With nurses allegedly serving as sources to media outlets of private medical information on public figures, including Michael Jackson and Farrah Fawcett, the boundaries of protected health information have come into question.
Nurses are bound by many legal and ethical mandates. One important mandate is to maintain the confidentiality and privacy of patient information. This mandate is found in many sources.
The most recent underpinning of a patient's privacy is the federal Health Insurance Portability and Accountability Act's (HIPAA) Standards for Privacy of Individually Identifiable Health Information and its companion rule, The Security Rule. The final privacy rule, published August 14, 2002, and the final security rule, effective April 20, 2005, established a set of national standards for protecting certain health information.
HIPAA's basic principles
The privacy rule applies to all individually identifiable health information (referred to as protected health information or PHI) in any form or medium, whether electronic, paper, or oral, that is held or transmitted by a covered entity (nurses and other healthcare providers are included). A covered entity may not use or disclose an individual's identifiable health information without the consent of the individual, except as permitted by HIPAA's regulations governing the release of PHI.
Examples of situations in which a covered entity can disclose PHI without an individual's consent include when a physician shares patient information with a consulting physician, when a paramedic shares information with colleagues on a patient who has been transported to the emergency department, or when information is shared to prevent a serious, imminent threat to public safety.
Facilities and healthcare professionals must provide notice of their privacy practices that include specific information as required by HIPAA, including the individual's rights under the rule and where a complaint can be filed if the individual believes his or her privacy rights have been violated.
Although not required by HIPAA, most healthcare providers obtain the individual's written consent for the use and disclosure of PHI for treatment, payment, and healthcare operations. The specific content of the consent form is left to the practitioner or entity to develop.
Authorization to disclose or use PHI not permitted by HIPAA for purposes other than treatment, payment, and healthcare operations requires the patient to provide specific, detailed permission for such use or disclosure. HIPAA requires that a valid authorization include the PHI to be used or disclosed and an expiration date after which the authorization is invalid. An example would be providing a prospective employer with the results of a physical examination or a laboratory test.
Another touchstone of the rule is the minimum information standard. Under this requirement, only the information needed to accomplish the purpose of a permitted disclosure may be released; information beyond that purpose must be withheld.
The security rule's basic foundation is that covered entities that store or transmit PHI electronically must adopt a data security plan to ensure the privacy and security of an individual's PHI. The rule has been described as a "behind-the-scenes" rule that requires the covered entity to construct reasonable and appropriate safeguards to ensure the integrity, confidentiality, and availability of PHI.
Knowing the rules
Nurses and other healthcare professionals are "covered entities" under both rules, especially if they transmit health information in electronic form in connection with any transactions covered under the rule. HIPAA applies whether the nurse is a non-institutional provider (e.g., individual practitioner or group practice provider) or works in a hospital or other covered entity. In short, the privacy and confidentiality of PHI must be protected by the nurse, whether the PHI is in oral form, written form, or electronically transferred.
What safeguards, then, should a nurse follow when a request is received for the PHI of a person for whom he or she has provided care? First and foremost, the nurse must have a working and accurate knowledge of the privacy and security rules. This requires carefully reading the rules or a summary written and published by a reputable source.
Publications and guidance briefs from the U.S. Department of Health and Human Services are best. Attending seminars and in-service programs on HIPAA is another good way to gain understanding of the rule. Consultations with a practitioner's attorney or the facility's risk-management department would also help in developing a working understanding of the rules.
HIPAA allows the release or use of PHI concerning the patient's care or payment for healthcare that is directly relevant to the involvement of a spouse, family member, or other person identified by the patient. In addition, in an emergent situation, the entity or practitioner can share information with a family member or other person if, in the judgment of the practitioner, it is in the best interest of the patient. Institutional and private practice policies that conform with HIPAA rules and other applicable state privacy and confidentiality laws should provide guidance for the staff and private practitioners.
It is important for a nurse to assume that any PHI requested for use or release is protected from disclosure by HIPAA until it is determined otherwise. For example, PHI cannot automatically be released to an attorney who calls asking about the patient's treatment.
Rather, the nurse will need to check the patient's medical record and determine whether the patient has provided authorization for the attorney to receive the information requested. If the patient has authorized the attorney to receive PHI, the nurse should follow the institution's policies and procedures when the release of information occurs.
When reporters come calling
Should a nurse be contacted by the media for information about a patient or former patient, it is essential that the nurse first contact his or her supervisor and the institution's privacy officer. If any information can be released to the media, it is best done through the privacy officer or director of media communications, or, in the case of a practitioner in a private or other practice, after consultation with the practitioner's attorney.
The decision as to what can be released about an individual who is receiving treatment by a covered entity must be based on established policies and procedures that reflect HIPAA and other applicable state laws. For example, under HIPAA (and other applicable laws), an individual who is the agent for a patient under an executed durable power of attorney for healthcare may be able to provide consent/authorization for PHI to be released to the media. Clearly, this approval would be needed before a release of PHI.
It is important to note that no exceptions exist in the HIPAA rules for those who are "public figures" or "famous." Likewise, when PHI relates to a deceased individual, HIPAA and other privacy and confidentiality rules still apply.
For example, although HIPAA allows a covered entity to provide specified information about a deceased individual to certain persons (e.g., a coroner, medical examiner, or funeral director), no exception exists to share PHI with the general public without the required authorization from a legal representative.
Nurses who work in healthcare facilities should be actively involved in the facilities' HIPAA privacy committees. Because the committee's responsibility is to develop and implement the facility's policies and procedures governing HIPAA mandates, nursing can contribute realistic input concerning how the policies can be carried out efficiently and expeditiously. Policies and procedures under HIPAA also should be developed by the non-institutional practitioner.
Maintaining patient privacy and confidentiality is an ever-present legal and ethical duty of nurses. HIPAA is an important national "federal floor" (federal minimum) for the protection and disclosure of a patient's PHI.
Other mandates requiring the protection of a patient's health information exist as well, including the American Nurses Association's guide to the Code of Ethics for Nurses, the laws of confidentiality, nurse practice acts, and the laws of privacy. These state laws and ethical mandates are not rendered inoperative because of the passage of HIPAA. Rather, they augment the national standard.
In any circumstance, the nurse is duty-bound to prevent, insofar as humanly possible, any unauthorized release of an individual's identifiable health information.