NEW YORK NURSE: September 2007

Confusion over privacy issues

How can RNs stay out of trouble?

by MARK GENOVESE

Penny*, a registered nurse represented by NYSNA, received word while on duty that her aunt had been brought to the hospital’s emergency room. She immediately rushed down to see her.

Confused, the aunt asked: “Can you find out what they’re doing with me?” Penny read her chart and explained everything. However, a co-worker saw Penny pick up the chart and reported her. Penny was suspended. Although NYSNA was able to reduce the penalty to a written warning, this incident is an example of how common it is to misinterpret the 1996 Health Insurance Portability and Accountability Act (HIPAA).

NYSNA nursing representatives report that the law is sometimes used as an excuse to deny requests for information or to discipline employees who are branded “troublemakers.”

While admitting a patient, Rachel*, an active member of her LBU, received a call from a woman claiming to be the patient’s wife. Rachel was cautious. Two weeks before, an RN had given information over the phone to a patient’s wife. When the patient’s girlfriend came to the unit, the RN learned the two were separated. Rachel did the best she could in her hectic unit to verify the caller’s identity, asking: “Do you live with him?” This angered the caller, who filed a complaint. Rachel was suspended.

Where to draw the line?

Administered by the U.S. Department of Health and Human Services (HHS), HIPAA is intended to protect employees from losing their health insurance when leaving their jobs. It also protects patients’ personal data while allowing family and healthcare providers to access necessary information. Compliance has been mandatory since 2003.

“Determining where to draw the line has caused considerable confusion,” said Carol Lynn Esposito, associate director of NYSNA’s Economic and General Welfare program. “It’s part of an RN’s role to balance the need to protect the patient’s confidentiality with the benefit of communicating with others who provide care.” But HIPAA penalties provide an incentive to err on the side of caution: a violation can carry a civil fine of up to $25,000, plus a criminal penalty of up to 10 years in prison and an additional $250,000 in fines.

“Many healthcare advocates have questioned whether the federal government has provided adequate guidance,” Esposito said. Congress is working on clarifying the law. Meanwhile, some professional associations have tried to fill in the gaps. The American Nurses Association Code of Ethics says RNs must promote, advocate for, and strive to protect a patient’s health, safety, and rights. HIPAA also calls for deference to state law if that law is stricter, as is the case in New York (see sidebar).

HIPAA mandates only minimum standards. A facility is permitted to have stricter policies by which RNs must abide. In Penny’s case, NYSNA successfully established that management didn’t give nurses adequate instruction on how to implement HIPAA. Although Penny’s actions were permissible under HIPAA because the patient asked her to obtain the information, she received a warning because she had violated the hospital’s policy prohibiting anyone who is not directly involved in providing care from seeing a patient’s chart.

“Nurses who are represented for collective bargaining by their professional associations should always contact their representative for help in dealing with these issues,” Esposito added.

What can you disclose and to whom?

So far, no penalties have been levied against healthcare providers for HIPAA violations. The majority of complaints have concerned patients who were denied access to their own information, adult children seeking information about elderly parents, or information sent to the wrong place via fax or e-mail.

HIPAA allows you to use your professional judgment to determine if it is appropriate to disclose information, provided you also follow hospital policy. These guidelines, although not a substitute for professional legal advice, can help you stay out of HIPAA trouble.

Interactions

• You may respond to questions from family, friends, and clergy involved in the patient’s care – unless the patient objects. HIPAA allows this on the theory that consent is implied. Objections don’t need to be in writing, but you should try to discuss this issue. “However, this is only what HIPAA permits, and not necessarily what a facility permits,” said Sara Corello, attorney for Spivak Lipton, LLP. “Many hospitals will allow disclosure of basic information, such as condition, to those who ask by name, but not necessarily any other questions. Also, there are particular laws that apply to certain conditions, such as HIV status.”
• You don’t need the patient’s consent to disclose personal health information to other healthcare providers for treatment purposes, when referring a patient to a community provider, or to allied providers to facilitate billing.
• Public health authorities can be provided with information for reports and investigations, but identifying factors must be removed if information is distributed without consent. You cannot reveal confidential information to reporters, but can discuss general health issues. Your facility may require that public health authority or press inquiries be directed to a particular department.
• Follow your facility’s procedures for calling a patient’s last name in a waiting room or leaving messages on an answering machine.
• Information may be disclosed to address threats to public health or safety, but remember to check your facility’s procedures for handling such special circumstances.

Work Environment

• Under New York state law, patients’ full names cannot be posted outside their rooms. Only initials should be used. Nursing practice guidelines require that you check patient armbands to ensure the correct patient is receiving care.
• Medical records may be placed in wall bins outside exam room, but should be turned toward the wall.
• If a dry-erase board is in public view, personal information cannot be written on it. This would be a violation of New York tort law.
• You should make sure you close file folders, place clipboards face down, close drawers and doors, shut down computer screens and dispose of information in the proper bins, properly shredded.

Use Common Sense

• Don’t take records home, share passwords or codes, discuss clients in public places, or leave a computer unattended with information on a screen.
• Follow proper security for remote computer access and make sure all e-mail addresses and fax numbers are accurate.
• Patients may be videotaped for teaching purposes if you obtain their written consent and don’t identify them.
• Keep signed permission forms from patients on file.

“Again, remember that it is essential that you familiarize yourself with the hospital’s privacy policies, which may be more restrictive than HIPAA’s requirements,” Corello said.

NYSNA offers help

NYSNA’s online course, “HIPAA: What Does It Mean for Nurses?” can help you understand this issue. For more information visit www.elearnonline.net.

* Not her real name

:: Publications | :: About NYSNA | :: NYSNA Home