Patient privacy protection is a cornerstone of any patient bill of rights and is a major goal of any nurse or medical professional. Without privacy, the basis of trust necessary to facilitate patient healing simply cannot occur. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) increasingly dominates the nursing landscape. Safeguarding private patient information is not just important. It is the law. HIPAA provides federal protection for personal health information that is held by the affected organizations (and their contractors) and gives patients a wide spectrum of rights related to that information. Such organizations include health care providers (doctors, nurses, etc.), health plans (insurance, HMOs, etc.) or health care clearinghouses (entities that process nonstandard information) or student records at universities. An organization is required to know if it is an entity covered by HIPAA in order to comply with the law. Once the records are no longer needed, their appropriate and secure disposal is the responsibility of the health care provider or other applicable entity in the health care chain. Any unauthorized disclosure of the patient information is that entity's responsibility.
Comprehensive HIPAA training is essential to proactively following the law and effectively preserving patient privacy rights. Such training needs to be regular and standardized to make sure that it adheres to HIPAA standards. Every organization is responsible for making sure that its training program is up-to-date with information about the latest HIPAA updates and regulations. Included in any training program should be information about the significance of patient privacy and the grave implications of violating the law in terms of penalties and of impact upon the patient. In this arena, it is important for the health care provider to know who is authorized to have access to the sensitive patient information, whether it be the patient's friends, family members, or others designated by the patient as involved in their care.
Privacy preservation is to be expected not just in the storage and transport of the information, but also in its disclosure. Additionally, HIPAA is a system that specifies set methods of administrative, physical and technical safeguards for the affected organizations to use in order to facilitate the potentially conflicting goals of confidentiality, availability and integrity of Electronic Medical Records (EMR). EMR is becoming more technical, with mandatory training for medical personnel in equipment, in safeguarding EMRs and in the complications of outsourcing EMR management to contractors. Security risks can also apply to Electronic Health Information transferred from Peer-to-Peer (P2P) file sharing applications. The Federal Trade Commission (FTC) has written a guide to P2P security issues to guide businesses which collect and store sensitive patient information. The FTC also covers the safeguarding of Electronic Protected Health Information on Digital Copier machines.
While all of the above responsibilities may seem impossible to carry out, in the following study, the author provides a possible pragmatic solution that allows leeway in certain situations with regard to HIPAA observance and enforcement by health care providers and related entities. When such violations do not result in actual harm, punishments might be a bit lighter than outright suspension or firing. In this way, a balance can be struck between protecting patient privacy and being overly zealous in enforcement of HIPAA.
B. Problem Identification
We all have been around the water cooler, the lunch room, the rest room, the hallway, the smoking area, or even online at work and enjoyed hearing some salacious gossip about a fellow employee, friend or family member. While the information is about us or coworkers, it is not a problem. However, when that juicy gossip includes guarded patient information, it becomes literally a federal case in the form of a HIPAA violation.
Certainly, most doctors or nurses can remember talking over a serious patient issue in a relaxed setting and getting helpful advice. However, we have also probably heard nasty and vindictive comments about patients and their health problems. This is particularly the case if they are a difficult patient or if they have given the nurse, doctor, or orderly a hard time in the process. This is a risk with all hospital employees from the cook to the CEO, especially in the case of inexperienced new employees or student hospital interns.
This problem was recognized and analyzed in the October 2010 issue of the journal Academic Medicine, which published a study analyzing data from 65 participant medical students to study unprofessional activity online. While the study was about the online activities of medical students, it reflects upon other medical personnel as well, particularly since many of these students will soon be in the health care workforce. As the journal notes, U.S. medical schools have alarmingly reported cases of unprofessional online content by their medical students. The 65 medical students took part in a qualitative study that explored medical students' online posting activities in medical school.
While they say they avoided HIPAA violations (the study did not mention if it tested their HIPAA knowledge level) or illegal activities, students disagreed as to what constituted inappropriate postings. In this author's opinion, this could prove problematic when there are gray areas that require a person's best judgment. They felt that their postings were guided by common sense and that the schools were too intrusive into their privacy (ibid., 71). Certainly, such cavalier attitudes about private information online may change as the person changes and grows as a professional. However, they might not. This is a concern for hospitals as EMRs become more and more the rule in the health care environment.
Perhaps before this author describes what they feel is an appropriate solution to such a problem (or other casual workplace violations of HIPAA), we should discuss two probable nonsolution situations. While HIPAA violations should always be taken seriously and patient information should always be safeguarded, some enforcement may be too zealous and actually counterproductive. In a 2010 legal case, a former UCLA Health System employee was the first person in the United States to be sentenced to federal prison for violating HIPAA after pleading guilty to accessing and reading confidential medical records of supervisors and high-profile celebrities. According to the U.S. District attorney, he did not sell or use the information in any other way ("Californian sentenced to," 2010). Certainly, this may be too extreme. Perhaps the former employee should be fined, sued or in some other way punished. However, prison time does seem a bit much.
A similar situation dealt with in the Notre Dame Law Review suggests what may be a more pragmatic solution, especially if there is no profit or the disclosure of patient information does not go too far. In September 2007, actor George Clooney and a female passenger were injured in a motorcycle accident. During the hospital stay, curious nurses and staff peeked into the patient medical records with no medical reason, resulting in 27 nurses and staff being suspended for one month without pay. Clooney expressed dismay at the severity of the punishment. After all, as the author states, was the hospital served without the services of 27 curious, but otherwise harmless employees for an entire month? (Brill, 2007, 2105).
As the journal author points out, the disclosure was harmless, but many are not. What is problematic is that there is no private cause of action or an individual remedy provided by HIPAA. If the violation is severe enough, it is up to the Department of Health and Human Services (HHS) to enforce a criminal conviction or for a hospital to discipline an employee (ibid., 2106).
While a hospital cannot fix HIPAA (this is up to Congress), it could show some leeway in the enforcement of the statute, especially if the patient does not want to proceed with disciplinary action or the incident did not result in actual harm. In this way, the act could be pragmatically enforced. Perhaps the patients themselves could be brought into the enforcement question by querying them or giving them options that they could choose from as to the employee's disposition. In this way, it could have a sobering effect upon violators of HIPAA and preserve patient privacy while not being so draconian that it has a chilling effect upon patient care or a negative impact either way upon a health care institution's or its employees' professional reputations.
C. Research Support
As noted above, HIPAA has become a huge issue in the arena of EMR in all areas of medicine, including evidence-based nursing. Also, other areas of nursing have been touched. We will need to review some of the scholarly literature to view the parameters of this issue prior to proposing solutions. The new Obama administration's healthcare policies have a direct impact upon HIPAA in general and Act compliance in particular. The American Recovery and Reinvestment Act of 2009 also incorporates rule changes that privacy advocates and lawmakers have been seeking. For instance, patients may request an…