Maintain an effective confidentiality policy
By Patrice Spath, ART
Brown-Spath & Associates
Forest Grove, OR
Perhaps the most intimate, personal, and sensitive information maintained on people can be found in their health care records. Each day, case managers handle a large quantity of health record data. But consumers are concerned that the privacy of this information is in jeopardy.
Free exchange of information with case managers is a necessary part of patient care, but it is important that data not be inadvertently shared with the wrong people. The U.S. Senate currently is debating several bills aimed at guaranteeing the security and integrity of health data. Be careful you are not breaching patient confidentiality when sharing information with health plans or other providers and when answering family questions. Some of the common situations in which unauthorized data disclosure can occur are listed below:
• Discussions on patient care units.
Be careful that conversations with physicians and other caregivers about a patient’s conditions are not overheard by the public. Even the patient’s family members do not have the right to sensitive medical information without the patient’s consent. Save your patient-specific conversations for private areas. Remember that discussions in the hospital hallways and elevators can be overheard.
• Case management forms.
The forms used to gather patient data also could be a source of unauthorized disclosures. If reports containing patient names and diagnoses are left exposed, anyone walking by can find out information they are not privileged to know. If clinical paths are posted by the patient’s bedside or outside the patient’s hospital room, his or her diagnosis may be inadvertently shared with the public. This can be especially harmful if the patient is seeking treatment for an AIDS-related illness, pregnancy termination, or psychiatric disorder. All forms that contain patient information that might be seen by the public should contain coded diagnoses or be maintained in a protective envelope or other secure environment.
When getting rid of worksheets or clinical paths that will not be maintained as a permanent record form, be sure to shred them or tear them in half (at a minimum) before disposing of them. Don’t let your wastebaskets become a source of confidential information that can easily be accessed by anyone (hospital staff, the recycling company, or garbage collection workers).
• Provider-to-provider communications.
The facsimile machine has greatly enhanced the transfer of patients’ medical information from provider to provider. However, it can be a significant source of unauthorized disclosure. When faxing information to other caregivers for legitimate health care purposes, be sure to verify the caller is a bona fide provider. If the provider is unknown to you, confirm the provider’s identity in the phone directory or through Directory Assistance. Don’t transmit more than is necessary to fulfill the requestor’s needs. For example, insurance companies requesting patient diagnoses should not receive a copy of the entire history and physical examination if it contains personal history data unrelated to the patient’s current condition.
• Post-discharge information release.
After the patient has left the facility, insurance companies, other providers, family members, and the patient herself may request information out of the patient’s health records. Ideally, all post-discharge release of information is routed to the health information management department, where employees follow strict disclosure guidelines. However, case managers may be contacted directly for information. While attempting to expedite insurance payment or continuity of care, these caregivers may unintentionally disclose information that should not have been shared without prior consent of the patient.
For example, the insurance company seeking information about a patient’s lifestyle, mental health history, use of illegal drugs, or other behavior not widely socially approved may be using the information for some purpose other than processing the current claim. Releasing such private information may result in harm to the patient, e.g., loss of employment or denied insurance. And remember, even diagnosis and procedure codes can easily be translated into descriptions of a patient’s lifestyle, mental health and alcohol abuse history, or other socially unacceptable behavior.
It is common for a company’s human resource department to telephone case managers to follow up on injured employees. If the employee was not injured on the job, these requests should be made in writing, with an authorization signed by the patient prior to any release of information. Employers have no right to expect return-to-work dates or other health information about their employees unless the patient’s condition was work-related.
• Computerized data.
Automated case manager notes should be protected from unauthorized access with password protection or other security measures. Those who have access to the computer files, including clerks or volunteers who may assist with data input, should sign a statement saying they agree to hold the information confidential. Patient-specific reports should be shredded, incinerated, or otherwise destroyed when they are no longer needed.
Case management departments should have a confidentiality policy that defines how their files are maintained to prevent security breaches, how information releases are handled, and other aspects of information management. Listed below are important points to cover in a departmental policy addressing confidentiality of patient health data, according to the Chicago-based American Health Information Management Association (AHIMA):
• screening processes;
• employee awareness;
• physician awareness;
• patient awareness;
• access control;
• handling of sensitive data;
• sabotage and theft;
• electronically transmitted data;
• contractor/vendor agreements;
• disaster recovery.
AHIMA has several publications on confidentiality of health record information that would be useful for case managers when writing their confidentiality policies and procedures. Information about these resources can be found on AHIMA’s Web site at www.ahima.org. The Web site also includes a summary of each of the privacy bills now being debated in the U.S. Senate.
The patient information that case managers use every day must be guarded from unintentional disclosure. Unauthorized disclosures can create a risk of liability. While no actual harm may come of confidentiality breaches, the greater concern is loss of patients’ trust. Patients and families that overhear inappropriate hallway conversations or see private information left in full view of the public at nursing stations may be skeptical of your promises of high-quality patient care.
Patients must be offered an opportunity to consent to disclosure of sensitive information. In some instances, the blanket consent signed by the patient at the time of hospital admission or when the patient applied for insurance benefits does not cover highly sensitive personal data. Federal laws protect patient information related to alcohol and drug abuse. State laws also may impose additional confidentiality requirements upon records of mental health patients and developmentally disabled patients. For more information about these federal and state laws, contact personnel in your hospital’s health information management (medical record) department.