Have you ever been walking through the hospital and overheard staff talking about patients? So have plenty of other people, according to new research that warns such overheard conversations can be a serious breach of patient confidentiality. The research was conducted at Purdue University in West Lafayette, IN, by Maria Brann, assistant professor of communication studies at West Virginia University in Morgantown, and Marifran Mattson, associate professor of communication at Purdue. Their work shows patient privacy is breached when hospital employees talk about patient cases in public areas, such as the cafeteria, or with people outside of work.1
"The country has recently invested a tremendous amount of resources in the nation’s largest set of federal privacy laws to prevent health care providers and institutions from divulging or selling patient information," Mattson says. "But we found that the daily conversations of physicians, nurses, hospital staff, and technicians can jeopardize the same kind of personal information. So not only is there a need for privacy laws, but also we see how challenging it is to maintain such laws in the simplest setting of people talking to each other."
Mattson says the research should be a warning to health care risk managers. She suggests they "seize the opportunities to teach privacy awareness and skills."
Frequent breaches of privacy
Mattson notes that hallway conversations can constitute breaches of HIPAA, which protects patients’ medical information and limits access to that information. Brann agrees, saying the research was prompted in part by what she observed while volunteering at a hospital as an undergraduate at Purdue. "I noticed several instances when health care providers would discuss patients’ information with other health care workers without being very discreet," she says. "Even though the study was conducted before the health insurance act was law, I don’t think we would see a great difference in our results."
For the study, Brann only recorded observations in places that were accessible by hospital visitors, such as hallways, elevators, waiting rooms, and cafeterias. Fifty-one patients also were interviewed about medical privacy. "Confidentiality breaches are occurring daily," she says. "While health care providers may not be malicious in their disclosures, they are still sharing patients’ most personal information with unauthorized individuals, which has the potential to create problems for the patients."
Staff talk freely at home
Brann notes that disclosure of patient information can lead to identity theft, discrimination, or social stigma if a medical condition or patient identification information is inadvertently revealed. The most common breach found in the study was in casual conversations between employees at workstations or in the cafeteria, where hospital personnel discussed health information about patients and co-workers.
Privacy also was violated when the public could overhear phone conversations with insurance companies or other medical consultants in which patients’ phone numbers, addresses, and Social Security numbers were given. In one extreme example, a receptionist even spoke to insurance companies on speakerphone.
Health care providers sharing information with their family members also was a concern. Many of the subjects interviewed in this study acknowledged that their family members and friends who work in health care shared patient stories. Most of the subjects justified their loved ones’ breaches of privacy as acceptable because their family members and friends were cautious about not revealing too many details. "Even without identifying the patient by name, there is cause for concern, especially in a smaller community," Mattson says.
"The most serious consequence is that people will find out about loved ones’ health problems from someone other than their health care pro-vider," she notes. "Just as concerning is that if patients realize their personal information is vulnerable, then they may be less likely to share important details with their physicians or nurses."
Brann and Mattson advise risk managers to remind health care staff about how easy it is to divulge patient information inadvertently. Most breaches occur without the speakers even realizing they are being careless with patient information, so simply making people aware of the danger is a big part of solving the problem, Brann says. "Health care providers need to pay attention to how they personally breach confidentiality laws, and patients need to bring breaches of privacy to the attention of their physician, nurse, medical assistant, or waiting room receptionist," she points out. "When you overhear a phone conversation in a waiting room where the receptionist is repeating personal information, such as Social Security numbers, gently remind the person or supervisor that you are concerned," Brann adds.
1. Brann M, Mattson M. Toward a typology of confidentiality breaches in health care communication: An ethic of care analysis of provider practices and patient perceptions. Health Commun 2004; 16(2):231-251.