I recently saw an old episode of ER and did a double take at the publicly-facing patient board that listed full patient names, the reason for the ER visit, and curtain number. The episode revolved around Dr. Weaver’s attempt to protect patient confidentiality by implementing a comprehensive system of abbreviations and patient social security numbers on the board–a move not appreciated by the overworked staff. Yet, it got me thinking–when did patient privacy become an understood part of medical care and not an inconvenience?
Nearly every time we go to a medical visit, there are new forms to sign. How many of you are guilty of just signing without reading and turning the clipboard back in to the front desk? [I know I am]. If you’ve ever taken a good look at some of those forms, they often have to do with confidentiality and privacy of information. And, if you’re over 18 years old, you also use those forms to designate individuals to whom your private, medical information can be released–a spouse, parent, sibling, etc.
All of this is thanks to HIPAA, the Health Insurance Portability and Accountability Act of 1996. In 1996, health information technology was beginning to take off, but there was no generalized set of standards for protecting the privacy of health information. [Hence the ER in ER being able to announce personal, medical information to the world on their board]. HIPAA directed the Secretary of HHS to develop regulations protecting the security and privacy of certain health information. The Security Rule, or the Security Standards for the Protection of Electronic Protected Health Information, established security standards for certain health information held or transmitted in an electronic fashion. The Privacy Rule, or the Standards for Privacy of Individually Identifiable Health Information, established standards for protecting certain health information.
The Privacy Rule applies to “covered entities,” defined as health plans, health care clearinghouses, and health care providers who electronically transmit any health information that is connected to other HHS standards. In effect, it applies to hospitals, physicians, and academic medical centers who transmit information to health plans for payment purposes. The Privacy Rule also recognizes that there are special circumstances for measured disclosure of personal health information (both identifiable and de-identified) for public health and research purposes.
While HIPAA does not require providers to refrain from conversing about patients at a nursing station, in a joint treatment area, over the phone, in semi-private rooms, or during rounds, it does require reasonable precautions to be taken to protect patient information. These precautions can include low voices or moving off to the side of a hallway, but are not always possible–such as when treating a patient who is hearing impaired.
In order for patients to trust medical providers with their sensitive health information, they need to know it won’t be shared without permission. The bottom line for medical students, beyond HIPAA’s Privacy and Security Rules, is to be respectful of your patient’s health information [i.e. don’t have loud conversations on the elevator or in the hospital cafeteria].
Image from the CDC.