- Nurses deal with private information all day every day, from nursing stations and offices to exam rooms to patient bedsides to operating rooms. However, due to their focus on a patient’s health and their constant contact with patient data, many may become desensitized to the importance of HIPAA compliance and protecting the digital and physical paper trail.
But the fact remains: all patient information is confidential and federally protected.
The Health Insurance Portability and Accountability Act (HIPAA), and specifically the Privacy and Security Rules, outline how individuals, including nurses, at covered entities should collect, use and handle protected health information (PHI).
The Privacy Rule requires that covered entities limit the circumstances where PHI may be used or disclosed. The Security Rule requires “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
The good news is that there are a number of simple ways nurses can help improve the security and privacy of patient information no matter what they are doing in the facility.
The biggest adjustment that spans all tasks, facilities and responsibilities is improving situational awareness.
For nurses, discussing patient care is essential in most cases, and the potential exists for an individual’s health information to be disclosed incidentally. But as outlined in the incidental disclosure clause of the Privacy Rule, “certain incidental uses and disclosures of protected health information [are permitted] to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy.”
This can include speaking quietly when discussing patient information with colleagues or a patient’s family, especially in a public area. It may also include using privacy filters on device screens to help protect patient information from being seen on a screen by a passersby glancing from a side-angle.
Despite the huge increase in electronic health records, healthcare facilities still heavily rely on paper files. Whether it is printed lab results or information faxed over from a hospital or other provider organization, information exists in hard copy in a number of different situations.
Physical safeguards should not be overlooked when working toward HIPAA compliance.
When dealing with hard copy documents, papers or files shouldn’t be left lying at the nurse’s station. They should instead be stored in a secure drawer or file cabinet. Storage or record rooms also should be kept locked when unattended, and access should be limited to only essential and authorized personnel.
When a physical document is no longer needed for record purposes, nurses should properly dispose of it by shredding or placing in a locked bin to be shredded later.
Access to electronic systems
The digitization of medical records has the potential to improve the quality and efficiency of care for patients by making information more readily available to care providers. But it has also created significant challenges in helping keep information private and secure.
From desktop monitors at a nursing station to a laptop on a mobile cart to a tablet in an exam room, PHI is more accessible now in the form of EHRs and is displayed on exponentially more device screens.
This means the risk of data theft by visual hacking may have also increased. Defined as the viewing or capturing of sensitive or confidential information for unauthorized use, the threat of visual hacking will continue to increase as more and more information is collected and accessible in a digital format.
HIPAA states that healthcare providers must implement “physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.”
It could include validating a person’s need to access certain information or include the use of privacy filters to help give organizations more flexibility to place devices in locations that maximize productivity while helping to protect sensitive information from side-angle views.
A Team Effort
There’s no doubt that nurses play a crucial role in protecting patients and their PHI. But the effort is not solely on these caregivers. All healthcare staff needs to commit to following security and privacy policies to help create the first line of defense in protecting confidential patient information.
Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group consultancy, brings expertise in security, privacy, and health IT from over 20 years inside the healthcare industry, including establishing security programs at Massachusetts General Hospital and Beth Israel Deaconess Medical Center/CareGroup in Boston. She is a nationally recognized HIPAA security and privacy expert, and a frequent speaker and author on these topics.