Coded wristbands prompt confidentiality concerns

More hospitals are adopting the use of color-coded wristbands for patients in an effort to improve safety by alerting anyone nearby that the person is a fall risk, for instance, or to provide quick recognition that the patient has a penicillin allergy or even a do-not-resuscitate order. But now there are growing concerns that the wristbands can violate the patient's confidentiality by displaying private information to anyone who sees the wristband.

But is the confidentiality risk real or overstated? Some legal experts and health care leaders say there is reason for concern but no reason to over-react. Don't fall into the trap of thinking that any release of information in a health care setting is automatically wrong, they say. Some information that otherwise would be confidential always is easy to discern from glancing at patients in a health care setting, they say, so the wristbands are no different in that regard.

A prudent plan for how to use the wristbands is needed, but don't overreact and strip this good idea of its usefulness.

Wristbands offer benefits

Wristbands have been the subject of some concern for the past few years, as health care leaders realized that they can pose dangers if not used carefully. Many risk managers have endorsed the use of color-coded wristbands on patients to identify allergies, susceptibility to falls, and other risks, but then providers realized that there was no standardization of the colors used.

That meant the same yellow wristband that means "penicillin allergy" in one facility could mean "do not resuscitate" (DNR) in another. With health care workers migrating from one facility to another as they change jobs or work at several sites, the situation was ripe for a tragic misunderstanding.

The Pennsylvania Patient Safety Authority in Harrisburg reports that near tragedy occurred when a patient was almost not resuscitated during cardiopulmonary arrest because she was incorrectly designated "DNR" with a colored wristband by a nurse who worked in multiple facilities and was confused about the meanings of different colors. That incident was a wake-up call for Pennsylvania hospital officials in northeastern and central Pennsylvania, who then worked together to develop standards for the use of color-coded patient wristbands in their facilities. Eleven facilities formed the "Color of Safety Task Force" to develop detailed protocols, including a policy manual and training resources, to reduce the risk of medical error when using color-coded wristbands.

The American Hospital Association (AHA) recently issued a warning about possible confusion from the wristbands and called on hospitals across the country to adopt a standardized coding system.

Confidentiality concerns legitimate

Some concerns about confidentiality regarding wristbands are well founded because the Health Insurance Portability and Accountability Act (HIPAA) requires that health systems disclose only the minimum patient information necessary for health care workers to do their jobs, notes A. Kevin Troutman, JD, an attorney with the law firm of Fisher & Phillips LLP in Houston. So risk managers must consider who really needs to know the information that is displayed by the wristbands. If the health care provider can determine that the information needs to be seen by all employees who encounter the patient — as is the case with a fall risk — then there is a good argument that including that information on a wristband does not violate HIPAA, he says. One might argue that other information, such as a DNR order, does not need to be known by the housekeepers and maintenance workers, for instance, and therefore should not be so visible.

Troutman notes that there is an inherent conflict between the goals of HIPAA and coded wristbands. HIPAA is all about minimizing the release of information, but the purpose of the wristbands is to make important information obvious to anyone near the patient. So unless you implement the coding system with care, HIPAA violations are possible, Troutman says.

"But when you take a good look at how you use this tool, it can be done without conflicting with the provisions of HIPAA," he says. "If you have determined that a housekeeper or a transporter does need to know about a particular risk, then there is not a violation. Determining exactly who needs to know and what is the best way to display that information creates more of a burden, and it may require some significant staff training."

The most concern about confidentiality comes with the DNR wristbands, says Cathy Munoz, RN, MJ, CPHRM, who develops clinical-focused risk mitigation strategies with Marsh Risk Consulting in Dallas, and works with facilities on process improvement. Patients can feel "branded" by a band that displays such a serious and private decision to the world, she says. The solution to those concerns is not so obvious, she says.

Some have suggested ways to obfuscate the DNR band by removing the obvious "DNR" or "Do Not Resuscitate" and replacing it with a symbol or a code word that would be understood only by key health care personnel. Munoz has heard suggestions for using doves, for instance, as a symbol to mean DNR but which would be a much softer appearance.

"I worry that that would just increase confusion," she says. "The purpose of the wristbands is to make the information very clear and easily understood, so if we start trying to blur the lines and make it less clear, we're defeating the purpose of the wristbands."

An additional concern is that the wristbands are visible not just to health care workers but also to anyone else in the vicinity — family members, other patients, vendors, anyone who happens to be in the health care facility and passes by the patient. Clearly those people do not need to know about the patient's allergies or DNR status, so isn't that a confidentiality breach?

Troutman says risk can be minimized by using color coding or symbols whose meaning is not obvious to nonhealth care personnel, but that can cause problems if the meaning is not clear to those who need to know. Even if the meaning of the wristband is clear to passersby, that may not necessarily constitute any HIPAA violation.

"We have to balance the practical with the technical requirements," he says. "If your main concern is the patient's safety and you have put some thought into how to best use these wristbands, you have to find a balance. If you've made a good-faith effort to comply with the HIPAA standards, I think you're going to be on solid ground even if someone can discern information from the wristbands."

Molly Procuniar, a nurse and health care subject matter expert for Standard Register's Document Systems group in Dayton, OH, points out that patients are more likely to be concerned about their health information being on display to visitors and strangers in the waiting room than whether you are violating HIPAA. But she also suggests that patients may not be nearly as concerned about the issue as risk managers and other health care administrators.

"Confidentiality is an important concern for patients, but I think patients are going to be much more interested in whether we are doing everything we can to provide good care and prevent any errors," she says. "Minimizing the release of private information should be a priority, but I think it would be a mistake to focus so much on that concern that we miss the opportunity to use wristbands in the most effective ways possible to improve patient safety. Standardizing the colors that everyone uses is the key first step there."

Procuniar says educating patients and family members should be an important part of any wristband system. Don't just slap a wristband on a patient without explaining its purpose and why it is important for that information to be easily seen rather than kept only in the patient's medical chart. Munoz also suggests that confidentiality concerns can be overcome by making the use of wristbands voluntary and obtaining consent from the patient or family.

"That becomes an opportunity to discuss why the wristbands are important, how they help protect the patient and ensure their wishes are carried out," she says. "Once you've explained that and obtained consent to use them, all the other concerns about confidentiality are minimized."

Troutman also cautions risk managers not to fixate too much on the idea that visitors and other nonhealth care personnel may learn something about a patient from the wristbands. Broadcasting private information is never a good idea, but he says anyone in the vicinity can glean certain information from a patient just by looking. Simply seeing the patient and the siuational details already tells the observer a lot, so true confidentiality doesn't exist even without the wristbands.

"If we see an elderly, frail patient making her way down the hall very slowly, we can pretty much guess that she's a fall risk. If I see a man in the cardiac unit with a big scar on his chest, I can be pretty sure he's got a heart problem," Troutman says. "So we don't want to get carried away with trying to comply with HIPAA to such an extreme that it becomes ridiculous and defeats the whole purpose. There has to be room for some common sense."


For more on confidentiality concerns and wristbands, contact:

• Cathy Munoz, RN, MJ, CPHRM, Marsh Risk Consulting, Dallas. Telephone: (214) 303-8608. E-mail:

• Molly Procuniar, Healthcare Subject Matter Expert, Standard Register, Dayton, OH. Telephone: (800) 755-6405. E-mail:

• A. Kevin Troutman, JD, Fisher & Phillips LLP, Houston. Telephone: (713) 292-5602. E-mail: