The answer: Is this a HIPAA violation?
We see this question asked so often. This is some definitive information from the Office for Civil Rights (OCR), the government agency responsible for the Health Insurance Portability and Accountability Act. I have added some clarifying material as noted.

Identifiers
This lists the identifiers specifically appearing in the HIPAA privacy regulations. The presence of any one of these identifiers renders health information individually identifiable.
If none of these is a part of the information, it is not possible to identify the individual, and no HIPAA violation occurs if the information is used.
HIPAA De-identification requires removal of all such identifiers as specifically defined in the regulations.
It is not equivalent to the more general concept associated with the term 'anonymous.'
(A) Names (unless specifically released by written permission)
(B)* All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
[Limited dataset must exclude postal address information other than town or city, state and zip code]
(C)* All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers
(E) Fax numbers
(F) Electronic mail addresses
(G) Social security numbers
(H) Medical record numbers
(I) Health plan beneficiary numbers
(J) Account numbers
(K) Certificate/license numbers
(L) Vehicle identifiers and serial numbers, including license plate numbers
(M) Device identifiers and serial numbers
(N) Web Universal Resource Locators (URLs)
(O) Internet Protocol (IP) address numbers
(P) Biometric identifiers, including finger and voice prints
(Q) Full face photographic images and any comparable images (unless written permission obtained)
(R)* Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; If the algorithm for creating a "code" is disclosed to the recipient of the information, then the code is considered a unique identifier. The code is also considered a unique identifier if it is generated from any of the identifiers, or pieces of the identifiers, listed above.
The Privacy Rule requires you to "safeguard" PHI at your training site. Use the following practices to ensure Privacy Rule compliance.
If you see a medical record in public view where patients or others can see it, cover the file, turn it over, or find another way to protect it.
When you talk about patients as part of your training, try to prevent others from overhearing the conversation. Whenever possible, hold conversations about patients in private areas. Do not discuss patients while you are in elevators or other public areas.
When medical records are not in use, store them in offices, shelves or filing cabinets.
Remove patient documents from faxes and copiers as soon as you can.
When you throw away documents containing PHI, follow the facility procedures for disposal of documents with PHI.
Never remove the patient's official medical record from the training site.
Avoid removing copies of PHI from the training site; if you must remove copies of PHI from the training site, e.g., to complete homework, take appropriate steps to safeguard the PHI outside of the training site and properly dispose of the PHI when you are done with it. You should not leave PHI out where your family members or others may see it. All copies of PHI should be shredded or otherwise destroyed when they are no longer needed for your training purposes.
The U.S. Department of Health and Human Services has issued another set of HIPAA rules (the Security Rules) regarding the safety and security of electronic data files and computer equipment; these cover electronic safeguards and how the HIPAA Security Rules may affect you at clinical training sites.
Use Only the Minimum Necessary Information
When you use PHI, you must follow the Privacy Rule's minimum necessary requirement by asking yourself the following question: "Am I using or accessing more PHI than I need to?" If you are unsure of the PHI you may use or access while providing health care for a patient at your training site, please contact your preceptor, supervisor or the HIPAA Privacy Officer at your training site.
Disclosing PHI to a Patient's Family Members
Before you may discuss a patient's condition, treatment or other PHI with his or her family member, it must be determined if the patient would object to such a disclosure. You should confirm with your supervisor that the patient has agreed to allow or in some other way has expressed no objection to such disclosures before you may discuss a patient's condition, treatment, or other PHI with his/her family members.
This does not mean that you cannot receive information from these persons, only that you cannot give them any PHI without permission. You could be exposed to suit if you refused to listen to and record information that was later found to be important, and the patient was harmed by this omission.
Each training site covered by the HIPAA Privacy Rule will have policies and procedures for implementing the following patient rights under the Privacy Rule:
The right to request alternative communications.
Under the Privacy Rule, patients can ask to be contacted in a certain way. For example, a patient may ask a nurse if she/he can leave a message on the patient's home voicemail instead of contacting the patient at work. If a patient's request is reasonable, as is the previous example, the health care provider or facility must follow it.
The right to look at (and obtain copies of) records.
Patients can ask to read their medical and billing records, and have copies made.
The right to ask for changes to medical and billing records.
Each facility must review and consider all requests for changes to medical and billing records.
The right to receive a list of certain disclosures.
Your training site must make and keep a list of certain disclosures of PHI (excluding disclosures for treatment, payment, and health care operations) that are made without patient authorization. Patients have the right to see and receive a copy of this list.
The right to request restrictions on how PHI is used and disclosed.
Patients can ask health care providers and facilities to limit the ways they make use of and disclose the patient's PHI for treatment, payment, and health care operations. Providers and facilities are not required to agree to such requests. You, as a trainee, must never agree to such restrictions on behalf of the training site.
The right to receive a "Notice of Privacy Practices."
Each health care facility that provides direct patient care must give every patient/client a copy of their Notice of Privacy Practices. The notice describes their privacy practices and the Privacy Rule. The facility must make reasonable efforts to have each patient sign a form acknowledging he or she received the notice. We recommend that you obtain a copy of the Notice of Privacy Practices from your training site and become familiar with it.
An indispensable source for answers is found here:
http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html
Last edit by Joe V on Apr 17, '12 : Reason: formatting for easier reading
GrnTea is a legal nurse consultant for a nurse-owned consulting company. She has many years experience in critical care, case management, nursing education, and and legal nursing, and particularly enjoys empowering nurses with information.
Apr 16, '12 by GrnTea, BSN, MSN, RN
I appreciate the reformatting, but I am concerned that some of my remarks may now appear as if they are OCR's words, and they aren't. I specifically made them in a different color to differentiate them. Oh, well.

Apr 19, '12 by Clovery
I wasn't sure if I should reply to this post or ask this question in a separate thread, so mods can feel free to move this if appropriate.
I have a question about article (C):* All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
I see that it's asterisked so I'm not sure if this is an exception? For example my paper would read something like this:
K.M. male 64 years, admitted 4/17/12, chest x-ray 4/19/12 confirmed PICC line placement, urine culture 4/18/12, etc.
I did check the site you linked to but it was still unclear.
In any case, thanks for posting this. I've always thought I should have an entire class on HIPAA or at least a lengthy seminar. So far it was just glossed over in my Fundamentals course. If the above example is a violation, what do you suggest I do?
Last edit by Clovery on Apr 19, '12 : Reason: typo

Apr 20, '12 by GrnTea, BSN, MSN, RN
The information you gave on KM is fine, though I suggest you change or eliminate the initials. Some nursing programs have gone to a format where the student notes something like, "male age 65 (no initials, no date of birth); date of care 4/19/2012, postop day 3."
You can use date of admission on your care planning for school because it's part of your educational process.

Apr 20, '12 by Clovery
Thanks for the clarification. As a student I'm always so worried about accidentally violating HIPAA!

Jun 6, '12 by GrnTea, BSN, MSN, RN
Bumped in hopes that some folks will read it before they ask!

Jan 27, '14 by epijunky
I have often contemplated writing a journal or blog type thing (private or personal) to let off steam and share my experiences. As an ER/Trauma nurse, I see a lot of bizarre and crazy things that make for comedic entertainment for some. I have never done so because I am so afraid of violating HIPAA. I am well aware of the A-R listed in the article; what I am concerned with is more like someone could track the IP address of my blog and know what city/state I am writing from and therefore be able to figure out a patient, even if the only info given was "a middle-age male presented to the ED c/o rectal pain... radiology reports reveal a vibrator-like object visualized in the colon." Even in a big town that's bound to only present to the ED once a month or so. Also, if people knew who wrote the book/article/whatever, and they knew I worked in town X, that could lead to identification. What are some ways to deal with this? How can one write about their experiences while honoring HIPAA? Several people have blogs and have written books; how is this achieved without violating HIPAA?

Jan 27, '14 by GrnTea, BSN, MSN, RN
Since you've only been working for three years, you wouldn't have plausible deniability about cases you saw twenty years ago that you have neatly fictionalized. I think that's your main problem, as many, many nurses and physicians have changed enough details to publish books and blogs like this. They often meld details from many different patients to make a composite that's not recognizable as an actual individual; you see this all the time. It's fiction you can publish in this area, not nonfiction.
Here on AN, the most outstanding example (in my opinion) is CheesePotato, though I haven't seen anything from that quarter lately. You can search the name and read some truly excellent writing.
At only three years, you don't have enough anecdotes to do that yet. And I have to tell you, the vibrator in the distal colon, often still buzzing, is nothing new in the literature.
Suppose you keep bare-bones notes on paper with just a few words to jog your memory, no identifiable data: no names, using altered ages, dates, time of the year, and then liberally fictionalize details like clothing, nonrelated medical comorbidities, who's with them, time of day, and so forth ... and then put it away in a closet for a few years. Do not post them anywhere. You'll have more experience to make composites, too. You can do this for your private use to let off steam, and never let it see the light of day.
You may even find that creative writing leads you to be the nursing equivalent of Samuel Shem.
Last edit by GrnTea on Jan 27, '14

Apr 1, '14 by NRSKarenRN, BSN, RN, Moderator
From the National Council of State Boards of Nursing:
Video: Social Media Guidelines for Nurses
White Paper: A Nurse's Guide to the Use of Social Media

Apr 19, '14 by Jory, ADN, BSN, MSN
Quote from GrnTea:
"The information you gave on KM is fine, though I suggest you change or eliminate the initials. Some nursing programs have gone to a format where the student notes something like, 'male age 65 (no initials, no date of birth); date of care 4/19/2012, postop day 3.' You can use date of admission on your care planning for school because it's part of your educational process."
Most nursing schools tell them to use the initials... that way, if the clinical instructor needs to go back and find the patient to reference the chart for grading, they can. If the assignment is going from the hospital to the student to the instructor, that is not a HIPAA violation, because again, it's for educational purposes. Medical students do it all the time... they never change the info.
HIPAA is not a mystery and I have never understood what the confusion was. If it's not your patient, you don't access the chart. You don't discuss your patients with other people. It's not a HIPAA violation if out of earshot of the general public, if a group of nurses in a unit are discussing patient cases in order to gain an understanding of how to take care of them better.
Never mention work on Facebook. I would disagree somewhat with what has been posted above, and I'll give you an example of how you can violate HIPAA with the simplest of comments:
My Facebook Post: "we lost the sweetest patient last night"
My info page lists that I work at "Memorial Hospital" and that I'm an RN in the NICU and my city/state.
If any one of my friends reads the obituaries and sees that a baby named Jane Doe, infant, died at Memorial Hospital on a date that matches when I said the death occurred, I have just committed a HIPAA violation, because my personal information in my profile PLUS what I posted allowed the infant to be identified, even though I did not mention the name, age or location of the patient in my post.
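Two points in this thread lend themselves to a worked check: the Safe Harbor identifier list in the opening post (the three-digit ZIP rule in (B), year-only dates and the 90-or-older age bucket in (C), and the pattern identifiers such as phone, SSN, e-mail, IP and URL) and Jory's observation that a post containing none of those identifiers can still single out one person once it is joined with a profile and an obituary. The Python below is an added example written for this page; it is not code from the thread, from HHS/OCR, or from any named project. The ZIP-prefix set, the sample note and the obituary records are constructed for illustration, and the handling of two-digit years is an assumption.

```python
"""Safe Harbor de-identification helpers and a quasi-identifier linkage check.

Added example: not code from the thread, from HHS/OCR, or from any project.
The ZIP population set and the records below are constructed for illustration.
"""
import re
from datetime import date

# Constructed: 3-digit ZIP prefixes treated here as covering 20,000 or fewer
# people. In practice this set must be built from current Census data.
SMALL_ZIP3 = {"036", "059", "102", "203", "556", "692", "790", "821",
              "823", "830", "831", "878", "879", "884", "890", "893"}


def safe_harbor_zip(zip_code: str) -> str:
    """Rule (B): keep the first three digits unless that 3-digit area has
    20,000 or fewer people, in which case emit 000."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        raise ValueError("expected a 5- or 9-digit ZIP code")
    prefix = digits[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


def safe_harbor_date(d) -> str:
    """Rule (C): only the year of a date tied to an individual may remain.
    Accepts a datetime.date or an ISO 8601 string."""
    if isinstance(d, str):
        d = date.fromisoformat(d)
    return str(d.year)


def safe_harbor_age(age: int) -> str:
    """Rule (C): ages over 89 collapse into a single '90 or older' bucket."""
    return "90 or older" if age > 89 else str(age)


# Free-text patterns for some list items. SSN is tried before phone so the
# 3-2-4 digit shape is not mistaken for a 3-3-4 phone number.
_PATTERNS = [
    ("[URL]", re.compile(r"https?://\S+")),                      # (N)
    ("[EMAIL]", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),     # (F)
    ("[IP]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),         # (O)
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),               # (G)
    ("[PHONE]", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),       # (D), (E)
]
_DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4}|\d{2})\b")


def _year_only(m) -> str:
    # Assumption: two-digit years in clinical notes refer to the 2000s.
    y = m.group(3)
    return y if len(y) == 4 else "20" + y


def scrub_free_text(text: str) -> str:
    """Replace recognisable identifiers in a narrative note; dates keep only
    the year. Initials, ages, unit and facility names are NOT touched."""
    text = _DATE.sub(_year_only, text)
    for tag, pattern in _PATTERNS:
        text = pattern.sub(tag, text)
    return text


def linkage_k(records, **quasi) -> int:
    """Count records sharing every given quasi-identifier value. A result of 1
    means the combination singles out one person even with no name present."""
    return sum(all(r.get(k) == v for k, v in quasi.items()) for r in records)


# Constructed records standing in for public obituary notices.
OBITUARIES = [
    {"name": "Jane Doe", "facility": "Memorial Hospital", "unit": "NICU", "died": "2014-04-18"},
    {"name": "John Roe", "facility": "Memorial Hospital", "unit": "ICU", "died": "2014-04-18"},
    {"name": "Baby Poe", "facility": "Memorial Hospital", "unit": "NICU", "died": "2014-03-02"},
]

if __name__ == "__main__":
    print(safe_harbor_zip("03601"), safe_harbor_zip("10001"), safe_harbor_age(92))
    print(scrub_free_text("K.M. male 64 years, admitted 4/17/12, call 555-123-4567"))
    # Facility + unit + date from a profile and one post: k == 1, Jory's case.
    print(linkage_k(OBITUARIES, facility="Memorial Hospital", unit="NICU", died="2014-04-18"))
```

The scrubber covers the mechanical items; note what it leaves alone. Clovery's "K.M." survives, as do age, unit and facility, and the last call shows that facility plus unit plus date already yields k = 1 against the constructed notices, which is exactly how the Facebook post above becomes identifying. Safe Harbor removal is a floor; whether the remaining narrative still points at one person is the separate question that item (R) and the limited data set note exist for.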