With nurses allegedly serving as sources to media outlets of private medical information on public figures, including Michael Jackson and Farrah Fawcett, the boundaries of protected health information have come into question.
Nurses are bound by many legal and ethical mandates. One important mandate is to maintain the confidentiality and privacy of patient information. This mandate is found in many sources.
The most recent underpinning of a patients privacy is the federal Health Insurance Portability and Accountability Acts (HIPAA) Standards for Privacy of Individually Identifiable Health Information and its companion rule, The Security Rule. The final privacy rule, published Aug. 14, 2002, and the final security rule, effective April 20, 2005, established a set of national standards for the protection of certain health information.
HIPAAs Basic Principles
The basic foundation of the privacy rule applies to all individually identifiable health information (referred to as protected health information or PHI) in any form or media, whether electronic, paper, or oral, that is held or transmitted by a covered entity (nurses and other healthcare providers are included). The covered entities may not use or disclose an individuals identifiable health information without the consent of the individual, except pursuant to HIPAAs regulations governing the release of PHI.
Examples of situations in which a covered entity can disclose PHI without an individuals consent include when a physician shares patient information with a consulting physician, when a paramedic shares information on a patient who has been transported to the ED with staff, or when information is shared to prevent a serious, imminent threat to public safety.
Facilities and healthcare providers must provide notice of their privacy practices that includes specific information as required by HIPAA, including the individuals rights under the rule and where a complaint can be filed if the individual believes his or her privacy rights have been violated.
Although not required by HIPAA, the individuals written consent for the use and disclosure of PHI for treatment, payment, and healthcare operations is obtained by most healthcare providers. The specific content of the consent form is left to the practitioner or entity to develop.
Authorization to disclose or use PHI not permitted by HIPAA for purposes other than treatment, payment, and healthcare operations requires the patient to provide specific, detailed permission for such use or disclosure. HIPAA requires that a valid authorization include the PHI to be used or disclosed and an expiration date after which the authorization is invalid. An example would be providing a prospective employer the results of a physical examination or a laboratory test.
Another touchstone of the rule is the minimum information standard. This requirement states that whatever the information shared under the rule, only that which is necessary to meet the purpose or use of the disclosure can be released.
The basic foundation of the security rule is that covered entities that electronically store or transmit PHI electronically must adopt a data security plan to ensure the privacy and security of an individuals PHI. The rule has been described as a behind the scenes rule that requires the covered entity to construct reasonable and appropriate safeguards to ensure the integrity, confidentiality, and availability of PHI.
Knowing the Rules
Nurses and other healthcare providers are covered entities under both rules, and especially so if they transmit health information in electronic form in connection with any transactions covered under the rule. HIPAA applies whether the nurse is a non-institutional provider (e.g., individual practitioner or group practice provider) or works in a hospital or other covered entity. In short, the privacy and confidentiality of PHI must be protected by the nurse whether the PHI is in oral form, written form, or electronically transferred.
What safeguards, then, should a nurse follow when a request for PHI of a person for whom he or she has provided care is received? First and foremost, the nurse must have a working and accurate knowledge of the privacy and security rule. This requires a careful reading of the rules, or a summary written and published by a reputable source. Publications and guidance briefs from the U.S. Department of Health and Human Services are best. Attending seminars and in-service programs on HIPAA is another good way to gain understanding of the rule. Consultations with a practitioners attorney or the facilitys risk-management department would also help in developing a working understanding of the rules.
HIPAA does allow the release or use of PHI concerning the patients care or payment for healthcare that is directly relevant to the involvement of a spouse, family member, or other person identified by the patient. In addition, if in an emergent situation, the entity or practitioner can share information with a family member or other person if, in the judgment of the practitioner, it is in the best interest of the patient. Institutional and private practice policies that conform with HIPAA rules and other applicable state privacy and confidentiality laws should provide guidance for the staff and private practitioners.
It is important for a nurse to assume that any request for the use or release of PHI is protected from disclosure by HIPAA until it is determined otherwise. As an example, a release of PHI to an attorney who calls asking about the patients treatment cannot be automatically shared. Rather, the nurse will need to check the patients medical record and determine whether the patient has provided authorization for the attorney to receive the information requested. If the patient has authorized the attorney to receive PHI, the nurse should follow the institutions policies and procedures when the release of information occurs.
When Reporters Come Calling
Should a nurse be contacted by the media for information about a patient or former patient, it is essential that the nurse first contact his or her supervisor and the institutions privacy officer. If any information can be released to the media, it is best done through the privacy officer or director of media communications, or, in the case of a practitioner in a private or other practice, after consultation with the practitioners attorney. The decision as to what can be released about an individual who is receiving treatment by a covered entity must be based on established policies and procedures that reflect HIPAA and other applicable state laws. For example, under HIPAA (and other applicable laws), an individual who is the agent for a patient under an executed durable power of attorney for healthcare may be able to provide consent/authorization for PHI to be released to the media. Clearly, this approval would be needed before a release of PHI.
It is important to note that no exceptions exist in the HIPAA rules for those who are public figures or famous. Likewise, when PHI relates to a deceased individual, HIPAA and other privacy and confidentiality rules still apply. For example, although HIPAA allows a covered entity to provide specified information about a deceased individual to certain persons (e.g., a coroner, medical examiner, or funeral director), no exception exists to share PHI with the general public without the required authorization from a legal representative.
Nurses who work in healthcare facilities should be actively involved on the facilities HIPAA privacy committees. Because the committees responsibility is to develop and implement the facilitys policies and procedures governing HIPAAs mandates, nursing can contribute realistic input concerning how the policies can be carried out efficiently and expeditiously. Policies and procedures under HIPAA also should be developed by the non-institutional practitioner.
Maintaining patient privacy and confidentiality is an ever-present legal and ethical duty of nurses. HIPAA is an important national federal floor (federal minimum) for the protection and disclosure of a patients PHI.
Other mandates requiring the protection of a patients health information exist as well, including the American Nurses Associations guide to the Code of Ethics for Nurses, the laws of confidentiality, nurse practice acts, and the laws of privacy. These state laws and ethical mandates are not rendered inoperative because of the passage of HIPAA. Rather, they augment the national standard.
In any circumstance, the nurse is duty-bound to prevent, insofar as humanly possible, any unauthorized release of an individuals identifiable health information.
Nancy J. Brent, RN, MS, JD, is a nurse attorney in private practice in Wilmette, Ill.
This article is not intended as specific legal or other advice. The readers is encouraged to seek out a specific legal or other opinion concerning the contents of this article should the need arise.