Potential to Violate, Employer says it's ok.

Nurses HIPAA

Published

Sorry for the long post, but detailed explanation is required.

I'm not a nurse. I'm a lab technician. I travel between LTC facilities to collect samples. During regular office hours, clients call the special "phlebotomy line" which is a cell phone number, and a live person picks up and dispatches technicians as needed. But, after regular office hours, which is the shift I work, they call the line and leave a message and the on-call person calls the phone, retrieves the messages, and calls them back. The on-call technician is required to check the messages every 15 to 20mins. If we don't return the call within 20 mins, they call again, and if in another 20 mins they don't get a call back, they are to call the supervisor. This process can be problematic for a number of reasons but, in my opinion, it's the potential for HIPAA violations that is the worst. I'll explain why.

Sometimes, that 15-20 min mark comes (and goes) while the on-call person is inside another facility. It's not always "in and out" for many reasons; difficult draw,staff unaware of any needed labs, patient whereabouts is unknown, even just little details like missing ICD codes or DOBs on lab reqs and an authorized staff member not immediately available to remedy that. Some facilities you can expect to be there for 30-45 mins for just one tube just because of a lack of professionalism and organization.

In those instances, I can find myself needing to call and check messages while in the facility. As I'm on a cell phone myself, the potential for others to hear the message or the conversation exist. And, as it's often loud in nursing facilities, I have to turn up the volume so I can hear it. (There's also the times when in the car, using the car blue tooth, with the windows rolled down...I don't do that because of the privacy issue, but others do). Use of facility phones is not always possible, either all phones are in use, or it's not permitted by the facility.

Occasionally, a person leaving a message will include patient identifying information in the message. First, Last, Room #, DOB, medical record number, Even the REASON they need blood work. I, personally, do not need all the information over the phone to do the duties of MY job. I'm not sitting at a computer order this lab work. All I need to know is Where, what unit I'm going to, and what labs need to be drawn so that I(or the person drawing the next day) can be sure to have all the supplies and equipment needed, ie: special tubes, something I might be low on currently as it could be hours between lab drop offs, special handling or return times so I know how to plan my route and manage my time. A person leaving that information is rare, so that's proof enough that I don't need it in a message.

Yes, the lab(processing, hemo, etc.) does need to know all this information, but that information is on the lab requisition. We can't return tubes to the lab without a requisition, and I certainly can't draw the lab without the requisition, so I feel that leaving this information in a message is not only unnecessary, but has the potential to set ME up for a HIPAA violation if someone should happen to hear any part of that message I'm listening to on my cell phone. Nurses, especially DONs in LTC facilities are well-known for filing ridiculous complaints about "lab girls" so I am always minding my P and Qs. Just the fact that I'm using a cell phone at all in nursing home can trigger a complaint, BECAUSE of the potential for overheard background conversations that include patient information. And on that point, I completely agree with the facility.

Well, last night, we had another of those Patient Identifying information messages, and when I called back, the RN that left the message had already left for the day and did not communicate to anyone else that she had called or why. So, when I returned the call, the receptionist could not answer my, "What are we drawing," question. She wanted patient name. Well, I don't have that, I'm in the car, I didn't write any of that down. Actually, she thought I was calling with results and I couldn't get her to understand that was not what I calling for, and besides, she's the receptionist, we can't tell her results anyway because HIPAA, and she was getting "testy" with me about it. So, I asked for RN on duty. When I got her on the line, I told her, "Just BTW, you don't have to leave patient names, date of birth, etc. on the message. If I need it before I get there for some reason, I get that from you when I call back, but because I'm on a cell phone, it's not always secure on my end and I don't want a HIPAA violation. Most of the time, all I need to know is where, when, and what." That nurse said she would leave the other nurse a note. Well, I don't know what that note said, but I got a call from my Supervisor this morning. "Did you tell so-and-so that our phone line is not secure?"

Well, yes, technically, I did. Maybe my choice of "secure" was not the best choice of words. I admit, I should have said something like, "I'm not always in a private place." But, the fact is, it's a cell phone. And, if we aren't allowed to text patient information, or write patient names in our day book (list of facilities that need draws that day), because someone who does not need to know that information to do their job might see it, then I don't think putting the lab tech into a position where she may be in a public setting and need to listen to a message containing patient information over a CELL PHONE is OK, either.

Well, my supervisor is pissed. Now the nursing home thinks they aren't calling a secure line. Well, they aren't. It's a CELL PHONE. They should know that. CELL PHONES are NOT secure. Anyone who thinks they are needs a lesson is technology. No, it's not my fault if they leave the information, but it COULD be if someone who isn't suppose to hear that information, hears it and it could be MY job on the line for it. And, it could be theirs as well.

I do NOT need to know that information to do MY job in that moment. Technically, I don't even need to know the medical record number or dx code, either. As I said, I'm not ordering this on the computer. I'm bringing the information back to the people who do need to know it. All I need to do is to make sure it's on the requisition. But, if it isn't, I don't chase facility staff down for it, because I don't need to know it. When I turn in the lab without the MR or ICDs are missing, it's processing's job to call the facility to get it because THEY need to know it. Not me. Yes, I need to know the patient name, room number, date of birth, to verify I'm drawing the correct person, but I DON'T need to know that until I get to the facility to draw it.

So, my boss is considering a disciplinary action based on what the nursing facility told her about what I said. I do not think I'm wrong here. Especially since, I know, full well, that if I were to get reported for someone overhearing that message, my supervisor and company would NOT stand behind me and say, "Well, she needed to know that information to do her job." That doesn't stand when the person who needs to know that allows or creates a potential for persons who don't need to know that to hear it. It's STILL a HIPAA violation.

Am I right or am I wrong? Any advice on this issue is appreciated.

Up Vote Up Vote ×
Specializes in Emergency, Telemetry, Transplant.

I can't really get into everything, but in terms of what you need to do:

1. If you are in a facility and talking a call or listening to a VM--it is your responsibility to find a private place if you are concerned that some random person might hear the message if you are in public. You can say what you want about it being a cell phone, about it not being secure (which I'm not sure is actually true, but I am not a tech whiz), about what patient information was left on the VM and what should not have been left. However, if someone overhears that message, that is as much on you as anyone.

2. If you are in your car, pull over and take the message. May not always be convenient, but there are lots of things with HIPAA and with sharing of information that are inconveniences.

3. When you call a facility--"hi, this is hbic3 from the lab. May please speak to the RN on duty about a lab draw that I was called about." If the receptionist continually gives you a hard time, talk to you supervisor and tell her "when I call XYZ facility, the receptionist is giving my a hard time about getting a nurse on the phone." In truth, the nurses at the facility may be giving the receptionist a hard time about transferring pointless calls to them, especially when nurses are busy. A friendly heads up from your supervisor to the DON at the facility may be all it takes to get through more easily.

4. Leave the "lecturing" of the facility about the ins and outs of HIPAA to your supervisor. Even if it is well intentioned (and not truly a lecture) it can get taken the wrong way, and it sounds like it was.

Up Vote Up Vote ×
Specializes in Emergency, Telemetry, Transplant.

One other thing...we were having planned downtime at work. There was a question about whether physicians could take a picture of an EKG or a radiology image and text it to another physician (they communicate a lot by text regardless). Someone questioned if this was secure. The IT guy in the room said that all Apple text were encrypted, and, thus, secure (he only specified Apple). For those more in the know about such things that I: is that true about Apple? Are texts secure? What about other systems/providers?

Up Vote Up Vote ×
Specializes in Critical Care.

There's no HIPAA violation there. To be HIPAA compliant, a secure voice messaging system must be used, but it's not non-secure just because you're accessing it using a cell phone. As for the information being left on the secure voice mail system, it's reasonable to leave appropriate identification and indications for the test, it not necessary that they precisely predict what of that information you won't be interested in and to leave that out.

Up Vote Up Vote ×

Girl, you are going to wear yourself out.

Life.Is.Too.Short.

I promise.

Although patient privacy and confidentiality is paramount, I *will not* work in a situation where half the people are more worried about "Gotchas" than taking excellent care of patients.

1) Never use your personal phone. Never.

2) The message system/service needs to be secure, and you need to keep your work phone (aka your employer's property which contains PHI) secure.

3) For the love of all that is holy, go to a private place to listen to messages. What are you doing, listening on speaker function?? Get some ear buds, problem solved! Or just hold the phone securely to your ear.

I tend towards the careful rule-follower type, and this saga has exhausted even me - just reading it.

You seriously cannot go on like this.

Up Vote Up Vote ×
Specializes in Complex pedi to LTC/SA & now a manager.

Dont assume the cell phone or voice mail system is not HIPAA compliant. First mistake. Get a headset don't use Bluetooth with the windows open would it kill you to pull over to take the messages and call facilities?

You are barking up the wrong tree your job is to keep your phone secure and find a private area. You were wrong to admonish the nurse. Accept responsibility for your error

Up Vote Up Vote ×
Specializes in Emergency, Telemetry, Transplant.
You were wrong to admonish the nurse.

Exactly. There is another thread currently active on AN where an ED nurse lectured an Urgent Care nurse on HIPAA. That ED was approached by his NM, and the ED took it as the UC nurse ratted on him, including making up details of the call. Not sure how it exactly went down, but I see a similar situation here.

The nurse that you (the OP) talked to may have told the DON of the facility "Hbic from the lab called to tell us how what information to put in and not put in our voicemails to her. She said we were violating HIPAA." The DON may have interpreted this as some lab tech is being a know it all and trying to tell my nurses what to do. You may have had the best of intentions, but it really is not your place to get in the middle of it.

Up Vote Up Vote ×

I did not admonish the nurse, first of all. You're wrong for admonishing me for something I didn't do. I told her the information wasn't necessary for message. I also didn't lecture. I just said that *I* didn't want a violation. I didn't say it was a violation, or "Section A, article 2 of the HIPAA laws says....." Don't twist it. Don't assume the messaging system isn't HIPAA compliant....I'm not going to assume it IS either. The phone number doesn't go to some landline phone at the brick and mortar lab. It's a cell phone. It's not just that I'm accessing it by cell phone, the number, phone and messaging system IS a cell phone. We don't get to use "company property phones." We are to use our own cell phones. The boss keeps the cell phone to which the number and messaging system is attached. I have an ear piece, when it's too loud where I am, I can't hear, the speaker function isn't facing out towards the general public AND as I CLEARLY stated, I don't use the car blue tooth for that exact reason, AND, as I am not an employee of these facilities, I am NOT allowed in areas that would be considered "Private" unless they are patient rooms and I'm attending the patient. In some, we're not even allowed to move anywhere in the building without a staff escort, except to walk to and from the entrance to and from the office. We are also not allowed to use staff or resident bathrooms, only the public bathrooms, which are by no means private. Pull over.... Um, if I'm supposed to call every 20 mins and I've been in one facility for 45 mins, how do I pull over? I'm not even in a car. I'm inside a facility. Talk about lecturing.....

Up Vote Up Vote ×

BTW, the lab manager did ask me into her office to discuss the issue and she AGREED with me. These things were not considered when the on call system was set up because they don't do the job and don't actually know the challenges we face. They also don't ask us before they put a new plan in place and that has to change. We both agreed that my use of the word "secure" was a poor choice, but my concerns about patient privacy was valid and the way our on call phone line is set up isn't "perfect," so I will NOT have any disciplinary action for trying to protect patient information. The solution is to not call to get the messages while inside the facility and should the supervisor get a call from a facility saying they've not gotten a response, she is to explain that the on call tech is probably tied up in another facility and to take the message herself and pass it on to the tech.

Up Vote Up Vote ×

We exclusively use cell phones in my work as a visiting nurse. It is not a privacy violation to use a secure messaging service, even if you access it with a cell phone. You do have to ensure you do not take calls/voicemails where others can over hear you to protect privacy.

Up Vote Up Vote ×

I understand your concern about privacy and information that could unintentionally get out. I believe the nurse was giving you the information that he or she thought would help make it easier for you. On the other hand, I understand where your concern lies with your messenger system and security of the phone. How you come off to someone could be so different to what you thought. Plus how people want to understand your words is not always in your control. Amazing how things could be misinterpreted so its very possible a nurse or receptionist told her DON that you sounded rude even though you were not. I am glad you have found a solution and that you are not getting any disciplinary action.

Up Vote Up Vote ×
Specializes in Emergency, Telemetry, Transplant.
I have an ear piece, when it's too loud where I am, I can't hear, the speaker function isn't facing out towards the general public AND as I CLEARLY stated, I don't use the car blue tooth for that exact reason, AND, as I am not an employee of these facilities, I am NOT allowed in areas that would be considered "Private" unless they are patient rooms and I'm attending the patient. In some, we're not even allowed to move anywhere in the building without a staff escort, except to walk to and from the entrance to and from the office. We are also not allowed to use staff or resident bathrooms, only the public bathrooms, which are by no means private. Pull over.... Um, if I'm supposed to call every 20 mins and I've been in one facility for 45 mins, how do I pull over? I'm not even in a car. I'm inside a facility. Talk about lecturing.....

You have already said people make 'ridiculous complaints about "lab girls."' Don't put yourself in a position that they will complain that you made patient information public. Your claim of "I can't get to somewhere private" will hold no water. Even if it means locking yourself in your car, don't even listen to messages in a public area if people can possibly hear your VM.

As for pulling over: you were the one who brought up the fact that you were in a car and that is why you could not remember the details of a message. If you are actually not in a car, then I guess it's a moot point.

You may not think you were lecturing, but it may have come across that way.

Glad you won't have any disciplinary action...you certainly did not deserve any.

Up Vote Up Vote ×
+ Add a Comment