January 13, 2006
Answering questions about protecting patient privacy
Protecting
patient privacy is one of the most important ethical obligations in the
health care system today. And since the Health Insurance Portability and
Accountability Act (HIPAA) was introduced in 2003, protecting patient
information has become even more important — and more complicated.
Like many health care organizations, the MGH offers continuing education
about the HIPAA guidelines. Privacy breaches, however, continue to occur
— sometimes accidentally. To help clarify the hospital's confidentiality
policies and to help employees and staff avoid privacy breaches, specific
questions and answers about patient confidentiality will be published
regularly in MGH Hotline. The questions are answered by
Eileen Bryan, MGH HIPAA compliance specialist.
Q. Recently, an employee was hospitalized
with a serious illness. His coworkers were very concerned but heard no
news about his recovery. The employee's manager stated she was bound by
HIPAA and could not disclose any information. After a week of not hearing
any news, one of the coworkers checked her colleague's electronic medical
record just to see how he was doing. She also looked up his address so
that a card and gift could be sent to his home. While the employee had
the best intentions, this action was a serious privacy breach. How can
this kind of situation be avoided?
A. This kind of situation is challenging because it has no malicious
intent. The employee's coworkers were genuinely concerned, but they still
had no right to access his medical record. Varying degrees of disciplinary
action — up to termination — are taken in privacy breach cases,
including this one. Most likely, the manager in this case was in touch
with the employee-patient. To avoid a potential breach, it would be helpful
if the manager could have asked the employee-patient what, if any, information
she could share with his concerned colleagues. The manager also could
ask the employee-patient if he would feel comfortable with a gift and
card being sent to his home address. At the same time, colleagues need
to understand that some individuals are very private while others share
lots of personal information. But it's the individual's choice to share
information, and that decision should be respected. To make it easier
for employees who are patients or other MGH patients to keep friends,
family and coworkers apprised of their medical condition and recovery,
the hospital offers a password-protected website service called CarePages.
The free service allows patients to create their own website that they
can continuously update for others to see their treatment progress. The
site is located at www.massgeneral.org/carepages.