HIPAA: CARING FOR YOUR PATIENTS WHILE RESPECTING THEIR PRIVACY

HIPAA: Caring for Your Patients While Respecting Their Privacy

William C. Young II

Mott Community College

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a topic that is often discussed throughout our nursing education, and it presents challenges to the healthcare system every day. We have been advised to protect our patients’ privacy, but how do we accomplish this while we provide care for them? Hospitals are often busy and overcrowded, which creates a difficult environment in which to conduct business. As we walk through the halls of any hospital, we can overhear doctors and nurses discussing a patient’s name, age, health history, and treatment plan. Look at any counter and you will find shift reports, medical files, and computer monitors littered with protected health information. Walk into a patient’s room and look at the counter or trash and notice used IV bags labeled with their personal information. Throughout the course of one clinical rotation, without making an effort, one could find hundreds of violations.

Social media is another area that is becoming more widely used in the healthcare system. Nurses network with other professionals and educate the public about current healthcare topics. This tool, although useful, could become disastrous with the simple click of a button. It seems that every day we hear about someone posting inappropriate information, and sometimes that person is a health professional. Many times these posts are in violation of HIPAA and patient privacy. This could result in lawsuits costing millions of dollars, the loss of your license, and possibly time in jail. So how do we correct this? Are we doomed to fail at protecting this sensitive information? Are we going to lose our licenses before getting a chance to use them? The more we know about HIPAA and patient privacy, the better chance we have to provide care for our patients and protect their information.

The best place to begin is to understand the definition of HIPAA. The U.S. Department of Health and Human Services (“Health Information Privacy,” 2015) defines HIPAA as a “US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers.” These standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. The Privacy Rule was developed in 2002 to further clarify exactly what information is protected within the healthcare system. The U.S. Department of Health and Human Services clarifies this further by stating that:

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

“Individually identifiable health information” is information, including demographic data, that relates to:

the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

(Wicks, 2013)

To summarize these regulations in clear, concise terminology, everything directly related to a patient is protected information and falls under HIPAA and the Privacy Rule. Healthcare professionals need to safeguard this information whenever possible. Trey Swann (2014) stated that the costs of HIPAA violations “can range from $100 to $50,000 per record, with a maximum penalty of $1.5 million per year for violations of an identical provision.” It is not uncommon for a corporation to receive fines in excess of several million dollars. For individual healthcare providers, violations are expensive: penalties for non-compliance can cost up to $250,000 and up to 10 years in prison (Swann, 2014). There are many ways that we, as nurses, can protect this information and avoid violations.

First, we need to address our workstation area, making sure that patient information is out of public view and stored in a secure area. This includes shift-to-shift reports, patient medical files, and all related documents. It is important to check that faxes, copies, labels, and new orders are properly protected. At some healthcare facilities, all medical records are secured in locked rooms or file cabinets to prevent unauthorized individuals from obtaining information. Although this appears to be quite simple, it may be quite complex. Not only do we need to store our patient records, we also need to verify that these records, when used by other health professionals, are secured when they are finished with them.

Routine conversation, an area often overlooked, could result in costly HIPAA violations. Basic information can seem so insignificant that it is easily mentioned in routine conversation, but it should only be shared on a need-to-know basis. Jodi Jacobs (2003) stated that the Health and Human Services (HHS) Privacy Rule is not designed to prevent healthcare workers from talking with peers or patients, but to have “reasonable safeguards” to protect PHI. She further states that healthcare workers need to make a reasonable effort to prevent disclosing information that does not relate to the care provided (Jacobs, 2003). The volume level at which we speak needs to be appropriate to maintain clarity and privacy. All too often, healthcare staff are overheard talking about a patient, with no regard to the sensitivity of what is being said. When discussing care, instead of using patient names, it would be more appropriate to use room numbers. During the staff change-of-shift report, we should attempt to find a secluded area with only those providing direct care for the patient present. When we are discussing patient information, public areas such as hallways, waiting areas, and elevators should be off limits. This information can easily be overheard by visitors or other patients.

Disposal of unneeded documents, used IV bags, and other items carrying patient information must be handled with caution. PHI should never be disposed of in an unsecured trash can. Information disposed of in a trash can becomes available to the public, which is a direct violation. There are many ways to dispose of PHI, such as shredding or sealed containers specifically designed for sensitive material. There is a wide range of HIPAA-compliant methods available; however, it is your responsibility to utilize them.

One of the most common HIPAA violations occurs with gossip, which is difficult to control. This is why access to PHI should be limited to those individuals whose job requires that information. Not only can you be found in violation, but gossip can also be very damaging to your reputation and your organization’s. This is especially true in smaller communities, where “everyone knows everyone”. The most common violations occur when communicating with your friends and family. Often we are asked “how was your day” or “what happened at work”. This could become a pitfall when we accidentally share information that is confidential. The best way to avoid this costly mistake is simple: keep your work at work. Although this may prove difficult when speaking with family, we need to remember that it is our responsibility to protect this information. Could you imagine how you would feel if other people were told about your health history?

Electronic information is integrated within the healthcare system and provides quick access to potentially life-saving measures. With access to the records of hundreds of current and past patients, we need to be vigilant to view only information that directly assists with the care of our patient. Remember that even if you work in a facility that is caring for your family or friends, unless you are directly providing their care, you do not have rights to their PHI.

Electronic PHI disposal is unlikely to be your responsibility. However, if you are ever required to dispose of this information, it is extremely important to follow your facility’s policies and procedures. This may include erasing, deleting, or reformatting any information no longer needed. Within many facilities you may witness healthcare personnel using cell phones and tablets for personal and professional reasons. Catherine Barrett (2013) wrote that “a recent survey of 600 U.S. hospital executives, physician organizations, health insurers, and pharmaceutical/life sciences companies found that theft accounted for 66 percent of reported data breaches over the past two years.” Because of their small size and high value, thieves tend to steal these items. Without the proper encryption, these devices could lead to hundreds of PHI violations. Although the uses for these devices are rapidly increasing, it is important to remember that if your organization requires their use, you should use only company-provided equipment. Ultimately you are responsible for your actions. This will prevent the inadvertent loss of PHI and possible HIPAA violations. Most hospitals have policies that prohibit the use of personal devices. Even if your company does not, refrain from carrying yours on your person. When given an opportunity, such as a scheduled break, retrieve your phone to return personal calls. This will provide the peace of mind of knowing that you did not inadvertently violate HIPAA regulations.

Social media has become a part of almost everyone’s life. This technology allows us to keep in touch with others around the world. However, there is a cost to using these outlets, which may determine your future in healthcare. Steven Harris wrote about a HIPAA violation as follows:

An ED physician in Rhode Island was fired, lost her hospital medical staff privileges, and was reprimanded by the Rhode Island Board of Medical Licensure and Discipline for posting information about a trauma patient on her personal Facebook page. According to the Rhode Island Board of Medical Licensure and Discipline, “[She] did not use patient names and had no intention to reveal any confidential patient information. However, because of the nature of one person’s injury … the patient was identified by unauthorized third parties. As soon as it was brought to [her] attention that this had occurred, [she] deleted her Facebook account.” Despite the physician leaving out all information she thought might make the patient identifiable, she apparently did not omit enough.

(Harris, 2014)

Here are a few basic rules to keep you out of trouble on social media. 1) Never take pictures of patients or the facility with your personal device. These images could be inadvertently uploaded. 2) Do not discuss specific details about your job. If you feel the need to discuss work, keep it simple, with a statement like, “I’m glad that I have the opportunity to help those in need.” 3) Do not become “friends” with patients on social media. We have clear and defined boundaries that advise against social interaction with patients. 4) Know your organization’s policy regarding social media. These policies were established to prevent possible HIPAA violations. Lastly, 5) if you are unsure whether you should post something, don’t post it. You have worked too hard for too long to jeopardize your career.

Patients have a basic right to privacy. Patients have the right to decide to whom, when, and to what extent their private identifiable health information is disclosed. This information includes their medical diagnosis, treatment, prescriptions, health insurance information, financial information, and mental health records. A lack of privacy could lead to public humiliation, embarrassment, and discrimination.

Nurses and other health care professionals who work with PHI must adhere to the policies, procedures, and laws designed to protect patient privacy and confidentiality. As a healthcare provider, you have a responsibility to be compliant with HIPAA regulations. Whether you disclose PHI intentionally or accidentally, it is considered a violation of HIPAA.

Remind your colleagues to avoid disclosure of information through routine conversation, disposal of documents, improper use of electronic information, gossip, or social media. We all share the responsibility to protect our patients’ privacy. Don’t let a “simple” mistake define your legacy as a healthcare provider.

References

Barrett, C. (2011, October). Healthcare Providers May Violate HIPAA by Using Mobile Devices to Communicate with Patients. Retrieved April 15, 2016, from http://www.americanbar.org/newsletter/publications/aba_health_esource_home/aba_health_law_esource_1110_barrett.html

Harris, S. M. (2014, June 1). How to Avoid Data Breaches, HIPAA Violations When Posting Patients' Protected Health Information Online - The Hospitalist. Retrieved April 15, 2016, from http://www.the-hospitalist.org/article/how-to-avoid-data-breaches-hipaa-violations-when-posting-patients-protected-health-information-online/?singlepage=1

Health Information Privacy. (2015, July 26). Retrieved April 15, 2016, from http://www.hhs.gov/hipaa

Jacobs, J. (2003, June). Oral Privacy and HIPAA: We Really Need to Talk. Retrieved April 15, 2016, from http://library.ahima.org/doc?oid=59139#.VxFPknohGzU

Swann, T. (2014, February 11). What Is the Penalty for a HIPAA Violation? Retrieved April 15, 2016, from http://www.healthworkscollective.com/tswann/148911/what-penalty-hipaa-violation

Wicks, A. (2013, January 25). Dodd-Frank Wall Street Reform 285 in the last year. Retrieved April 15, 2016, from https://federalregister.gov/a/2013-01073