The Health Insurance Portability and Accountability Act (HIPAA) establishes requirements surrounding patient confidentiality.
Patient confidentiality refers to the right patients have to keep their records private. Physicians and medical professionals have moral and legal obligations to handle patients' protected health information (PHI) privately.
Patient privacy is even included within the Hippocratic Oath.
Despite all of this, though, a breach of patient confidentiality occurs every 62.5 hours. That’s equivalent to a HIPAA violation occurring about every 2.5 days.
Anyone who works in the healthcare industry knows that they should avoid HIPAA violations at all costs. A violation usually leads to large fines and can sometimes involve jail time. At a minimum, employee discipline is certainly one potential consequence of violating HIPAA.
How could breaches of confidentiality occur so often? How does no one realize it?
The reality is that it's hard to maintain patient privacy. We're curious creatures who are nosy and like to eavesdrop and gossip. Add the bustling environment at some facilities, and the high patient traffic sometimes leads to wandering eyes.
There are steps healthcare providers take to better prevent the unintentional disclosure of PHI. All of those steps stem from the same source, patient confidentiality. So how do you place better protections?
Well, the best way to start is by seeing some examples of patient confidentiality for yourself.
Examples of Patient Confidentiality
There are many ways doctors and healthcare practices can protect patient privacy.
Believe it or not, the design and layout of your waiting rooms matter. Patients who've already checked in shouldn't be able to view the names and other sensitive information of patients at the front desk. The layout of reception and the position of the chairs are important factors.
Below are some examples of techniques healthcare practices use to protect the privacy oath they have with their patients.
Scenario 1: Patient Check-In
Many practices have patients sign in when they enter the waiting room. Sometimes, there will be lots of blacked-out lines above where they sign, left over from previous appointments throughout the day.
Other times, a patient will sign on a whiteboard or on stickers on the front desk that get erased or removed shortly after signing.
Why do healthcare practices have patients sign their names on removable mediums?
It’s all about patient confidentiality and keeping information out of eyesight. Covered entities need to remove the names and signatures of their patients from public view to protect their privacy.
Let's say you sign in to see a psychologist. Let's also say your coworker sees the same therapist and notices your name on the sign-in sheet. That coworker could reveal to colleagues that you're seeking help from a behavioral health professional.
In this fictitious scenario, negligence from the healthcare entity caused a breach in privacy. By blotting out the names or removing them from the list, healthcare providers can better protect their clients.
Scenario 2: Voicemail Messages
Many practices need to leave a HIPAA-compliant voicemail on patients’ phones. Voicemails help inform clients of upcoming appointments or that their test results are ready.
But, if the wrong person hears the voicemail, this could lead to a breach of confidentiality. Due to that risk, medical professionals usually keep their message vague. They mention the patient's name, the doctor's name, the name of the practice, and a callback number.
They don't include appointment dates or times, or specifics regarding procedures or tests conducted.
Including as little identifying information as possible in a patient voicemail further decreases the risks associated with patient confidentiality.
Scenario 3: Lobby Privacy Windows
Do you remember earlier when I mentioned waiting room design?
I’ve already mentioned one physical protection your organization should include with blotting out and/or erasing names on your appointment sign-in sheet. But physical protections don’t end there.
Your front office staff likely makes and receives a lot of phone calls from patients (remember that whole section about voicemails?). Some of the calls that those staff members make have to include some private information by nature. How do you protect who those staff members are calling from those that are waiting for their appointment?
Privacy glass.
Privacy glass surrounding the main desk is another step that your practice could take to enhance your patients' protections. I know what you're thinking: "Won't these hinder my patients' experience? It's hard to interact with patients on a personal level through a window."
The windows swivel open and closed. That way your staff can still have conversations with your clients, and close the window to reduce the risk of eavesdropping during private calls.
Scenario 4: Disposal of Documents
Some practices still heavily rely on paper documents. How many? 86% of healthcare organizations use some form of electronic health record system (EHR). Based on that statistic, 24% still spend hours printing out PHI and filing it away.
Unfortunately, if these files aren’t disposed of securely, the sensitive information could fall into the hands of malicious individuals. Not to mention the risk associated with leaving sensitive documents on desks.
Disposing of paper PHI starts with shredding. But having only a few large shredding containers leads to stacks of "to shred" piles across the office (risk alert). Piles of sensitive information aren't what you want. Aside from the blatant risk of someone walking up and stealing each pile, they also open the door to accidental disposal in your general trash (another risk alert).
The solution? More shredding containers. Placing these throughout your facility ensures better accessibility for employees, while cutting down on the risk of misplacing sensitive documents in the general trash.
The best solution?
Switch from paper altogether.
Scenario 5: Patient Visitors
Healthcare providers need to take caution when discussing PHI in front of visitors.
For example, a doctor could accidentally disclose private information in front of a patient's visitors. Not a big deal, unless of course the patient didn't want the people visiting them to know those details.
How do you navigate this scenario? Consent.
Simply alert patients when you're about to discuss PHI. This gives the patient a chance to excuse visitors from the room.
Patient consent is a good business practice many healthcare providers have to prevent a lawsuit.
Examples of Exceptions to Patient Confidentiality
According to the American Academy of Family Physicians (AAFP), there are four exceptions to patient confidentiality.
First, a medical-care provider can disclose PHI to another physician. This can only happen when one doctor needs another's advice on the treatment process.
Second, a provider can disclose PHI if there's a compelling circumstance that affects the patient's health and safety, such as an emergency.
Third, sometimes a court order or statute requires reporting of a specific diagnosis to a public health authority. This usually happens because of a trial or a police investigation.
Similarly, a court order or statute may require a doctor to release a medical record to law enforcement or another legal entity. These are probably issued for similar reasons to the situation above.
There are a few other reasons not outlined by the AAFP. The governing body that determines the scenarios in which it's permissible to discuss PHI is the Department of Health and Human Services (HHS).
The other scenarios it includes are:
- Scenarios of abuse, negligence and domestic violence
- Determinations of cause of death
- Organ donation
- Research that's designed to contribute to generalizable knowledge
- Essential government functions like national security activities
- Workers' compensation law
- Limited data sets
Scenario 1: Wanting to Harm Someone
Many patients who regularly see a psychologist, therapist, or psychiatrist suffer from behavioral ailments. Some experience seemingly random outbursts of rage and anger. Other people are more methodical and calculated with their emotions and actions.
If a patient reveals that they intend to harm someone, their mental health professional can legally disclose information about their patient to protect the individual in danger.
The mental health professional legally needs to protect the public from a valid, perceived threat.
Scenario 2: Child Abuse
If a healthcare provider finds concerning marks, bruises, or injuries, they’re legally obliged to contact the authorities. If a child’s well-being is in danger, a healthcare professional needs to breach patient confidentiality to protect the patient.
This could mean that the doctor calls child protective services and/or the police. According to the American Psychological Association (APA), some laws require psychologists to report ongoing domestic violence, abuse, or neglect of adolescents. The association doesn't specify how the doctor should report the information or to whom.
The APA goes on to explain that if an adult discloses that they endured abuse as a child, the healthcare professional is not bound to report abuse. However, if there’s abuse currently going on by the same perpetrator, healthcare professionals have to report the abuse.
Scenario 3: Second Opinions
Doctors have the right to breach patient confidentiality for clinical purposes. This means that doctors may discuss a diagnosis with colleagues if the disclosure is necessary for treatment.
When doctors need to share PHI amongst each other, they need to follow the Minimum Necessary Standard. This means that a healthcare professional may share only the minimum amount of PHI needed for the purpose.
Healthcare professionals are also allowed to share confidential information if they are referring the patient to another practice or when speaking with a pharmacist. These disclosures are necessary for the successful treatment of a patient. Therefore, they’re legally permissible.
Scenario 4: Public Health Crisis
Healthcare professionals can disclose PHI, to the minimum extent necessary, if the disclosure can protect the general public from a health crisis.
What does this mean?
If someone in the hospital has a contagious disease that can have lasting side effects or a concerning mortality rate, the healthcare entity needs to tell the public about the situation. Any and every patient, visitor, and staff member could contract the disease, exposing more people in the public and at home.
According to the HHS, the HIPAA Privacy Rule recognizes that sometimes public health authorities and others responsible for ensuring public health and safety need to access PHI. The information helps other healthcare professionals protect their patients from the crisis at hand.
The Privacy Rule also recognizes that the public health reports made by covered entities help identify threats to public health.
Now, this doesn’t mean that doctors can declare that you are the one who contaminated everyone with an infectious disease. Nor do healthcare entities have the ability to disclose non-relevant information about you. In a public health crisis, doctors are only allowed to disclose information that can help protect the greater population.
Scenario 5: Elderly Neglect
Psychologists have the right to disclose information without the patient's consent to protect the patient.
This could mean that doctors share information with the family of elderly patients so that they can get the proper care.
Similarly, if a doctor determines that an elderly patient is enduring neglect, the healthcare professional may breach patient confidentiality. If the neglect is pervasive enough, the perpetrators could face a criminal trial. Therefore, a healthcare professional needs to disclose health information when elderly neglect is at hand.
Conclusion
There are plenty of safeguards and policies covered entities take to protect patient confidentiality. It can be a challenge for healthcare workers to remember all of these practices while actively treating patients.
One of the best ways to protect patient confidentiality is through training. If employees take regular HIPAA-related training courses, your staff are more likely to remember and comply with confidentiality policies.
For example, if healthcare staff take training about preventing employee gossip, the employees are less likely to engage in that behavior. This, in turn, helps protect patient confidentiality.