Is the federal Health Insurance Portability and Accountability Act (HIPAA) the only legal protection for patient confidentiality and security?
HIPAA is a federal law that protects the confidentiality and security of patient information. As a nurse, if you’re complying with this law and its regulations, you’re fulfilling your legal obligations relating to your patients’ confidentiality and the security of their health information.
However, HIPAA isn’t the only law that governs patient privacy. State statutes also protect the confidentiality, privacy, and security of patient health information.
In the following Minnesota case, an employee’s disclosure about a patient at the facility resulted in a lawsuit against the facility, which alleged a violation of a state law governing patient healthcare information.
Facts leading up to the lawsuit
The male patient suffered an injury while at work as a tree trimmer. A cut tree limb struck him in the chest. He immediately felt chest pain and was driven to a hospital.
He didn’t want to be in the facility directory, so the hospital, pursuant to its policy, marked his file as a “confidential encounter.” This designation meant that a patient didn’t want “anyone to know he was a patient or otherwise receive information about him.”
The patient texted his former wife, telling her he was hospitalized due to a broken breastbone and a compression fracture in his neck. He also told her to tell their children he was hospitalized but didn’t want them to visit him.
The patient’s former wife texted him, but he didn’t respond. She then began calling hospitals to locate him, supplying the hospitals with her ex-husband’s name and birth date. On one call, an employee informed the wife that her ex-husband was hospitalized at a specific hospital in the system and provided his specific location to her.
The former wife arrived at the hospital where her ex-husband was hospitalized and asked to see him. The nurse on duty noted that the ex-husband’s file was marked as a “confidential encounter.” The nurse didn’t say the ex-husband was a patient and instead asked the former wife to wait at the triage window.
The nurse asked the patient if he wanted to see his former spouse, and he said he did. The nurse observed their interaction and noted that the patient seemed upset. When his ex-wife entered the room, an argument ensued, which continued after she left the facility.
The former wife returned to the hospital with their children because the patient told her he wanted to see his daughters. She was told by security that they were too young to visit their father. Another argument took place when the ex-wife went into the patient’s room, which continued through text messages afterward.
Patient files lawsuit and court renders decision
The male patient filed a lawsuit against the hospital system under a state statute (Health Records Act), which allows a suit to be filed if a healthcare provider “negligently or intentionally requests or releases a health record” in violation of the statute.
He alleged that the hospital violated the statute by telling his ex-wife he was a patient at one of its hospitals and was assigned a room and a bed. As a result of the disclosure, the patient alleged he suffered “emotional harm, anger, embarrassment, frustration, shame, and anxiety.”
The hospital responded to the allegations by filing a summary judgment motion and arguing that, despite the fact that the disclosure was against its internal policy, it didn’t violate the Health Records Act.
The hospital also argued that summary judgment was warranted because the patient didn’t provide evidence that any damages he alleged were proximately caused by the disclosure.
The trial court held that the Health Records Act was not violated and granted the hospital’s summary judgment motion.
The patient appealed that decision.
Appellate court analysis and decision
The core issue in the appeal was whether a disclosure by a healthcare provider that a person is a patient and currently hospitalized is a health record disclosure, as defined in the state statute.
The court meticulously reviewed the state statute’s language. In doing so, it opined that:
- Despite the hospital’s position that a disclosure of a health record must be “information of a clinical nature,” the statute defines a health record to include any information that pertains to the provision of healthcare to a patient. So informing an individual that a person is hospitalized reveals that the person is under the hospital’s care and receiving treatment.
- Disclosing the specific facility and location within the facility of a patient meets the act’s definition of a health record’s information that “pertains, refers, or stands in some relation to the provision of healthcare to a patient.”
- The “provision of healthcare to a patient” section of a health record’s definition doesn’t only refer to “treatment received” or “actual care provided.”
- Consent of the patient is necessary for the release of medical record information unless a medical emergency exists or other exceptions to the requirement of consent are met.
The court held that the information released to the patient’s ex-wife was in violation of the state Health Records Act.
As a result, the trial court’s entry of summary judgment was in error. The case was reversed and sent back to the trial court for further proceedings.
What this case underscores for your practice
HIPAA is an especially important law for you to comply with in your nursing practice. So too is compliance with any state laws that protect a patient’s confidentiality, privacy, and security of health information.
One way to fulfill this obligation is to meticulously follow your facility’s policies and procedures governing patient confidentiality and the privacy of health information.
The case didn’t identify the role of the employee who shared the patient’s information, so it could’ve been an operator or a receptionist.
However, the case clearly stated that when the ex-wife came to the facility, a nurse followed the facility policy by not acknowledging the ex-husband was a patient and obtaining his permission before sharing any information with his former spouse.
The case’s results, as it returns to the trial court for further proceedings, are unknown. Regardless of the outcome, the employee who informed the ex-spouse of the patient’s healthcare information may be named as a defendant in the lawsuit.
As a result, if you breach a patient’s confidentiality, you could be a defendant along with your employer when a lawsuit is filed.
It is also important to note that the nurse and other health team members didn’t get drawn into the relationship between the two ex-spouses. Policies and procedures were followed, documentation of the occurrences between the two took place, and no staff member intervened to attempt to resolve the issues the couple was dealing with.
Final thoughts on patient confidentiality
Because the legal concepts of confidentiality, privacy, and security of patient health information are extremely detailed and can often change without much notice, you need to keep abreast of your obligations in protecting them by attending CE courses that can help keep you current about those responsibilities.
In addition, you can serve on your facility’s compliance or ethics committee to further protect patients’ rights. Being an active member of such a committee helps you understand and meet your duties and contributes to helping your colleagues to do the same.
Patient confidentiality is also a mandate in your state nurse practice act. A breach of confidentiality can result in a professional licensing action against you by your state board of nursing. Be certain to comply with your practice act and rules governing patient confidentiality.