A current lawsuit includes allegations that the hospital failed to protect a nurse’s privacy after she contracted Ebola. To protect patients’ privacy in registration areas, do the following:
- Emphasize to staff the seriousness of patient privacy regulations.
- Use carpeting and sound-absorbing wall panels.
- Inform staff members that they can’t discuss medical information about anyone they know, if they learned the information through their job duties.
Nina Pham, the ICU nurse who contracted Ebola at Texas Health Presbyterian Dallas Hospital while treating the first patient diagnosed with Ebola, sued the hospital’s parent company, Texas Health Resources (THR) and said it failed to train and protect nursing staff. The suit also alleges that her record was “grossly and inappropriately accessed by dozens of people throughout the THR system.”
“We respected Ms. Pham’s privacy and acted only with her consent. We are not doing any interviews on this topic at the present time,” said Texas Health Resources spokesperson Wendell Watson.
Regardless of whether the allegations are proven to be true or false, the lawsuit spotlights the potential dangers when accused of failing to protect a patient’s privacy in registration areas. Hackensack (NJ) University Medical Center “has several layers that allow us to protect a patient’s privacy,” says vice president and chief compliance officer Thomas Flynn, FACHE. Patients can opt out of being listed in the hospital directory. In this case, registration staff members reply, if asked about the patient over the phone or at the front desk, that there is no information about the patient.
Inpatients also can be registered under an alias. “This protects the integrity of the record by medical record number,” explains Flynn. “But if you searched, you couldn’t find the record based on the patient name.” If a patient asks to be registered under an alias, a hospital staff member pages William Hunt, CHAM, CPC, director of the Admission Services Center. “Based on the reason for request, it will be granted or declined,” says Hunt. If approved, Hunt instructs an admission associate to change the patient’s last name. “All paperwork and the patient ID bracelet is reprinted with the changed information and delivered to the unit, with the patient signing a form which reflects this request,” says Hunt.
The department uses a “break-the-glass” system that restricts direct access of the patient’s medical record to only the assigned treatment team. “‘Break the glass’ draws its name from breaking the glass to pull a fire alarm. “It is meant to convey that we are providing emergency access to critical patient information,” explains Flynn. If others try to access the record, they would first receive a warning and then would have to click again to gain access. “This access then goes on a report,” says Flynn. “We’re still in the process of fully employing this functionality, but it is in place for the Ebola team.”
Many reasons for privacy
At Mercy Hospital Springfield (MO), the hospital’s electronic health record integrates the patient’s private status throughout hospital systems so the patient’s information won’t show up on public directories.
“It marks their records and name in red, so that anyone seeing the record will know that the patient wants to be private,” says patient access education specialist Kim Crouse, CHAM. “There are many reasons why patients decide to be private.” These reasons include abuse, family issues, or a hospital employee who doesn’t want their coworkers to know they are undergoing testing.
Crouse says these are her biggest challenges for providing patient privacy in registration areas:
- It is difficult to provide enough privacy so that patient information can be updated in a safe and secure manner.
“Space limitations or how the registration area is designed can have a huge impact on privacy or lack of privacy,” says Crouse. Carpeting and sound-absorbing wall panels have been installed in most admission and outpatient registration areas. “This helps keep sounds muffled and from echoing,” says Crouse. “Televisions or soft music in the background provide further ‘white noise.’”
- There is an ongoing need to train all patient access employees on patient privacy regulations.
In the first class for new hires, Crouse covers the protected health information communication tool, which the patient fills out to indicate who may receive verbal information regarding their care. “New hires are unable to have access to the [electronic health record] until it is completed,” says Crouse.
In addition, new hires are required to complete an online training module, developed internally, within 90 days. The online training explains the Health Insurance Portability and Accountability Act (HIPAA), as well as why privacy is important, what constitutes a privacy breach, and what the consequences are.
The biggest challenge is to make sure patient access staff understand how serious HIPAA is. “It’s ensuring the patient’s information, status, and location is private not just from the public, but co-workers as well,” emphasizes Crouse.
- Employees often are tempted to discuss information about friends or family.
“Education must be provided that if you learn information about their friend or loved one, you can’t discuss it with the patient or go and see them, if how you found out the information is through your job duties,” says Crouse.
To bring this point home, Crouse shares a personal story with employees. When her mother’s best friend was admitted, Crouse spoke with her while she was in the hospital. “She called my mom when she got home, wanting to know why she hadn’t called or come to visit,” she recalls. “Because I was unable to say anything, I had never told my mother.” Crouse explained to them that privacy regulations prevented her from doing so.
“My mother’s friend had several more admissions after that, but she always made a point to call me and state, ‘I want you to call your mother and let her know I am here,’” says Crouse. “It was her right as a patient to have someone notified.”
- Kim Crouse, CHAM, Education Specialist, Patient Access Quality, Control, and Education, Mercy Hospital Springfield (MO). Email: Kimberly.Crouse@mercy.net.