Wednesday, June 2, 2010


Today, amid the usual eight-hour day full of classes, we got the legally mandated lecture on HIPAA (the Health Insurance Portability and Accountability Act of 1996).

I'm not even kidding about the "legally mandated" bit. Before we're allowed to go work in a hospital for clinical experience, we are required to get a certain amount of training about HIPAA. Every student in the place had to sign an attendance sheet to show that we were there. Anybody who was absent, or somehow failed to sign it, will have to sit through the same lecture again some other day.

They explained some basic history of the law, and its significance-- biggest health care legislation in the last 38 years, blah blah blah-- but what they're really interested in is the privacy provisions. The hospitals want to be absolutely sure we know that personal information is not a toy. I can understand their reasoning, because if any of us student nurses screws up, the student is not the only one who's gonna get sued.

A lot of the privacy concerns are blindingly obvious: Don't leave charts lying around in the open. Don't tell your neighbor about the procedure you did on his pool guy. Don't take a picture of a patient's unusual wound or condition and post it on Facebook, no matter how awesome or gruesome or embarrassing it looks. (Well, maybe that last one isn't quite as obvious as I thought.)

Some of the stuff is a little more interesting, because even though it may be obvious to me, it may be novel information to anyone without a security or IT background: Keep permanent records safe permanently. Destroy temporary records when they expire. Don't share your computer password. Don't copy confidential information onto your personal laptop.

Then there's the tricky bit. A health care worker may not access the records of anyone-- even in the department where they work-- unless that worker has a need to know that information for their job. This means if a famous celebrity comes into your hospital, and is being treated on your ward, but you personally are not caring for them, you must not access their records. Every access to electronic records is logged. People really do get fired for "just looking," and recently, a surgeon in California even got sent to prison for reading stuff he wasn't supposed to.

There seems to be a little bit of a gray area where we student nurses are concerned, because teaching is an expected operational function of the hospital. A student can be given access to case information that is interesting for educational reasons, like a rare disease or a particularly unusual presentation. But there has to be a reasonable teaching purpose behind sharing the information, and "curiosity" does not qualify.
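An added illustration (my own, not from the post or from any hospital's actual system) of how the "need to know" rule above turns into an audit check: every chart access is logged, so a review can flag accesses by staff who are neither on the patient's care team nor cleared for a documented teaching case. The log format, user names, patient ids and the two lookup tables are constructed assumptions.

```python
import re

# Constructed sample data; the log format, names and ids are assumptions, not real records.
CARE_TEAM = {
    "P001": {"nurse.alice", "dr.bob"},
    "P002": {"nurse.carol"},
}
# Teaching access must carry a documented reason; plain curiosity does not count.
TEACHING_CASES = {
    "P002": {"student.dan": "rare presentation, approved by clinical instructor"},
}
AUDIT_LOG = """\
2010-06-02T08:15:02 user=nurse.alice patient=P001 action=view_chart
2010-06-02T08:20:41 user=nurse.carol patient=P001 action=view_chart
2010-06-02T09:02:13 user=student.dan patient=P002 action=view_chart
2010-06-02T09:05:55 user=student.eve patient=P002 action=view_chart
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

def parse_log(text):
    """Parse audit lines into dicts; a malformed line is an error, not silently skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        events.append(m.groupdict())
    return events

def justification(event):
    """Return why this access was permitted, or None when there is no need to know."""
    if event["user"] in CARE_TEAM.get(event["patient"], set()):
        return "care team"
    reason = TEACHING_CASES.get(event["patient"], {}).get(event["user"])
    if reason:
        return "teaching: " + reason
    return None

def flag_unjustified(text):
    """Return (user, patient, timestamp) for every access lacking a documented basis."""
    return [(e["user"], e["patient"], e["ts"])
            for e in parse_log(text) if justification(e) is None]

if __name__ == "__main__":
    for user, patient, ts in flag_unjustified(AUDIT_LOG):
        print(f"{ts} {user} accessed {patient} with no care or teaching relationship")
```

In the constructed log, nurse.carol (on another patient's team) and student.eve (no documented teaching reason) are the two accesses a reviewer would have to follow up on.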

Because I don't want to be sued or go to prison, this would be a good place to note that if I ever post here about patients, everything will be de-identified and anonymized. Any identifying details (like name) will be removed. Anything that could suggest identity (like age and sex) will be randomized by flipping coins and rolling dice. If you ever think you recognize someone in a story here, I assure you that you will be entirely incorrect.


  1. An unnamed associate of ours had their entire family's personal medical information accessed by a medical student working under said associate. Somehow, this student was not expelled. I'm still shocked by this. (Bad grammar used to protect sex and privacy!)

  2. It sounds like the lecture I get to give once a quarter and more often if need be. However, my lecture is governed by FINRA Regulation S-P.

  3. Keri, I am distressed to note that your grammar is no longer considered "bad." It's now "acceptable." Alas. Or hooray for gender ambiguity, depending on your preference.

    My husband and his natural curiosity have somehow managed to avoid any problems with HIPAA, but as a patient it's a little alarming how many of y'all have access to our data!