Ensuring Patient Confidentiality in Nursing

Course Highlights


  • In this course we will learn about the various aspects of patient confidentiality, and why it is important for building patient-provider relationships.
  • You’ll also learn the basics of de-identifying patients, professional statements, and disclosures.
  • You’ll leave this course with a broader understanding of how to practice patient confidentiality in nursing.

About

Contact Hours Awarded: 2

Course By:
Kayla Cavicchio
BSN, RN, CEN, TNCC

Introduction

In order to provide the best care possible to patients, there must be a foundation of trust that the patient-provider relationship is built on. If the foundation is not stable, the rest of the relationship is at risk of crumbling. One way that trust is built is by maintaining patient confidentiality or privacy.  

In the medical field, when trust is lacking and patients withhold information, the wrong medicines or treatments may be administered or performed. This could result in further complications. Medical conditions, treatments, and results can often be sensitive topics patients do not necessarily want shared with society for a variety of reasons. Patients rely on their providers to keep the information they communicate in confidence, only sharing under certain circumstances.

With the ever-growing platform of social media and advancements in technology, there is a gray area that exists when it comes to patient confidentiality and what can and cannot be shared. The purpose of this course is to educate learners on aspects of patient confidentiality and its importance.  

 

 

Quiz Questions

Self Quiz

Ask yourself...

  1. What do you already know about patient confidentiality?

The Privacy Rule 

The Health Information Portability and Accountability Act of 1996 (HIPAA) became the groundwork for the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) issued by the U.S. Department of Health and Human Services (HHS). It was designed to meet the requirements set by HIPAA regarding how healthcare providers used and disclosed a patient's private health information. It also addressed patients having the right to know and dictate how their health information is utilized. Overall, the Privacy Rule's goal was to set clear boundaries when it came to properly protecting health care information while allowing the exchange of pertinent information to protect the health and well-being of the public (2). 

Many groups are included under HIPAA's term "covered entities." These entities have connections to personal health care information on a variety of levels. Groups such as healthcare providers, health plans, healthcare clearinghouses, and business associates are all covered entities. The protected information they encounter is anything that can or is believed to identify an individual: name, date of birth, address, and Social Security number. Any past, present, or future mental or physical health, condition, or payment and health care provisions for an individual are also classified as protected information (4).

 

Ask yourself...

Think of where you work.

  1. What type of facility do you work in? 
  2. What does your work consider patient identifiers?
  3. Is there anything you think should be added to that list when it comes to what can identify a patient? 

De-Identifying Patients to Ensure Patient Confidentiality

There are many steps involved in de-identifying a patient for those who use or share patient information, as it applies to HIPAA. De-identifying a patient is the act of removing as many identifiers as one can in order to eliminate the chances of an individual being recognized through the scenario or situation (3). The following are two methods of de-identification. 

Formal Evaluation by a Qualified Expert  

A qualified expert must be a person with significant knowledge and experience in scientific and statistical standards or methods to ensure patient information is not identifiable. They do this by determining if the risk of using the information is very small. They often document what methods they use to make the determination (3).  

Removing Individual Identifiers 

Many identifiers are things one would expect to be removed when de-identifying a patient, such as a name, age, date of birth, home address, Social Security number, full-face photos, and phone numbers. However, the list also includes any form of vehicle identifier (serial or license plate number), internet protocol (IP) addresses, biometric identifiers like finger or voiceprints, serial numbers or device identifiers, and web universal resource locators (URLs). The entire list of the 18 identifiers is located on the Department of Health and Human Services website (3).

Neither of these methods is 100% perfect in its goal, but both significantly decrease a patient's chance of being identified. Once the patient has been de-identified, the information is no longer restricted by the Privacy Rule since all patient identifiers have been removed. This means that the information can be used without worry of violation (3).
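The identifier-removal method described above, sketched in Python as an added example (it is not part of the original course and is not HHS tooling). The field names, the US-format patterns, and the sample record are assumptions constructed for illustration, and only identifiers named in this section are covered, so the output still needs human review.

```python
import re

# Structured fields that hold identifiers named in this section.
# Field names are hypothetical; map them to your own schema.
IDENTIFIER_FIELDS = {
    "name", "age", "date_of_birth", "home_address", "ssn", "phone", "photo",
    "license_plate", "device_serial", "ip_address", "url",
    "fingerprint", "voiceprint",
}

# Identifiers that leak into free-text notes (US formats assumed).
# URLs go first so an address embedded in a URL is removed with it.
TEXT_PATTERNS = [
    ("URL", re.compile(r"\bhttps?://[^\s<>\"']+", re.I)),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}(?!\d)")),
    ("IP", re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")),
]


def scrub_text(text, name_tokens=()):
    """Replace matched identifiers with typed placeholders; return (text, counts)."""
    counts = {}
    # The patient's own name, taken from the structured record, is redacted
    # first. Names of other people in the note are NOT caught by this sketch.
    for token in name_tokens:
        text, n = re.subn(rf"\b{re.escape(token)}\b", "[NAME REMOVED]",
                          text, flags=re.I)
        if n:
            counts["NAME"] = counts.get("NAME", 0) + n
    for label, pattern in TEXT_PATTERNS:
        text, n = pattern.subn(f"[{label} REMOVED]", text)
        if n:
            counts[label] = n
    return text, counts


def deidentify(record, free_text_fields=("note",)):
    """Drop identifier fields, scrub free text, and report what was removed."""
    name_tokens = [t for t in re.findall(r"[A-Za-z']+", str(record.get("name", "")))
                   if len(t) > 1]
    clean = {}
    report = {"dropped_fields": [], "text_hits": {}}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            report["dropped_fields"].append(key)
            continue
        if key in free_text_fields and isinstance(value, str):
            value, hits = scrub_text(value, name_tokens)
            for label, n in hits.items():
                report["text_hits"][label] = report["text_hits"].get(label, 0) + n
        clean[key] = value
    return clean, report


# Constructed sample record; every value is fictional.
SAMPLE = {
    "name": "Jane Sample",
    "date_of_birth": "1980-04-12",
    "ssn": "123-45-6789",
    "diagnosis": "type 2 diabetes",
    "note": "Jane called from (555) 010-2345 on 03/14/2024; portal login from "
            "10.20.30.40 via https://portal.example.org/u/jsample. "
            "SSN on file 123-45-6789.",
}

if __name__ == "__main__":
    cleaned, removed = deidentify(SAMPLE)
    print(cleaned)
    print(removed)
```

The report of dropped fields and text hits gives a reviewer a record of what was removed, which matters because the clinical note is where identifiers most often survive after the structured fields have been stripped.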

Ask yourself...

  1. Which version of de-identifying a patient do you think is better? 
  2. Have you ever had to de-identify a patient or patients?
  3. What was it for?
  4. Did you expect some of the listed identifiers to be on the list? 

Professional Statements  

Over the years, professional medical organizations have released statements regarding patient confidentiality and how it pertains to their target audience. Many medical organizations such as the American Nurses Association (ANA) and the American Medical Association (AMA) often create position statements to reflect the organization's overall stance and thoughts on a specific topic. These positions may be used to guide education, policies, or individual opinions on the topic.

The ANA released a statement regarding patient privacy and confidentiality. As mentioned before, the ANA believes that the patient-provider relationship is important, and confidentiality is essential in that relationship. The organization supports legislation, standards, and policies that protect patient information. In the professional statement document, the ANA goes on to give the following recommendations regarding the protection of patient information (1, para 3). 

  • “Nurses should advocate for policies that ensure individuals’ right to privacy and protect against unwanted, unnecessary, or unwarranted intrusion into a person’s life.” 
  • “In the course of advocating for patients, nurses act to ensure privacy in the care environment as fully as possible so that patient privacy and confidentiality can be maintained.” 
  • “The patient’s right to confidentiality of individually identifiable health information is established statutorily with specific exceptions. Nurses should follow organizational policies that safeguard an individual’s right to decide to whom, the extent, and under what circumstances their individually identifiable health information will be disclosed.” 
  • “Violations of privacy and breaches of confidentiality threaten patient welfare. Nurses act to address practices and behaviors that risk patients’ privacy and confidentiality, escalating the concern as necessary per organizational policy.” 
  • “Confidentiality protections should extend not only to health records but also to other individually identifiable health information, including oral reporting, clinical research records, images, and mental health and substance use disorder therapy/treatment notes. This protection should be maintained in the treatment setting and in all other venues.” 
  • “Patients should receive accurate information regarding federal legislation (e.g., HIPAA, the Genetic Information Nondiscrimination Act [GINA], and the 21st Century Cures Act) that addresses individually identifiable health information and any limitations, exceptions, or implications associated with legislation affecting the right to privacy and confidentiality.”  

There is a heavy emphasis on not using patient information if consent has not been given unless there is an extenuating circumstance regarding legal requirements. This will be discussed in the next section.

Since patient confidentiality is extremely important, the ANA supports healthcare organizations in creating safeguards to protect patient confidentiality. They also support the organizations enforcing ways to alleviate violations by health care workers and protect them from retaliation (1).  

 

Ask yourself...

  1. Have you read the ANA's statement on patient confidentiality before? 
  2. Are you in any professional organizations? 
  3. Do these organizations have any statements about patient confidentiality?
  4. Are there any differences between them and the ANA's statement? 

Disclosure  

Overall, patient information is discouraged from being shared; however, there are several instances where the sharing of information is allowed. The patient may give the provider(s) or healthcare organization permission to share the information with whomever the patient decides (6). By providing consent, the patient is essentially waiving the right to keep that information confidential but determines who can receive the information. This can be done through written or verbal consent, though most facilities require a written one. This written form is placed in the patient's medical records.

If another healthcare agency or provider is going to be involved with the patient's care, medical information can be exchanged on a "need to know" basis (6). For example, if a patient is being transferred to another facility, the accepting nurse and care team would need a thorough report to ensure that they knew the patient and what had already been done for them regarding medical care.  

While protecting patient information is important, there are a few circumstances, called extenuating circumstances, that allow healthcare providers to share information regarding a patient without permission outside of the above reasons. Certain information is required to be reported to public health departments or authoritative organizations: communicable diseases, suspected child or elder abuse, and gunshot wounds. Release of information to insurance companies for payment, or to workers' compensation boards after a claim has been submitted, is also allowed (8, 9).

In the case of protecting the public, healthcare providers can report patient information to a specific organization if it comes down to the health of the public. As mentioned above, testing positive for communicable diseases can be reported to public health departments. 

It should be noted that one important exception applies to this rule. Making assumptions, especially about whether a spouse has the right to know the medical history of a patient just because they are married, is not advised. Patients should be encouraged to inform their spouse about information that may put the spouse at risk, such as sexually transmitted infections. If the individual's direct safety is threatened, then the provider can tell them (2).

In order to protect society, healthcare providers have the duty to warn if they have detailed and documented proof that the patient is targeting a select individual or group. Providers are encouraged to document instances of threats, whether it be against them, another provider, or another individual outside of the healthcare setting. Often there is a legal or ethical duty to report the threat to the authorities or possibly warn the potential victim (2).

If a provider is concerned about what can or cannot be disclosed at any time, it is encouraged that the provider consults hospital policies before releasing any information.  

 

Ask yourself...

  1. How do you obtain consent for sharing information? 
  2. Have you ever shared information outside of the "need to know" basis with other providers when it comes to a patient? 
  3. Have you ever had to report a patient to another organization such as Child Protective Services or the county Department of Health? 
  4. What was it for?  

Consequences of Disclosure Violations 

Healthcare providers may be subjected to a variety of consequences when it comes to the violation of HIPAA or the Privacy Rule. The healthcare provider and the facility in which they work may be subjected to civil suits in a variety of ways (6). Disclosing sensitive information or photos about the patient is a breach of legal duty—intentional or unintentional. Nurses may face disciplinary action from their state's board of nursing. With the ever-growing form of social media, boards of nursing have been cracking down on improper use of social media and breaches in patient confidentiality. Job loss and fines are other consequences that may occur by themselves or in addition to any of the others listed above (6).  

 

Ask yourself...

Think back to your hospital policies. 

  1. Do you recall any consequences listed in the policy?
  2. Are you required to complete education regarding patient confidentiality at work?
  3. What kinds of consequences do you think would be appropriate for violating patient confidentiality?
  4. What do you think of healthcare providers using social media at work?  

Patient Confidentiality in the Technology Era 

There are many forms of technology today and there are many ways patient confidentiality can be violated by using it. Cell phones have become a staple in nearly everyone's day-to-day life, so it would make sense that both healthcare providers and patients alike have them. While they are useful, cell phones can also cause problems. Unintentional or intentional filming or recording of patients or medical information can happen by staff, family members, or other patients. Family members or friends may call to ask about a patient, and it is important for the nurse to know hospital policy when it comes to verifying the identity of those calling and what information can be given over the phone. It is also important to verify with the patient who can be told what information (6).

Since charting has become electronic, many nurses are using computers, laptops, or tablets to complete their charting. Healthcare providers need to ensure that privacy is always maintained when utilizing these devices.  

Even though most things can be transferred via email, call, or secured text message, some information still needs to be transmitted via fax machine. Since there is room for human error, coversheets should be used along with a clear identifier that the information being sent is confidential (6). If a number is used often, it is encouraged that it is preprogrammed into the fax machine to help decrease the chance of the number being mistyped (7).  

 

Ask yourself...

 Think of your work area.

  1. What types of devices does your facility use to chart?
  2. What steps has the facility taken to protect patient information when it comes to these devices?
  3. What steps do you take to protect patient information?
  4. What things could be improved on when it comes to securing patient information?

Best Practices of Patient Confidentiality 

Overall, healthcare providers must make decisions on how to protect private information. Despite recommendations from professional organizations and policies from facilities, it is the provider's responsibility and decision on how to go about it. Sometimes there are several ways to solve the same problem. Best practices, like the ones listed below, can be used with hospital and Board of Nursing policies and rules (6). 

  • Utilize coversheets for personal notes regarding patient care or when faxing sensitive information.
  • Be mindful of what is said in semi-private rooms or rooms that have visitors. Curtains and walls are not soundproof. 
  • Verify callers before providing any patient information as determined by hospital policy. Remember to also verify with the patient if able to do so. Some patients may not want family or friends to know about their condition. 
  • Do not leave patient information in a place where it can be easily seen by others. This includes personal notes, electronic or printed medical records, unlocked communication devices, etc. 
  • Ensure that all patient information is properly disposed of or destroyed prior to leaving work. 
  • Be mindful of what is posted on social media and be aware of possible unintentional disclosure.  
  • Provide education to staff regarding potential areas of misuse when it comes to patient information. Policies regarding improper use should be implemented. These policies should include email use, personal electronic data devices, and electronic transmission of data.
  • Have staff and others who may need access to patient information such as students sign confidentiality agreements.  
  • Refrain from speaking about patients or their private information in areas where information can be overheard, such as cafeterias, hallways, elevators, and waiting rooms.
  • Ensure that policies are reviewed and updated periodically or as needed to reflect current healthcare laws and guidelines.  

This is not a comprehensive list, and healthcare providers must use common sense and caution when sharing private patient information. 

Ask yourself...

  1. From the above list, what do you already do to protect patient information? 
  2. From this list, what would you add to your own list? 
  3. What would you add to this list regarding protection of sensitive information? 
  4. In your workplace, where can you find information about privacy laws? 

Conclusion 

The topic of patient confidentiality is very important to the patient-provider relationship. Without it, the entire relationship can deteriorate, leading to significant emotional and possibly physical damage. This can be detrimental to the patient and provider. It is important to follow hospital policy and healthcare laws regarding sensitive information. All healthcare providers are strongly encouraged to stay up to date on new legislation that may affect patient confidentiality.  

 

Ask yourself...

  1. What steps do you take to protect patient information?  
  2. What policies does your facility have when it comes to disclosing information? 
  3. How often does your workplace update staff on ways to protect patient information?
  4. What are some teaching points for patients regarding protecting their information? 
  5. What are some ways to protect patient privacy in shared rooms? 
  6. What information from this course was most beneficial? 
  7. How will your practice change after reading this course? 

References + Disclaimer

  1. American Nurses Association. (2024, February). Privacy and confidentiality: ANA position statement. https://www.nursingworld.org/practice-policy/nursing-excellence/official-position-statements/id/privacy-and-confidentiality/  
  2. U.S. Department of Health & Human Services. (2022, October 19). Summary of the HIPAA privacy rule. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html 
  3. U.S. Department of Health & Human Services. (2022, October 25). Methods for De-identification of PHI. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html  
  4.  U.S. Department of Health & Human Services. (2022, March 31). Summary of the HIPAA Privacy Rule. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html 
  5. U.S. Equal Employment Opportunity Commission. (2008). The Genetic Information Nondiscrimination Act of 2008 | U.S. Equal Employment Opportunity Commission. U.S. Equal Employment Opportunity Commission. https://www.eeoc.gov/statutes/genetic-information-nondiscrimination-act-2008 
  6.  Tariq RA, Hackert PB. Patient confidentiality. [Updated 2023 Jan 23]. In: StatPearls [Internet]. Treasure Island (FL): StatPearls Publishing; 2024 Jan-. Available from: https://www.ncbi.nlm.nih.gov/books/NBK519540/ 
  7. U.S. Department of Health & Human Services. (2022, December 28). Health information privacy: Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone? https://www.hhs.gov/hipaa/for-professionals/faq/482/does-hipaa-permit-a-doctor-to-share-patient-information-for-treatment-over-the-phone/index.html 
  8. U.S. Department of Health and Human Services. (2022, December 28). When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials? https://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html
  9. U.S. Centers for Medicare and Medicaid Services. (2023, November 16). Are you a covered entity? https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/hipaa/covered-entities 
 
 
Disclaimer:

Use of Course Content. The courses provided by NCC are based on industry knowledge and input from professional nurses, experts, practitioners, and other individuals and institutions. The information presented in this course is intended solely for the use of healthcare professionals taking this course, for credit, from NCC. The information is designed to assist healthcare professionals, including nurses, in addressing issues associated with healthcare. The information provided in this course is general in nature and is not designed to address any specific situation. This publication in no way absolves facilities of their responsibility for the appropriate orientation of healthcare professionals. Hospitals or other organizations using this publication as a part of their own orientation processes should review the contents of this publication to ensure accuracy and compliance before using this publication. Knowledge, procedures or insight gained from the Student in the course of taking classes provided by NCC may be used at the Student’s discretion during their course of work or otherwise in a professional capacity. The Student understands and agrees that NCC shall not be held liable for any acts, errors, advice or omissions provided by the Student based on knowledge or advice acquired by NCC. The Student is solely responsible for his/her own actions, even if information and/or education was acquired from a NCC course pertaining to that action or actions. By clicking “complete” you are agreeing to these terms of use.

 
