Each day in medical settings, conversations that challenge the privacy of health care information take place between clinicians. Giving report on patients in an area where it can be overheard by others, a conversation in a hallway when someone unexpectedly walks by, clicking on an incorrect chart, or glancing at the census of a co-worker you are meeting can all be breaches of confidentiality.
All of us have attended hospital orientation, whether as a volunteer, student, or employee. The need for confidentiality and privacy in the work we do is clearly emphasized in all training. In addition, when becoming certified as child life specialists, we agree to the fourth principle of the Child Life Code of Ethics:
Certified Child Life Specialists respect the privacy of children and families and maintain confidentiality within the standards and requirements of employers, local governing regulations, or private practice standards. (Child Life Certification Commission, 2020, Principle 4)
The above principle and hospital privacy rules are guided by HIPAA, the Health Insurance Portability and Accountability Act of 1996 (Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 1996). The HIPAA rules are written in an indefinite manner, allowing flexibility within different types of work groups, but this ambiguity can also lead to more questions. Each hospital expects that its employees will know the risks, pay attention to the advice of the organizations built to oversee the rules, and use professional judgment in ethical grey areas.
The group overseeing compliance with the U.S. HIPAA privacy rules is each hospital’s privacy and compliance office, often led by a privacy officer. It is their job to handle protected health information (PHI) and develop, implement, and oversee the organization’s compliance (USLegal, n.d.). Privacy officers are trained in ethics, regulations, investigations and compliance, program management administration, technology/physical technical safeguards, customer service, and client/patient services. Often certified in Healthcare Privacy and Security (designated by the CHPS credential), they are professionally overseen by the American Health Information Management Association.
Recently, at our hospital, there was a child life breach of HIPAA that was filed anonymously with the compliance office. In a late-night phone call from the nurse director, the specialist was questioned about her discussion of an ill coworker. What had been intended as social support of staff who knew and worked with this person had been reported to the compliance line by someone who overheard the conversation. Although she was able to explain her case, a warning was issued and the specialist was told that any other breach would lead to immediate termination. The fear of losing a job was nauseatingly real. Based on this event, our team spent two staff meetings with our hospital’s privacy officers. This article and the chart below summarize these meetings in an attempt to clarify how HIPAA specifically impacts child life.
For most health care professionals, there are four basic tenets when it comes to PHI:
Child Life Certification Commission. (2020). Child life code of ethics. https://www.childlife.org/docs/default-source/certification/child-life-code-of-ethics.pdf
Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191. (1996). https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996
Office for Civil Rights. (2013, July 26). Breach notification rule. U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
USLegal. (n.d.). Privacy Officer (Health Care) Law and Legal Definition. https://definitions.uslegal.com/p/privacy-officer-health-care/
Vine, S. (2017, October 26). 7 steps for handling a patient HIPAA privacy complaint. First Healthcare Compliance. https://1sthcc.com/7-steps-for-handling-a-patient-hipaa-privacy-complaint/