
CE Home Study Course
HIPAA—The Portability and Accountability Act: What RNs Need to Know About Privacy Rules and Protected Electronic Health Information

This home study CE is part two of a two-part series. The first installment appeared in the July-August 2011 issue of National Nurse and is required reading for successful completion of this home study course.

Description
This home study course provides a review of pertinent HIPAA definitions, the legislative history, and the intent of relevant privacy rules and regulations as they relate to the collection, use, and disclosure of protected, individually identifiable electronic health information. It describes the appropriate safeguards that RNs must follow to protect the privacy of patients’ health information and discusses the rationale and strategies for protecting RN professional practice and credibility with the public. In addition, a selected review of publicly reported HIPAA violations and penalties is included to increase awareness and help RNs avoid the risk of discipline by the employer or their professional licensing board, or the imposition of penalties and fines by civil or criminal courts.

Objectives: Upon completion of this home study RNs will be able to:
- Describe the intent of HIPAA regulation
- List identifying information that is protected under HIPAA
- Describe how HIPAA affects provider communications and electronic medical records
- Describe how HIPAA impacts patients’ right to privacy and confidentiality
- Identify strategies to prevent privacy and data breaches from occurring and reduce risk of personal, professional, and organizational liability

Submitted by the Joint Nursing Practice Commission, DeAnn McEwen, RN, and Hedy Dumpel, RN, JD

Provider approved by the California Board of Registered Nursing, Provider #00754, for 4.0 contact hours (CEHs). Recognized by all states with the exception of Arkansas, Delaware, Massachusetts, Montana, North Carolina, and South Carolina.

EHRs and Compliance Incentives. Ongoing implementation of electronic health records (EHRs) has raised many professional practice concerns with respect to surveillance, privacy, and security issues. Historically, it is safe to say that if a healthcare provider indicated they were HIPAA compliant, what they likely meant was that they were attempting to comply with the HIPAA Privacy Rule (especially true for small providers). With the recent enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act 2009) contained within it, things have become even more interesting.

The HITECH Act focuses on the establishment of a national health infrastructure and on providing incentives for the adoption of electronic health records (EHRs). It also provides for “enhanced” privacy protections. This act now places both the HIPAA Privacy Rule and the HIPAA Security Rule front and center for healthcare providers. Now, not only are you or your employer subject to civil and criminal penalties for HIPAA violations and non-compliance, but such non-compliance may actually prevent your employer from receiving financial incentives for EHR adoption and from otherwise obtaining full reimbursement down the road (i.e. as provided for in the HITECH Act).

HIPAA & HITECH Act—Words to the Wise. The HITECH Act substantially expanded the HIPAA Privacy and Security Rules and increased the penalties for HIPAA violations. Like the Privacy Rule, the Security Rule gives covered entities significant discretion to analyze their own uses of health information and, according to HHS standards, each covered entity has a perpetual duty to renew and modify its security provisions to ensure reasonable protection of EPHI. If a covered entity discovers that an employee has violated the privacy policies and procedures and/or EPHI security rules, it must discipline the employee and attempt to mitigate any potential harm that may result.

According to the Privacy Rights Clearinghouse, there have been more than 87 separate data breaches made public from Jan. 1 through June 10, 2011, which affected an aggregate of more than 5,000,000 individuals’ records. Unfortunately, being compliant is not synonymous with being secure. Although the majority of the reported data losses were not because of social media, privacy standards can easily be violated “when Facebook goes to the hospital,” according to an August 2010 story in the Los Angeles Times. In the article, National Nurses United’s (NNU) Communications Director Chuck Idelson warns, “People may think they’re protected so that what they post can only be seen by a friend or family member, but life has proved otherwise.”

As and provider settings have grown more “wired” by the day, they have dramatically increased their reliance on the electronic creation, transmission, and storage of data. Add to this the human factors of curiosity and fascination with new technology. Many people using computers in their work settings are not techies or legal experts. They may have little intuition toward good security

18 NATIONAL NURSE WWW.NATIONALNURSESUNITED.ORG SEPTEMBER 2011

practices, such as logging off or locking their workstations, and using strong passwords. They may be naïve and lack understanding of the inherent danger and liability that comes with sharing passwords. Less technically savvy staff may be unaware that global positioning technology and digital tagging of the time and date of access and the location of transmission from a portable or mobile device is discoverable and can be used as evidence for auditing purposes and investigation of alleged wrongdoing by the user.

In the legal arena, an appellate court has implied that a violation of the Privacy Rule may constitute a negligent breach of the fiduciary duty of confidentiality and a violation of professional standards. Therefore, a violation of the Privacy Rule can be used to establish the standard of care. HIPAA provides standards of conduct, and as such, when a nurse fails to comply with HIPAA, he or she may very well be judged to be negligent.

However, given HIPAA’s complexity and the discretion that it affords covered entities, HHS has recognized the difficulty in abiding by the Privacy and Security Rules. Therefore, rather than first issuing a fine for a violation, it works with covered entities to write and file a plan of correction and assists them in achieving compliance. Healthcare employers and risk-averse administrators may be less forgiving, and many of them have adopted zero-tolerance policies for their employees. Many professionals are becoming concerned that covered entities’ overly broad interpretation of HIPAA, and confusion as to what constitutes a reportable breach, will lead to selective retaliation, suspension, and firing of workers, rather than HHS-style education and mitigation. Nurses as a profession support confidentiality, as well as the right to due process and a fair hearing.

Unfortunately, recent newspaper and network media reports have been replete with stories regarding unauthorized social media postings and access to patients’ protected health information and the consequences imposed on violators. Egregious breaches of patient privacy are rare, but they need to be dealt with swiftly. Therefore, NNU strongly urges nurses never to post patient-related information online and to avoid unauthorized use of PHI. Nurses must always honor the trust patients and the public have placed in them.

Professionalism and Social Media: First, Do No Harm.
Scholar and educator William Arthur Ward once said, “Curiosity is the wick in the candle of learning.” And in her book, Notes on Nursing, Florence Nightingale wrote, “The most important practical lesson that can be given to nurses is to teach them what to observe—how to observe.” Thus, curiosity in nurses is informed by the scientific method. When patients begin to exhibit subtle signs and symptoms of deterioration in their condition, their very lives often hang in the balance. Education and experience lead to skilled inquiry, synthesis, and analysis of the patient’s condition, which may lead to treatment decisions and effective life interventions.

Contrast that with the old adage that says, “Curiosity killed the cat!” More relevant to this discussion are the words of the ancient Greek philosopher Plato. He said, “To be curious about that which is not one’s concern, while still ignorant of one’s self, is ridiculous.” The inference to be drawn from this is that critical thinking and reflective practice will help nurses maintain appropriate professional boundaries and standards of conduct. Idle curiosity and ignorance of the risks inherent in the use of social networking sites such as Facebook, Twitter, and weblogs have the potential to kill your reputation and your career.

We’ve known that the World Wide Web is not only a medium to facilitate entertainment and acquisition of new knowledge; it also provides unparalleled opportunities for exhibitionism, voyeurism, and unwitting indiscretions. We are just beginning to understand the social costs in a digital age when so much of what we say and do, or what others say about us, becomes permanently and publicly stored online in cyberspace. “The permanent memory bank of the Web increasingly means there are no second chances—no opportunities to escape a scarlet letter in your digital past. Now, the worst thing you’ve done is often the first thing everyone knows about you,” wrote New York Times columnist Jeffrey Rosen in a July 21, 2010 article titled “The Web Means the End of Forgetting.”

A recent survey by Microsoft revealed that 75 percent of human resource professionals and recruiters do online research about job applicants. Many use a range of sites, including photo and video-sharing sites, personal blogs, Web pages, search engines, Twitter, and online gaming sites in addition to Facebook. In the same survey, 70 percent of recruiters reported they rejected applicants because of the information found online, such as membership in or contributions to “controversial” groups. According to company spokespersons, all information published on these sites should be presumed available to the general public. Legal experts agree that these public information sources can be legally used in criminal or other types of investigations.
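The audit point made above (time, date and source of every chart access are recorded and can be reviewed) is illustrated by the following added example, which is not code from the article or from CNA/NNOC. It reviews a constructed EHR access log against a care-team roster and flags chart openings that had no job-related relationship at the time, the pattern in the Arkansas alias-patient case later in this course; all user names, roles, timestamps and the log format are assumptions.

```python
"""Audit-trail review for EHR chart browsing (constructed example).

Given EHR access-log records and a care-team roster, flag every chart
access that had no open care-team relationship at the time it happened
(the "no legitimate job-related reason" pattern), count accesses per
user, and note remote (off-site) access. Names, roles, timestamps and
the log format are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime
    user_id: str
    role: str
    patient_id: str
    source: str  # "onsite" workstation or "remote" (home/mobile) access


@dataclass(frozen=True)
class CareTeamEntry:
    """A user's legitimate, time-bounded relationship to a patient's chart."""
    patient_id: str
    user_id: str
    start: datetime
    end: Optional[datetime]  # None = relationship still open


# Constructed access log: timestamp,user,role,patient,source.
# The patient was admitted at 08:00 under an alias and moved to ICU at 09:00.
SAMPLE_LOG = """\
2008-10-21T08:02:00,clerk01,ER unit clerk,PT-ALIAS-17,onsite
2008-10-21T08:05:00,rn_er4,ER RN,PT-ALIAS-17,onsite
2008-10-21T09:30:00,md_icu2,ICU MD,PT-ALIAS-17,onsite
2008-10-21T11:15:00,clerk01,ER unit clerk,PT-ALIAS-17,onsite
2008-10-21T13:40:00,acct07,account services,PT-ALIAS-17,onsite
2008-10-21T13:41:00,acct07,account services,PT-ALIAS-17,onsite
2008-10-21T14:02:00,clerk01,ER unit clerk,PT-ALIAS-17,onsite
2008-10-21T16:55:00,clerk01,ER unit clerk,PT-ALIAS-17,onsite
2008-10-21T17:10:00,clerk01,ER unit clerk,PT-0042,onsite
2008-10-21T18:20:00,rn_icu1,ICU RN,PT-ALIAS-17,onsite
2008-10-21T20:10:00,md_dir1,medical director,PT-ALIAS-17,remote
"""

T = datetime.fromisoformat
ROSTER = [
    # ER staff: legitimate only while processing the admission, until ICU transfer
    CareTeamEntry("PT-ALIAS-17", "clerk01", T("2008-10-21T08:00:00"), T("2008-10-21T09:00:00")),
    CareTeamEntry("PT-ALIAS-17", "rn_er4", T("2008-10-21T08:00:00"), T("2008-10-21T09:00:00")),
    # ICU care team from the transfer onward
    CareTeamEntry("PT-ALIAS-17", "md_icu2", T("2008-10-21T09:00:00"), None),
    CareTeamEntry("PT-ALIAS-17", "rn_icu1", T("2008-10-21T09:00:00"), None),
    CareTeamEntry("PT-0042", "clerk01", T("2008-10-21T17:00:00"), None),
]


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the comma-separated audit log into AccessEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, source = (f.strip() for f in line.split(","))
        events.append(AccessEvent(T(ts), user, role, patient, source))
    return events


def is_authorized(event: AccessEvent, roster: Iterable[CareTeamEntry]) -> bool:
    """True if the user had an open care-team relationship at access time."""
    for e in roster:
        if e.patient_id == event.patient_id and e.user_id == event.user_id:
            if e.start <= event.timestamp and (e.end is None or event.timestamp <= e.end):
                return True
    return False


def review_chart_access(events: Iterable[AccessEvent], roster: Iterable[CareTeamEntry],
                        flagged_patients: Optional[Set[str]] = None) -> Dict[str, Dict[str, dict]]:
    """Summarise unauthorized accesses as {patient: {user: {role, count, remote, first, last}}}.

    flagged_patients limits the review to high-risk charts (aliased, VIP,
    employee, sensitive diagnosis); None reviews every chart in the log.
    """
    findings: Dict[str, Dict[str, dict]] = defaultdict(dict)
    for ev in events:
        if flagged_patients is not None and ev.patient_id not in flagged_patients:
            continue
        if is_authorized(ev, roster):
            continue
        rec = findings[ev.patient_id].setdefault(
            ev.user_id,
            {"role": ev.role, "count": 0, "remote": 0, "first": ev.timestamp, "last": ev.timestamp})
        rec["count"] += 1
        if ev.source == "remote":
            rec["remote"] += 1
        rec["first"] = min(rec["first"], ev.timestamp)
        rec["last"] = max(rec["last"], ev.timestamp)
    return {p: dict(u) for p, u in findings.items()}


if __name__ == "__main__":
    report = review_chart_access(parse_log(SAMPLE_LOG), ROSTER, {"PT-ALIAS-17"})
    for patient, users in report.items():
        for user, rec in users.items():
            print(f"{patient}: {user} ({rec['role']}) opened the chart {rec['count']} time(s) "
                  f"without a care-team relationship, {rec['remote']} remote, "
                  f"between {rec['first']:%H:%M} and {rec['last']:%H:%M}")
```

The review is only as good as the roster: a care-team entry whose end time is never set after a transfer or discharge will silently authorize later browsing.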


Although invasion of privacy can result from a seemingly harmless curiosity over the medical records of an “A-List” movie star, or concern about coworkers, their children, or friends and family, it may not cause any actual damage. However, one can imagine situations in which the divulgence of private health information can result in extraordinary psychological hardship. The fact remains that HIPAA privacy and security violations constitute an unconscionable breach of professional ethical and moral principles.

HIPAA Privacy Rule [FAQs]
Questions to determine whether HIPAA applies to me:
Are you a healthcare provider, RN, MD, or hospital? If yes, go to the next question.
Do you transmit any health information in electronic form (Internet, Intranet, Extranet)? If yes, go to the next question.
Is the transmission in connection with a covered transaction (e.g. a claim for payment)? If yes:
Congratulations! You are a covered entity and subject to the HIPAA Privacy Rule.

Headline News: HIPAA Hall of Shame, Violators Meet the Press.
All over the world, celebrities, scholars, political leaders, and everyday people are challenged for ways to preserve control of their identities in a digital media world that never forgets or forgives. The solutions for protecting our privacy may be technological, legislative, political, or judicial. Yet in an era of demands for full disclosure and calls for accountability and transparency, the French data-protection commissioner has reportedly called for a “constitutional right to oblivion” to allow citizens to enjoy a greater degree of anonymity online and in public. Until such time as our social mores and ethics lead us toward better control of ourselves, we should rightly expect more from each other as professionals than we do from technology.

SEPTEMBER 2007: Actor George Clooney and his girlfriend were injured in a motorcycle accident and taken for treatment to a hospital in New Jersey. During Clooney’s hospital stay, several curious staff members and nurses who were not directly participating in his care pried into his medical records. The hospital conducted an investigation and suspended 27 staff members for one month without pay. Mr. Clooney was quoted as saying, “While I very much believe in a patient’s right to privacy, I would hope that this could be settled without suspending medical workers.”

DECEMBER 2008: An LPN employed at an Arkansas clinic accessed the medical records of the plaintiff involved in a lawsuit against her husband, who had been in an auto accident. The patient had also suffered injuries in the accident and had joined in a lawsuit with other passengers seeking compensation for their injuries from the LPN’s husband. Her husband had been complaining about the upcoming legal proceedings, and they were both suffering financial hardships with the loss of income. She gave her notes from the patient’s chart to her husband, who then called the former clinic patient, saying he intended to use the information against him. The patient called the clinic where the LPN worked and complained to the Arkansas district attorney. She was fired from her job, and her employer reported her to the nursing board, which sought revocation of her license. She was charged with violating HIPAA and with “conspiracy to wrongfully disclose PHI for personal gain with maliciously harmful intent in a personal dispute.” In a plea agreement with the federal prosecutor, she pleaded guilty to one count of wrongful disclosure of PHI. She also faced up to 10 years in prison and a fine of up to $250,000. In exchange for her plea to the lesser charge, charges against her husband were dropped.

FEBRUARY 2009: A patient arrived in the emergency room at a hospital in Wisconsin with an object lodged in his rectum. Police received an anonymous call from an employee who said a nurse allegedly took pictures of a patient with her cell phone and posted them on her Facebook page. On investigation, police said the nurse told them that she and a coworker snapped photos of the patient’s x-ray when they learned the foreign object was a sex device. Police said a discussion about the incident was posted on her Facebook page, which she later voluntarily removed. The police referred the case to the FBI.

MAY 2009: California health regulators fined a hospital $250,000 for a privacy breach in a multiple birth (“Octomom”) case. The fine was the first monetary penalty imposed, and the largest allowed, under a new state law enacted in 2008 after widely publicized privacy violations occurred at UCLA Medical Center involving Farah Fawcett, Britney Spears, California’s former First Lady Maria Shriver, and other celebrities. The state Department of Public Health found that breaches of the so-called Octomom’s records extended beyond the hospital. Workers at other hospitals and the chain’s regional office were among those implicated. A total of 23 employees, including two doctors, were identified as having accessed the patient’s records without authorization. Of the 23 employees, 15 were either terminated or forced to resign under pressure, and eight faced other disciplinary actions. The doctors were not among those who were fired. The secretary of California’s Health and Human Services issued a statement that said, “It’s the hospital’s job to prevent these breaches from occurring, not just crack down after the fact.”

JULY 2009: Two employees, an emergency room unit clerk and the account services coordinator at a hospital in Arkansas, became curious about the status of a patient they processed on admission, for whom they’d been ordered by the charge nurse to set up an alias. After the patient had been moved to ICU, hospital records showed the clerk accessed the patient’s records three times, and the account representative accessed the record twelve times subsequent to the transfer, even though they had no legitimate job-related reason to do so. Records also showed they had received hospital training on HIPAA privacy laws. They were subsequently fired from their jobs.

The medical director of the hospital was reportedly home watching the TV news reports regarding the same patient, a local TV personality, who was beaten by an intruder at her home in October of 2008. He accessed patient records from his computer at home to determine if the news reports about the severity of her injuries were accurate. He admitted he accessed the files because he was curious, and stated that he then logged off the computer, admitting that he knew it was inappropriate for him to be looking at the patient’s file. He had received HIPAA training. His medical privileges were


suspended for two weeks and he was required to complete an online HIPAA training module.

Pursuant to plea agreements with the , all three employees pleaded guilty to a misdemeanor violation of the health information privacy provisions of HIPAA. Each additionally faced a maximum penalty of one year of imprisonment and a fine of not more than $50,000, or both. In determining the actual sentences, federal judges can consult advisory U.S. sentencing guidelines, but they are not bound by them.

JANUARY 2011: A male nurse working at a hospital in Florida was fired for allegedly looking at Tiger Woods’ medical records. The nurse was accused of peeking at Woods’ medical records three times during a 10-minute period, when the golfer was admitted after crashing his car into a fire hydrant. The nurse in turn claimed someone else used his code to access the records and subsequently filed a lawsuit seeking reinstatement and $400,000 in damages. He claimed he was wrongfully terminated, as the case against him was based solely on circumstantial evidence.

JANUARY 2011: A group of female nursing students posed for a picture with a placenta from a recently delivered mother during their lab course at a hospital in Missouri and posted it on Facebook. One student claimed she asked her nursing instructor for permission to post the photo to share their learning experience, but later that day the instructor called her back and asked her to remove the post. The student promptly complied. The students were expelled from the community college in suburban St. Louis. The students’ dismissal was overturned by a federal judge who ordered the school to reinstate them. He focused on the fact that the mother was not identifiable and argued that there was implied consent on the part of the instructor, and that the school’s response was overkill that violated the students’ due process rights.

According to a press release issued by the college, “The entire college community is disappointed that the students have decided to abandon the academic appeals process and take their grievances to the court for resolution. We regret that the students used such poor judgment to take such a unique educational opportunity that was presented in a private clinical setting and broadcast it on the Web. We teach our students to respect the confidentiality of patient care, which extends beyond the hospital room and includes situations when the nurse is not in the presence of the patient. The actions of the students showed not only poor judgment, but also lack of respect and a complete disregard for the ethical standards of the nursing profession.

“We will do whatever we need to do to reassure the community that this behavior is not what we teach at the community college. Because we cannot tolerate such unprofessional behavior in our students, we took what we believed to be appropriate action. The behaviors of the students were insensitive and disrespectful toward

References
Brill, J. (2008). Giving HIPAA Enforcement Room to Grow: Why there Should Not (Yet) Be a Private Cause of Action. Notre Dame Law Review 83(5), 2105-2140.
Cady, R. F. (2005). Nurse Executive’s Legal Primer. JONA’S Healthcare Law, Ethics, and Regulation 7(1), 10-20.
California Nurses Association/National Nurses Organizing Committee (1998/2006). Board of Directors/Joint Nursing Practice Commission, Position Statement on Telenursing.
Conn, J. (2006). HIPAA, 10 years after. Modern Healthcare, 36(31), 26.
Dimick, C. (April 2010). A guide to California’s breaches: First year of state reporting requirement reveals common privacy violations. Journal of AHIMA, 81(4), 34-36. Retrieved on July 27, 2011 from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_046934.hcsp?dDocName=bok1_046934
Dimick, C. (December 8, 2008). Arkansas HIPAA violator sentenced. Journal of AHIMA. Retrieved on July 27, 2011 from http://journal.ahima.org/2008/12/08/arkansas-hipaa-violator-sentenced/
Echegaray, C. (June 30, 2011). Laptop Encryption Software: PhyData Notebook Computer Theft Affects 1,500 Patients. The Tennessean. Retrieved on July 4, 2011, from http://www.tennessean.com/article/20110630/NEWS/306300073/Laptop-more-than-1-500-patients-data-stolen
Erikson, J.I., & Miller, S. (2005). Caring for patients while respecting their privacy; renewing our commitment. Online Journal of Issues in Nursing, 10(2). Retrieved on July 4, 2011 from http://www.medscape.com/viewarticle/506840
Frank-Stromoborg, J.D., & Ganschow, J.R. (2002). How HIPAA will change your practice. Nursing 32(9), 54.
Gostin, L.O. (2000). Public Health Law: Power, Duty, Restraint, 85-109. Berkeley, CA: University of California Press.
Haas, J. (January 2, 2011). Johnson County Community College responds to lawsuit. Johnson County Community College Press Release. Retrieved on July 24, 2011 from http://www.jccc.edu/press_releases/2011/gen-lawsuit.html
Hennessy-Fiske, M. (August 8, 2010). When Facebook goes to the hospital, patients may suffer: Social networking sites can bolster the image of medical facilities, but privacy standards can easily be violated. The Los Angeles Times. Retrieved July 24, 2011 from http://articles.latimes.com/print/2010/aug/08/local/la-me-facebook-20100809
Henry, C. (February 25, 2008). Nurses fired over cell phone photos of patient: Case referred to FBI for possible HIPAA violations. abc-wisn.com. Retrieved on July 24, 2011 from http://www.wisn.com/r/18796315/detail.html
Lo, B., Dornbrand, L., & Dubler, N. (2003). HIPAA and patient care: The role for professional judgment. JAMA 293(14), 1766-1771.
National Institutes of Health (2004). Protecting personal health information in research: understanding the HIPAA Privacy Rule. Washington, D.C.: National Institutes of Health. NIH Publication Number 03-5388. Retrieved from http://privacyruleandresearch.nih.gov/pr_02.asp
Ornstein, C. (May 15, 2009). Kaiser Hospital Fined $250,000 for Privacy Breach


the mother and the human tissue involved. The fact that this story has so quickly gone viral is evidence itself of how damaging social media can be if not used appropriately.”

APRIL 2011: A Massachusetts hospital agreed to pay the U.S. government $1 million to settle potential violations involving the loss of protected health information (PHI) of 192 patients. Evidently a hospital employee, while commuting to work, accidentally left documents behind on a subway train. The documents contained protected health information such as billing encounter forms containing the name, date of birth, number, health insurer and policy number, diagnosis, and name of providers. An employee mistake resulted in costly violations.

MAY 2011: A laptop containing more than 1,500 patient names and their personal information was stolen from a medical billing company employee’s car. A medical billing and management company located in Goodlettsville, Tenn., reported the laptop stolen from the trunk of the worker’s vehicle at a mall on May 7, 2011. Since the incident, the company operates a toll-free call center to address questions and provide ID theft service at no cost to those affected. The company has now encrypted and password-protected all the laptops, reinforcing proper safety protocols with the staff.

JULY 2011: A Southern California university agreed to an $865,000 settlement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) resolving allegations it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The complaints alleged that university employees repeatedly and without permissible reason looked at the electronic protected health information of two celebrity patients between 2005 and 2008.

The corrective action plan requires the university to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess compliance with the plan over three years. (The agreement specifies that it is neither an admission of liability on the part of the university nor a concession on the part of HHS that the university is in violation of HIPAA.)

A review of these recent incidents should prompt you to consider making an inquiry to locate and become familiar with your employer’s health information privacy and security policies. Also, it’s instructive to review the primary purpose of patient records.

A record is a valuable source of data that is used by all members of the healthcare team. Its purposes include communication, legal documentation, financial billing, education, research, and auditing-monitoring. The patient record is a means by which healthcare team members communicate patient needs and progress, individual therapy and treatment, content of conferences, patient education, and discharge planning. The plan of care needs to be clear to anyone

in Octuplet Case. ProPublica. Retrieved on July 3, 2011, from http://www.propublica.org/article/kaiser-hospital-fined-250000-for-privacy-breach-in-octuplet-case-515
Ornstein, C. (July 7, 2007). UCLA Health System Pays $865,000 to Settle Celebrity Privacy Allegations. ProPublica. Retrieved July 10, 2011, from http://www.propublica.org/article/ucla-health-system-pays-865000-to-settle-celebrity-privacy-allegations
Pacheco, W. (January 20, 2011). Tiger Woods: Nurse files lawsuit against Health Central, saying he was wrongly accused of looking at Woods’ records. Orlando Sentinel. Retrieved July 24, 2011 from http://articles.orlandosentinel.com/2011-01-20/news/os-tiger-woods-nurse-fired-20110120_1_defamation-lawsuit-tiger-woods-ocoee-hospital
Pauker, S.G., & Pauker, S.P. (2004). Privacy vs. Safety: Is the tradeoff a bug or a feature of HIPAA. Agency for Healthcare Research and Quality. Accessed July 1, 2011, from http://webmm.ahrq.gov/case.aspx?caseID=57
Rosati, K. (2002). HIPAA privacy: the compliance challenges ahead. Journal of Health Law 35(1), 45.
Rosen, J. (July 21, 2011). The Web means the end of forgetting. The New York Times. Retrieved July 24, 2011 from http://www.newyorktimes.com/2010/07/25/magazine/25privacy-t2.html?pagewanted=print
Standards for Privacy of Individually Identifiable Health Information: Final Rule, 67 Federal Register 55918 (2002). Retrieved July 2, 2011, from http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
United States Department of Health and Human Services, Office of Civil Rights (November 14, 2006). Health Information Privacy, Incidental Uses and Disclosures. Retrieved July 4, 2011 from http://www.hhs.gov/ocr/privacy/hipaa/faq/incidental_uses_and_disclosures/index.html
United States Department of Health and Human Services, Office of Civil Rights (February 24, 2011). News Release. Retrieved July 3, 2011 from http://www.hhs.gov/news/press/2011pres/02/20110224b.html
United States Department of Health and Human Services, Office of Civil Rights (Revised May 2003). Privacy Brief. Summary of the HIPAA Privacy Rule. Retrieved July 4, 2011 from http://www.hhs.gov/ocr/privacy/
United States Department of Justice (July 20, 2009). News Release: Doctor and two former hospital employees plead guilty to HIPAA violation. United States Attorney, Eastern District of Arkansas. Retrieved on July 27, 2011 from http://www.fbi.gov/littlerock/press-releases/2009/lr072009.htm
United States Department of Justice (June 1, 2005). Memorandum Opinion for the General Counsel, Department of Health and Human Services, and the Senior Counsel to the Deputy Attorney General on the Scope of Criminal Enforcement Under 42 U.S.C. § 1320d-6. Retrieved July 4, 2011, from http://www.usdoj.gov/olc/hipaa_final.htm
Youngstrom, N. (July 8, 2009). Surprises Arise as Hospitals Struggle with FTC’s Red Flags Rule. Report on Medicare Compliance. Retrieved on July 4, 2011 from http://www.imakenews.com/accushred/e_article001484385.cfm?x=b11,0,w


reading the chart. The record should be the most current and accurate source of information about a patient’s healthcare status. There are many reasons why it’s important to keep one’s medical records and PHI private. For instance, if personal health information were accessible, employers might use the information to recruit the healthiest employees, and lenders might use the PHI to decide whether or not to grant a loan. Medical identity theft is also a growing concern that could jeopardize one’s health and even lead to legitimate insurance claims being denied.

Nursing standards and honest, ethical fact-finding should not be compromised in the care planning and investigatory process, especially when the evaluation of a poor outcome may be the result of a system problem. Critical thinking attitudes, reflective practice, and applications in practice start with curiosity. Always ask why! Be prepared to question assumptions and confront bias and self-serving attitudes from peers and administrators. Recognize when your opinions may conflict with those of the patient, your peers, or management/supervisory personnel; review your position and decide how best to proceed to maintain professional standards and achieve professional goals and outcomes.

Recognize when more information is needed to make a decision and reach a conclusion. A clinical symptom or unexpected clinical outcome can indicate a variety of problems that require a systematic approach to problem-solving. Be wary of the easy or expedient answer. Use known scientific and practice-based criteria when making assessments and evaluations. Be thorough and identify the risks for problems of the same type to help prevent recurrence. Bring colleagues together for a patient care conference during a staff meeting. Look for patterns and identify solutions. Do not compromise nursing standards, patient privacy and confidentiality, or intellectual integrity when providing care or evaluating nursing care.

Nursing Practice Considerations: and RN Duty and Responsibility.
RNs have a unique patient advocacy role in the healthcare delivery system, and technology should only be used to enhance and augment this unique role. Information technology is constantly evolving, and as the development of telecommunications technology continues its rapid evolution, particularly in healthcare, it is important that it is harnessed and controlled to best serve the privacy and confidentiality needs of patients in the United States. Information technology can neither substitute for nor eliminate the need for independent professional judgment. Computers are not infallible, but many people tend to think that they are.

It is the position of National Nurses United that electronic health records (EHRs), computerized physician order entry systems (CPOEs), and health information technology should be utilized to enhance the provision of safe, therapeutic, and effective nursing care in the exclusive interests of the patient. Information and data collection, storage, retrieval, and transmission technologies must not interfere with the establishment of the RN-patient therapeutic relationship or override the ability of the RN to document the nursing process, including physical exam and assessment, care planning, implementation, response to treatment interventions and evaluation of care, and documentation of advocacy activities and consultation with other treatment team personnel.

Avoiding Breaches in Confidentiality and the Pitfalls of Technology.
In 2006, the CNA/NNOC Joint Nursing Practice Commission, together with National Director of Nursing Practice and Patient Advocacy Hedy Dumpel, RN, JD, reviewed their organizational “Position Statement on Telenursing.” Subsection IX, “Privacy and Protection of Individually Identifiable Health Information,” includes the following relevant problem statement:

“Electronic records make it easier to snoop or engage in chart browsing, which creates some concerns since hospital mergers have made it more likely that employees will receive medical care from their own institution. The most likely targets are certain patients, hospital employees, celebrities, and patients with a sensitive diagnosis.”

Indeed there are a growing number of news reports of citations, arrests, criminal penalties, and fines for violations of patient confidentiality and security breaches that have occurred in healthcare settings. CNA/NNOC’s position statement concludes with relevant recommendations, congruent with HIPAA guidelines, for prudent and proactive RN practice and patient protection:

No disclosures of health information or genetic information without informed consent of the patient and affected parties. Healthcare and genetic information about consumers should be disclosed for health purposes and/or research only. Under no circumstances can health information be used for hiring, firing, promotion, or to deny affordable health insurance, or in any other way infringe on one’s civil rights.

Individuals or entities who legally receive health information must be required to safeguard the information or be subjected to legal or disciplinary sanctions when trading such information for economic gains or undue advantage.

There will be no sanctions against registered nurses or other healthcare workers for disclosing health information or records to authorized public officials for the purpose of protecting the public interest.

Encourage the use of technical security safeguards like audit trails, security codes, scrambling devices, passwords, or electronic blocks, and encryption of confidential information transmitted via the Internet or other online means.

Support legislation to classify Medical Expert Systems (MES) as products, not services, giving injured patients the right to litigate any injuries resulting from the use of such systems in the courts, pursuant to product liability principles. Sponsor or support regulations or legislation to assure the strictest regulation of Medical Expert Systems (Class III medical devices) where such systems are to be marketed to the consumer for use without the supervision and intervention of a registered nurse or physician.

Conclusion
When it comes to information technologies, whether high tech or low tech, taking appropriate security measures to protect patient privacy and confidentiality remains a priority. Nurses must scrupulously follow all HIPAA-related policies and procedures outlined by their employers and take every reasonable action to prevent unauthorized people from viewing or having access to protected patient health data. In the spirit of professionalism, nurses must put patient well-being first and take responsibility for clinical practice. This includes questioning and working to change policies that don’t appear to be congruent with the intent of the law and published

24 NATIONAL NURSE WWW.NATIONALNURSESUNITED.ORG SEPTEMBER 2011 CE_JulAug 10/11/11 9:31 PM Page 25

HHS guidelines. Think twice before disclosing information to a A healthcare professional may discuss lab test results and plan third party. You don’t have to be tight-lipped about your patients; of care with a patient or other provider in a joint treatment area. you should consult with and share information with colleagues who A healthcare professional may discuss a patient’s condition or are directly involved in your patient’s care. treatment regimen in the patient’s semi-private room. In most cases you should consult with your manager, or your Healthcare professionals may discuss a patient’s condition facility’s compliance officer, regarding any apparent conflicts during training rounds in an academic or training institution. between the privacy rules and patient safety concerns. Many mis- In these circumstances, reasonable precautions could include conceptions arise from gaps in the regulations. These gaps are using lowered voices or talking apart from others when sharing pro- appropriately filled by professional judgment, informed by ethical tected health information. However, in an emergency situation, in a guidelines. In the context of inadvertent disclosure of confidential loud emergency room, or where a patient is hearing impaired, such patient information, the legal risks of good practice are very low. precautions may not be practicable. Covered entities are free to Social networks, blogs, and other forms of Internet communications engage in communications as required for quick, effective, and high- can enable nurses to have a professional presence online; however they quality healthcare. can create new challenges. Nurses should weigh a number of considera- tions when maintaining a presence in cyberspace. 
Privacy settings are Q: Does the HIPAA Privacy Rule require hospitals and doctors’ not absolute and once information or photos and videos are posted on offices to be retrofitted, to provide private rooms, and sound- the Internet, the content is likely to remain there permanently. proof walls to avoid any possibility that a conversation is over- If nurses view content posted by their colleagues that is offensive heard? and unprofessional, they have a responsibility to bring that informa- A: No. The Privacy Rule does not require these types of structural tion to the attention of the individual who posted it, so that he or she changes be made to facilities. can remove it and take other appropriate actions as necessary. If the Covered entities must have in place appropriate administrative, content appears to violate professional standards as discussed in the technical, and physical safeguards to protect the privacy of protected HIPAA Privacy and Security Rules and the individual does not take health information. This standard requires that covered entities appropriate action to resolve the situation, you should discuss the make reasonable efforts to prevent uses and disclosures not permit- matter with a union representative and the Professional Practice ted by the rule. The department does not consider facility restruc- Committee. Referral of the matter to the facility compliance officer turing to be a requirement under this standard. and/or other appropriate authorities may be necessary. Failure of For example, the Privacy Rule does not require the following the profession to regulate itself and hold its licensees accountable types of structural or systems changes: can undermine the public’s trust of nurses. Private rooms. Soundproofing of rooms. HHS Answers to Frequently Asked Questions Encryption of wireless or other emergency medical radio com- Q: Can healthcare providers engage in confidential conversa- munications which can be intercepted by scanners. 
tions with other providers or with patients, even if there is a pos- Encryption of telephone systems. sibility that they could be overheard? Covered entities must implement reasonable safeguards to A: Yes. The HIPAA Privacy Rule is not intended to prohibit limit incidental, and avoid prohibited, uses and disclosures. The providers from talking to each other and to their patients. Provisions of Privacy Rule does not require that all risk of protected health this rule requiring covered entities to implement reasonable safe- information disclosure be eliminated. Covered entities must guards that reflect their particular circumstances and exempting treat- review their own practices and determine what steps are reason- ment disclosures from certain requirements are intended to ensure able to safeguard their patient information. In determining what that providers’ primary consideration is the appropriate treatment of is reasonable, covered entities should assess potential risks to their patients. The Privacy Rule recognizes that oral communications patient privacy, as well as consider such issues as the potential often must occur freely and quickly in treatment settings. Thus, cov- effects on patient care, and any administrative or financial burden ered entities are free to engage in communications as required for to be incurred from implementing particular safeguards. Covered quick, effective, and high-quality healthcare. The Privacy Rule also rec- entities also may take into consideration the steps that other pru- ognizes that overheard communications in these settings may be dent healthcare and health information professionals are taking unavoidable and allows for these inciden- to protect patient privacy. tal disclosures. 
Examples of the types of adjustments For example, the following practices or modifications to facilities or systems are permissible under the Privacy Rule, if Patient Rights under that may constitute reasonable safe- reasonable precautions are taken to min- guards are: imize the chance of incidental disclosures HIPAA Privacy Rule Pharmacies could ask waiting cus- to others who may be nearby: tomers to stand a few feet back from a Healthcare staff may orally coordi- ■ Right to privacy/confidentiality counter used for patient counseling. nate services at hospital nursing stations. ■ Right to access to medical records In an area where multiple patient- Nurses or other healthcare profes- ■ Right to amend medical record staff communications routinely occur, sionals may discuss a patient’s condi- ■ Right to accounting of disclosures use of cubicles, dividers, shields, curtains, tion over the phone with the patient, a or similar barriers may constitute a rea- provider, or a family member. sonable safeguard. For example, a large

SEPTEMBER 2011 WWW.NATIONALNURSESUNITED.ORG NATIONAL NURSE 25 CE_JulAug 10/11/11 9:31 PM Page 26

clinic intake area may reasonably use cubicles or shield-type Possible safeguards may include: if the X-ray lightboard is in dividers, rather than separate rooms, or providers could add cur- an area generally not accessible by the public, or if the nursing tains or screens to areas where discussions often occur between doc- station whiteboard is not readily visible to the public, or any other tors and patients or among professionals treating the patient. safeguard which reasonably limits incidental disclosures to the Hospitals could ensure that areas housing patient files are super- general public. vised or locked. The above examples of possible safeguards are not intended to be Q: May physicians’ offices use patient sign-in sheets or call out exclusive. Covered entities may engage in any practice that reason- the names of their patients in their waiting rooms? ably safeguards protected health information to limit incidental uses A: Yes. Covered entities, such as physicians’ offices, may use and disclosures. patient sign-in sheets or call out patient names in waiting rooms, so Q. A hospital customarily displays patients’ names next to the long as the information disclosed is appropriately limited. The door of the hospital rooms that they occupy. Will the HIPAA Pri- HIPAA Privacy Rule explicitly permits the incidental disclosures vacy Rule allow the hospital to continue this practice? that may result from this practice, for example, when other patients A: Yes. The Privacy Rule explicitly permits certain incidental dis- in a waiting room hear the identity of the person whose name is closures that occur as a by-product of an otherwise permitted disclo- called, or see other patient names on a sign-in sheet. However, these sure—for example, the disclosure to other patients in a waiting room incidental disclosures are permitted only when the covered entity of the identity of the person whose name is called. 
In this case, dis- has implemented reasonable safeguards and the minimum neces- closure of patient names by posting on the wall is permitted by the sary standard, where appropriate. For example, the sign-in sheet Privacy Rule, if the use or disclosure is for treatment (for example, to may not display medical information that is not necessary for the ensure that patient care is provided to the correct individual) or purpose of signing in (e.g., the medical problem for which the healthcare operations purposes (for example, as a service for patient is seeing the physician). patients and their families). The disclosure of such information to Q: Are physicians and doctors’ offices prohibited from maintain- other persons (such as other visitors) that will likely also occur due ing patient medical charts at bedside or outside of exam rooms, or to the posting is an incidental disclosure. from engaging in other customary practices where the potential Incidental disclosures are permitted only to the extent that the exists for patient information to be incidentally disclosed to others? covered entity has applied reasonable and appropriate safeguards A: No. The HIPAA Privacy Rule does not prohibit covered enti- and implemented the minimum necessary standard, where appro- ties from engaging in common and important healthcare practices, priate. See 45 CFR 164.502(a)(1)(iii). In this case, it would appear nor does it specify the specific measures that must be applied to pro- that the disclosure of names is the minimum necessary for the pur- tect an individual’s privacy while engaging in these practices. Cov- poses of the permitted uses or disclosures described above, and there ered entities must implement reasonable safeguards to protect an do not appear to be additional safeguards that would be reasonable individual’s privacy. In addition, covered entities must reasonably to take in these circumstances. 
However, each covered entity must restrict how much information is used and disclosed, where appro- evaluate what measures are reasonable and appropriate in its envi- priate, as well as who within the entity has access to protected health ronment. Covered entities may tailor measures to their particular information. Covered entities must evaluate what measures make circumstances. sense in their environment and tailor their practices and safeguards Q: May mental health practitioners or other specialists provide to their particular circumstances. therapy to patients in a group setting where other patients and For example, the Privacy Rule does not prohibit covered entities family members are present? from engaging in the following practices, where reasonable precau- A: Yes. Disclosures of protected health information in a group tions have been taken to protect an individual’s privacy: therapy setting are treatment disclosures and, thus, may be made Maintaining patient charts at bedside or outside of exam rooms, without an individual’s authorization. Furthermore, the HIPAA Pri- displaying patient names on the outside of patient charts, or display- vacy Rule generally permits a covered entity to disclose protected ing patient care signs (e.g., “high fall risk” or “diabetic diet”) at health information to a family member or other person involved in patient bedside or at the doors of hospital rooms. the individual’s care. Where the individual is present during the dis- Possible safeguards may include: reasonably limiting access to closure, the covered entity may disclose protected health informa- these areas, ensuring that the area is supervised, escorting non- tion if it is reasonable to infer from the circumstances that the employees in the area, or placing patient charts in their holders with individual does not object to the disclosure. 
Absent countervailing identifying information facing the wall or otherwise covered, rather circumstances, the individual’s agreement to participate in group than having health information about the patient visible to anyone therapy or family discussions is a good basis for inferring the indi- who walks by. vidual’s agreement. Announcing patient names and other information over a facility’s How to HIPAA. The Office for Civil Rights, part of the public announcement system. Department of Health and Human Services, has a wide range Possible safeguards may include: limiting the information dis- of helpful information about HIPAA on its website, closed over the system, such as referring the patients to a reception http://www.hhs.gov/ocr/hipaa, including the full text of the desk where they can receive further instructions in a more confiden- Privacy Rule, a HIPAA Privacy Rule Summary, fact sheets, and tial manner. more than 200 Frequently Asked Questions, as well as many Use of X-ray lightboards or in-patient logs, such as whiteboards, other resources to help healthcare providers and others under- at a nursing station. stand the law.

Continuing Education Test
HIPAA—The Health Insurance Portability and Accountability Act
For continuing education credit of 4.0 hours, please complete the following test, including the registration form at the bottom, and return to: NNU/Nursing Practice, 2000 Franklin St., Oakland, CA 94612. We must receive the completed home study no later than Dec. 15, 2011 in order for you to receive your continuing education credit.

1. A covered healthcare provider who provides a healthcare service at the request of an individual’s employer may not disclose the individual’s protected health information to the employer for the purposes of workplace medical surveillance. ❏ True ❏ False

2. A suggested best practice for safeguarding your personal computer password includes sharing it with your team leader. ❏ True ❏ False

3. Computers are infallible and have eliminated the need for the independent, professional clinical judgment of the RN. ❏ True ❏ False

4. Covered entities and healthcare employers are required to keep all policies and procedures regarding HIPAA compliance in written format. ❏ True ❏ False

5. Patient identifying information includes discharge data, fingerprints, and county of residence and individuals’ identifiable characteristics. ❏ True ❏ False

6. Protecting patient confidentiality was always the sole responsibility of physicians until passage of the Health Insurance Portability and Accountability Act (Public Law 104-191) in 1996. ❏ True ❏ False

7. RNs have a unique patient advocacy role in the healthcare delivery system and as information technology evolves, it is important that it is harnessed and controlled to best serve the privacy and confidentiality needs of our patients. ❏ True ❏ False

8. The advantages of HIPAA are that employees can change jobs without losing coverage as a result of preexisting coverage exclusions as long as they have had 12 months of continuous group health coverage. ❏ True ❏ False

9. The Food and Drug Administration, the Centers for Disease Control and Prevention, and the Occupational Safety and Health Administration are all considered public health authorities. ❏ True ❏ False

10. The Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996 by President George Bush after heated Congressional partisan debates. ❏ True ❏ False

11. The HIPAA Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy. ❏ True ❏ False

12. The HIPAA Privacy Rule requires hospitals and doctors’ offices to be retrofitted to provide private rooms to avoid any possibility that a provider-patient conversation is overheard. ❏ True ❏ False

Name:______

Address: ______

City:______State:______Zip: ______

Day phone with message machine: ______Email: ______

RN license #: ______Job Classification: ______
