1. Knox, Crissy RN, BSN
  2. Smith, Anna MSN


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other health information privacy laws provide patients with certain rights regarding the use and disclosure of their medical information. Such laws compel us to think about the connection between technology and patient privacy.


Employees may violate an organization's HIPAA policies without even knowing it. Diligent assessments of HIPAA practices and potential infractions are essential in every organization. All staff members should receive training and orientation about HIPAA on a regular, ongoing basis. They need to be educated not only about policy but also about how to apply the policy to real-life scenarios. For example, how should you respond if a surgeon asks you to take a picture of a trauma patient, without consent, to be used for educational purposes? Is either employee in violation of HIPAA? What policy actually determines the right or wrong of such a request? These policy discussions will allow employees and nurse leaders to process application of policy as it relates to practice.


Employee education should include which staff leader to contact when questionable issues arise. For instance, a facility should have set guidelines for the appropriate chain of command for these issues. Some institutions have established roles such as a "privacy officer" who can provide an immediate response to potential patient disclosure concerns.1 Employees should know the institution's policies on:


* cell phone use in patient care settings
* picture taking
* Internet use
* Internet access policy
* information security access
* PDA use
* user ID/password agreement
* case law
* HIPAA policies/violations.



Keep it current

Policies should reflect new and changing patient privacy technologies. It's important to note that HIPAA lawsuits are only just beginning to emerge. The government may be the enforcer of HIPAA violations, but anyone else can sue for breach of privacy.


In addition to privacy and current policy, become familiar with the latest handheld technology and Internet-use devices and their appropriate role in the patient care setting. Stay informed on the latest technologies and features such as blogging and text messaging. Conversations regarding these devices should occur with staff during orientation. Ongoing education should occur frequently to assist staff with compliance. Finally, strong working relations with your organization's HIPAA compliance officer, risk management, privacy officer, and hospital legal counsel are essential.


The influx of technology and its implications for healthcare are so new that little information exists, especially as it relates to healthcare and patient privacy. Although organizational HIPAA policies generally speak to patient confidentiality and patient rights, they don't specifically address the impact of technology on healthcare. Hopefully, your facility will make it a priority to investigate the latest gadgets, as educating staff today will protect your patients and organization tomorrow.




1. Corporate compliance. University of Louisville Hospital Privacy Compliance Policy, 2003.