Loose lips sink ships and hospital QA departments
Plug data leaks, ensure confidentiality
By Patrice Spath, ART
Consultant in Health Care Quality and
Resource Management
Forest Grove, OR
Recently the public has become more concerned about unauthorized disclosure of their health care information. In a 1993 Harris-Equifax poll on health information privacy, 80% of the respondents indicated their concern about threats to privacy.1 But what do patients have to worry about? Quite a lot.
Consider this: Those who have access to patient records have access to the patient's age, sex, race, and occupation. They have financial information such as employment status and income, information about disabilities and special needs, and other eligibility criteria for federal or state subsidies. They have medical information such as diagnoses, treatment, and disease histories, including mental illness, drug or alcohol dependency, acquired immunodeficiency syndrome, and sexually transmitted diseases; and social information such as family status, sexual relationships, and lifestyle choices.
Follow security standards
To calm patients' fears about confidentiality breaches, all health care providers must follow effective security standards, especially those who deal with information all day long.
Utilization managers, discharge planners, quality assurance specialists, case managers, and others handle a large quantity of health record data each day. Free exchange of information among caregivers is a necessary part of patient care; however, it is important that material not be inadvertently shared with the wrong people. While expediting health plan authorizations, transferring pertinent patient care details to other providers, and answering family questions, caregivers can breach patient confidentiality without realizing it. Some of the common areas of exposure for QA/UR managers, discharge planners, and case managers are listed below. The potential for unauthorized data disclosure is high in these situations:
Be careful that conversations with physicians and other caregivers about a patient's condition are not overheard by the public. Even the patient's family members do not have the right to sensitive medical information without the patient's consent. Save your patient-specific conversations for private areas. Remember that discussions in the hospital hallways and elevators can be overheard.
In a study conducted by the University of Pennsylvania in Philadelphia, researchers took 259 elevator rides at five hospitals and took note of conversation topics.2 Thirty-nine inappropriate comments, as defined by the researchers, were overheard in 36 rides. Eighteen of the comments were violations of patient confidentiality, the most frequent type of inappropriate statement.
Other comments raised questions about a clinician's ability to provide high-quality care, were derogatory statements about the general quality of hospital care, or were derogatory remarks about patients. Physicians made 15 of the comments, nurses 10, and other employees the remainder.
Data collection worksheets a problem
Data collection worksheets can also be a source of unauthorized disclosures. If forms containing patient names and diagnoses are left exposed, anyone walking by can find out information they are not privileged to know. If your caregivers are posting clinical paths by the patient's bedside or outside the patient room, they may be inadvertently sharing the patient's diagnosis with the public. This can be especially harmful if the patient is seeking treatment for an AIDS-related illness, pregnancy termination, or psychiatric disorder. All forms that contain patient information that might be seen by the public should contain coded diagnoses or be maintained in a protective envelope or other secure environment.
When disposing of worksheets or clinical paths that will not be maintained as a permanent record form, be sure to shred them or tear them in half (at a minimum) before disposing of them. Waste baskets on patient care units and in nonclinical departments should not be a source of confidential information for hospital staff, the recycling company, or the garbage collection workers.
After the patient has left the facility, insurance companies, other providers, family members, and the patient themselves may request information out of their health records. Ideally, all post-discharge release of information is routed to the health information management department, where employees follow strict disclosure guidelines.
Discharge planners, case managers, and/or utilization review coordinators, however, may be contacted directly for information. While attempting to expedite insurance payment or continuity of care, those staff members may unintentionally disclose information that should not have been shared without prior consent of the patient. For example, health care data must be made available to health care providers and others if they have a legitimate need to know.
Be wary of lifestyle questions
An insurance company seeking information about a patient's lifestyle, mental health history, use of illegal drugs, or other behavior not widely socially approved may be using the information for some purpose other than processing the current claim. Releasing such private information may hurt the patient financially, for example through loss of employment and denied insurance.
Patients must be offered an opportunity to consent to disclosure of sensitive information. In some instances, the blanket consent signed by the patient at the time of hospital admission or when they applied for insurance benefits does not cover highly delicate personal data. Federal laws protect patient information related to alcohol and drug abuse. State laws may also impose additional confidentiality requirements upon records of mental health patients and records of the developmentally disabled. For more information about those federal and state laws, contact personnel in your hospital's health information management or medical records departments.
It is common for a company's human resource department to telephone discharge planners or case managers to follow up on injured employees. If the employee was not injured on the job, these requests should be made in writing with an authorization signed by the patient, prior to any release of information. Employers have no right to expected return-to-work dates or other health information about their employees unless the patient's condition was work-related.
The facsimile machine has greatly advanced the transfer of patients' medical information from provider to provider. It can be, however, a significant source of unauthorized disclosure. When faxing information to other caregivers for legitimate health care purposes, be sure to verify the caller is a bona fide provider. If the provider is unknown to you, confirm their identity in the telephone directory or through Directory Assistance. Do not transmit more than is necessary to fulfill the requester's needs. For example, insurance companies requesting patient diagnoses should not receive a copy of the entire hospital discharge summary if it contains personal history data unrelated to the patient's current condition. Remember, even diagnosis and procedure codes can be easily translated into English descriptions of a patient's lifestyle, mental health and alcohol abuse history, or other socially unacceptable behavior.
Computerized databases
Automated QA/UR files and discharge planner or case manager notes should be protected from unauthorized access with password protection or other security measures. Those who have access to the computer files, including secretaries or volunteers who may assist with data input, should sign a statement saying they agree to hold the information confidential. Printed reports should be shredded, incinerated, or otherwise destroyed when they are no longer needed. If data are uploaded to the hospitalwide computer system, all patient identifiers should be removed to prevent unauthorized access of patient-sensitive information.
QA/UR, discharge planning, and case management departments should have a confidentiality policy that defines how their files are protected against security breaches, how information releases are handled, and other aspects of information management. Listed below are the important points the Chicago-based American Health Information Management Association suggests should be covered in a departmental policy addressing confidentiality of patient health data:
* screening processes;
* employee awareness;
* physician awareness;
* patient awareness;
* access control;
* handling of sensitive data;
* sabotage and theft;
* electronically transmitted data;
* contractor/vendor agreements;
* disaster recovery.
The American Health Information Management Association has several publications related to confidentiality of health record information that would be useful for QA/UR professionals, discharge planners, and case managers when writing their confidentiality policies and procedures. The resources listed below cost $22 each and can be ordered by calling (800) 335-5535:
* Maintenance, Disclosure and Redisclosure of Health Information (#155010);
* Guidelines for Faxing Patient Health Information (#151502);
* Managing Health Information Related to HIV Infection (#151501).
The patient information that QA/UR professionals, discharge planners, and case managers use every day must be guarded from unintentional disclosure. Unauthorized disclosures can create liability concerns. While no actual harm may come of confidentiality breaches, the greater concern is loss of patients' trust. Patients and families that overhear inappropriate hallway conversations or see private information left in full view of the public at nursing stations may be skeptical of your promises of high-quality patient care.
References
1. Louis Harris and Associates, Westin AF. The Equifax Report on Consumers in the Information Age. Atlanta: Equifax; 1990.
2. Ubel PA, et al. Elevator talk: Observational study of inappropriate comments in a public space. Am J Med 1995; 99:190-194.