RN breaches patient confidentiality policy to check work schedule

Upholding patient confidentiality policy is a fundamental obligation for any nurse in any setting.

I have discussed this topic in several blog posts, including “What happens when a nurse breaches patient confidentiality” and “Protecting a patient’s confidentiality does matter”.

Most often, a breach can happen when a nurse shares patient information with a person who is not a member of the healthcare team or when a patient’s electronic medical record is accessed for a personal reason when a nurse is not providing care.

A nurse discovered how far-reaching the obligation to uphold patient confidentiality policy is in the case of Leach v. Iowa Board of Nursing. The nurse, who was employed in the hospital’s ICU, remotely accessed patient census lists 11 times when not at work. The lists contained private health information, including patient names, ages, diagnoses, medications and other personal information.

When a supervisor discovered the nurse accessed the lists, she was questioned. The nurse’s reason for checking the lists was to determine ICU staffing and whether she would be required to work her assigned shifts.

The nurse was told her actions were in violation of the hospital’s “information security policies” when employees were in a remote location and did not seek authorization. Moreover, the supervisor informed the nurse that any access had to be “necessary to complete her job responsibilities.”

The nurse was disciplined, suspended for two 12-hour shifts and required to repeat a Health Insurance Portability and Accountability Act learning module.

Supervisor files complaint with state board

After a board investigation on the alleged breach of the patient confidentiality policy, probable cause was determined to proceed to a hearing. The nurse received the board notice for a hearing and the allegations against her, which involved breaching her duty to protect the patients’ confidentiality and privacy rights in violation of the state’s nurse practice act and administrative rules.

A contested hearing took place, and the board found the nurse:

  • Accessed the patient lists for her own purpose to determine if she would work the next day or be placed on call.
  • Did not use information from the lists for any other purpose.
  • Did not share the information with anyone else.
  • Did not read any personal information on the lists.
  • Was not authorized to access the lists from a remote location.
  • Did not need the information to perform her duties as an ICU nurse.

As a result of these findings, the board found by a “preponderance of the evidence” (its burden of proof) the nurse’s conduct was unethical.

Because the board believed the nurse did not understand her conduct was a violation of the patient confidentiality policy and the hospital determined the behavior was not a HIPAA breach, the discipline imposed was the least severe sanction — a citation and a warning.

The nurse filed for a judicial review of the board’s ruling. The district court dismissed the nurse’s petition.

Disciplined nurse appeals decision

The nurse asked an appeals court to reverse the district court ruling, alleging she never shared the information with someone else and the board’s finding of a …read more

Read full article here: nurse.com