Patient Confidentiality


Article Author:
Steve Bhimji


Article Editor:
Pamela Hackert


Editors In Chief:
Bette Bogdan
Lori Kerley
Robin Geiger


Managing Editors:
Frank Smeeks
Scott Dulebohn
Erin Hughes
Pritesh Sheth
Mark Pellegrini
James Hughes
Richard Ciresi
Phillip Hynes


Updated:
10/27/2018 12:31:46 PM

Introduction

Every healthcare institution must protect the privacy and security of health data, and in the age of information technology this is truer than ever. In the past, healthcare workers often collected patient data for research and removed only the patient's name. That is no longer enough: any protected health information (PHI) that can identify a patient has to be removed, including dates tied to the patient (such as the date of surgery or admission), ages over 89, medical record and hospital identification numbers, and the other identifiers listed in the Privacy Rule's de-identification standard. The Health Insurance Portability and Accountability Act (HIPAA) was enacted as federal law in 1996 to keep patient medical data private.[1],[2],[3],[4],[5] HIPAA sets the minimum federal standards for both the security and privacy of PHI. HIPAA was enacted to encompass three areas:

  1. Portability of insurance, so that a patient or worker can move to another place of work and be certain that insurance coverage will not be denied
  2. Detection and enforcement of fraud, and accountability
  3. Simplification of administrative procedures in health care (this is the area where records are communicated and transmitted electronically). With improved technology, the role of wearable devices and smartphones in disclosing PHI is now under scrutiny.

The penalties for failing to comply with HIPAA can be severe.

To whom does HIPAA apply?

HIPAA applies to health plans, healthcare clearinghouses, and healthcare institutions and workers who submit claims or transmit other health information electronically, together with their workforce. For example, a healthcare worker who transmits or even discusses PHI with people not caring for the patient, without the patient's authorization, violates HIPAA. Within a healthcare facility HIPAA applies to everyone, including:

  • Doctors
  • Nurses
  • Pharmacists
  • Administrative personnel
  • Foodservice
  • Clerical
  • Janitorial service
  • All other healthcare professionals

The HIPAA policies also apply to interns and volunteers who work under supervision at a clinic or hospital. HIPAA rules also reach third-party contractors (business associates) that handle PHI on the institution's behalf, such as:

  • External laboratories
  • External imaging services
  • Outside computer and IT repair contractors
  • Accredited agencies that conduct patient surveys
  • Medical equipment companies
  • Pharmaceutical salespeople

Definition of PHI

HIPAA defines PHI broadly as individually identifiable health information that is transmitted or maintained in any form or medium, whether electronic, on paper, or spoken. Oral communication of identifiable health information is PHI just as much as an electronic transmission is. For example, if a surgery resident talks about a patient's procedure in an elevator full of people, that can be a HIPAA violation. The majority of records in healthcare institutions and clinics meet the definition of PHI, including:

  • Admission profile
  • Billing records
  • Patient profile
  • Prescription records
  • Referrals
  • Discharge and follow up appointments

Hence all healthcare institutions and clinics must satisfy HIPAA standards for security and privacy.

A provision of the Privacy Rule permits use and disclosure of PHI for treatment, payment, and healthcare operations without the patient's authorization. Other exceptions include public health reporting. These exceptions cover the majority of clinical uses of PHI; most other disclosures require the patient's explicit written authorization.

Function

Where is the HIPAA Rule Applicable?

The HIPAA Privacy Rule applies to almost every setting in a medical facility, and beyond it, including the parking lot and a home internet connection. One no longer has the liberty to discuss patient issues while walking with a colleague to the car or dining in the cafeteria. In general, all PHI must be kept private, and only the minimum necessary health information should be disclosed in the course of any healthcare service; this includes human resources. For example, when a pharmacist dispenses medication to a patient, he or she should confirm only that the patient knows how and when to take the medicine and when to follow up with the provider; no in-depth discussion in full view of other people is permitted. The same applies to providers exchanging information with other healthcare workers who are actively involved in the patient's care. A radiologist may ask the ordering resident why the patient is having the test, but is not at liberty to discuss it with a third party who is not treating the patient. Outside treatment, payment, and operations, one must first obtain the patient's authorization before divulging medical information to others. This rule applies not only to verbal communication but to all written and electronic text.[6],[7],[8]

In addition to HIPAA, many states have their own privacy rules for PHI that are more stringent than HIPAA, particularly for patients with infectious diseases such as HIV, mental health conditions, certain genetic disorders, and substance use disorders.

Several federal rules are also more stringent than HIPAA; the confidentiality rules for substance use disorder treatment records (42 CFR Part 2) are the best-known example, and a further federal rule governs how and when Medicaid or Medicare information can be used. More stringent rules do not make HIPAA void: where they overlap, the stricter rule applies, and a breach of patient data is still likely to be pursued first under HIPAA. All healthcare workers must be aware of both HIPAA and the state and federal rules that govern PHI.

Contents and Authorizations

When a patient is admitted to a healthcare institution, he or she must be given information on the right to privacy, what type of PHI will be shared, and for what reason. This Notice of Privacy Practices is a HIPAA requirement for all patients, regardless of age or gender. The patient is asked to sign an acknowledgment of receipt, and a copy is kept in the hospital's files as evidence that the notice was received. If for any reason the patient cannot sign, the reason must be documented and witnessed; if another person signs, the reason that individual is signing must be documented. Once the acknowledgment is signed, the institution does not need to ask the patient repeatedly before using PHI in the course of normal care. If the patient's health situation changes or the patient raises additional privacy concerns, this should be documented in the record. The patient may ask, for example, that no family member or friend be permitted to pick up his or her medications, or that the medical staff not discuss the health condition with family or friends.

Security with Flexibility

The HIPAA Security Rule gives healthcare institutions a practical and flexible framework for implementing security measures. Some specifications are required; others are "addressable", allowing the institution to implement security and privacy measures consistent with its resources, infrastructure, and function, provided it documents why an alternative is reasonable.

What Parts of a Record May Be Withheld From a Patient?

The Privacy Rule allows a covered entity to withhold certain material when a patient requests access to his or her own record:

  1. Psychotherapy (mental health) notes kept separate from the rest of the record
  2. Information compiled in anticipation of a civil, criminal, or administrative proceeding
  3. Laboratory results, historically; since 2014 patients may obtain their results directly from the laboratory as well, although state law still adds protections for results such as sexually transmitted disease tests

When Can PHI Be Disclosed Without Authorization?

  • When disclosure is required by law or necessary for public health, or when reporting suspected child abuse or neglect, even if the patient cannot consent or is unavailable
  • Whenever the US Department of Health and Human Services investigates fraud or compliance
  • When the patient is incapacitated or in an emergency, and a healthcare worker uses professional judgment to inform a family member or caregiver, for example by telephone, in the patient's best interest

Images and Videos

It is important to understand that HIPAA violations occur not only through spoken or written disclosure of PHI but also through posting images. For example, cosmetic surgeons who post preoperative and postoperative photographs of patients, or surgeons who record surgical procedures, must obtain the patient's authorization. When the face is not necessary, it should be blanked out. Professionals are also prohibited from using patients' names in case reports. Anything that can identify a patient is not permitted without authorization.

Specific HIPAA Rules That Pertain to PHI Security

  1. Ensure the confidentiality, integrity, and availability of all electronic PHI that the healthcare institution creates, receives, maintains, or transmits
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required
  4. Ensure compliance among the workforce
  5. Keep the system flexible so that patient care is not compromised
  6. Covered entities may use any security measures that meet the minimum standards
  7. The measures chosen may depend on the size, complexity, and capabilities of the covered entity, its technical infrastructure, the cost of the measures, and the probability and criticality of the risks

Issues of Concern

Risk Analysis

The HIPAA security requirements place significant emphasis on risk analysis, especially now that electronic health records are the norm. Hospitals must work not only with their own healthcare workers but also with third-party contractors, vendors, and solo practitioners to identify and address the security controls needed to protect the data. Transmission over the internet is one of the largest avenues for data leakage, so hospital IT must ensure that PHI is encrypted in transit. For example, a physician who is an independent contractor and admits a patient to the hospital will transmit the patient's medical history over the internet; that transfer must be encrypted (today normally with TLS) to prevent leakage and eavesdropping. Encryption of healthcare records, in transit and at rest, is now standard practice, and many software products support it; the remaining work is managing the keys and verifying that encryption is actually enabled on every path.[9],[10],[11],[12],[13],[6]

Use of Wireless Networks

Many healthcare workers now use wireless networks to reach medical records. Any wireless network that carries PHI must have strong encryption enabled (WPA2 or WPA3, ideally the Enterprise variant with per-user authentication, and never WEP or an open network). Healthcare workers must be told not to use unencrypted wireless networks for PHI, because anyone within range can intercept the traffic.

Storage of PHI Data

Another area of great concern is the storage of PHI on hard drives, especially on portable devices such as laptops and flash drives. Over the years, many privacy breaches have resulted from stolen laptops and flash drives. To address this, healthcare workers should refrain from storing patient data on laptops, flash drives, or CDs at all. Where data must be stored, the device should use full-disk encryption so that a thief cannot read it. Another option is to use the laptop only to view data that stays on the institution's servers, never to store it locally; remote access and cloud-hosted systems make this practical.

Passwords

All healthcare workers who use a computer to access patient records must have a secure password. Each password should be unique to the individual and never shared with anyone. The information technology (IT) department must check the quality of a password before access is granted to the system; a password must be long enough, and not a common or previously breached password, so that it cannot be guessed or cracked with readily available tools. Traditional policies also call for a mix of letters, numbers, and symbols and a change every 3 to 4 months; current NIST guidance (SP 800-63B) instead favors length and screening against known-compromised passwords, and forcing a change only when compromise is suspected. No worker should tape a password to the PC or leave it on a sticker on the desk, as this defeats the purpose. Passwords alone are a weak form of protection and should not be the only safeguard.

Unique User Identification

There have been many instances in which healthcare workers and non-healthcare staff who were not involved in a patient's care accessed the medical records of celebrities and other prominent people, in some cases to pass the information to tabloids. The HIPAA enhancements under the Health Information Technology for Economic and Clinical Health (HITECH) Act therefore require systems that track every user from sign-on to sign-off: who signed on, when, what data they accessed, and whether they downloaded anything. This is why each user must have a unique identifier and a password that is never shared; with shared credentials the audit trail cannot attribute an access to a person, and investigation of a breach becomes impossible.

Stronger Authentication

Many healthcare institutions have begun to implement stronger authentication. Beyond the password, some systems require a second factor, such as a biometric feature, a hardware token, or a one-time code. Some hospitals use fingerprints to identify the person logging in, and others have begun to incorporate facial recognition.

Selective Access

To enforce the minimum-necessary standard, some organizations limit access to the record according to a user's role in the patient's care. A laboratory technologist needs only the patient's laboratory orders and results, so there is no need to give him or her the patient's medical history. A pharmacist needs the medication and allergy lists, whereas an internist needs most of the medical record. Role-based access control of this kind is becoming the norm, and the limited studies available suggest that it helps keep patient data secure. Role scope alone does not stop a clinician from opening the chart of a patient he or she is not treating, which is why it works together with the audit trail described above.
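The two preceding sections, Unique User Identification and Selective Access, describe role-scoped access and a per-access audit trail working together. The following Python is an added example, not code from the original article or from any EHR vendor; the roles, record sections, user IDs, medical record numbers (MRNs) and care-team assignments are all constructed for illustration. It enforces a minimum-necessary scope per role, writes an audit line for every attempt under the user's unique ID, and then reviews the trail to surface a read by a clinician who was within role scope but not on the patient's care team, which is the celebrity-snooping case that role scope alone does not catch.

```python
"""Role-scoped ("minimum necessary") record access with a per-access audit trail, plus a
review pass that flags reads by staff who were not on the patient's care team.

Added example, not code from the original article or any EHR product. Role names, record
sections, user IDs, MRNs, care-team assignments and the audit layout are all constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Minimum-necessary policy: the record sections each (assumed) role may read.
ROLE_SCOPE: Dict[str, FrozenSet[str]] = {
    "lab_tech": frozenset({"lab_results"}),
    "pharmacist": frozenset({"medications", "allergies"}),
    "internist": frozenset({"history", "lab_results", "medications", "allergies", "notes"}),
}


@dataclass(frozen=True)
class AuditRecord:
    """One line of the audit trail: who, when, which patient, which section, outcome."""
    ts: str
    user: str
    role: str
    patient: str
    section: str
    allowed: bool


@dataclass
class RecordStore:
    records: Dict[str, Dict[str, str]]      # MRN -> section -> contents
    care_team: Dict[str, FrozenSet[str]]    # MRN -> user IDs assigned to that patient
    audit: List[AuditRecord] = field(default_factory=list)

    def read(self, user: str, role: str, patient: str, section: str,
             now: Optional[datetime] = None) -> str:
        """Return one record section if the role's scope allows it; log the attempt either way."""
        ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        allowed = section in ROLE_SCOPE.get(role, frozenset())
        # Every attempt, allowed or denied, is recorded under the user's unique ID;
        # a shared login would make this line impossible to attribute to a person.
        self.audit.append(AuditRecord(ts, user, role, patient, section, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {section!r}")
        return self.records[patient][section]


def off_care_team_reads(store: RecordStore) -> List[AuditRecord]:
    """Successful reads by users not on that patient's care team.

    Role scope alone lets any internist open any chart; reviewing the trail against
    care-team assignments is what surfaces a clinician browsing a celebrity's record.
    """
    return [r for r in store.audit
            if r.allowed and r.user not in store.care_team.get(r.patient, frozenset())]


def denied_reads_by_user(store: RecordStore) -> Dict[str, int]:
    """Count denied reads per user; repeated denials suggest probing beyond one's role."""
    counts: Dict[str, int] = {}
    for r in store.audit:
        if not r.allowed:
            counts[r.user] = counts.get(r.user, 0) + 1
    return counts


def build_sample_store() -> RecordStore:
    """Constructed sample data: two patients, three staff members."""
    return RecordStore(
        records={
            "MRN-1001": {"history": "HTN, T2DM", "lab_results": "HbA1c 7.9%",
                         "medications": "metformin 500 mg BID", "allergies": "NKDA",
                         "notes": "follow up in 3 months"},
            "MRN-2002": {"history": "elective rhinoplasty", "lab_results": "CBC normal",
                         "medications": "none", "allergies": "penicillin", "notes": "post-op day 1"},
        },
        care_team={
            "MRN-1001": frozenset({"lab-07", "rph-03", "md-11"}),
            "MRN-2002": frozenset({"md-22"}),  # md-11 is not treating this patient
        },
    )


def run_demo() -> RecordStore:
    """Scripted accesses: two legitimate reads, one role violation, one off-team lookup."""
    store = build_sample_store()
    t0 = datetime(2018, 10, 27, 12, 31, tzinfo=timezone.utc)
    store.read("lab-07", "lab_tech", "MRN-1001", "lab_results", t0)
    store.read("rph-03", "pharmacist", "MRN-1001", "medications", t0)
    try:
        store.read("lab-07", "lab_tech", "MRN-1001", "history", t0)   # outside role scope
    except PermissionError:
        pass
    store.read("md-11", "internist", "MRN-2002", "notes", t0)         # in scope, off the care team
    return store


if __name__ == "__main__":
    demo = run_demo()
    print("off-team reads:", off_care_team_reads(demo))
    print("denied reads per user:", denied_reads_by_user(demo))
```

The denied-read counter is the simpler signal (a laboratory technologist repeatedly trying to open histories). The off-team review is the more valuable one, and it depends on knowing who was on the care team at the time of each access; a real deployment would take that roster from admission and scheduling data rather than from a static dictionary, and would review the trail on a schedule rather than only after a complaint.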

Electronic Health Records

HITECH was enacted to promote the widespread adoption and meaningful use of electronic health records (EHRs) and related technology. Among other things, HITECH requires covered entities that use an EHR to be able to provide an accounting of disclosures made from it. When a patient asks for an electronic copy of his or her records, HITECH requires the organization to provide the PHI maintained in the EHR in electronic form. The proposed rule defines an EHR very broadly as "any electronic data." Furthermore, a healthcare entity must honor a patient's request that PHI not be shared with a health plan when the individual pays for the care out of pocket and in full.

Audits and Risk Assessment

Once security controls are in place, risk management should audit the system for flaws and gaps in maintaining the confidentiality, integrity, and availability of PHI. Every risk identified must go through a HIPAA-compliant risk management process, and the flaws must be corrected. Risk analysis is not a one-time exercise; it must be repeated regularly because new technology is constantly introduced, and again whenever clinical practice or systems change.

Dedicated IT Staff

Every healthcare institution should employ one or more people dedicated to maintaining the security and privacy of PHI; the Security Rule requires a designated security official. In most cases a team of IT professionals ensures that everyone follows the established policies and procedures and uses the systems appropriately. It is the job of this staff to conduct regular audits of HIPAA compliance.

Obtain Authorizations

While HIPAA permits the use of PHI for treatment, payment, and operations, including pharmacy operations, rehabilitation, and outpatient care, any other use or disclosure of PHI must be authorized by the patient in writing beforehand. For example, specific protocols apply when a patient is enrolled in a clinical trial, and when a patient wants records released to someone who is not treating him or her, such as an attorney or an employer, written authorization must be obtained.

Third-Party Agreements

Make sure business associate agreements are in place. Sometimes a third party needs access to PHI to perform a service on behalf of the hospital: an outside billing company, a transcription service, a cloud hosting provider, or a repair contractor who can see stored data. These business associates must sign an agreement confirming that they understand the HIPAA requirements and will follow them, and under HITECH they are directly liable for their own breaches. (Sending records to another treating provider, such as an outpatient rehabilitation unit or a radiation therapy center, is a treatment disclosure and does not require such an agreement; that provider is itself a covered entity bound by HIPAA.)

Inadvertent Disclosure

In the past, it was routine for healthcare workers to share patient information with family and friends, sometimes out of concern or in an attempt to help. This is no longer acceptable, and a provider who does so can violate the law. HIPAA does not excuse either deliberate or accidental disclosure of PHI. A disgruntled healthcare worker who steals PHI and discloses it for monetary gain or revenge can be held criminally liable. Accidental disclosure can also occur when a patient's chart is left unattended in the lobby or the radiology suite; when a chart travels with the patient on the trolley, the transporter must know not to leave it lying anywhere.

Personal PHI

Under HIPAA, patients have a legal right to inspect and obtain copies of their PHI, including medical and billing records, for as long as the institution maintains them, and to an accounting of certain disclosures made over the previous 6 years. Psychotherapy notes and information compiled for legal proceedings may be withheld. A provider may deny access only in limited circumstances, such as when a licensed professional judges that access is reasonably likely to endanger the life or physical safety of the patient or another person, and the patient may have such a denial reviewed. The institution may require that the request be made in writing.

Inform Patients of Privacy Practices

All healthcare facilities covered by HIPAA must document their privacy practices and share that information with patients. When patients ask for HIPAA information, they should be given the notice and asked to sign an acknowledgment that they received it.

Clinical Significance

Patient Rights under HIPAA

HIPAA gives patients a number of rights, many of which they are not aware of. The most important include the following:

  • Right to receive a Notice of Privacy Practices
  • Right to restrict PHI disclosures
  • Right to request how and where PHI is communicated to them. For example, a patient may ask that messages from the pharmacist or the hospital be sent by mail to his home rather than left on his home telephone
  • Right to inspect and review their PHI. If a patient believes something in the PHI is erroneous, he or she has the right to request an amendment; the provider may accept or deny the request. For example, a nurse diagnosed with bipolar disorder may, after treatment, want the diagnosis deleted from the chart; an accurate diagnosis will not be removed, although the patient's statement of disagreement becomes part of the record.
  • Right to obtain a copy of their PHI
  • Right to receive an accounting of where PHI disclosures have been made
  • Right to file a complaint with the Office for Civil Rights if the patient believes there has been any violation

HIPAA and Communication with Patients

The minimum-necessary principle means disclosing only as much information as the situation requires. When speaking to a patient in a room shared with other patients, do not divulge specifics beyond greetings. If the results of a biopsy or an operation must be communicated, ask the patient to move to a private room, and even there disclose only what is relevant. Where other patients are unavoidably present, for example in the recovery room or the intensive care unit (ICU), keep the discussion general and do not detail the procedure or diagnosis. Similarly, in outpatient clinics, never discuss PHI in the hallway; wait until the patient is seated in a private room.

HIPAA permits disclosure of PHI to a spouse, parents, legal guardians, and other people involved in the patient's care without a formal written authorization, provided the patient has had the opportunity to object. If something specific must be discussed while other individuals are present, ask the patient first whether he or she objects.

When Can Information Be Shared?

Healthcare workers should know that HIPAA permits the use and disclosure of PHI for treatment, which includes the following:

  • Discussing diagnosis, workup, and treatment with other healthcare professionals
  • Performing imaging and laboratory tests and disclosing the results to other clinicians
  • Providing the results of imaging tests, or discussing the patient's history when submitting surgical specimens to those who perform further diagnostic tests
  • When referring a patient to another facility or obtaining a consult
  • When calling the pharmacist over the phone to dispense medication to a patient

As long as healthcare providers are delivering treatment, HIPAA does not restrict them, unless the patient has asked that data not be disclosed to a particular provider. Caution is still required, however. For example, when asking a phlebotomist to place an intravenous line in a patient who needs chemotherapy, the physician does not have to explain why the line is needed.

  1. Similarly, when healthcare providers consult with other providers, the Privacy Rule does not prohibit such conversations. They should, however, be held away from the public and in private rooms; one should not take a telephone consult from a phone in the cafeteria where others can hear.
  2. Healthcare staff may communicate verbally at the nurses' desk to coordinate activities.
  3. A healthcare professional may discuss a patient's medical status over the phone with another provider, with the patient, or with family members involved in the patient's care.
  4. Healthcare workers may discuss a patient's medical condition in an academic setting or during rounds.
  5. In emergencies, the law permits entities to communicate as required to ensure proper delivery of healthcare.

Email Communications

Healthcare institutions should establish specific guidelines on email communication with patients. Recommendations include the following:

  • The patient's name should not appear in the subject line
  • Make sure the patient's email address is correct before sending
  • Transmit only the bare minimum of information in an email
  • Include a standard confidentiality disclaimer at the end of every email
  • All emails containing PHI must be encrypted in transit, and the mailboxes that store them must be protected
  • Do not use a personal email account to communicate with a patient. Never use, for example, a Yahoo or Hotmail account; use the email system set up by the institution.

Faxes

As with email, there should be specific policies and guidelines on the use of fax to transmit medical information. Recommendations include the following:

  • Fax machines must be located in a secure area away from the public, patients, and healthcare workers who do not need them
  • The first page of every fax should be a cover sheet with a disclaimer stating what to do if the fax reaches a wrong number
  • Unless it is an emergency, faxes should be sent only during working hours, so that incoming pages are picked up promptly and not left lying in the tray
  • After sending a fax, confirm with the recipient that they have collected it

Computers

Today computers play a critical role in healthcare and store vast amounts of PHI, so these devices must be secured. Recommendations for computer use include the following:

  • Computers should be kept where they are not accessible to the public or to patients
  • Screens should not be visible to patients or the public
  • Providers should log off whenever they step away, even for a few minutes, and workstations should lock automatically after a short period of inactivity
  • All healthcare workers should have a unique password
  • The password should never be shared with anyone else

Clergy and Other Religious Figures

The HIPAA Privacy Rule permits clergy and other religious figures to be told which patients of their denomination are in the hospital, as long as the patient has been informed and has not objected. Patients should be asked about their preferences on admission and asked to sign a form stating whom they want as visitors and who should be notified.

During an emergency, or when the patient is incapacitated and has not been able to express a preference, disclosures may still occur, but they must be consistent with the patient's best interest. One must use good judgment and involve administration and risk management in the decision, and document why this course of action was taken.

Other Issues

Disposing of PHI

When disposing of medical records, labels, and prescription labels, the documents should be shredded or incinerated so that they cannot be reconstructed. PHI on a computer must be securely wiped, or the drive physically destroyed, before the PC is disposed of; simply deleting the files or reformatting the drive leaves the data recoverable. The same applies to CDs, zip drives, and flash drives. The people in charge of shredding or disposal must be properly vetted, so that the records are actually destroyed rather than taken home.

Signed Consent

In the course of business, pharmacies and hospitals may obtain signed authorization from patients before a service, allowing them to use PHI during care. Such a form must state the purpose, the recipient, and an initiation date and an expiration date or event for the disclosure. The authorization remains valid only until it expires and can be renewed, and the patient may revoke it in writing. So if a patient has signed an authorization releasing his medical records to a psychiatrist, the records may be sent during that period, but PHI may not be sent continuously to other healthcare workers without authorization. If the patient is unavailable or incapacitated and it is a matter of life or death, PHI may be disclosed without authorization after review with risk management. Other cases in which PHI may be disclosed are suspected child abuse, elder neglect, or apparent fraudulent activity.

Training Employees

It is imperative that the entire staff know about HIPAA, so regular training must be conducted. This applies not only to regular staff but to all interns and volunteers who come into contact with PHI. Staff must be fully trained and made aware of the HIPAA rules that apply to them.

Reporting HIPAA Violations

In general, breaches of unsecured PHI must be self-reported to the Department of Health and Human Services (HHS). Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. If a breach affects 500 or more individuals, HHS must be notified within that same 60 days, and prominent media outlets in the affected state or jurisdiction must also be notified. If fewer than 500 individuals are affected, the breach is logged and reported to HHS no later than 60 days after the end of the calendar year in which it was discovered. Penalties may increase if a breach is not self-reported and is instead discovered through the media.

Who Monitors Hospitals and Healthcare Workers for HIPAA Compliance?

The Office for Civil Rights (OCR) is the entity responsible for enforcing HIPAA privacy and security rules. The agency enforces rules in the following ways:

  1. Investigates complaints received from patients and others
  2. Conducts compliance audits; OCR may select an institution for audit without any complaint
  3. Conducts education and outreach to promote compliance
  4. Opens compliance reviews when it learns, for example from the media, of PHI being discovered or disposed of improperly

The Investigation Protocol

Once OCR receives a complaint of a HIPAA violation, it gathers information and tries to determine whether the Privacy or Security Rule was violated. If the problem is a minor case of noncompliance, OCR will first try to resolve the matter with the institution by:

  • Recommend voluntary compliance
  • Recommend some type of corrective action
  • Resolution agreement

For institutions that fail to comply with HIPAA, there may be civil and criminal penalties. If a complaint indicates a violation of HIPAA's criminal provision, the matter may be referred to the Department of Justice for investigation.

Civil and Criminal Violations

When the institution fails to resolve the matter satisfactorily, OCR may impose civil monetary penalties based on the seriousness of the noncompliance. The amount is at the discretion of the Secretary of HHS and depends on the nature and extent of the violation and of the harm that resulted. The Secretary may not impose a civil penalty for a violation that was not due to willful neglect and is corrected within 30 days of the date the entity knew, or should have known, of it. Criminal violations of HIPAA are handled by the Department of Justice (DOJ), which may seek criminal fines and imprisonment in addition to any civil penalties, depending on the severity of the violation.

Criminal Violation of HIPAA Rules

Criminal penalties for HIPAA violations apply to the following entities:

  • All health coverage plans
  • Health care clearinghouses
  • All health care providers who transmit claims electronically
  • Medicare prescription drug card sponsors

Besides institutions, individuals can also be charged with criminal violations of HIPAA, including employees, directors, officers, nurses, secretaries, and telephone operators. Even individuals not directly liable under HIPAA may be charged with aiding and abetting or conspiracy. Finally, HHS has the authority to exclude any individual or healthcare institution from participation in Medicare, either temporarily or permanently.

Recent HIPAA Fines

  1. February 1, 2018: Fresenius Medical Care North America paid $3.5 million for five breaches, because it had not complied with HIPAA's risk-analysis and risk-management requirements
  2. February 13, 2018: Filefax Inc. paid $100,000. The important point here is that HIPAA obligations do not cease when a business closes
  3. June 18, 2018: MD Anderson Cancer Center was ordered to pay $4.3 million for HIPAA violations involving unencrypted devices
  4. February 1, 2017: Children's Medical Center of Dallas paid $3.2 million for failing to assess risks in a timely manner
  5. February 16, 2017: Memorial Healthcare System paid $5.5 million for lacking audit controls
  6. April 24, 2017: CardioNet paid $2.5 million for an incomplete risk analysis and risk-management process after a laptop theft
  7. In 2014, an Indiana jury awarded $1.4 million in damages against Walgreens after a pharmacist looked up a patient's PHI and shared it with her husband and at least three other people. This was a state-law negligence case rather than an OCR fine, but it shows the cost of an impermissible disclosure

No matter how big or small the institution, or how few people work in a clinic, even a solo practitioner can be penalized for HIPAA violations. And the monetary penalty is only part of the cost: resolution agreements are published online, and such publicity can quickly ruin the reputation of a facility or a provider.

Can Patients Sue a Healthcare Facility or a Healthcare Worker for Violating HIPAA?

Consider a pharmacist who calls a patient's home; no one answers, so he leaves a voicemail asking when the patient will come to pick up his HIV medication. The patient can claim that no one in the household knew his HIV status and that the pharmacist has now disclosed it to everyone in the home. Can the patient sue the pharmacist?

When a healthcare worker or facility has violated HIPAA rules, patients generally have no recourse except to report the matter to the OCR. HIPAA created a right to privacy, but it does not allow most patients to file a lawsuit over a violation. However, if the HIPAA violation involves gross negligence or professional malpractice, such cases may be brought to court.

Avoiding HIPAA Violations

Preventing HIPAA violations is not difficult. First, get professional help from HIPAA experts:

  1. Develop a code of conduct booklet and write down all the policies and procedures that everyone must follow.
  2. Do not let anyone get away with violations of policies because, in the end, it is the healthcare professional who will have to face the legal system.
  3. If healthcare professionals or institutions already have HIPAA policies in effect and have nonetheless suffered a HIPAA violation, consult a HIPAA specialist to identify deficiencies and corrective measures. These specialists provide comprehensive education and tips and offer seminars to staff on HIPAA rules and regulations. It is money well spent, because a HIPAA violation is a very expensive ordeal.

Civil penalty tiers: the amount per violation, and the maximum for all violations of an identical provision in a calendar year

  Violation category               Amount per violation    Calendar-year maximum (identical provision)
  Did not know                     $100 to $50,000         $1.5 million
  Reasonable cause                 $1,000 to $50,000       $1.5 million
  Willful neglect (corrected)      $10,000 to $50,000      $1.5 million
  Willful neglect (uncorrected)    $50,000                 $1.5 million

Pearls

  • HIPAA has been enacted to ensure the privacy and security of PHI.
  • Each healthcare institution may set up unique policies and procedures, but they must conform to HIPAA guidelines.
  • With evolving technology, one must keep updated with HIPAA and ensure that PHI remains protected.
  • Ensure that all the workers in the institute know the HIPAA policies and procedures.
  • Be stringent with workers who break HIPAA rules, because eventually there will be a cost.


Patient Confidentiality - Questions

  1. Working as part of a healthcare team, one must maintain patient confidentiality. In most circumstances, medical information about a teenager can be shared with which of the following individuals?
  2. When a provider hears two other providers discussing a patient's illness in a public area, what should be done?
  3. Which of the following conditions should NOT breach patient confidentiality?
  4. A 15-year-old with dysuria presents with her mother. With the mother out of the room, the patient admits to unprotected sex for one year with her 15-year-old boyfriend. She states that her mother does not know that she is sexually active, and she requests that her mother not be informed. Diagnostic tests are done and appropriate antibiotics are prescribed. What should be done next?
  5. In which case is consent to share medical information not needed?
  6. In which of the following case scenarios can confidentiality be breached?
  7. A 24-year-old intellectually disabled female lives at home with her parents, who are planning on moving to a retirement community. The daughter wants to live independently, so an occupational therapy evaluation is done, including the Allen Cognitive Level and the Kohlman Evaluation of Living Skills. The patient would clearly not be able to live independently. What is the next best step in management?
  8. After a group session on the psychiatric unit, a patient approaches you and says "I want to tell you something but I need you to keep it a secret." What is the best response?
  9. A therapist receives a call from a patient's spouse who asks how the patient is doing. Select the best response.
  10. A patient is suing her employer for a work-related injury. The physical therapy notes cannot be reviewed by which of the following without the permission of the patient?
  11. Which of the following is an example of a breach in confidentiality?
  12. Which of the following terms refers to the nondisclosure of information except to those authorized to access it?
  13. Select the confidential record that must be protected:
  14. A patient tests positive for HIV just before surgery. What should be done?
  15. Two hospital employees are discussing a named patient's illness in the hospital coffee shop. What should be done?
  16. The brother of a patient says he is a physician and wants to see the chart. What should be done?
  17. A patient is diagnosed with HIV. Which of the following prevents discussion of this with the spouse or partner?
  18. A 14-year-old patient presents to the clinic for a well-child visit and voices that she would like to discuss birth control and sexually transmitted infection (STI) prevention because she is thinking of having sexual relations with her boyfriend. How should this be handled?
  19. Who may receive sensitive information about patients from professionals?
  20. Select the information which DOES NOT belong in a case manager's report.
  21. A caregiver is approached by a colleague in the hall. The colleague wants to know how a hospitalized friend is doing and if his tests were improving. Which of the following is most appropriate?

Patient Confidentiality - References

Butler PW, Middleman AB. Protecting Adolescent Confidentiality: A Response to One State's
Hunt M, Pal NE, Schwartz L, O'Mathúna D. Ethical Challenges in the Provision of Mental Health Services for Children and Families During Disasters. Current Psychiatry Reports. 2018 Jul 23.
Cramer R, Loosier PS, Krasner A, Kawatu J. State Laws Related to Billing Third Parties for Health Care Services at Public Sexually Transmitted Disease Clinics in the United States. Sexually Transmitted Diseases. 2018 Aug.
Minen MT, Stieglitz EJ, Sciortino R, Torous J. Privacy Issues in Smartphone Applications: An Analysis of Headache/Migraine Applications. Headache. 2018 Jul 4.
Berwick DM, Gaines ME. How HIPAA Harms Care, and How to Stop It. JAMA. 2018 Jul 17.
Gostin LO, Halabi SF, Wilson K. Health Data and Privacy in the Digital Era. JAMA. 2018 Jul 17.
Klann JG, Joss M, Shirali R, Natter M, Schneeweiss S, Mandl KD, Murphy SN. The Ad-Hoc Uncertainty Principle of Patient Privacy. AMIA Joint Summits on Translational Science Proceedings. 2018.
Cohen IG, Mello MM. HIPAA and Protecting Health Information in the 21st Century. JAMA. 2018 Jul 17.
Edemekong PF, Haydel MJ. Health Insurance Portability and Accountability Act (HIPAA). 2018 Jan.
Marting R. HIPAA: Answers to Your Frequently Asked Questions. Family Practice Management. 2018 Mar/Apr.
Wiles LL, Park EHE, Kim JJ. To Tell or Not to Tell: Nursing Students' Attitudes Toward Disclosing Patients' Protected Health Information. Computers, Informatics, Nursing: CIN. 2018 Mar.
Zargaran A, Ash J, Kerry G, Rasasingam D, Gokani S, Mittal A, Zargaran D. Ethics of Smartphone Usage for Medical Image Sharing. The Indian Journal of Surgery. 2018 Jun.
Lamas E, Coquedano C, Bousquet C, Ferrer M, Chekroun M, Zorrilla S, Salinas R. Patients' Perception of Privacy of Personal Data, Shared in Online Communities: Are We in the Presence of a Paradox? Studies in Health Technology and Informatics. 2018.
Shay DF. The HIPAA Security Rule: Are You in Compliance? Family Practice Management. 2017 Mar/Apr.
Drolet BC. Text Messaging and Protected Health Information: What Is Permitted? JAMA. 2017 Jun 20.
Freundlich RE, Freundlich KL, Drolet BC. Pagers, Smartphones, and HIPAA: Finding the Best Solution for Electronic Communication of Protected Health Information. Journal of Medical Systems. 2017 Nov 25.
McKnight R, Franko O. HIPAA Compliance with Mobile Devices Among ACGME Programs. Journal of Medical Systems. 2016 May.
