Knock knock. Who's there? HIPAA. HIPAA who?

Nurses HIPAA Toon

Mr. Peabody! You need to sign this HIPAA privacy form before we can look at your rash!

And, of course, the answer to that question is ... I can't tell you that. This is a joke that's floated around for years. But HIPAA is very serious. Passed by Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is, in short, for the protection and confidential handling of protected health information. HIPAA is always lurking in the back of every nurse's mind: Does this violate HIPAA? I am being accused of violating HIPAA; will I be fired? Nurses everywhere receive education on HIPAA in their nursing programs as well as from their healthcare employers. Are you HIPAA savvy?

Specializes in Professor of Nursing Research and Ethics.
On 5/31/2021 at 11:58 AM, JKL33 said:

Hello. Please provide the HHS reference related to ^ this.

I've briefly reviewed what I believe to be the relevant HHS/HIPAA-related information but I'd like to know what your interpretation is based upon.

"A health care provider may utilize the services of a contract film crew to produce training videos or public relations materials on the provider’s behalf if certain protections are in place.  If patients are to be identified by the provider and interviewed by a film crew, or if PHI might be accessible during filming or otherwise disclosed, the provider must enter into a HIPAA business associate agreement with the film crew acting as a business associate.  Among other requirements, the business associate agreement must ensure that the film crew will safeguard the PHI it obtains, only use or disclose the PHI for the purposes provided in the agreement, and return or destroy any PHI after the work for the health care provider has been completed.  See 45 C.F.R. 164.504(e)(2).  As a business associate, the film crew must comply with the HIPAA Security Rule and a number of provisions in the Privacy Rule, including the Rule’s restrictions on the use and disclosure of PHI.  In addition, authorizations from patients whose PHI is included in any materials would be required before such materials are posted online, printed in brochures for the public, or otherwise publicly disseminated."

This quotation can be found here: "Can health care providers invite or arrange for members of the media, including film crews, to enter treatment areas of their facilities without prior written authorization?" https://www.hhs.gov/HIPAA/for-professionals/faq/2023/film-and-media/index.html

No reasonable person, especially one with an ethical eye, would conclude that HIPAA's conceptualization of "healthcare operations" includes programs for teenage shadows.  After a reasoned analysis of this conceptualization, The AHIMA Privacy and Security Practice Council concluded, "[J]ob shadowing experiences that involve patient or PHI exposure are not part of a [covered entity's] healthcare operations and cannot be permitted without the authorization of each involved patient or individual." (Journal of AHIMA, "Job Shadowing and the HIPAA Privacy Rule," pp. 69, 71)  Among the consequences of HIPAA authorities' inclusion of shadowing programs beneath the rubric of "healthcare operations" have been egregious violations of patients' rights to privacy and dignity that may rise to the level of torts. 

 Furthermore, a careful reading of HIPAA's conceptualization of "business associate" would not lead a thoughtful reader to include commercial film organizations in a list of business associates.  My efforts to find out how HIPAA authorities are able to reconcile including shadowing programs as "healthcare operations" and commercial film crews as "business associates" with principles of healthcare ethics and HIPAA's mandate to protect patients' privacy have been in vain.  


2 Votes

The link you provided is the information I reviewed as well. The answer given begins with this:
 

Quote

 

Can health care providers invite or arrange for members of the media, including film crews, to enter treatment areas of their facilities without prior written authorization?

Answer:

Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media.  Only in very limited circumstances, as set forth below, does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual.

 

Everything else in the subsequent comments at that link flows from ^ this. They are not saying that a hospital can drag in a film crew to film whatever they want as long as they do some monkey business to consider/pretend that the crew is one of their "business associates." Instead, what it says is that, for the purposes of filming training or marketing materials, the entity must put into place a formal business associate agreement with the media company, which then obligates both of them to the HIPAA-related provisions that apply to business associates. Any PHI that crews were exposed to in the course of filming training or marketing materials must not be publicized without express permission. That's the way I read it.

Now, I understand that some patients may not want even the exposures allowed by these provisions. I am not sure what to say except that I haven't had these things going on around me in my workplaces. The hospital systems I have worked for would never allow it in the way you are describing as what "could" be done.

Here is a more recent reminder bulletin from OCR: It applies to this discussion as an example of what is and isn't allowed/expected:

https://www.hhs.gov/about/news/2020/05/05/ocr-issues-guidance-covered-health-care-poviders-restrictions-media-access-protected-health-information-individuals-facilities.html

 

On 5/31/2021 at 12:39 PM, Charles Barrow said:

For example, according to one of the Office of Civil Rights' regional managers, all shadowing programs run by "covered entities" are classified beneath the rubric "health care operations" (45 C.F.R 164 164.501)  and as such are exempt from obtaining the prior consent of patients before permitting shadows (no matter their age, educational status, or purpose) to have access to patient's "protected health information" (PHI) and observe exchanges between providers and patients. 

 

1 hour ago, Charles Barrow said:

No reasonable person, especially one with an ethical eye, would conclude that HIPAA's conceptualization of "healthcare operations" includes programs for teenage shadows. 

 As to the above issue, I can't comment as HIPAA doesn't appear to specifically address "shadowing" (meaning observation of a work area by someone who is not a health professions student). All I can tell you is that where shadowing is allowed it is within strict facility-specific policies that involve things like training that is required, signed agreements, etc., all the way to background checks sometimes. In recent years I have not seen any shadowing at all that is not either by a health professions student with a formal agreement through their school or something like a job candidate being allowed to spend a day on a unit to see whether it would be a good employment match--and this latter thing has become extremely rare lately (my anecdote). I'm sure that outside of hospitals (large healthcare organizations) general shadowing may be more common, but in the instances I am aware of patients were given the option of allowing the student to observe interactions or not allowing them.

I cannot offer an opinion on whether shadowing is allowed under HIPAA, IOW, I am not going to try to interpret the full possibility of what all could be considered healthcare operations. But I do not believe that shadowing is unethical as you suggest--I believe that it should be undertaken similarly to how I have observed it, which is within policies that are strictly enforced and with patients' permission. My opinion is that it behooves society to encourage possible future healthcare providers. I'm not sure what the teenage aspect has to do with it (although personally I would hope they might be older teens). Some of the "kids" wiping bottoms at nursing homes are officially teens or not a whole heck of a lot past their teenage years. Pre-nursing students, young adults preparing for other entry level positions in healthcare may be teens.

Can you elaborate more on what your view/stake/position in this is? Have you had a personal experience that didn't seem right?

 

2 Votes
Specializes in Professor of Nursing Research and Ethics.
On 6/1/2021 at 5:25 PM, JKL33 said:

 

Can you elaborate more on what your view/stake/position in this is? Have you had a personal experience that didn't seem right?

  

I will respond to your post a bit at a time beginning with your last question.  

I have been conducting research using a technique called triangulation which involves, in my case, the use of both quantitative and qualitative methods to identify patterns of patient-provider interactions.  This requires studying HIPAA because some of its rules articulate how providers must or must not interact with patients.

As one would suspect, there is some degree of disparity between the ideal (rules designed to guide interactions) and the real (violations of those rules).  The “convictions” of and fines imposed on violators by HIPAA authorities constitute evidence of the official deviations from those rules.  These “official statistics” are analogous to the data collected by the FBI and published in the Uniform Crime Reports.  Criminologists speak of the “dark figures of crime” which refers to crimes unknown to the police.  They are analogous to breaches of HIPAA unknown to HIPAA authorities; we can call them the “dark figures of HIPAA violations.”  One of my tasks as a researcher is to uncover or expose these “dark figures.” 

One research method I use is a qualitative one called participant observation.  Formally, I play the role of a participant as observer; I am an actual patient who observes the interactions that take place between other patients and providers and make note of how providers interact with me.  Just as actors vary their roles from one play to another, I vary the roles I play when I interact with providers.  But unlike actors, I vary these roles at random.  When I detect a breach of etiquette or ethics I sometimes behave in a way expected of a patient (e.g., compliant and agreeable – I say nothing and pretend I hear and see nothing out of the ordinary) and at other times I deviate from the role of the ideal patient (e.g., contrary and confrontational).  In each case I observe and note the providers’ reactions and when I have sufficient data, I search for patterns in these reactions.  Social psychologists may recognize this approach as being a modified ethnomethodological study called a breaching experiment.

To your question, “Have you had a personal experience that didn’t seem right?” my answer to your question is, as a participant observer and before I was a participant observer, I observed and experienced many breaches of social norms (folkways, mores, and laws) in which providers engaged.  None of these breaches, as far as I know, constituted a violation of HIPAA.  I already wrote about one of these breaches.  It was published in this blog on November 26, 2020.

 

 

14 hours ago, Charles Barrow said:

I already wrote about one of these breaches.  It was published in this blog on November 26, 2020.

Yes.

I have heard others' information/goings-on next door while sitting in a thin-walled exam room without even trying to eavesdrop.

I am not sure what the answer is, except that each of us use our best judgment to maintain the degree of privacy possible in our settings. That is, uphold both the law and the spirit of the law to the extent we possibly can. But we just don't live in a world where every single piece of every single health care interaction can be completed in total and utter privacy at all times. Some of the concerns I understand and sometimes I think people can get preoccupied with this due to their own emotional insecurity when in reality it seems like our private affairs in general are less private than ever before overall. I'd worry about other things well before I'd worry that some other citizen heard a snippet of my health concern or overheard my name while they happened to be in the same place as me attending to their own health concerns and problems. Seems a bit like worrying about a passerby stepping onto one's lawn, meanwhile the house is being burglarized by an actual thief. But that's just me.

In practice, HIPAA interpretations have had some good effects as well as some very unfortunate effects (my opinion).

 

14 hours ago, Charles Barrow said:

These “official statistics” are analogous to the data collected by the FBI and published in the Uniform Crime Reports.  Criminologists speak of the “dark figures of crime” which refers to crimes unknown to the police.  They are analogous to breaches of HIPAA unknown to HIPAA authorities; we can call them the “dark figures of HIPAA violations.”  One of my tasks as a researcher is to uncover or expose these “dark figures.” 

For clarification: You are researching the actions of mostly entry-level worker citizens/employees and you believe these day-to-day interactions which occur in significantly less than ideal circumstances represent dark figures of HIPAA violations?

Maybe I am misunderstanding but it sounds like you are hoping to catch criminals at the staff/employee level (aka non-decision-making level). How does this play out?

Specializes in Professor of Nursing Research and Ethics.
On 6/1/2021 at 5:25 PM, JKL33 said:

 As to the above issue, I can't comment as HIPAA doesn't appear to specifically address "shadowing" (meaning observation of a work area by someone who is not a health professions student). All I can tell you is that where shadowing is allowed it is within strict facility-specific policies that involve things like training that is required, signed agreements, etc., all the way to background checks sometimes. In recent years I have not seen any shadowing at all that is not either by a health professions student with a formal agreement through their school or something like a job candidate

 

On 6/1/2021 at 5:25 PM, JKL33 said:

in the instances I am aware of patients were given the option of allowing the student to observe interactions or not allowing them.

As far as I can tell, you are correct; I have been unable to find anything about shadowing programs in HIPAA documents.  However, HIPAA authorities do address shadowing.  That’s one of the reasons I distinguish between HIPAA and HIPAA authorities, one of whom is the regional manager I cited on 5/31.

I have been conducting research on shadowing for some years now.  To guide my observations, I have used McDade’s conceptualization of a shadow: to paraphrase McDade, shadows are individuals who accompany licensed healthcare providers into locations where these providers care for or treat patients.  The role of a shadow is to observe the exchanges that occur between providers and patients; they engage in no hands-on activities.  They strive to remain as unobtrusive as possible, especially during an examination.  Shadows’ communications with patients and preceptors occur primarily, if at all, before and/or after the provision of treatment or care.  This conceptualization encompasses, among other people, “someone who is not a health professions student” as well as shadowing “by a health professions student with a formal agreement . . . or something like a job candidate.”  Using this conceptualization, between 2008 and 2020, I identified 38 shadows who joined me and their preceptors in examination rooms.  In only 3 (8%) of the visits was prior consent secured. 

Without going into detail, here are a few of my other findings.  On most occasions, the first time I saw a shadow at a healthcare facility was in an examination room.  Most shadows were not introduced to me.  I was not introduced to any of the shadows.  Some shadows believed that informing me that they would be present to observe constituted getting permission.  Some preceptors believed the same.  Shadows were taught to use this approach in lieu of asking permission because it was believed to increase the likelihood that patients would permit them to observe.  On those occasions that I was subjected to the scrutiny of shadows, I was never thanked for my service. In the last 6 weeks, I visited healthcare facilities 4 times during which shadows accompanied providers.  The same pattern I noted between 2008 and 2020 was pretty much repeated except that one shadow thanked me for my service – an unexpected first of its kind for me. 

I have reviewed 15 online descriptions of shadowing programs so far.  Within these descriptions are program policies.  The rigidity of these policies’ adherence to a set of criteria that would protect patients’ privacy varies across programs but is, in general, high.  However, there is inevitably some gap between policy and practice or what sociologists call ideal norms and real norms.  I first measured that gap in the 1970s when I made site visits to healthcare facilities as a program evaluator and program developer helping them prepare for site visits from what was then called the Joint Commission on Accreditation of Hospitals (JCAH).  Every year, our team found that policy deviations varied from trivial to egregious (or close to it).  I suspect things are pretty much the same today as they were back then.  I plan to contact the facilities in which the shadowing programs I studied are housed and find out about their assessment programs.  Back in the ‘70s when I made site visits, the focus of organizations that did assessments of government-funded programs was disproportionately on policies with little attention to practice.  Regarding the experiences I described in the last paragraph, I don’t know if the behaviors I reported were or were not consistent with the policies of the facilities involved.

In 2015, I learned of an event that transpired in one facility that, in spite of violating norms of common decency and, possibly, legal precepts, seemed to be considered within the boundaries of care standards by facility officials.  During an interview with a mother, she told me that her 15-year-old son had recently visited a physician for a physical.  As he sat in the examination room with only his underpants on, the physician walked in with a shadow; a young lady the boy knew.  She was a senior in the high school he attended.  He was so flabbergasted and surprised that he was at a loss for words.  The doctor pulled his pants down and examined him as the girl watched.  All this occurred without his or his mother’s consent.  The boy refused to return to school and had to undergo counseling.  The mother filed a complaint with the facility and was told that neither its policies nor HIPAA standards were violated.  According to the mother, she had started the process of seeking justice for her son through the courts against the girl (who was 18), the physician, the healthcare facility, and the school (which probably had an agreement with the facility).

I was skeptical about the facility’s claim that HIPAA allegedly permitted shadowing programs that allowed teenagers to observe patients without prior consent, but didn’t investigate the claim until 2017 when I had an opportunity to file my own complaint against a facility.  My complaint was two-fold: 1) The physician permitted an 18-year-old shadow,* who was not connected to any bona fide healthcare training or education program, into an examination room that I occupied without prior consent and 2) the physician failed to fully describe the educational/training status of the shadow.  Regarding the latter, the physician introduced the shadow only as "a student."  I reasonably believed he was a medical student, but his youthful looks gave me pause.  I did a little probing and found out he was a college freshman; was no more interested in becoming a healthcare provider than in pursuing a vocation in a number of other areas; and was, by his own admission, shadowing “because I am curious.” 

I filed a complaint with HIPAA only after the facility’s compliance officer defended the practices described and then refused to reply to my follow-up letter.  HIPAA’s regional manager responded thusly: “As far as the Privacy rule’s ‘minimum necessary requirements’ are concerned … covered entities are free to design their own policies and procedures surrounding access to patients’ PHI by the latter [45 C.F.R. 164.501]…  A student shadowing a physician falls under the definition of ‘health care operations,’ in the HIPAA Privacy Rule and is permitted; A health care provider (e.g., a physician) is not required to obtain a patient’s consent prior to having a student/intern shadow him/her; [having obtained the complainant’s permission [would have been] a courtesy [but not a requirement]… As a result, OCR finds that there was no violation of the HIPAA Privacy Rule.  OCR finds [the facility and the physician] in compliance with the HIPAA Privacy Rule and is closing this complaint.” 

Although the regional manager did not address my complaint regarding the physician’s failure to fully disclose the shadow’s status, he did recognize its existence.  Apparently, this omission is not a concern addressed in HIPAA or of concern to HIPAA authorities in spite of the fact that shadowing programs per se are not addressed by HIPAA but are of interest to HIPAA authorities.

On 6/1/2021 at 5:25 PM, JKL33 said:

I cannot offer an opinion on whether shadowing is allowed under HIPAA, IOW, I am not going to try to interpret the full possibility of what all could be considered healthcare operations. But I do not believe that shadowing is unethical as you suggest

 

On 6/1/2021 at 5:25 PM, JKL33 said:

I'm not sure what the teenage aspect has to do with it

Although I can make a cogent argument that putting patients on display for the benefit of others is, in and of itself, ethically questionable, I did not suggest that shadowing is unethical when I asserted, “No reasonable person, especially one with an ethical eye, would conclude that HIPAA's conceptualization of "healthcare operations" includes programs for teenage shadows.” 

According to the regional manager with whom I communicated, “A student shadowing a physician falls under the definition of ‘health care operations,’ in the HIPAA Privacy Rule.  Under this provision, health care providers are permitted to (a) ‘conduct training programs in which students, trainees, or other practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers; and (b) the program is specifically designed to: review the competence or qualifications of health care professionals; evaluate practitioner and provider performance; train non-health care professionals; and to assess accreditation, certification, licensing, or credentialing activities’ [45 C.F.R. 164.501].”  That is the conceptualization to which I am referring.  Where does an 18-year-old college student who is, by his own admission, not involved in any bona fide healthcare training/education program, is no more committed to becoming a healthcare provider than he is in pursuing a vocation in a number of other areas, and shadows to satiate his curiosity fit in the conceptualization?  This question elicited no answer by HIPAA authorities.  However, as I suggested in an earlier post, independent analysis conducted by AHIMA answered my question in the same way I did – “Nowhere!” 

What some laypeople I have interviewed find chilling is that HIPAA authorities’ defense for not getting consent is that HIPAA would allow shadows to, without prior consent of patients or their legal reps, intrude on patients’ privacy in their most vulnerable moments including during intrusive preps for surgery, during surgeries, and while they are anesthetized or otherwise unconscious.  Essentially, as interpreted by HIPAA authorities, what my best friend cannot do without my consent (e.g., join me in an examination room), their children can do without my consent as long as they get a qualified provider to serve as a preceptor and conform to certain criteria specified by HIPAA including, among other things, signing a HIPAA confidentiality form.

*  All the online programs I reviewed required shadows to be 18 or older.  I was told that 18 was the cutoff primarily because at 18, parents did not have to be involved in the process.  By contrast, Nancy Davis (director of privacy at Ministry Health Care and co-chair of the AHIMA 2006 Privacy and Security Practice Council) writes, “More often than not, job shadowing participants are middle and high school students . . .” (2006. “Job Shadowing and the HIPAA Privacy Rule.” Journal of AHIMA. 77(8): 69, 71). 

I am familiar with several facilities, some connected to hospitals, that have shadowing programs that include shadows under 18.  I had an experience in one healthcare facility that had (and may still have) a day-program which included shadows who were elementary school children.  I found this out during a visit to a physician.  I walked into the examination room and, without my consent, was followed by a nurse and her 8-year-old daughter.  They didn’t leave when the doctor entered and closed the door.  I found out the little girl was given a school project to follow one of her parents at work and report back to the school what she learned, thereby risking a HIPAA no-no.

 

 

Specializes in Professor of Nursing Research and Ethics.
On 6/5/2021 at 12:08 PM, JKL33 said:

Yes.

I have heard others' information/goings-on next door while sitting in a thin-walled exam room without even trying to eavesdrop.

Ditto!  I had two cataract surgeries over the last 6 weeks at which time I was made privy to personal information about other patients and I suppose they were made privy to mine. Given what I heard and said, I think my information was more private than theirs.

We were being prepped for surgery in cubbyholes separated by curtains.  I estimate that we were about 5 to 6 feet apart.  There were two other prep locations which would have allowed greater distance between us.  The nurses who gathered information spoke more loudly than they had to when they gave and received information and the patients followed suit.  The anesthesiologist, however, was very quiet and the patients followed suit with him, too; I heard the anesthesiologist and patient speaking at each visit, but could not decipher the words.  I fell asleep.

On 6/5/2021 at 12:08 PM, JKL33 said:

I am not sure what the answer is, except that each of us use our best judgment to maintain the degree of privacy possible in our settings. That is, uphold both the law and the spirit of the law to the extent we possibly can.

I suppose when you write about “the law,” you are referring to HIPAA as well as other federal laws and state statutes.  I would add to that the idea of upholding ethical principles (autonomy, non-malfeasance, beneficence, and social justice), which may loosely be conceived as “the spirit of the law,” given that laws tend to originate with social mores (morally important norms) which are often reflected in ethical documents.  The AMA’s Code of Medical Ethics Opinion 3.12, for example, advises – “When individuals who are not involved in providing care [e.g., shadows] seek to observe patient-physician encounters, e.g., for educational purposes, physicians should safeguard patient privacy by permitting such observers to be present during a clinical encounter only when:  1. The patient has explicitly agreed to the presence of the observer(s). . . 2. The presence of the observer will not compromise care. 3. The observer understands and has agreed to adhere to standards of medical privacy and confidentiality.”  This is a mos (singular of mores) that forbids shadows to observe without patient consent, but it is trumped by the law (or at least HIPAA authorities’ interpretation of the law) which permits shadows to observe without patient consent.  In other words, the AMA does not have the authority to enforce its ethical expectations and sanction violators for deviating from those expectations.  Unless there are other authoritative sources of social control, such as the Joint Commission, “covered entities” are free to permit shadows to observe patients’ encounters with preceptors without prior consent.

In my personal experience, with few exceptions, of the three conditions listed in the last paragraph, the only one with which providers tend to be most concerned is the third.  That may be because it is the only one required by HIPAA – the law.  I was told by compliance officials (without evidence*) that all shadows agree to “adhere to standards of medical privacy and confidentiality” by signing a HIPAA confidentiality form.  However, I have been unable to find evidence that shadows fully understood “standards of medical privacy and confidentiality.”  The 12 shadows with whom I spoke were either not tested over what they learned or, among those who were tested, I found out that the levels of validity and reliability of the tests had not been established.  Moreover, they could not answer the few simple questions I asked them, such as the relationship between privacy and confidentiality.  In retrospect, I wonder if they knew what HIPAA stands for (a question which I have posed to 81 allied healthcare workers).  I cannot claim that the samples I’ve taken are representative of any population on any variable, but what I’ve found should give pause to those who believe that policy (as set forth in shadowing preparation materials) equals practice.

There is irony in your exhortation that “each of us use our best judgment to maintain the degree of privacy possible in our settings.”  Before HIPAA, many providers to whom I spoke about privacy issues tended to sigh, wax philosophical, and say something to the effect, “I guess all we can do is that ‘each of us use our best judgment to maintain the degree of privacy possible in our settings.’”  Unfortunately, before HIPAA, the understanding of what constituted privacy varied across healthcare facilities and individuals in them and the way to deal with privacy intrusions varied in the same way.  HIPAA brought some degree of consistency and continuity to understanding privacy and dealing with unnecessary privacy intrusions.  Healthcare providers acting on the old way of understanding privacy not infrequently violated social mores.  Nowadays, if a healthcare facility acts on these old understandings, they run the risk of being slapped with a fine by HIPAA.  Just ask administrators at N.Y. Presbyterian Hospital (HIPAA. 2016. “New York Hospital Fined $2.2 Million for Unauthorized Filming of Patients.” HIPAA Journal. (April 22). Retrieved June 6, 2021 https://www.hipaajournal.com/new-york-hospital-fined-2-2-million-for-unauthorized-filming-of-patients-3402/), Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital (Jessica Davis. 2018. “3 Massachusetts Hospitals Fined Nearly $1 Million by OCR for HIPAA Violations.” Healthcare Security Forum. (September 21). Retrieved June 6, 2021. https://www.healthcareitnews.com/news/3-massachusetts-hospitals-fined-nearly-1-million-ocr-HIPAA-violations).  The disturbing thing here is that hospital administrators and participant healthcare providers not only believed that they did not violate HIPAA; they believed they did not violate social norms.  
This suggests that they were immersed in a deviant subculture; they sported and may still sport a set of beliefs, values, and norms that are inconsistent with the values, beliefs, and norms of the greater society.  If so, if HIPAA were expunged, if there were no other laws to deter providers, and if there were no internal controls, then one would expect that providers who embraced the lax old ways of understanding privacy would again exploit the opportunity to violate the privacy rights of their patients.

*  Evidence could be provided without compromising the identity of shadows by conducting evaluation research and aggregating the data.  None of the programs with which I had contact while doing a participant observation study had done evaluation research that included this information.

On 6/5/2021 at 12:08 PM, JKL33 said:

But we just don't live in a world where every single piece of every single health care interaction can be completed in total and utter privacy at all times. Some of the concerns I understand and sometimes I think people can get preoccupied with this due to their own emotional insecurity when in reality it seems like our private affairs in general are less private than ever before overall. I'd worry about other things well before I'd worry that some other citizen heard a snippet of my health concern or overheard my name while they happened to be in the same place as me attending to their own health concerns and problems. Seems a bit like worrying about a passerby stepping onto one's lawn, meanwhile the house is being burglarized by an actual thief. But that's just me. 

In the first sentence, you seem to be “tilting at windmills” or, more precisely, “attacking straw men.”*  I don’t know anybody who makes a claim that we live in such a world.  I know I don’t.  And, I can envision healthcare providers unintentionally sharing an unwitting patient’s personal information to a thief who uses the information to burgle the patient’s house.

I’m confused by your second sentence.  What point are you trying to make?  You suggest that the preoccupation with privacy issues is due to emotional insecurity and then you correctly assert that the reality is that our “private affairs are less private than ever before.”  But isn’t this exactly what the so-called insecure patient is concerned about?  What you’ve written reminds me of a convict in “Scared Straight.”  To the young men who were the victims of this program, he said: “I wake up every morning wondering if I’m going to have to kill or be killed.  That’s not paranoia, that’s reality.”

I’ll paraphrase what I think your point is.  “Some people go too far in their concern and quest for privacy.  This overzealousness trivializes what I believe to be the more important things in life.  The cause of this overzealousness is emotional insecurity.” 

Now, the average Joe or Jane would probably agree that if a homeowner went bananas over someone stepping on his/her lawn and labels the trespass a privacy intrusion or an invasion of personal space, then that person probably has a personality disorder or emotional disorder.  But maybe you’ve read something on this blog or some other blog that deals with privacy issues in healthcare that you believe are trivial enough to be considered evidence of the emotional insecurity of the poster.  If so, will you tell us readers what it is?

In the meantime, I’ll play the role of those who zealously pursue changes that would bring about greater respect for people’s right to privacy in healthcare and who are labeled by some people in and out of healthcare as overzealous and emotionally insecure.

Martin Luther King was labeled overzealous and, consequently, maladjusted, because of his indefatigable efforts to bring about racial equality via the reduction in racial discrimination and segregation.  Let’s imagine King was also interested in eliminating unnecessary threats to patients’ right to privacy in healthcare settings.  Let’s also say that his detractors labeled him overzealous and emotionally insecure because of his efforts.  Here is how he might have responded: “There are some things within our social order to which I am proud to be [emotionally insecure] and I call upon you to be [emotionally insecure] with me.  I never intend to [feel secure with violations of people’s right to privacy].  The violation of privacy rights is a “glaring evil…  It relegates the [recipient] to the status of a thing rather than elevates him to the status of a person.” It is “not only politically, economically, and sociologically unsound but it is morally wrong and sinful.”  It is “morally wrong because it deprives man of freedom, the quality that makes him a man” and because “it injures one spiritually.  It scars the soul and distorts the personality.  It inflicts the [offender] with a false sense of superiority while inflicting the [offended] with a false sense of inferiority.”

Privacy is one of Americans’ most highly valued rights as evidenced by, among other indicators, its enshrinement in the penumbra amendments of the U.S. Constitution (First, Third, Fourth, Fifth, Ninth, and Fourteenth) which originated with the U.S. Supreme Court’s 1965 decision Griswold v. Connecticut.  It is the Fourth Amendment that is the exemplar of privacy rights; it recognizes “[t]he right of the people to be secure in their persons, houses, papers, and effects.”  The founding fathers, in their vast wisdom, chose to put “to be secure in their persons” (personal privacy) before the right to be secure in, what amounts to, their property (houses, papers, and effects).  However, many if not all healthcare facilities seem to turn this order upside down by imputing greater value to personal property than to personal privacy (e.g., bodily integrity), as indicated by their readiness to unnecessarily compromise the latter while, at the same time, securing even property of little worth (pencils) under lock and key.  And then when they are caught with their hands in the cookie jar, they will invariably, with tortured disingenuousness and in the face of contrary evidence, beseech the public thusly: “Our facility ‘is deeply committed to … protecting the rights of all patients.”**

Americans’ right to privacy is being threatened today on numerous fronts as it never has in my lifetime – by the government, by the courts, by the media, by new technology, and by healthcare organizations.  George Annas recognized the latter in his 1988 publication “Judging Medicine” where he dubs the modern hospital at that time as a “human rights wasteland.”  As many of the privacy rights defended by Annas (e.g., right to refuse medical treatment) but denied to Americans in 1988 became well established, other breaches of privacy rights became emergent (those created by new technologies, demographic changes in healthcare, and the corporatization of healthcare).  Healthcare organizations have been promoted from human rights wastelands to human rights abattoirs. 

And, one last thing, in the U.S., the expressions “nip it in the bud” and “if you give them an inch, they’ll take a mile” tend to be applied to the powerless in society – e.g., to children, poor people, and ethnic/racial minorities.  They tend not to be employed to deter the deviant behaviors of those in positions of authority.  In particular, high-class predators who are in positions of power over others tend to groom their intended victims.  Larry Nassar, for example, began his molestation of Olympic gymnastic hopefuls with what was defined by authorities to whom victims complained as trivial and well within the boundaries of standard care.  They chose to “worry about other things,” if they worried at all.  They worried about other things for 20 years before Nassar was arrested and sentenced to spend the rest of his life in prison for full-blown sexual abuse which could have been nipped in the bud.   

*  “A straw man fallacy occurs when someone takes another person’s argument or point, distorts it or exaggerates it in some kind of extreme way, and then attacks the extreme distortion, as if that is really the claim the first person is making.”

**  Fred Donovan. 2018. “CMS Finds Minnesota Hospital Violated Patient Privacy Rights.” Health IT Security. Retrieved June 8, 2012 https://healthitsecurity.com/news/cms-finds-minnesota-hospital-violated-patient-privacy-rights

On 6/5/2021 at 12:08 PM, JKL33 said:

For clarification: You are researching the actions of mostly entry-level worker citizens/employees and you believe these day-to-day interactions which occur in significantly less than ideal circumstances represent dark figures of HIPAA violations?

Maybe I am misunderstanding but it sounds like you are hoping to catch criminals at the staff/employee level (aka non-decision-making level). How does this play out?

I was trained as a criminologist and sociologist.  Simply put, criminology is the systematic/scientific study of crime and delinquency.  The sociological parallel to criminology is the study of deviance which includes not only violations of laws but also violations of folkways (customs) and mores (morally/ethically important social norms that usually, but not always, are the bases for laws). 

In my role as sociologist/criminologist, I do not catch criminals; I make note of the crimes and other deviancies I observe, am told about by interviewees, or glean from other sources no matter what the status of violators or the conditions under which the violations occur.  I interpret what I observe, look for patterns in my data, create typologies of deviancies, explain them, and ultimately derive ideas for actions designed to ameliorate any problem I identify.  The only actions I’ve learned about that may be among the “dark figures of HIPAA violations” were reported to me by others.  My field observations have not resulted in any evidence of HIPAA violations, if one defines a HIPAA violation as what HIPAA authorities define as a HIPAA violation.

I have not limited my field study observations to those at “the staff/employee level.”  I have observed exchanges I and others have had with doctors, RNs, BSNs, nurse assistants, PAs, MAs, technicians, scribes, chaperones, shadows, company reps, clinic/hospital clerical workers and administrators, students (from elementary to medical schools), hospital/clinic volunteers, hospital/clinic photographers, friends of providers, and family members of providers (including their children).  In one hospital, I and other patients may have been observed by employees who controlled surveillance equipment that videotaped activities in rooms where surgery preps took place, ORs, ERs, patients’ rooms, and other places where patients had a reasonable expectation of privacy.  Regarding the latter, in the conditions of admission document, patients were informed that this surveillance was to protect us and others.  I have personally observed breaches of etiquette (folkways), breaches of mores that are not legal violations, and what can technically be construed as breaches of civil laws (e.g., intrusion on seclusion) and criminal laws (e.g., battery).

 

 

1 hour ago, Charles Barrow said:

I suppose when you write about “the law,” you are referring to HIPAA as well as other federal laws and state statutes.  I would add to that the idea of upholding ethical principles (autonomy, non-malfeasance, beneficence, and social justice), which may loosely be conceived as “the spirit of the law,”

Yes. The applicable laws and the spirit of the applicable laws. That's what I try to do.

1 hour ago, Charles Barrow said:

Unless there are other authoritative sources of social control, such as the Joint Commission, “covered entities” are free to permit shadows to observe patients’ encounters with preceptors without prior consent.

I can't comment further. As I already mentioned I have not personally witnessed any shadows of the nature you're discussing for (?) probably 10 years or more. Zero. That is to say, not only have I not seen any situations where there was a shadow present and I knew that patient permission had not been sought; I just mean no shadows, period.

2 hours ago, Charles Barrow said:

There is irony in your exhortation that “each of us use our best judgment to maintain the degree of privacy possible in our settings.”  Before HIPAA, many providers to whom I spoke about privacy issues tended to sigh, wax philosophical, and say something to the effect, “I guess all we can do is that ‘each of us use our best judgment to maintain the degree of privacy possible in our settings.’”

Despite the irony, that is what I as an individual health care provider can do about this on a daily basis, in addition to advocating for my patients in these and related matters.

 

3 hours ago, Charles Barrow said:

In my personal experience, with few exceptions, of the three conditions listed in the last paragraph, the only one with which providers tend to be most concerned is the third.  That may be because it is the only one required by HIPAA – the law. 

We are trading personal experiences. I haven't at all felt that people are only concerned with the portion covered by the law. In fact as a graduate student who has participated in clinical rotations with all proper trainings in place, signed agreements, legal agreements between my university and clinical sites and the whole nine yards, I have not approached any patient without their express permission for my presence having already been given.

 

3 hours ago, Charles Barrow said:

Moreover, they could not answer the few simple questions I asked them, such as the relationship between privacy and confidentiality. 

I don't know the demographics of those who were shadowing but I would not have thought this a simple question for lay people at all. 

 

3 hours ago, Charles Barrow said:

In retrospect, I wonder if they knew what HIPAA stands for (a question which I have posed to 81 allied healthcare workers). 

Right. And even if they did the way it is named doesn't clearly signal that it has anything to do with privacy or confidentiality anyway. Maybe the reason so many people make the double-P mistake is because somehow it just might have made sense if privacy was accounted for somewhere in the title.

 

2 hours ago, Charles Barrow said:

In the first sentence, you seem to be “tilting at windmills” or, more precisely, “attacking straw men.”*  I don’t know anybody who makes a claim that we live in such a world. 

I don't see it that way. I did purposely describe sort of a superlative of the situation, but I did so because I think it is relevant, not so that I could attack an idea that doesn't exist or is off-topic or that is easy to blow apart. I am trying to understand what you want to see or have happen. I am telling you that with very few exceptions I see people (workers) trying to comply with the law (letter/spirit) and with their facility's individual privacy practices. That is my experience. So when I hear that it isn't good enough or that trying to do our best is merely ironic, I am not sure exactly what more looks like. The posited exaggeration is my attempt to pose that question to you. If you now say that you are not expecting perfect and that perfect is absurd and/or a strawman, I would be interested to know where and how you would draw your lines.

 

2 hours ago, Charles Barrow said:

I’m confused by your second sentence.  What point are you trying to make?  You suggest that the preoccupation with privacy issues is due to emotional insecurity and then you correctly assert that the reality is that our “private affairs are less private than ever before.”  But isn’t this exactly what the so-called insecure patient is concerned about? 

No. My point has to do with my own perception of reasonable vs unreasonable (and I stipulate that is an individual opinion). Preoccupation is preoccupation and that's what I was referring to. I am making a distinction between a scenario where a healthcare provider walks out to a waiting room and starts interviewing a patient about something or announcing test results (clearly inappropriate), vs. a situation where someone is going to report everyone because their name was used when they were called from the waiting room (under usual circumstances would seem a strange thing to get bent out of shape about). Meanwhile, nearly everyone is carrying a cell phone on their person.

2 hours ago, Charles Barrow said:

I’ll paraphrase what I think your point is.  “Some people go too far in their concern and quest for privacy.  This overzealousness trivializes what I believe to be the more important things in life.  The cause of this overzealousness is emotional insecurity.” 

That's pretty close to what I was thinking, although I'm not sure that it is their actual privacy they are most worried about. I believe some of it is a preoccupation with whether rights (or "rights") might have been violated in some way.

3 hours ago, Charles Barrow said:

Privacy is one of Americans’ most highly valued rights

Well, we say that, but here we are living half of our lives online, banking online, using our SSNs in ways that apparently previous generations were promised they wouldn't be used, carrying cell phones wherever we go, and more.

2 hours ago, Charles Barrow said:

But maybe you’ve read something on this blog or some other blog that deals with privacy issues in healthcare that you believe are trivial enough to be considered evidence of the emotional insecurity of the poster.  If so, will you tell us readers what it is?

Example already given. I have read some things, yes, but most have been direct observations.

 

2 hours ago, Charles Barrow said:

However, many if not all healthcare facilities seem to turn this order upside down by imputing greater value to personal property than to personal privacy (e.g., bodily integrity), as indicated by their readiness to unnecessarily compromise the latter while, at the same time, securing even property of little worth (pencils) under lock and key.  And then when they are caught with their hands in the cookie jar, they will invariably, with tortured disingenuousness and in the face of contrary evidence, beseech the public thusly: “Our facility ‘is deeply committed to … protecting the rights of all patients.”**

I don't disagree. However the workers are not the healthcare facilities. If you want to get into the disingenuous and self-serving nature of healthcare facilities (corporations) this conversation could go on indefinitely.

 

2 hours ago, Charles Barrow said:

And, one last thing, in the U.S., the expressions “nip it in the bud” and “if you give them an inch, they’ll take a mile” tend to be applied to the powerless in society – e.g., to children, poor people, and ethnic/racial minorities.  They tend not to be employed to deter the deviant behaviors of those in positions of authority. 

Agreed.

2 hours ago, Charles Barrow said:

*  “A straw man fallacy occurs when someone takes another person’s argument or point, distorts it or exaggerates it in some kind of extreme way, and then attacks the extreme distortion, as if that is really the claim the first person is making.”

Aware. See aforementioned attempt at explanation.

 

2 hours ago, Charles Barrow said:

I have observed exchanges I and others have had with doctors, RNs, BSNs, nurse assistants, PAs, MAs, technicians, scribes, chaperones, shadows, company reps, clinic/hospital clerical workers and administrators, students (from elementary to medical schools), hospital/clinic volunteers, hospital/clinic photographers, friends of providers, and family members of providers (including their children).  In one hospital, I and other patients may have been observed by employees who controlled surveillance equipment that videotaped activities in rooms where surgery preps took place, ORs, ERs, patients’ rooms, and other places where patients had a reasonable expectation of privacy.

I'm making a distinction between those with the autonomy to unilaterally make a decision about what will or will not be allowed (i.e., what a facility's various policies and privacy practices will include); for example, whether or not a non-healthcare student will be allowed to shadow. The majority of those you listed do not have that autonomy.

It bothers me that there is no autonomy at those levels but there is much scrutiny. The main reason I am interacting with you is because I do find this conversation somewhat intriguing but mostly I want to know what you want to see. What is it that you want from those punching a clock or working for a large healthcare corporation and trying to do their best in a system that nearly everybody seems fed up with?

Your post was very, very long and although well-stated you have to understand that it's only fair to get to the point.

What is it that you want to see here?

I am not sure but it sounds like you are at least somewhat concerned with the system and what big players can get away with. I won't argue against that being concerning. It's just that this is a nursing forum. As far as I can tell the business execs drove our train off the tracks some time ago. I think you should go way bigger with your concerns. Way, WAY up the food chain.

Specializes in Professor of Nursing Research and Ethics.
On 6/8/2021 at 7:49 PM, JKL33 said:

I can't comment further. As I already mentioned I have not personally witnessed any shadows of the nature you're discussing for (?) probably 10 years or more. Zero. That is to say, not only have I not seen any situations where there was a shadow present and I knew that patient permission had not been sought; I just mean no shadows, period. 

It is not necessary to have seen shadowing take place to know what HIPAA’s position on the subject is.  There are 8 district offices with district managers who help administer HIPAA.  The district managers are expected to be expert spokespersons for HIPAA and I imagine there is considerable consistency among them regarding what the rules are as they pertain to prior consent for shadows.  The manager with whom I communicated by email clearly stated that shadowing programs are considered by HIPAA to be “health care operations…  [C]overed entities are free to design their own policies and procedures surrounding access to patients’ PHI” for programs that are classified as “health care operations.”  Those who administer shadowing programs may, therefore, decide to require shadows to get prior consent, not require them to get prior consent, get consent under some circumstances but not others, get consent of some patients but not others, etc.  It appears that you have been exposed only to programs that require shadows to get prior consent.  That’s in keeping with the standards set down by the Joint Commission and the AMA’s Code of Medical Ethics.  Apparently, HIPAA authorities are just as “happy” with programs that require consent and those that don’t, all other things being equal.

Authors of many publications who have been shadows or have administered shadowing programs express the mistaken belief that HIPAA requires prior consent before shadows can observe.  They make this assumption probably because they believe HIPAA is supposed to function to protect patients’ privacy rights; not getting prior consent, they believe, violates those privacy rights.  Administrators of shadowing programs who believe this fiction require shadows to get prior consent.  Other administrators of shadowing programs are aware of HIPAA authorities’ position and, if they are so inclined, don’t require shadows to get prior consent.  An interesting empirical question is, how would administrators of shadowing programs who require prior consent because they believe HIPAA requires it behave if they found out they were, in fact, “free to design their own policies and procedures surrounding access to patients’ PHI.”  Would they keep the requirement, drop it, or modify the shadowing program in some other way?  

 

On 6/8/2021 at 7:49 PM, JKL33 said:

I don't know the demographics of those who were shadowing but I would not have thought this a simple question for lay people at all.

These were laypeople who, in order to shadow, were required to complete HIPAA workshops (some facilities don’t require this) where the concepts privacy and confidentiality were used.  One would think that they would have been taught to make a distinction between the two.  Of course, the answer to one question is not sufficient for determining how well respondents understand HIPAA.  I have interviewed some providers who think that HIPAA has virtually everything to do with the protection of PHIs in written/electronic form (e.g., EMRs) and verbal form (talking about PHIs only to those who have a need to know) but virtually nothing to do with the protection of personal privacy (e.g., getting consent to observe or photograph treatment).  It seems to me, rightly or wrongly, that HIPAA is heavy on the former and light on the latter.  I’d hypothesize that an assessment of the punitive actions taken by HIPAA authorities against offending healthcare organizations would support this hypothesis. 

On 6/8/2021 at 7:49 PM, JKL33 said:

I am telling you that with very few exceptions I see people (workers) trying to comply with the law (letter/spirit) and with their facility's individual privacy practices. That is my experience. So when I hear that it isn't good enough or that trying to do our best is merely ironic, I am not sure exactly what more looks like. The posited exaggeration is my attempt to pose that question to you. If you now say that you are not expecting perfect and that perfect is absurd and/or a strawman, I would be interested to know where and how you would draw your lines.

You see “with very few exceptions, people trying to comply with the law and with their facility’s individual privacy practices.”  I see the same thing.  But I also see people who violate folkways, mores, laws, and their facilities’ privacy policies.  I see clinics that have practices based on policies that are legally and/or ethically questionable and to which their providers conform.  I see people who work in facilities that have no privacy policies other than HIPAA and others that work in facilities that have their own privacy policies in addition to HIPAA.  I draw no lines regarding what I observe around me.  I stay as focused and as attentive as I can when I interact with others in healthcare facilities because it’s from them that I gather my data.  The majority of them do not violate rules that govern social behavior, ethical guidelines, and legal requirements.  Those who study deviance, however, tend to be interested in the exceptions; it’s the deviance they want to understand.

I didn’t suggest that your and your colleagues’ efforts to comply with the law aren’t “good enough.”  How could I?  I’ve never seen you or them in action to make that determination.  Nor did I claim that “trying to do [your] best is merely ironic.”  The irony is that before HIPAA, I knew providers who said the same thing as you wrote about privacy but had different and varying understandings of the word, possibly because, in part, its meaning was not standardized by some regulatory agency, such as HIPAA, as it is now.

On 6/8/2021 at 7:49 PM, JKL33 said:

That's pretty close to what I was thinking, although I'm not sure that it is their actual privacy they are most worried about. I believe some of it is a preoccupation with whether rights (or "rights") might have been violated in some way.

Privacy is generally conceived as a right by medical ethicists.  It is likely to be discussed beneath the more general right to autonomy along with the rights to informed consent, dignity, self-determination, bodily integrity, none of which is mutually exclusive.  Some healthcare organizations give patients a “Patient Rights and Responsibilities” document which supplements an explanation of HIPAA.  The rights listed usually include the right to be treated with respect, the right to privacy, the right to refuse treatment, the right to dignity and the like.  If an organization knows there is a patient responsibility (e.g., follow clinic policies) that trumps a patient right (e.g., privacy), it is ethically and sometimes legally obligatory to inform the patient of the gap so s/he can make an informed decision about whether or not to seek care at that facility. 

On 6/8/2021 at 7:49 PM, JKL33 said:

Well, we say that, but here we are living half of our lives online, banking online, using our SSNs in ways that apparently previous generations were promised they wouldn't be used, carrying cell phones wherever we go, and more. 

I won’t quibble with that.  You’ve recognized a gap between what Americans value and what modern life affords them.  If you go to HIPAA Journal and read about HIPAA violations that have been addressed by HIPAA authorities, you’ll probably conclude that the largest percent of them involve irresponsible behavior by some people in healthcare that has led to the release without consent of 1000s of EMRs.  

On 6/8/2021 at 7:49 PM, JKL33 said:

Example already given. I have read some things, yes, but most have been direct observations.

You know of a patient who took umbrage at his/her name being called out in a waiting room and filed a complaint with the facility or with HIPAA?  Appears to be an overreaction -- an effort to make a tornado out of an innocuous breeze.

 

On 6/8/2021 at 7:49 PM, JKL33 said:

I'm making a distinction between those with the autonomy to unilaterally make a decision about what will or will not be allowed (i.e., what a facility's various policies and privacy practices will include); for example, whether or not a non-healthcare student will be allowed to shadow. The majority of those you listed do not have that autonomy.

You asked me if I was “researching the actions of mostly entry-level worker” and if I was “hoping to catch criminals at the staff/employee level.” I listed the statuses of all the people with whom I have had exchanges in healthcare facilities.  I don’t count the number of each when I go to a facility.  However, were I to guess with whom, overall, I have had the greatest contact, it is probably not with physicians and highly paid administrators of healthcare organizations.

On 6/8/2021 at 7:49 PM, JKL33 said:

What is it that you want to see here?

Here are two things, among others, I want to see.

I want to see to what extent the “mortification of the self” (replacement of one’s identity with another to accommodate to social changes) occurs in healthcare facilities in which exchanges tend to be ephemeral (e.g., outpatient facilities, clinics) rather than in “total institutions” (e.g., in-patient hospitals, psychiatric hospitals) where exchanges tend to be long-lived (see Erving Goffman, Asylums). 

I also want to see whether or not there is a gap in healthcare organizations between ideal norms and real norms, to what extent do those gaps occur if they exist at all, and in what social situations do they happen.

On 6/8/2021 at 7:49 PM, JKL33 said:

I am not sure but it sounds like you are at least somewhat concerned with the system and what big players can get away with.

You are correct.  I also write about the influence of healthcare organizations’ non-material culture (values, beliefs, norms, language).  Most of the data I collect has to do with interactions among individuals in healthcare settings.  In other words, my research is social psychological in nature.  One can make hypotheses about the system, structure, or institutionalized practices of an organization by noting patterns of social exchanges that occur between and among players in the organization. 

In some of the things I write, I reference others who address social systems and their effects in and across organizations and institutions.  James Stewart’s book Blind Eye was as much about how the system opened up opportunities for Dr. Michael Swango to kill dozens of hospital patients as it was about Swango himself.  Charles Graeber did pretty much the same in his book The Good Nurse about Nurse Charlie Cullen who may be the most prolific serial killer in the U.S., having murdered as many as 300 hospital patients.  Dr. Steven Miles (Oath Betrayed: Torture, Medical Complicity, and the War on Terror) wrote about how the system made it possible for doctors at Abu Ghraib to violate their Hippocratic Oath.    

On 6/13/2021 at 12:26 AM, Charles Barrow said:

These were laypeople who, in order to shadow, were required to complete HIPAA workshops (some facilities don’t require this) where the concepts privacy and confidentiality were used.  One would think that they would have been taught to make a distinction between the two. 

Having attended numerous employer presentations of HIPAA I have never encountered a presentation where the presenters seemed to concern themselves with any degree of nuance. They are there to scare everyone, which they accomplish by dumbing it all down so much (improperly oversimplifying) that people are practically afraid to take care of patients. Read this question I recently answered elsewhere on this forum for an example of my assertion. In my experience questions and concerns like this are very common.

On 6/13/2021 at 12:26 AM, Charles Barrow said:

Those who study deviance, however, tend to be interested in the exceptions; it’s the deviance they want to understand.

I see. That is noble on some level but I can't help you understand deviance other than to say I reserve my nursing judgment and believe there probably are situations out there where I would deviate if I had weighed out the ethical conundrum and felt that deviating was the lesser of two evils.

On 6/13/2021 at 12:26 AM, Charles Barrow said:

You know of a patient who took umbrage at his/her name being called out in a waiting room and filed a complaint with the facility or with HIPAA?  Appears to be an overreaction -- an effort to make a tornado out of an innocuous breeze.

I don't know what they do after they leave but sometimes yes they do make quite a scene about matters such as that one or others at that level of importance, if you will. I am not sure if it's an overreaction or just a completely inappropriate attempt to scare, threaten and manipulate others under the guise of one's "rights." When it happens, it is usually some sort of public performance (waiting area, nurse's station, hallway, etc) so that other patients can be led to believe some major crime has been committed. This is on the level of people who scream about how someone will be hearing from their lawyer.

On 6/13/2021 at 12:26 AM, Charles Barrow said:

However, were I to guess with whom, overall, I have had the greatest contact, it is probably not with physicians and highly paid administrators of healthcare organizations.

I was curious about your interests because one of the examples was patients placed in cubicles that were deemed to be unnecessarily near each other--which is an act that would have been done by a harried RN or assistive personnel, not a physician or high level admin.

By the way, I don't know why they did that and I am usually aware of those types of things as a nurse. However, I believe many things like this have at least some roots that go beyond the staff level. For example, occasionally when seated in a restaurant I have been seated near another table when there were many open tables. I sat there and asked myself why anyone would do that, and then recognized that it probably had to do with efficiency and workflow or something like "this" group was "that" waiter's assigned tables so that's where "his" customers were seated. The same could be true in an ED or clinic. Nurse A has these cubicles and Nurse B has those ones over there. I don't know, but I am sensitive to perceived criticism from anyone not intimately involved--for these types of reasons, and because of the incredible amount of inane, like utterly ludicrous stuff that admin is capable of coming up with and then the staff is just there looking like uncaring idiots because of it.

On 6/13/2021 at 12:26 AM, Charles Barrow said:

I also want to see whether or not there is a gap in healthcare organizations between ideal norms and real norms, to what extent do those gaps occur if they exist at all, and in what social situations do they happen.

I think there are. I think our whole system overlooks obvious opportunities for abuse, pretends they won't happen, makes a few examples here and there (that are either outrageous or in some other way noteworthy) and calls it good. For starters I have a hard time understanding how there is actual confidentiality and privacy when one corporation is allowed to own tons of healthcare facilities in a region, own the largest insurance provider, employ 30K or 40K people throughout the region who are also patients and have health insurance provided by the employer who also provides the health care and pays for it (not specifics, just the situation in a nutshell). So my perspective is that I don't care about who sits near me in a cubicle or who wants to shadow for a reasonably valid reason, I care about things like ^ this.

I can appreciate your work. But there are things that concern me much more than the examples you have given. Were I to investigate gaps between ideal and reality I would be interested almost exclusively in the executive/administrative piece of the picture in hopes of filling in some of the gaps of how they have abused so many laws, regulations and guidelines to serve their interests while destroying those around them. Here's another example of abusing the idea of "healthcare operations." I know of another situation in a bunch of outpatient specialty clinics where nurses are now supposed to call patients not even under the guise of healthcare but just making a social call solely  under the pretense that it would be good for business. It is specifically not to be a health-related phone call. Just "Wanted to say hi" I guess (??).

So in my humble opinion you should look into these kinds of things.

Specializes in Professor of Nursing Research and Ethics.
On 6/13/2021 at 9:21 PM, JKL33 said:

Having attended numerous employer presentations of HIPAA I have never encountered a presentation where the presenters seemed to concern themselves with any degree of nuance. They are there to scare everyone, which they accomplish by dumbing it all down so much (improperly oversimplifying) that people are practically afraid to take care of patients. Read this question I recently answered elsewhere on this forum for an example of my assertion. In my experience questions and concerns like this are very common.

Exactly!  You’ve confirmed one explanation for why shadows may not be able to answer questions relevant to HIPAA.  I’ve not been able to find any published evidence one way or the other on shadows’ understanding of HIPAA following the workshops they’ve taken.  The few shadows to whom I have spoken who remember being asked a few questions following HIPAA workshops said that they could have answered the questions correctly before they took the workshops.

I’d also like to add that knowledge of the number of fines imposed by DHHS on hospitals for privacy violations committed by professional healthcare providers should give us pause when directors of shadowing programs try to reassure us that shadows (who tend to be younger than seasoned professionals and, as you say, are laypeople) can be trusted with private information.  This is an assumption they make; they have no evidence of its veracity.  Even more telling is that a majority of shadows admit that they never had any HIPAA training to help prepare them for their shadowing experiences.  More specifically, Erik Langenau and his co-authors found that among the osteopathic students studied who had shadowing experiences before medical school, 48% were first required to undergo HIPAA training; only 40% of osteopathic students who shadowed while in osteopathic school reported that they were required to first complete HIPAA training. (2019. Survey of Osteopathic Medical Students Regarding Physician Shadowing Experiences Before and During Medical School Training. Journal of Medical Education and Curricular Development.)

On 6/13/2021 at 9:21 PM, JKL33 said:

I can't help you understand deviance other than to say I reserve my nursing judgment and believe there

I already understand deviance at several levels of explanation.  For any number of reasons, the study of deviance and crime in the healthcare institution has been largely neglected.  There is a lot of descriptive stuff but few efforts at explanation.  In fact, although the words you’ve written don’t add anything to what is already known about the etiology of deviance and crime, they do constitute a reiteration of some of that knowledge.

On 6/13/2021 at 9:21 PM, JKL33 said:

I don't know what they do after they leave but sometimes yes they do make quite a scene about matters such as that one or others at that level of importance, if you will. I am not sure if it's an overreaction or just a completely inappropriate attempt to scare, threaten and manipulate others under the guise of one's "rights." When it happens, it is usually some sort of public performance (waiting area, nurse's station, hallway, etc) so that other patients can be led to believe some major crime has been committed. This is on the level of people who scream about how someone will be hearing from their lawyer.

Funny, I can’t think of a better example of an overreaction to someone calling out a patient’s name in the waiting room than what you’ve given.  But, really, in order to make a determination of the propriety of calling out a patient’s name in a healthcare clinic’s waiting room, I’d have to have more information than you’ve provided. 

HIPAA addresses the issue in “HIPAA Waiting Rooms” 2021 Compliancy Group https://compliancy-group.com/HIPAA-waiting-rooms/ It does not give specifics but does appear to afford providers considerable discretionary latitude by defining the calling out of names “incidental disclosures” and mandating only that a facility put in place “reasonable safeguards to protect the privacy” of PHIs (of which patient names are a part) such as “implementing technical solutions to mitigate risks and workforce training.”  In my experience, one technical solution is to give each waiting-room patient a mechanical alert, hand-held device that beeps or flashes when providers are ready for a patient.  Short of that, beckoners call out first names or last names preceded by customary titles of Mr. or Ms.  I don’t believe I have ever heard a beckoner call out both first and last names. 

In my opinion, any intervention on the part of authorities to a pattern of privacy breaches in a facility – whether they be by internal compliance officers, Joint Commission site visitors, or HIPAA representatives – the response should be measured and proportional to the seriousness of the breaches.  For example, to show maximal respect for patients, facility administrators may train their staff to use formal titles when calling out names – e.g., Dr., General, Senator, President so-and-so.  The desire to show maximal respect to patients by using their formal titles may be perceived as commendable but, at the same time, wrongheaded because of the ease with which they could be tracked down by people with malevolent intent.  By way of illustration, in Oath Betrayed: Torture, Medical Complicity, and the War on Terror, Steven Miles, M.D. (and in his other publications) gives the names of physicians at Abu Ghraib whose major task was to keep prisoners alive so that they could be tortured and humiliated.  I was able, within minutes, to track down a number of these physicians.  I found out where they lived, where they did business, what they had done since the Abu Ghraib debacle, things about their families and their lives before becoming physicians, patient evaluations, whether any grievances had been levied against them, etc.  Were members of some healthcare regulatory organization to get wind of this practice by a facility, it would probably be considered by most to be too heavy-handed to slap the facility with a big fine and more even-handed to inform them of the possibility, albeit remote, of negative consequences of their practice and to recommend ameliorative changes.
They may also respectfully recommend that a facility explain to patients in writing why its modified policy is what it is and that if providers want to show maximal respect to patients by using their formal titles, it would be best to do so in private places rather than public places such as waiting rooms. However, were the facility to obdurately continue its practice unabated, more punitive sanctions could be in order.

My previous suggestion that breaches of privacy be nipped in the bud is pertinent to this discussion.  Borrowing from deterrence or rational choice theory, I have in the past suggested that predatory crimes committed by healthcare providers will diminish in frequency were they nipped in the bud.  Healthcare predators groom their prey just as other predators do.  The predatory behaviors of Larry Nassar, for example, may never have reached the level they did had the healthcare community collectively come to the defense of his victims.  Instead, except for a few who worked closely with him, they came to his defense and did so, in some cases, viciously – for about 20 years.  For example, Malcolm Gladwell writes, “Many people close to Nassar backed him even after [a newspaper ‘published a devastating account of Nassar’s record’].  Nassar’s boss, the Dean of Osteopathic Medicine at Michigan State, allegedly told students, ‘This just goes to show that none of you learned the most basic lesson in medicine, Medicine 101…..Don’t trust your patients.  Patients lie to get doctors in trouble’” (Talking to Strangers, p. 127).  I know more than a few physicians who took this lesson to heart.  One boldly told me, “If anyone wants my services, they can only get them with my chaperone present.  They have no say in the matter.”  The irony is that Nassar committed some of his crimes in the presence of other healthcare providers who stayed mum rather than incur the wrath of Nassar and his defenders.

On 6/13/2021 at 9:21 PM, JKL33 said:

I was curious about your interests because one of the examples was patients placed in cubicles that were deemed to be unnecessarily near each other--which is an act that would have been done by a harried RN or assistive personnel, not a physician or high level admin.

The anecdote I gave involved the surgeon, the anesthesiologist, three nurses and maybe a tech.  They first prepped me and then the patient in the cubicle next to mine.  In the earlier anecdote I wrote about the young lady who inadvertently shared information about her sex life with me, there were just the two of us in the entire ER along with a physician who was interviewing her.  These episodes were not a consequence of “a harried RN or assistive personnel” in which physicians were uninvolved.  Indeed, it was clear to me that these behaviors were institutionalized (part of the system of care).  Being harried, harassed and hoary may increase the likelihood of privacy breaches, but they are neither necessary nor sufficient explanations for them.

On 6/13/2021 at 9:21 PM, JKL33 said:

I think our whole system overlooks obvious opportunities for abuse, pretends they won't happen, makes a few examples here and there (that are either outrageous or in some other way noteworthy) and calls it good. For starters I have a hard time understanding how there is actual confidentiality and privacy when one corporation is allowed to own tons of healthcare facilities in a region, own the largest insurance provider, employ 30K or 40K people throughout the region who are also patients and have health insurance provided by the employer who also provides the health care and pays for it (not specifics, just the situation in a nutshell). So my perspective is that I don't care about who sits near me in a cubicle or who wants to shadow for a reasonably valid reason, I care about things like ^ this. 

Of course the ways social systems are organized and structured help determine people’s behaviors or, in the words of Emile Durkheim, social facts determine psychological facts.  However, just because social systems help determine people’s behaviors, it does not necessarily absolve individuals of responsibility and accountability for their actions. Explanations are not the same as justifications; they impute empirical responsibility while justifications impute moral responsibility.  Retributive justice demands that the little guy pay for his crimes commensurate to the damage he has done and ditto for the big guy.  When retributive justice is served, however, it (and injustice) is more likely to be served to the little guy than the big guy.  For example, the book has been thrown at members of the illegal drug trade who took advantage of the opioid crisis reportedly created in large measure by members of the Sackler family who, so far, have not been held accountable for their role in creating the crisis. (See Beth Macy. 2018. Dopesick: Dealers, Doctors, and the Drug Company That Addicted America.)  Indeed, prosecutors have reportedly not been able to find a law under which they can be prosecuted.

Specializes in Physiology, CM, consulting, nsg edu, LNC, COB.
On 6/13/2021 at 12:26 AM, Charles Barrow said:

An interesting empirical question is, how would administrators of shadowing programs who require prior consent because they believe HIPAA requires it behave if they found out they were, in fact, “free to design their own policies and procedures surrounding access to patients’ PHI.”  Would they keep the requirement, drop it, or modify the shadowing program in some other way? 

No matter what, they would still be subject to adhering to the privacy rules, and so would be smart to protect themselves by developing and enforcing policies to keep their institution in compliance. This would include training shadows, students, and volunteers. 

Specializes in nursing ethics.

HIPAA-Potamus!

Seriously, last year as I sat in the waiting room of my doctor, a nurse's aide walked in and told me-- so everyone heard-- the name of my intimate procedure! Another patient turned to look at me. That's a violation, isn't it?
