Privacy

1
Privacy Confidentiality

• Amberleigh Artus
• Lisa Cyopeck
• Kim Helmer
• Jenn Farr
• Jessica Ranger
• Chrissy Sullivan
• Natalie Westerlund

2
What is Nursing?
  The professional practice of a nurse.
3
What is a profession?
A controlling occupation which has a status of
superiority and precedence within a division of
work
4
Nursing as a Profession

• Professional standards are authoritative
  statements used by the profession in describing
  the responsibilities for which its practitioners
  are accountable. Standards are an organizations
  interpretation of the professionals competency
• Nursing is a profession encompasses educational
  preparation for the nurse, a body of knowledge,
  service to society, autonomy, and a code of
  ethics
• The code is organized around seven primary
  values
• Health and well-being - Choice
• Dignity - Confidentiality
• Fairness - Accountability
• Practice environments that are conducive to
  safe, competent, and ethical care.

5
Nursing as a Profession
The CNA assists and supports provinces in the
development of standards of nursing practice,
education and ethical conduct. It initiates and
influences legislation, government programs and
national and international health policy. It
establishes and supports research priorities,
facilitates information sharing, and represents
the profession to health groups, government
bodies and the public
6
What is Confidentiality?
Confidentiality is defined as The ethical
principle or legal right that a physician or
other health professional will hold secret all
information relating to a patient, unless the
patient gives consent permitting disclosure.
7
What is Privacy?
Privacy is the right to remain alone with no
disturbance from outside and to choose treatments
according to personal preference.

• Confidentiality is a type of informational
  privacy in that it prevents re-disclosure of
  information previously shared within a
  confidential relationship.
• They differentiate privacy and confidentiality
  in terms of how each is violated. Privacy is
  violated when an unauthorized person gains access
  to another persons private information, whereas
  confidentiality is violated when someone
  discloses private information about a person to
  another person without the first persons consent.

8
Why Privacy and Confidentiality?
1. When professionals keep patients information
private, they promote effective medical treatment
by establishing trust in the patient/provider
relationship. 2. An implicit obligation is
entailed in the sharing of private information by
a patient with a provider. The provider has a
duty to keep the promise of secrecy, whether it
is explicit or implicit. 3. To respect an
individuals autonomy.
9
Informed Consent
In the history of informed consent, even into
the first decade of the twentieth century,
established canons or practices did not exist
regarding the disclosure of patient information.
Societal, regulatory, and technological changes
over the last 15 years have heightened concerns
about privacy and confidentiality issues.
10
Problems with Informed Consent

• There was consensus regarding a perceived threat
  to patients control over their health care
  information. Both patients and nurses complained
  that waivers and consent forms were often written
  in legal language or in print so small that they
  could not understand or even decipher the forms.
  Several patients also expressed concern over the
  idea that if they did not sign the forms given to
  them at some health care facilities, they would
  be denied access to treatment.
• Many spoke of the fine print that they were
  unable to read on information sheets they had to
  complete in order to receive care. Also found
  that, although 99 of primary care practices
  surveyed had a policy regarding confidentiality,
  only 27 of these practices publicize it to their
  patients.

11
Summary
Patients acquire a sense of trust and control
when they believe that their privacy is
maintained and that their health care information
is kept confidential. Privacy and
confidentiality encourage patients to share
sensitive information with their primary care
providers without fear of it being shared with
others who are not involved directly in their
care. Conversely, if patients do not believe that
their conversations will be kept private or that
their information will be kept confidential, they
may be hesitant to disclose information fully,
and their care may be compromised. It is
imperative, therefore, that key providers of
primary health care should understand their
responsibilities both legally and morally in
relation to patients rights to privacy and
confidentiality.
12
Legislation
Federal Personal Information Protection and
Electronic Documents Act (PIPEDA) Effective Date
January 1, 2004 Federal Personal Health and
Information Privacy Act (PHIPA) Effective Date
November 1, 2004 for most Health Information
Custodians Effective Date November 1, 2004 for
Hospitals
On February 5, 2005 Jennifer Stoddart, Federal
Privacy Commission has deemed PHIPA to be
substantially similar to PIPEDA PHIPA is the
sole Privacy legislation applying to Health
Information Custodians In Ontario
13
What is PHIPA?
Legislation that requires Health Information
Custodians (HIC) to protect personal health
information in their custody or control to ensure
that records are retained, transferred and
disposed of in a secure manner.
14
PHIPA Objectives

• To establish rules for the collection, use and
  disclosure of personal health information about
  individuals that protect the confidentiality of
  that information and the privacy of individuals
  with respect to that information while
  facilitating the effective provision of health
  care
• To provide individuals with a right to access
  and to require the correction or amendment of,
  personal health information (PHI) about
  themselves, subject to limited and specific
  exceptions set out in PHIPA
• To provide for independent review and resolution
  of complaints with respect to PHI to provide
  effective remedies for contraventions of PHIPA

15
Consent Requirements Under the Act
Where consent for the collection, use or
disclosure of PHI is required consent must -
Relate to the information - Be the consent of
the individual (or substitute decision-maker) -
Be knowledgeable - Not be obtained through
coercion or deception
Knowledgeable Consent The individual must know
why the information is being collected, used and
disclosed. They have the right to give or
withhold consent for the collection, use or
disclosure of PIH
16
Lockbox

• Allows an individual to withhold or not to use
  information from a particular HIC
• A particular item within a record may not be
  collected, used or disclosed
• An entire record may be not collected, used or
  disclosed

• This part of the legislation has become a
  nightmare for HIC
• Difficult to close off certain information to
  specific HIC such as nurses, or doctors, etc.
• Compliance must be in policies and procedures
  manuals and through technological means

17
Disposal of E-Records
- Must include physically destroying the media in
where they are stored (CD) - Magnetically erasing
or overwriting the information in such a manner
that it cannot be recovered - A record of the
disposal date must be kept
18
Breach of Privacy
- The Act states that custodians must notify
individuals whose personal health information has
been stolen, lost or accessed by an unauthorized
person. - Reasonable efforts need to be made to
notify the patient of any breaches or transfer of
information.
19
Case Study
In an elevator, two nurses are in
mid-conversation while two visitors can hear
every word. One nurse says, Can you believe who
our new patient in the ICU is? He looks even
older in person than on TV. Im gonna watch
tonight to see how they handle his absence on the
news. I bet hes going to be here a long time.
20
Case Study
   Several patients in a family practice clinic
waiting room hear a primary care provider in an
exam room yell out to the office manager. I
need you to get Sue Rust on the phone, her labs
are off the page! he bellows. Lets get her
in here to give her the bad news.
21
Case Study
   A nurse notices a patients name in the
electronic medical record while using Meditech.
She realizes the patient is actually her
neighbor, and reads the information without
anyone seeing her do so.
22
Case Study
A nurse works in a high-tech hospital, where
portable computers are used on the unit to
maintain patients electronic health record. At
one point during her shift she uses the portable
computer in the hall to update a patients
record. Meanwhile, patients, family members, and
other staff are walking around her with a clear
view of the computer screen.
23
Case Study
A nurse works in a high-tech hospital, where PDAs
are used for maintaining patients electronic
health record. She starts her shift using her
PDA. In the middle of her shift she realizes
that she no longer has her PDA, and cannot find
it anywhere on the unit. She suspects that it has
been taken by an unauthorized person.
24
Case Study
A nurse using Meditech to verify his patients
lab results, notices a familiar name in the
patient registry - recognizing that the patient
is one of his friends girlfriend. He looks at
her record and notices that she is being treated
for a sexually transmitted illness. At the end of
his shift, he goes to one of the local bars,
where he meets his friends (one of whom is the
patients boyfriend). The nurse starts talking
about how there was a patient in the hospital
being treated for a sexually transmitted illness
and how he thought it was one of his friends
girlfriendAfter the patient is discharged, she
finds out from her boyfriend that one of his
friends (the nurse) breached privacy and
confidentiality. She goes to the hospital to find
this nurse. When she finds him, she accuses him
in front of his co-workers of breaching privacy
and confidentiality and then starts hitting him
and swearing at him.
25
Case Study
A clinic nurse, whose organizational email
address is listed on the companys web site,
receives an email from an anonymous email address
asking questions about the care planned for a
patient. The sender of the email states that he
is the patients son and his father doesnt
remember what he was told at the clinic visit.
26
Considerations
- Few mechanisms to verify the identity of the
sender - Making control of who ultimately has
access to the information in an email is nearly
impossible (b/c of simplicity of saving and
forwarding email) - Content of an email can be
changed before it is saved (creating false
record of communication) - Email may not be
received by its intended recipient
27
Nurse should inform the sender that
- Information regarding patients is not given
out over email - Information is not given out
without the patients consent.
28
General Rules
- Discuss health information only with those
individuals who have a need to know. - Keep those
discussions away from other patients or their
visitors - Safeguard and do not share methods of
access to health information such as keys, PINS,
or passwords - Try to use easy to remember
password or PINS, so you do not have to write
them down - Close charts and mars when not
needed (whether they are paper or electronic) -
When faxing information, fax machines should be
located in secure location and not in common
area (ensure faxed records comply with
guidelines) - Keep unauthorized personnel or
visitors away from area where individual health
information is available - Ensure that computer
monitors face away from traffic or waiting
areas - Log off of computers when you are done
using them - Read and follow the confidentiality
agreement you signed with your employer
29
Implication for Nurses
- Given attention to detail - Should be familiar
with employer policy and procedure - Need to
update knowledge by attending continuing
education courses, in-services, and other
program and become familiar with information
manage system - Becomes familiar with standard of
practice, standard of care, HIPAA regulation,
laws - Demonstrate accountability for action
30
To Maintain Confidentiality
- Passwords should be changed at regular
intervals and should not consist of easily
determined terms - Categories of user classes
should be developed that provide users only with
the information they need to know to best care
for the patient. - Display terminals should have
a security log-off procedure to automatically
sign off the user after a set period of time -
Unauthorized user should not be permitted to
access to information - Maintain continued
integrity of stored information by preventing
alteration or loss of data - Authenticity of
data should be ensured by verifying the source
and retaining communication records should be
available to users through efficiently defined
software and hardware
31
Additional Info
Public response - Overwhelming majority of
Americans disapproves of third parties having
access to their medical records without their
consent - Seventy-eight percent of respondents in
the survey believed that their medical records
should remain confidential - Eighty two percent
object to insurance companies gaining access to
the records without specific permission. (Gallup
poll conducted by the Instituted of Freedom)
32
HIPAA
- Patient electronic data governed by HIPAA
includes telephone transmissions, telefax
transmissions, Internet and extranet
transmissions, and the movement of data using
magnetic tape, floppy disks, and other disk
transmissions - Violations of HIPAA can result
in civil or criminal liability. - Civil-fine of
"no more than 100 per violation" for any
individual who fails to comply with the Rule.
(fine not exceeding 25,000 per violation) -
Criminal liability fines can range from 50,000
to 250,000 and imprisonment of 1 to 10 years.
- An example of a criminal violation would be
obtaining or disclosing patient health
information to another individual.
33
Patients Attitudes on Confidentiality in
Healthcare
In legal actions concerning breaches of
confidence it has been argued that "It is
important that those who require medical
assistance should not be inhibited in any way
from seeking or obtaining it". This view is
supported by research showing that without a
guarantee of confidentiality some groups of
patients will not seek healthcare (Mulligan,
2001).
34
Patients Attitudes on Confidentiality in
Healthcare
Study Interviews of the public - The results
indicated that patients have strong feelings
about the use of EMRs and wish to be involved in
the process of electronically storing and sharing
PHI. - In keeping with international studies,
the results about the amount and type of PHI
stored in an EMR varied from limited factual data
only to all data, with less than 10 having any
significant concerns about the stored data and
about 20 having no real concerns. The remaining
respondents had some concerns, mainly about the
level of security and access. - A popular issue
raised by respondents with feeling was that the
sharing of PHI should only be by the direct
consent of the patient.
35
Patients Attitudes on Confidentiality in
Healthcare
Research study  Objective To determine
attitudes towards doctors and hospitals as data
custodians, and patients' experiences of
unauthorized information releases from health
services.  Participants 3013 randomly selected
residents over 15 years of age.
Results - 288 survey participants (9.6) were
not confident that healthcare providers keep and
use information responsibly - 108 (3.6) reported
that healthcare providers had released
information without their consent - Participants
reported distress, embarrassment, arguments
between family members and loss of trust in
medical services as a result of unauthorized
release of information. (Mulligan, 2001)
36
Patients Attitudes on Confidentiality in
Healthcare
Conclusions Healthcare providers have lost the
confidence of a minority of patients. For some,
this mistrust is based on experience of
unauthorized information release (Mulligan, 2001).
37
Patients Attitudes on Confidentiality in
Healthcare
Although most people express confidence in
healthcare professionals to keep and use
information responsibly, concerns arise for those
who do not. Some people are taking drastic
action to protect their privacywithholding or
providing inadequate information to their
doctors, paying out of pocket for covered
services, and hopping from doctor to
doctorputting themselves at risk for untreated
conditions (Badzek, 1999).
38
Patients Attitudes on Confidentiality in
Healthcare
At worst, others are avoiding care altogether
because of privacy concerns. This is not just
about protecting individual privacy but
protecting public health as well, because if
people provide incomplete information or are left
out of care, then the data needed for research,
monitoring quality of care, and other public
health functions will be woefully inadequate.
(Badzek, 1999)
39
Implications Obstacles
In this age of electronic and computerized
systems of medical recording, sharing and
recording of confidential information takes on a
new dimension. (Olson, 2001)
In nursing informatics confidentiality is a
constant balancing act - The more
confidential we make a record, the more
difficult it becomes to use - But the more
confidential we make a record the more
difficult it is for confidentiality to be
breached
40
Implications Obstacles

• Computerized records have brought the use of
  confidentiality to the forefront
• If one gains entrance to the system, it is easy
  to access many records
• Therefore, the first line of defense/protection
  is to ensure unauthorized access or entrance
• first biometrics- use of physical
  characteristics (fingerprints, iris scan, voice
  print)
• second use of card or keys
• third user id and password (least secure, but
  most widely used)
• Another function to preserve data
  confidentiality is automatic log out

41
Implications Obstacles

• -  Another implication in nursing informatics
  concerns how health care data are transmitted
  (increased electronically) ie. fax or computer
• Faxed information should have a cover sheet that
  hides confidential information
• Sender must be sure correct number is dialed
• When data are exchanged outside an institution
  using computer-encryption, it translates data
  into a code that requires a password by
  recipient to decrypt it (Thede, 2003)

42
Implications Obstacles

• Health informatics assures that technology will
  provide many benefits
• increased access, improved quality of care and
  decreased costs
• ease of access is the underlying cause of
  problem (59 of concern comes from unauthorized
  access) regarding security of medical records
• it is a two edged sword because unauthorized
  users as well as authorized ones have easy
  access

43
Implications Obstacles
Inadvertent breaches occur - Defects in
computer security systems - Human error

• Purposeful breaches
• Hackers ie. Change cancer pt results from
  negative to positive

44
Implications Obstacles
Another implication for nursing informatics deals
with the publics trust - One of the benefits of
nursing informatics - improved quality of care
is not assured - ie. CPRs contain data many
person fear could damage their reputation or
cause employers and insurers to discrimination
against them (Layman, 2003)
45
Future Considerations
Technology is only going to increase, so the need
for confidentiality is always going to be a major
concern in nursing informatics. Confidentiality
has and always will be a core principle within
nursing, so as the profession evolves the need
for it will always be there. As nurses learn new
technology, they will demand that basic
confidentiality guidelines be enforced.
46
Future Considerations
The CNA has emphasized the need for
confidentiality and privacy in fact their
position statement is Privacy of personal health
information (2001). They recommend that the
government engage health care professionals and
others to develop a national framework for the
protection of personal health information
(Nursing Now, 2002). There are currently
technical gurus that are working on and
developing tools that will help aid in ensuring
confidentiality, as well as aiding the ease of
communication between patient, doctor, nurse and
other healthcare professionals.
47
Future Considerations

• What do we need?
• increased information in regards to
  how can we effectively
  ensure confidentiality
• regulatory services or tools that protect
  confidentiality
• compliance
• need and desire
• rules and mandates
• provision of audit trails
• monitoring systems

48
Future Considerations
What may tools look like? - passwords - digital
signatures - voice automated entry - finger
print entry - increased firewall - security
safeguards
49
Future Considerations
Consider this - limit who is involved in data
collection and entry - ensure that consents are
obtained before entry - who should be given
access - reflect on purpose for entering patient
file or information - who will monitor
confidentiality
50
Future Considerations
What will happen if confidentiality is breached?
- public will loose faith in healthcare
system - lawsuits - loss of jobs - client
outcomes lost - focus shift
51
References
Anderson, K., Anderson, L., and Glanze, W.
(Eds.). (1998). Mosbys medical, nursing,
allied health dictionary (fifth ed.). St.
Louis Mosby. Badzek, L. (1999). Confidentiality
and privacy at the forefront for nurses. Nursing
World. 69  Beardwood, J.P. (2004) Coming Soon to
the Health Sector Near You An Advance Look at
Bill 31, the Ontario Personal Health Information
Protection Act (PHIPA). Ontario Bar Association.
Retrieved on October 24, 2005. http//www.oba.org
/en/pri/may04/Coming.aspx Brent, N.J. (2005). The
use and misuse of electronic patient data.
Journal of Infusion Nursing. Retrieved October
20, 2005 from http//gateway.ut.ovid.com
Cavoukian, A. (2005) Fact Sheet, Disclosure of
Information Permitted Emergency or Other Urgent
Circumstances. Information and Privacy
Commissioner/Ontario. Retrieved on October 23,
2005. http//www.ipc.on.ca/scripts/index_.asp?act
ion31P_ID15827N_ID1PT_ID15825U_ID0
Cavoukian, A. (2005). Fact Sheet, Consent and
Form 14. Information and Privacy Commisioner/Ontar
io. Retrieved on October 24, 2005. http//www.ip
c.on.ca/scripts/index_.asp?action31P_ID16117N_
ID1PT_ID15825U_ID0  Cavoukian, A. (2005).
Fact Sheet, Lock-box Fact Sheet. Information and
Privacy Commissioner/Ontario. Retrieved on
October 24, 2005. http//www.ipc.on.ca/scripts/in
dex_.asp?action31P_ID15827N_ID1PT_
ID15825U_ID0
52
Clark, A. (2004). Whats all the HIPAA hype?
(cover story). Nurse practitioner. Retrieved
October 23rd, 2005 from EBSCHOhost. (p.4).
Deshefy-Longhi, T., Dixon, J., Olsen, D., and
Grey, M. (2004). Privacy and confidentiality
issues in primary care views of advanced
practice nurses and their patients. Nursing
Ethics. Retrieved October 23rd, 2005 from
EBSCHOhost. (p.16). Dowd, S.B. Dowd, L.P.
(1996). Maintaining confidentiality health
cares ongoing dilemma. The health care
supervisor. Retrieved October 20, 2005 from
http//proquest .umi.com/pqdweb Healthcare Canada
(2005) PHIPA Summit 2005 A Balancing Act.
Information and Privacy Commissioner/Ontario.
Retrieved on October 24, 2005. http//www.governme
ntevents.ca/phipa2005/agenda.php Hunter, I.
Patient attitudes to electronic medical records
(unknown date). Retrieved on October 24, 2005
from www.privacy.org.nz/media/Hunter.pdf
   Information and Privacy Commissioner/Ontario.
(2005). Your Health Information and Your Privacy
in Our Hospital. Retrieved on October 24,
2005. http//www.ipc.on.ca/userfiles/page_attachme
nts/fact-07-e.pdf Keatings, M. Smith, O.
(2000). Ethical and legal issues in Canadian
nursing. (2nd ed.). (p.136). Toronto
Saunders. Layman, Elizabeth. (2003). Health
informatics Ethical issues. Health Care Manager.
Greenville Lippincott Williams Wilkins, Inc.
22(1).pp2-15.  Mulligan, E. C. (2001).
Confidentiality in health records evidence of
current performance from a population survey in
South Australia. Medicine and the Community,
174(637-640)
53
Olson, Linda.(2001). Privacy and confidentiality
in an electronic age. Look Smart. Retrieved
October 19th 2005 _at_ http//findarticles.com.
  Potter, P. Perry, A. (2001). Canadian
fundamentals of nursing. (2nd ed.). (p.79,
384,399). New York Mosby. Quallich, S.
(2002). Issues of confidentiality. Urologic
Nursing. Retrieved October 20, 2005 from
http//gateway.ut.ovid.com Roberts,D.W. (2003).
Privacy and confidentiality the health insurance
portability and accountability act in critical
care nursing. AACN Clinical Issues. Retrieved
October 20, 2005 from http//proquest
.umi.com/pqdweb Rutty, J. (1998). The nature of
philosophy of science, theory and knowledge
relating to nursing and professionalism.
Journal of Advanced Nursing. Retrieved October
23rd, 2005 from EBSCHOhost. (p.8). Tabak, N.
and Ozon, M. (2004). The influence of nurses
attitudes, subjective norms and perceived
behavioral control on maintaining patients
privacy in a hospital setting. Nursing Ethics.
Retrieved October 23rd, 2005 from EBSCHOhost.
(p.12). The American Heritage Stedman's
Medical Dictionary (ed. 4th). (2002). Boston
Houghton Mifflin Company. Retrieved October 27,
2005 from www.bartleby.com. Thede, Linda,
Q.(2003). Informatics Challenges and issues.
Informatics and Nursing. Philadelphia
Lippincott Williams Wilkins.
pp.322-323. Unknown Arthor, (2002). Nursing
Demystifying the Electronic Health Record.
Nursing Now Issues and Trends in Canada. 13(2).
p.13-17. Unknown Arthor, (2001). What is Nursing
Information and Why is it Important. Nursing Now
Issues and Trends in Canada. 11(5). p.25-29.
54
Pictures Retrieved From
www.computerworld.com/hardwaretopics/storage/story
/0,10801,87153p2,00.html www.cnn.com/TECH/computin
g/9901/25/hacktracts.idg http//ccdf.ca/NewCoach/e
nglish/ccoachb/b1_sample_dialogue.htm www.hcmc.org
/a_z/nursing.htm www.cowart.info/nurses20in20cri
sis/nursesncrisis.htm www.nursing-standard.co.uk/
students/whybe.asp www.qbs.com.pl/programy/qs-via
net/ www.gynendo.com/computer.htm