This page is part of the Ophthalmic Assistant Basic Training Course.


The Health Insurance Portability and Accountability Act (HIPAA) of 1996 provides standards for health information transactions and for the confidentiality and security of patient data.  It is enforced with civil penalties of $100 per violation, up to $25K per year.  Criminal penalties are possible for wrongful disclosure ($50K and/or 1 year in prison) and for disclosure with intent to sell information ($250K and/or 10 years in prison).

Confidentiality means that only certain people have access to the information and that the information is otherwise secure from access.

Privacy refers to the right of the individual to control who has access to their information and to require the approval of the individual before access is granted.

  • Healthcare institutions and offices can use and disclose patient information for purposes of treatment, healthcare operations, and payment without the authorization of the patient.  Healthcare operations usually include quality assurance, utilization review, education, and research.  Other uses usually require the authorization of the patient.  Most healthcare institutions and offices have a HIPAA policy statement that the individual must sign before the patient is seen.  This statement spells out what the patient information may be used for.  Signing the statement grants authorization.
  • Patients must receive notification of their privacy rights.
  • The healthcare provider must only disclose the minimum necessary information for a given situation or application.
  • The patient has the right to a copy of his/her medical records and to request amendments to incorrect records.  The healthcare provider must supply the copy within a reasonable time period and at a reasonable cost.
  • Patient data used in research is required to be de-identified unless otherwise authorized by the patient.  Common identification for research purposes is the use of a patient number and/or patient initials.
  • The healthcare provider must have procedures in place for safeguarding patient data.  These include fireproof storage of data, a data backup and recovery system, and monitored access.

Practices that help to maintain patient confidentiality:

  • Keep patient related telephone discussions private.
  • Keep patient related conversations with other staff members private.
  • Staff members should never discuss among themselves patient related information that is not directly related to patient care.
  • Staff members should take care not to provide patient related information to anyone who is not authorized by the patient to receive it.  There are exceptions to the patient's general right to privacy, but the exceptions can only be authorized by the physician.
  • When providing information to a patient or a third party, especially by telephone, some method of positive identification should be used.
  • Written patient records should not be left out where the records can be viewed by other individuals.  If a record is placed on a surface in a public area, the record should be turned over, or a cover sheet should be used, so that no patient identifiable information is visible.
  • A patient record placed in a "chart holder" should be placed so that only the blank back page of the record is visible.
  • Computer screens with patient information should be arranged such that the screen is not visible to the public.
  • Patient records of a temporary nature (e.g. pull lists and daily schedules) should be shredded when no longer needed.
  • Fax and e-mail transmissions should not be sent unless the person receiving the communication has been positively identified.
  • Fax and e-mail transmissions of patient related information should include a statement of confidentiality.