
Balance patient care, privacy when dealing with infection control

HIPAA Training Advisor, July 13, 2006

To avoid confusion and potential legal conflicts, when infection control staff deliberate over policies for protecting patients from infectious diseases, they must also consider HIPAA.

For example, consider the practice of placing a sign on the door to a tuberculosis patient's isolation room. The sign reminds staff that the patient must be kept separate from others to prevent spread of an infectious disease, which medically benefits other patients and hospital workers. Yet, it might also be a breach of privacy if visitors can view the sign and the patient's name as they walk by.

"HIPAA doesn't specifically prohibit something like this. It's up to each covered entity to assess privacy risk and look at alternatives," says Kate Borten, CISSP, CISM, founder of The Marblehead Group, Inc., in Marblehead, MA. As a safer step, for example, "more and more hospitals are putting patient names inside rooms instead of in the corridor, without any apparent health risk," Borten says. Either way, HIPAA intends its regulations to come second to patient care, she adds.

If you're treated, you're a patient

Here's a health privacy situation that is even more complicated than the sign on the isolation room: Suppose a clinician accidentally sticks him- or herself with a needle and receives testing.

"When an employee goes through the testing process he or she becomes a patient," says Frank Ruelas, compliance officer at Gila River Health Care Corporation in Sacaton, AZ. "Now you have to juggle three balls in the air, including the rights of confidentiality of the person who was the source of blood of that needle, the employer obligation to the employee, and . . . the confidentiality of this patient who happens to be your employee," Ruelas says.

When the employee's blood goes for testing, laboratory staff may be aware that the sample belongs to a coworker, which can raise concerns if the employee expects the testing to remain confidential. The tested person's name is often on accompanying payment information, he says. The solution is to "treat anyone involved in an infection control situation as a patient - then you'll find yourself conducting yourself in a manner more sensitive and probably correct for the situation," Ruelas says.

Hospitals must handle employee-patient concerns with those dual identities in mind, he adds. For example, "if you had an employee or patient who said he or she wanted an HIV test, and if it comes back positive, you and I know you are obligated to report that to the health board in your jurisdiction," he says.

Healthcare staff understand that they need to explain to a patient that this information will be forwarded to public health officials. However, those same staff may incorrectly assume that an employee who is a patient already knows this policy, and so may not tell him or her.

"I say treat it the same, whether it is John Doe or John Employee," Ruelas says.

Editor's note: Adapted from "Balance patient care, privacy when dealing with infection control," Briefings on HIPAA, July 2006.
