Upholding patient confidentiality policy is a fundamental obligation for any nurse in any setting.
I have discussed this topic in several blog posts, including "What happens when a nurse breaches patient confidentiality" and "Protecting a patient's confidentiality does matter". Most often, a breach can happen when a nurse shares patient information with a person who is not a member of the healthcare team or when a patient's electronic medical record is accessed for a personal reason when a nurse is not providing care. A nurse discovered how far-reaching the obligation to uphold patient confidentiality policy is in the case of Leach v. Iowa Board of Nursing. The nurse, who was employed in the hospital's ICU, remotely accessed patient census lists 11 times when not at work. The lists contained private health information, including patient names, ages, diagnoses, medications and other personal information.
When a supervisor discovered the nurse accessed the lists, she was questioned. The nurse's reason for checking the lists was to determine ICU staffing and whether she would be required to work her assigned shifts.
The nurse was told her actions were in violation of the hospital's "information security policies" when employees were in a remote location and did not seek authorization. Moreover, the supervisor informed the nurse that any access had to be "necessary to complete her job responsibilities." The nurse was disciplined, suspended for two 12-hour shifts and required to repeat a Health Insurance Portability and Accountability Act learning module.
Supervisor files complaint with state board
After a board investigation on the alleged breach of the patient confidentiality policy, probable cause was determined to proceed to a hearing. The nurse received the board notice for a hearing and the allegations against her, which involved breaching her duty to protect the patients' confidentiality and privacy rights in violation of the state's nurse practice act and administrative rules. A contested hearing took place, and the board found the nurse:
- Accessed the patient lists for her own purpose to determine if she would work the next day or be placed on call.
- Did not use information from the lists for any other purpose.
- Did not share the information with anyone else.
- Did not read any personal information on the lists.
- Was not authorized to access the lists from a remote location.
- Did not need the information to perform her duties as an ICU nurse.
As a result of these findings, the board found by a "preponderance of the evidence" (its burden of proof) the nurse's conduct was unethical. Because the board believed the nurse did not understand her conduct was a violation of the patient confidentiality policy and the hospital determined the behavior was not a HIPAA breach, the discipline imposed was the least severe sanction -- a citation and a warning. The nurse filed for a judicial review of the board's ruling. The district court dismissed the nurse's petition.
Disciplined nurse appeals decision
The nurse asked an appeals court to reverse the district court ruling, alleging she never shared the information with someone else and the board's finding of a violation of the nurse practice act and rules was "irrational, illogical or wholly unjustifiable." She further alleged there was no substantial evidence that she read any of the patients' protected health information.
The appellate court was very clear about the fact the board had the authority to discipline the nurse under the nurse practice act and its rules for unethical conduct. It also emphasized proof of actual injury (to a patient) need not be established.
The court opined that despite the nurse's emphasis on what she did not do, her conduct was a violation of hospital policies to protect patient confidentiality. Also, the court said she knew or should have known about those policies. The court could not say the board's determination was "irrational, illogical or wholly unjustifiable." The board of nursing is vested with rule making and interpretative authority of the nurse practice act and its rules. As a result, the court viewed the board's application of law and fact to this case "through the prism of our deferential standard of review." The district court decision of the petition for judicial review was upheld. As a result, the board's discipline remained.
How to avoid a similar outcome
The nurse in this case made an error in judgment in seeking out the ICU patient lists to determine her work schedule. Unfortunately, that error led to serious and costly ramifications. In this case, the nurse could have simply asked permission to access the lists, or even more simply, called the ICU charge nurse to determine if she would be needed for her assigned shift. Other guidelines for nurses to consider include:
- Know your workplace patient confidentiality policy and adhere to it.
- Know your HIPAA obligations.
- Remember any violation of your state's nurse practice act and/or rules does not require patient injury.
- Know what your nurse practice act, patient confidentiality policy and other rules about protecting patient privacy.
- Know and adhere to ethical requirements governing patient confidentiality and privacy under the American Nurses Association's Code of Ethics for Nurses with Interpretive Statements.
- Judicial review of a board of nursing decision is an option, but know that unless a decision is inconsistent with the powers and authority of the board, it will be upheld by the court.
- Even though a discipline might be the least severe, it is still a discipline that affects a nurse professionally.
Take these courses to learn more about protecting patient confidentiality and your license:
HIPAA and Confidentiality: Practice May Change, But Principles Endure (1 contact hr) In this course, you will learn about parts of HIPAA, especially as they concern nursing and other health professionals and the protection of healthcare information. Because you play a key role in the production of healthcare information, you play a key role in its protection.
Social Media: The Implications for Healthcare Professionals (0.75 contact hr) The fundamental function of Facebook (and other social networking sites, such as Twitter) is allowing "friends" to share information. In healthcare, Facebook posts can influence the hiring process, violate patient privacy and result in termination of employment. This module informs healthcare professionals of the risks of social networks, which break down the walls separating our personal and professional lives.
Social Media for the Professional Nurse (1 contact hr) The goal of this course is to inform nursing professionals about how to best use social media to enhance their careers while avoiding potential pitfalls
Protect Yourself: Know Your Nurse Practice Act (0.5 contact hr) Because the practice of nursing is a right granted by a state to protect those who need nursing care, nurses have a duty to patients to practice in a safe, competent, and responsible manner. This requires nurse licensees to practice in conformity with their state statutes and regulations. This course outlines information about nurse practice acts and how they affect nursing practice.
