February 17, 2006

Answering questions about protecting patient privacy

When the Health Insurance Portability and Accountability Act (HIPAA) was introduced in 2003, protecting patient privacy — already one of health care's most important ethical obligations — became even more complicated. Although the MGH offers continuing education about HIPAA guidelines, privacy breaches do occur — sometimes accidentally. To help employees and staff avoid breaches, MGH Hotline regularly publishes questions and answers about patient confidentiality. The questions are answered by Eileen Bryan, MGH HIPAA compliance specialist.

Q. Recently, a male patient was dating a nurse practitioner. He came to the hospital for some tests and asked the nurse practitioner to review his results. After accessing his personal medical record, the nurse practitioner then showed the results to her attending physician. The physician invited the patient in for an undocumented professional consultation. Unfortunately, the personal relationship between the patient and the nurse practitioner ended soon after and not on good terms. The patient then reported this incident to the Office of Civil Rights as a breach of his private health information. An investigation of the situation showed that the nurse practitioner and attending physician had no written authorization from the patient allowing them to access his record. Although they both had the best intentions, these actions represented a serious privacy breach. How can this kind of situation be avoided?

A. This kind of situation is challenging because it involved a personal relationship beyond the normal patient-provider relationship. Verbal requests or permission — even from patients whom employees know on a personal level, or close colleagues or family members — are never enough for anyone to access a confidential medical record. Under HIPAA privacy regulations, all employees who view a patient's medical record must have documentation proving a treatment relationship or have written authorization from the patient. Hospital records are audited on a weekly basis, and lack of written authorization for staff access in a patient's record could result in varying degrees of disciplinary action — including termination. In this case, the nurse practitioner should have asked the patient to provide a written authorization for both her and the attending physician to access his medical record. HIPAA-compliant authorization forms can be accessed from the MGH HIPAA website at intranet.massgeneral.org/hipaa/forms.asp.
