are related to what we loosely call "elevator conversations," i.e., unguarded conversations about patients in hallways, elevators, and even cafeterias, like the incident described above. Here are some examples of violations of patient privacy and confidentiality, some of which are more obvious than others.
- Leaving health information open on a screen and walking away from the computer;
- Accessing patient files when the provider is not responsible for the patient's care;
- Sending photographs of celebrities in hospitals to tabloids;
- Having public discussions about patients with other health care providers;
- Sending billing information for payment of health care services to a husband despite the patient's explicit request to have the bill sent to her because she is paying for the services;
- Taking protected information on mobile devices, which are easily stolen.
By way of refreshing our collective memories, I'm taking a moment to remind readers that all health care providers have a duty to protect patient privacy and the organizations representing them have policies that address this issue.
The American College of Healthcare Executives states:
"The American College of Healthcare Executives believes that in addition to following all applicable state laws and HIPAA, healthcare executives have a moral and professional obligation to respect confidentiality and protect the security of patients’ medical records. As patient advocates, executives must ensure their organization obtains proper patient authorization to release information or follow carefully defined policies and applicable laws in those cases for which the release of information without consent is indicated."
The American Medical Association states:
"The information disclosed to a physician by a patient should be held in confidence. The patient should feel free to make a full disclosure of information to the physician in order that the physician may most effectively provide needed services. The patient should be able to make this disclosure with the knowledge that the physician will respect the confidential nature of the communication. The physician should not reveal confidential information without the express consent of the patient, subject to certain exceptions which are ethically justified because of overriding considerations."
The American Nurses Association states:
"A patient's right to privacy with respect to individually identifiable health information, including genetic information, should be established statutorily. Individuals should retain the right to decide to whom, and under what circumstances, their individually identifiable health information will be disclosed. Confidentiality protections should extend not only to health records, but also to all other individually identifiable health information, including genetic information, clinical research records, and mental health therapy notes."
The American Dental Association states:
"The dentist has a duty to respect the patient's rights to self-determination and confidentiality.
This principle expresses the concept that professionals have a duty to treat the patient according to the patient's desires, within the bounds of accepted treatment, and to protect the patient's confidentiality. Under this principle, the dentist's primary obligations include involving patients in treatment decisions in a meaningful way, with due consideration being given to the patient's needs, desires and abilities, and safeguarding the patient's privacy."
Every health care provider is bound by codes of ethics and federal law to protect patient privacy. With few exceptions, patients have the right to keep their health information to themselves. As health care providers, we need to be vigilant about our behavior, the behavior of our colleagues, and our students.
Looking back on that moment in time when I was a student, knowing what I now know, I would have stopped my co-worker mid-sentence and pointed out where we were. Put yourself in that story. If you were the man in the cafeteria, wouldn't you want to grieve in peace?
Sharon B. Buchbinder, RN, PhD
Sharon Buchbinder is Professor and Program Coordinator for the MS in Healthcare Management at Stevenson University in the Graduate and Professional School and former chair of the Association of University Programs in Health Administration (AUPHA). She is also the author of three books from Jones and Bartlett: Introduction to Health Care Management (with Nancy H. Shanks), Career Opportunities in Health Care Management (with Jon Thompson) and Cases in Health Care Management (with Nancy H. Shanks and Dale Buchbinder).
Here are some additional resources if you are interested in this topic.
American College of Healthcare Executives. (2012, November). Health information confidentiality. http://www.ache.org/policy/hiconf.cfm
American Dental Association. (2013). Principles, Code of Professional Conduct & Advisory Opinions. Section 1 — Principle: Patient Autonomy ("self-governance"). http://www.ada.org/688.aspx
American Medical Association. (2006, November). Code of ethics: Opinion 5.05: Confidentiality. http://www.ama-assn.org/ama/pub/physician-resources/medical-ethics/code-medical-ethics/opinion505.page
American Nurses Association. (2013). Position statements: Privacy and confidentiality. http://www.nursingworld.org/MainMenuCategories/Policy-Advocacy/Positions-and-Resolutions/ANAPositionStatements/Position-Statements-Alphabetically/PrivacyandConfidentiality.html
Cleveland Clinic, Department of Bioethics. (2000, November 28). Basic Bioethics For Residents, CCF Residency Programs. Respecting patients' rights. http://www.clevelandclinic.org/bioethics/education/residency/patientsrights4.html
Gibson, S. (2012, August 10). Don't be next: Lesson from 5 recent health data breaches. http://healthcaretechreview.com/it-security-mobile-devices/
HHS Office of Civil Rights. (2003, May). Summary of the HIPAA privacy rule. http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
HHS Office of Civil Rights. (2006, March 14). FAQs. http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures/266.html
Parker-Pope, T. (2008, April 3). More celebrity snooping by hospital workers. New York Times. http://well.blogs.nytimes.com/2008/04/03/more-celebrity-snooping-by-hospital-workers/?_r=0
Powell, C. (2012, October 11). Akron General fires employees for patient privacy violations in hospital shooting case. http://www.ohio.com/news/akron-general-fires-employees-for-patient-privacy-violations-in-hospital-shooting-case-1.341300
Rose, R.V. (2013, August 8). Public discussion of patient info can mean a HIPAA violation. http://www.physicianspractice.com/blog/public-discussion-patient-info-can-mean-hipaa-violation
UT Health Science Center, San Antonio, Office of Regulatory Affairs & Compliance. (2013, August 14). Frequently Asked Questions. http://www.uthscsa.edu/hipaa/FAQs.asp