Saturday, January 7, 2006

“A classic example”

Earlier this week an employee raised a concern about patient privacy after she saw a provider interviewing a patient about her health history in a way that could be overheard by others.

Yesterday John Conner, our HIPAA[1] Privacy Officer, sent an all-department e-mail to remind us how important it is to use only the minimum necessary information when communicating about patients.

He wrote about a situation involving a department that produces a list of patients to be treated each day. The list is used to check off names as patients arrive for their appointments. Last week a patient reported being able to see information on the list, such as the diagnoses or treatments associated with other names.

John called the situation “a classic example” of not following the minimum necessary standard.[2] In other words, more information was included on the patient list than was necessary. A second problem was that the list was visible to others. Patient information must be protected from unauthorized access, including casual access by others.

“The event provides a valuable learning opportunity for us,” John wrote, and he asked employees to bring similar situations to the attention of their supervisors right away.

I responded to John with an e-mail, saying that his message reminded me of another situation that dates from pre-HIPAA days. The mother of a patient called me to complain about a lack of information privacy. Her son, who had been a patient the prior week, had left his blue jeans in the room when he was discharged. She called Security, which promptly contacted the nursing unit, and the lost jeans were found.

When the mother stopped at Security to pick up the clothing, she saw that it was stored in a clear plastic bag, marked “patient belongings.” The bag also contained the printed half-sheet with the patient’s name, address, age – and diagnosis.

“Why, Mr. Quinn,” the mother asked me, “did the security officer have to know that my son is HIV positive?” It was a good question, and as a result, CGH changed its then-policy of including the half-sheet to identify patient belongings.

I’d like to thank the employees who showed their interest in (and sensitivity to) patient privacy this week. Confidentiality is a subject we take very seriously, and – as is apparent – one we need to remind ourselves about constantly.[3]


[1] HIPAA refers to the Health Insurance Portability and Accountability Act of 1996, a federal law that limits how hospitals and other health care providers may use health information that identifies an individual patient. The rule does not restrict the ability of doctors, nurses and other providers to share the information necessary to treat patients.

[2] HIPAA requires providers to use or share only the minimum amount of protected information necessary for a particular purpose. Information on HIPAA is available on this federal website:

[3] For CGH policies on patient confidentiality, go to “Public Folders” on the CGH intranet, find “Manuals” and select “Hospital Policies.” “Hospital Policies” will take you to a number of headings. Select “09 Management of Information” and go to the subsection on “Confidentiality & Security.”
