Privacy Security and Confidentiality NCM 110


PRIVACY, SECURITY AND CONFIDENTIALITY
PRIVACY AND SECURITY LAWS
 Health Insurance Portability and Accountability Act (HIPAA)
 Health Information Technology for Economic and Clinical Health Act (HITECH)
 Patient Safety and Quality Improvement Act of 2005 (PSQIA)
 “The nurse promotes, advocates for, and protects the rights, health, and safety of the patient” –
Code of Ethics for Nurses Provision 3, American Nurses Association 2015
 Maintaining an environment that protects both physical privacy as well as personal information
 The nurse does not disclose information to individuals not involved in care of the patient or allow
unauthorized access to patient information.
 Confidentiality may be limited in order to protect the patient or others or by laws or regulations.
To comply with ethical and regulatory standards, healthcare organizations develop policies to
ensure confidentiality of patient information, for example:
 Restrictions on using patient names or likenesses without permission
 Prohibiting disclosure of private facts about a patient
 Prohibiting unfavorable or false statements to the public about a patient
 Prohibiting unreasonable intrusion into a patient’s affairs
ETHICS VS. LAW
Ethics – branch of philosophy that is concerned with the values of human behavior; it can be
subjective, incorporates moral values, and requires examination of the issues involved.

Law – objective rule.


 Ethical standards are foundational and rarely change; a law may change or be overturned
 A law may incorporate aspects of ethical behavior, so an ethical standard and a law may be essentially
the same
 Professional ethical codes of conduct are not law, but just as violation of a law can result in penalties,
violations of ethical standards can also result in penalties, such as termination by an organization or
disciplinary action by a state licensing board
PROTECTED HEALTH INFORMATION
3 Criteria to define PHI
1. Includes information that could reasonably identify the person, such as name, address, date of birth,
and Social Security number
2. Includes past, current, or future information about the patient’s physical or mental condition,
information about the provision of care, and information about payment for care.
3. Must be created, received, held, or transmitted by the covered entity or its business associates, in
any form or medium (paper, oral, or electronic). PHI that is held or transmitted electronically is called
ePHI, and it is ePHI that the HIPAA Security Rule safeguards apply to.
HOW THE PHI WILL BE OBTAINED BY OTHER ENTITIES
1. Notice of Privacy Practices given to a patient upon first contact with a covered entity and at
other times upon request.
 Written in language easy for patients to understand
 Explain how the covered entity will use the protected health information

2. Authorization to share PHI


HIPAA ON PHI
 The law requires that access to PHI be on a need-to-know basis, and that only the
minimum amount of information needed to accomplish the purpose be released (the "minimum necessary" standard).
 The nurse would have a greater need for access to PHI than would a billing clerk
 A nurse not involved in an individual’s care would have no need to know
 Patient care, public safety, or efficient operations should not be compromised by withholding
important information
HIPAA OF 1996
HIPAA of 1996 allows for the incidental disclosure of PHI occurring as a routine aspect of
doing business
1. Calling a patient’s name in a clinic, or having patient information on a white board in an area that is
not routinely accessible to the public.
2. The covered entity must have implemented the minimum necessary standard and reasonable safeguards.
3. As long as only minimal information is given and no diagnostic information is provided, the
disclosure is considered incidental and authorization by the patient is not required.
 HCPs who are covered by HIPAA and who give care to an employer’s employees can release
PHI to the employer only for purposes of workplace medical surveillance and for evaluating an
employee’s work-related injury or illness, in accordance with other legal requirements. The
employee must be provided with notice of the release of PHI.
 Protected information may be shared without authorization with public agencies such as the CDC
for surveillance of disease outbreaks.
 Most states require reporting of PHI for vital statistics and public health purposes
 PHI may also be shared with individuals who may have been exposed to communicable
diseases such as tuberculosis and syphilis
 PHI can be shared with appropriate legal entities in cases of suspected abuse and neglect
 With other facilities for the donation and transplantation of organs and tissues
 Agencies to protect an individual or the public from a serious threat, in worker’s compensation
cases, in legal proceedings about decedents, and in research
 If a state law conflicts with the federal law, the federal law has priority, unless the state laws
are more stringent
SECURITY
 The law establishes safeguards to minimize inappropriate use and disclosure, as well as incidental
disclosure, of PHI.
 Three types of security safeguards are required for electronic records:
 Administrative (policies, procedures, and actions)
 Physical
 Technical (access control, audit controls, integrity, person or entity authentication, and transmission security)
ACCESS
 Policies establish disciplinary action for employees who violate confidentiality policies, which can include
termination
 Physical safeguards for access (facility access controls, workstation use and security, device and media controls)

 Access may be restricted, for example to read only, or to read, edit, create and print
 Emergency plans must address access to and restoration of data following an emergency or disaster
 Any repairs or modifications of the physical areas containing PHI are to be documented and retained
 Policies and procedures must specify proper use of workstations and devices, including transfer, removal, disposal, and
reuse.
 Workstations, both in the facility and remote, should be in secure locations with restricted viewing by the
public or those without a need for access (privacy shields, automatic log-off, screensaver mode)
 Keep an inventory of the receipt and removal of devices that contain electronic PHI, and of the disposal of media (hard drives,
magnetic tapes, disks, memory cards, and flash cards). Information must be deleted from any device that is to be
reused.
 Data backup and storage is required before equipment is moved
 All employees who have access to electronic PHI must have proper authorization.
 Training and education on security policies and procedures
IMPLEMENT CONTROLS FOR ACCESS, AUDITS, INTEGRITY AND TRANSMISSION
 Access can be controlled through unique user identification, emergency access procedures, automatic log-off,
and encryption
 Emergency access procedures let authorized users reach ePHI during an emergency (for example a power
interruption) when the normal controls cannot be used
 Automatic log-off ends an idle session to prevent unauthorized viewing
 Encryption (scrambling of data) protects ePHI from being read in transit or at rest. Of these four, only
unique user identification and emergency access procedures are required implementation specifications;
automatic log-off and encryption are addressable, meaning the covered entity must implement them or
document why an equivalent alternative is reasonable and appropriate.
 Policies for disposal of PHI must be developed to ensure that both the patient and the environment are protected
 Audit controls (records of who accessed what, and when) are useful in the investigation of breaches and misuse
 Policies must address the unauthorized alteration or destruction of electronic PHI (integrity controls)
 Procedures must be implemented to prevent unauthorized access to PHI (user or log-in ID, password, key cards,
and biometric identifiers such as fingerprints, face prints, or retinal scans)
 Firewalls, antivirus software, and encryption protect electronic PHI against unauthorized access
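The "need to know" rule from the HIPAA ON PHI slide and the access, emergency-access and audit controls listed above fit together in one small mechanism, shown here as an added example (not code from these slides or from any real EHR product): a role sees only its minimum-necessary fields, a user must be assigned to the patient to see anything at all, an emergency "break-glass" override is always granted but always flagged, and the audit log is reviewed for snooping. The record fields, roles, the assignment table and the review thresholds are assumptions made for the illustration.

```python
"""Minimum-necessary access with break-glass and audit review for a toy EHR.

Added example for the need-to-know and access/audit control slides; the record,
roles, assignments and thresholds below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample record (fictional patient, not real data).
PATIENT_RECORD = {
    "mrn": "000123",
    "name": "J. Doe",
    "dob": "1970-01-01",
    "diagnosis": "pneumonia",
    "medications": ["amoxicillin"],
    "insurance_id": "INS-42",
    "billed_amount": 1250.00,
}

# Minimum necessary: each role is limited to the fields its job requires.
# A nurse never sees billing data; a billing clerk never sees diagnoses.
ROLE_FIELDS = {
    "nurse": {"mrn", "name", "dob", "diagnosis", "medications"},
    "billing_clerk": {"mrn", "name", "insurance_id", "billed_amount"},
}

# Need to know: which users are assigned to which patient (care team, open claim).
# Assumed table; a real system would derive this from orders and encounters.
ASSIGNMENTS = {"000123": {"nurse_amy", "clerk_bob"}}


@dataclass
class AuditEvent:
    when: datetime
    user: str
    role: str
    mrn: str
    granted: bool
    break_glass: bool
    reason: Optional[str]


AUDIT_LOG: list = []  # every attempt, granted or denied, lands here


def access_record(user, role, mrn, record, *, break_glass=False, reason=None, now=None):
    """Return the subset of `record` this user may see, or raise PermissionError.

    1. Unknown roles get nothing; known roles get only their minimum-necessary fields.
    2. The user must be assigned to the patient (need to know) ...
    3. ... unless emergency break-glass access is invoked with a documented reason,
       which is granted regardless of assignment but flagged in the audit log.
    """
    now = now or datetime.now(timezone.utc)
    allowed = ROLE_FIELDS.get(role)
    assigned = user in ASSIGNMENTS.get(mrn, set())
    if break_glass and not reason:
        raise ValueError("break-glass access requires a documented reason")
    granted = allowed is not None and (assigned or break_glass)
    AUDIT_LOG.append(AuditEvent(now, user, role, mrn, granted, break_glass, reason))
    if not granted:
        raise PermissionError(f"{user} ({role}) has no need to know for MRN {mrn}")
    return {k: v for k, v in record.items() if k in allowed}


def find_suspicious_access(log, window=timedelta(hours=24), threshold=3):
    """Audit review: every break-glass use, plus users with repeated denials.

    Repeated denied attempts by one user inside `window` is the classic
    snooping pattern; break-glass events always need a human to confirm
    the stated reason was genuine.
    """
    findings = []
    denials = {}
    for ev in sorted(log, key=lambda e: e.when):
        if ev.break_glass:
            findings.append(("break_glass", ev.user, ev.mrn, ev.reason))
        if not ev.granted:
            recent = [t for t in denials.get(ev.user, []) if ev.when - t <= window]
            recent.append(ev.when)
            denials[ev.user] = recent
            if len(recent) == threshold:
                findings.append(("repeated_denials", ev.user, ev.mrn, len(recent)))
    return findings


def run_demo():
    """Exercise the rules on the constructed record and return the views and findings."""
    AUDIT_LOG.clear()
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    nurse_view = access_record("nurse_amy", "nurse", "000123", PATIENT_RECORD, now=t0)
    clerk_view = access_record("clerk_bob", "billing_clerk", "000123", PATIENT_RECORD, now=t0)
    for i in range(3):  # an unassigned nurse keeps trying: denied each time, then flagged
        try:
            access_record("nurse_zed", "nurse", "000123", PATIENT_RECORD,
                          now=t0 + timedelta(minutes=i))
        except PermissionError:
            pass
    er_view = access_record("nurse_zed", "nurse", "000123", PATIENT_RECORD,
                            break_glass=True, reason="patient coding in ED",
                            now=t0 + timedelta(hours=1))
    return nurse_view, clerk_view, er_view, find_suspicious_access(AUDIT_LOG)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The point of logging denied attempts as well as granted ones is that a "no need to know" denial is itself evidence: three refusals against the same record within a day is what the audit reviewer wants to see, and a break-glass grant is the one access that should always be read back against the reason the user typed.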
PHI USE IN MARKETING, FUND-RAISING AND RESEARCH
 Authorization must be given before PHI can be used in marketing
 Marketing is defined as a communication that encourages a person to purchase or use a product or service.
 Face-to-face communication, or promotional gifts of nominal value provided by the covered entity, do not require
authorization
 Disclosure of PHI to a foundation associated with the covered entity for purposes of fund-
raising is allowed
 Use of patient information in research is allowed under defined conditions (reviewed by an institutional
review board (IRB))
ENFORCEMENT OF PRIVACY
 The American Recovery and Reinvestment Act of 2009 (which contains HITECH) imposed civil monetary penalties if
violations are not corrected within 30 days, with fines ranging from $100 to $50,000 per violation
and a $1.5 million annual cap for violations of an identical provision
 In 2005, the Department of Justice clarified that criminal penalties can be brought against individuals
who knowingly (with knowledge that the action is forbidden) obtain or disclose individually identifiable
health information in violation of HIPAA
 Up to a $50,000 fine and up to 1 year in prison

 If PHI is obtained under false pretenses, the fine can increase to up to $100,000 with an accompanying
sentence of up to 5 years in prison.
 If the intent is commercial advantage or malicious harm, the fine can reach $250,000 and the sentence 10 years in prison.
 A complaint can be filed with the healthcare provider or insurer, or with the Department of Health and Human Services.
PATIENT SAFETY AND QUALITY IMPROVEMENT ACT OF 2005 (PSQIA)
 Created a voluntary system for reporting medical errors without fear of liability
 “Patient safety work product” can be shared with HCPs and organizations within a
protected legal environment
 Goal: improving patient safety and quality of care
 PATIENT SAFETY ORGANIZATIONS (PSOs): public or private, for-profit or non-profit
 The act established civil penalties for knowing or reckless violations of the confidentiality of patient
safety work product.
 Civil penalties up to $11,000 per violation
HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (HITECH)
Goals
 Improve healthcare quality, reduce costs, promote public health, reduce health disparities, facilitate
health research, and secure patient health information.
 Imposed restrictions on the sale of PHI
 If the covered entity receives remuneration from a manufacturer for the use of PHI, authorization
is required from the patient
 Sharing PHI for fund-raising for the covered entity is allowed, but the information provided to the
patient must clearly state the opt-out option
 Treatment cannot be withheld if authorization is not given or if the patient chooses to opt out.
 An impermissible use or disclosure of PHI is presumed to be a breach unless a risk assessment shows a low
probability that the PHI has been compromised
 The required risk assessment considers four factors: the nature and extent of the PHI involved, the unauthorized
person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the
extent to which the risk to the PHI has been mitigated
ENFORCEMENT ACTIVITIES
 The Office for Civil Rights within the Department of Health and Human Services (DHHS) has
responsibility for enforcement of HIPAA’s civil penalties.
 Civil penalties of up to $25,000 per year (the original, pre-HITECH cap) can result from complaints by individuals
 Criminal provisions now apply to individuals, not just to covered entities
 Examples of civil cases:
 Range from an employee taking records home to failing to honor a patient’s request for access to the record

 Criminal cases: accessing PHI for financial gain or for simple snooping
 A physician and several hospital employees were individually fined and had to perform community
service after inappropriately accessing the records of a high-profile patient.
FILING COMPLAINTS AFTER ENACTMENT OF THE HITECH ACT
Complaints can be filed by anyone who thinks that a covered entity or a business associate
violated some aspect of the privacy or security rules.
The complaint must be submitted to the Office for Civil Rights in writing, on paper or
electronically.
UNRESOLVED ISSUES OF HEALTH INFORMATION
 Inappropriate access
 Drop in research participation
 Telehealth issues with privacy
 Smartphones and social media
 Never post or tweet about patients, even in general terms
 Avoid mixing personal and professional lives on social media
 Do not complain about work online
