NursingWorld Home
NursingInsider: The Latest news for Nurses


Join/Renew ANA

FAQs

E-mail Lists: Sign up for lists from ANA

About ANA

ANA*NET
For ANA and CMA staff members only

NursingMall: One Stop Shopping for Nurses

spacer The American Journal of Nursing
arrow2003 AJN Table of Contents
arrowAJN Home Page
arrowOther ANA Columns this Month:
Washington Watch | Issues Update | Health & Safety

Issues Update
line
American Journal of Nursing - February, 2003 - Volume 103, Issue 1

Protecting Patient Information
Health care facilities gear up for privacy regulations.

By Susan Trossman, RN

Every day nurses and other health care professionals routinely share information about patients. Day-shift nurses pass on vital information to evening-shift nurses during report. Consulting physicians write their assessments in charts, which include information on everything from recent laboratory results to a patient’s insurance carrier.

But “routine” practices have taken a serious jolt lately as health care administrators and staff prepare for federal privacy regulations that take effect in April. The rules, which are the latest requirements of the Health Insurance Portability and Accountability Act (HIPAA), are designed to protect the way patient information is stored and conveyed, and dictate to whom it is revealed. The rules also give patients access to their medical records, as well as the ability to amend them.

“The premise of HIPAA is no different from the way nurses have been practicing since the time of Florence Nightingale,” said Beverly Essick, MSN, RNC, privacy program manager at Wake Forest University Baptist Medical Center in Winston-Salem, North Carolina. “Nurses believe patients have a basic right to privacy and confidentiality, and they have advocated these rights throughout nursing’s history.”

Current events, legislative history

Though not rampant, there have been instances, or at least attempts, to misuse patients’ health information. For example the ANA, the Iowa Nurses Association, and a local Planned Parenthood chapter recently prevented a county prosecutor from accessing the pregnancy records of women who used clinic services. The prosecutor was investigating the death of an infant found at a recycling center.

To protect consumers’ health information, Congress passed the 1996 HIPAA with a stipulation that federal legislators pass a privacy measure by August 1999. If Congress failed to do so—which it did—the 1996 law required the U.S. Department of Health and Human Services to create privacy regulations. The final regulations were published in December 2000, modified by the Bush Administration, and released in August 2002.

The process of compliance

Health care workers say the new privacy regulations are complicated, subject to varying interpretations, and sometimes panic inducing. (One rumor had it that hospitals would have to make all their rooms private.) Many administrators brought in consultants, sent staff to special seminars, or created full-time privacy officer positions to ensure HIPAA compliance because egregious violations can result in hefty fines and criminal charges.

Shands Hospital at the University of Florida in Gainesville hired a security and privacy officer two years ago to work with nursing and other hospital departments to comply with HIPAA regulations. As part of this effort, the hospital has reviewed, revamped, and created new policies—some still in draft form—to strengthen the way it protects patient information.

“We really have had to look at every single thing we do,” said Florida Nurses Association member Rose Rivers, PhD, RN, CNAA, vice president for Nursing and Patient Services at Shands. Determining exactly who needs to know what is a major priority. For example, should employees have access to patient information beyond their own unit or documentation that details a patient’s previous hospitalizations?

Another effort involves looking at how patient information is handled—be it printed copies of patient results, data on hard drives, or information transferred between databases, Rivers said. For example, a nurse or staff person who accompanied a patient to the radiology department would previously have left the patient’s chart on the counter but now must hand it to a department worker or leave it in a secure place.

With nurses’ input, Shands eliminated public displays of information that could identify patients easily, such as door tags with patients’ names and uncovered flow sheets at the bedside. And to monitor and prevent access of patient information by inappropriate personnel, computerized information is password protected.

In a recent policy change, all employees must review and sign a confidentiality agreement when hired and at every performance review. Additionally, legal, privacy, and security staff members have been working to ensure that all computer software has the capability of keeping patient information HIPAA secure. Contracts with vendors, nursing schools, and other educational programs are being reviewed and revised to specifically address patient privacy safeguards.

At Wake Forest University Baptist Medical Center, Essick said, staff members are reviewing new and revised policies, and hospital administration plans to test the new privacy and confidentiality practices for about a month before the regulations take effect.

The hospital’s HIPAA steering committee is reviewing all consent and authorization forms and examining when and by whom patient information is distributed as patients enter and move through the system.

To meet a training component of the privacy rule, Essick said, her facility will use various methods to educate its 10,000 employees and affiliated personnel on HIPAA compliance based on their positions. RN staff will receive both online and face-to-face training on the regulations and policy changes.

Nurses, for example, must know that complaints regarding privacy and confidentiality issues must be directed to the risk management department and that nurses could be held criminally responsible for breaches, Essick said.

“They also need to know how the regulations will affect them in their everyday lives,” she said. “We’re trying to take a reasonable approach with policy changes. We don’t want to dictate to every unit how they should practice.”

For example, Wake Forest’s HIPAA committee drafted a policy in which nurses must use two different means of verifying the identity of people who call the unit for patient information, such as asking them for a mother’s maiden name or the last four digits of a patient’s Social Security number, Essick said.

Nurses most likely will be responsible for meeting two other components of the privacy regulations, according to Tracey Miller, MS, MBA, privacy officer at Avera McKennan Hospital and University Health Center in Sioux Falls, South Dakota. As part of the admissions process, nurses will inform patients that they don’t have to be listed in the hospital directory and will explain how their information is protected and used, she said.

Miller said the nursing staff already had received information on best practices regarding patient privacy and confidentiality as part of the hospital’s preparation for its review by the Joint Commission on Accreditation of Healthcare Organizations. HIPAA just gives health care organizations another opportunity to raise awareness among nurses about how their practices affect patient privacy and confidentiality.

“For example, nurses tend to carry their brains in their pockets—those pieces of paper with patients’ plans of care that they use for report,” Miller said. “But what do they do with those papers at the end of their shift?

“Our goal is to ensure that nurses have the necessary awareness and tools to recognize privacy concerns, respond appropriately, and report accordingly to safeguard a patient’s right to privacy and confidentiality,” she said.

Nancy Davis, privacy director for the multifacility system Ministry Health Care based in Milwaukee, Wisconsin, agreed that becoming HIPAA compliant has been a process of self-examination.

“HIPAA gives us an opportunity to address issues that were already there,” Davis said. Before the regulations were issued, she said, many Ministry organizations had privacy policies in place. However, those policies did not specifically address all issues regarding the sharing of patient information with external groups, such as the media or clergy.

Particularly in smaller, less-anonymous hospitals, Davis said nurses sometimes were unsure about how much information to share with visiting clergy or how to approach a priest or minister who inadvertently breached patient confidentiality. HIPAA has now provided guidelines for clergy access.

And finally, nurse executives and privacy officers are banking on what they believe is the intent of HIPAA—that approaches to protecting patient information be reasonable and not interfere with patient care.

“We ultimately need to find a balance between providing highquality, safe care and protecting patients’ privacy,” Miller said. “A lot of that comes down to using common sense.”

To look at the ANA’s position statement on privacy and confidentiality, go to www.nursingworld.org. For more information on HIPAA’s privacy regulation, go to www.cms.gov.

Susan Trossman is senior reporter for the American Nurse at the ANA.

arrowReturn to the 2003 AJN Table of Contents

arrowReturn to the AJN Home Page

line
Search Contact ANA Join/Renew Membership Members Only Online CE
NursingInsiderspacerSpecial Offersspacernursesbooks.org
line
© 2008 The American Nurses Association, Inc. All Rights Reserved
Copyright Policy | Privacy Statement