Privacy Gone Awry
Approach to Improving Safety
- Practice Guidelines
- Provider-Patient Communication
- Medical Alarm Design
- Education and Training
- Discontinuities, Gaps, and Hand-Off Problems
- Postoperative Surgical Complications
- Privacy Violations
Setting of Care
A 3-year-old child underwent bilateral myringotomies and tube insertion with adenoidectomy. Preoperatively, she had an upper respiratory infection, but was eating normally. She was very active in the preoperative screening area. Immediately following the surgery, her oxygen saturations fell to the upper 80s while on blow-by humidified oxygen.
In preparation for an upcoming JCAHO inspection, the small community hospital (which had suffered from significant nursing shortages and thereby relied on many young and inexperienced staff members) was in the midst of a major internal educational campaign regarding HIPAA, encouraging all staff to be particularly attentive to issues of patient privacy. In keeping with this, the recovery room nurse (a recent graduate from nursing school) closed the "privacy" drapes, which left her unable to visualize the pulse oximeter.
Within the hour, the nurse heard loud inspiratory stridor coming from inside the curtain. The anesthesiologist and otolaryngologist were called stat, and found the child in extremis. They managed the patient's airway over the next few minutes, barely avoiding intubation by "bagging" the patient.
The child was admitted overnight and was
discharged the following morning after her respiratory status
dramatically improved. She suffered no permanent adverse
Privacy vs. Safety: Is the Tradeoff a Bug or a Feature of HIPAA?
Tradeoffs abound in all areas of clinical medicine—eg, between morbidity and mortality, when considering an operative procedure (such as a hip replacement) to improve quality of life, between survival and morbidity when considering chemotherapy for cancer, or between long-term and short-term survival when considering surgery (such as for aortic aneurysm in Marfan's syndrome). Clinicians often manage such choices and tradeoffs, but patients' preferences and wishes must guide us.
Similar tradeoffs exist between access and confidentiality. As we restrict access to clinical information, the processes of patient care become more complex and the risks of inadequate communication among clinicians increase. Our obligation to respect our patients' privacy is an ethical imperative. (1-7) But we must also act in our patients' best interests. The ethical precepts of beneficence and nonmaleficence (5) require that, as clinicians, we ensure our patients' safety in the things we ourselves do. We must also establish systems that minimize the chance of medical errors (Primum, non nocere).
Concerns about patient privacy have long been appreciated in health care. For example, more than a century ago, Sir William Osler wrote,
"In this irreverent generation, the almost sacred character of the relation of the physician has come to be lightly regarded, and the modern reporter...asks for and expects to obtain information of the most private nature. That he should so often procure it is a sad evidence of degeneracy in the profession, and of neglect of that most important section of the Hippocratic oath."(2)
That section is, "Whatever I see or hear, professionally or privately, which ought not to be divulged, I will keep secret and tell no one."(1) However, these concerns were not codified into law until recently.
The Health Insurance Portability and Accountability Act (HIPAA)(8-11), which in 2003 established standards for the privacy and confidentiality of individually identifiable, protected health information (PHI), is congruent with our ethical obligations as professionals. HIPAA reinforces behaviors that should already be second nature for clinicians. Although abuse of electronic databases and communication created the need for explicit standards (12), HIPAA's standards are not limited to electronic information transfer. They apply to all PHI—electronic, written, oral, or visual. In part because of the hefty fines associated with violations, many health care organizations have invested substantial resources in educating providers and staff about HIPAA. But many of these educational programs have been more focused on communicating warnings about the law than on the proper place of privacy and confidentiality in patient care.
When considering restrictions on information transfer, based either on HIPAA or on the precepts of medical ethics, one basic rule should be remembered: Patient care and safety come first. HIPAA contains explicit exclusions for treatment, payment, and health care operations: PHI that is required for these three purposes is exempt from HIPAA's restrictions. When HIPAA appears to compromise good patient care or safety, HIPAA must be set aside, not because HIPAA is unimportant, but because the appearance of a conflict most likely indicates a misunderstanding of HIPAA.
This case raises a number of issues about patient safety (13-17) and common misconceptions about HIPAA. Because this child developed an unexpected compromise in her oxygenation, the decision was made to monitor her respiratory status. However, monitoring (18) requires two components: the measurement of some (physiologic) parameter (eg, her oxygen saturation with a pulse oximeter) and the detection of when that measurement crosses some criterion for action. In this case, the inexperienced recovery room nurse appears to have understood neither the need for detection and response nor how conflicts between privacy and safety should be managed. The recovery room's key function is the enhanced monitoring of post-operative patients, presumably more frequently than once an hour. Perhaps the delay in recognizing this child's distress was related to a shortage of nurses, but relying solely on a single clinician to observe the pulse oximeter readings seems unwise. Whenever we employ a monitoring device, we should have an alarm (19) for automatically indicating when that parameter falls beyond an acceptable range. Alternatively, the parameter could be monitored at a central console in the unit. (18) Had an alarm been employed in this case, even with the privacy drapes closed, the child's respiratory distress should have been detected before her stridor warned the nurse of a life-threatening change.
Did closing the drapes in the recovery room enhance this child's privacy? Would a 3-year-old truly care about her privacy or might the isolation of closed drapes have frightened the child more? Because recovery rooms and intensive care units should enhance our ability to observe and monitor immediate post-operative and acutely ill patients, we must question the logic of privacy drapes in these settings, unless staffing permits continuous observation or unless either an automatic alarm or central monitoring is available. When a tradeoff between privacy/confidentiality and safety exists, we should ask our patients whether they want to forego safety to enhance privacy. Were this child's parents consulted?
One must also wonder why a patient with an intercurrent upper respiratory infection underwent an elective surgical procedure. Cancelling surgery would inconvenience the patient's family and represent a potential revenue loss for the surgeon and the hospital, but standard guidelines for elective surgery should be designed to minimize risk to the patient, not to minimize inconvenience or economic loss. Through the clarity of hindsight, one must ask whether this hospital's pre-operative criteria were adequate, whether they were compromised for convenience or efficiency, or whether this child was truly not at increased risk for this elective procedure.
Finally, this case raises issues about education and regulation. Both HIPAA regulations and JCAHO inspections should be stimuli for improving our processes of care and for educating clinicians and other staff about minimizing risk and improving quality. Unfortunately, these underlying goals are not always evident in our educational programs, our preparations for inspections, and our compliance with regulations. We too often neglect the rationale behind the rules; sometimes we focus on simply dotting the I's, crossing the T's, being sure that forms are completed, and documenting that our staff have attended educational programs.
This near miss should
reinforce our need to educate beyond the rules and to implement
processes of care that both enhance privacy and improve safety. The
conflict between privacy and safety is not a "bug" (or problem) in
HIPAA; the conflict should be a "feature" (or opportunity) that
encourages us to understand the nature of the tradeoffs we face and
how we can improve the processes of care within our health care
systems. Apparent conflicts between HIPAA and patient safety often
reveal underlying unsafe practices and misunderstandings about
Stephen G. Pauker,
Associate Physician-in-Chief, Tufts-New England Medical Center
Sara Murray Jordan Professor of Medicine, Tufts University School of Medicine
Susan P. Pauker,
Chief, Department of Medical Genetics, Harvard Vanguard Medical Associates
Associate Professor of Pediatrics, Harvard Medical School
1. Oath of Hippocrates. In: Chadwick J, Mann WN, trans. Hippocratic writings. London, England: Penguin Books Ltd; 1950. Available online at: [ go to related site ]. Accessed April 20, 2004.
2. Osler W. Dementia paralytica and syphilis. In: Silverman ME, Murray TJ, Bryan CS, eds. The quotable Osler. Philadelphia, PA: American College of Physician Publishing; 2003:31.
3. Principles of medical ethics. American Medical Association Web site. Available at: [ go to related site ]. Accessed April 20, 2004.
4. Ethics Manual, 4th ed. American College of Physicians Web site. Available at: [ go to related site ]. Accessed April 20, 2004.
5. Beauchamp TL, Childress JF. Principles of biomedical ethics. 5th ed. New York, NY: Oxford University Press; 2001:113-224;293-312.
6. Jonsen AR, Siegler M, Winslade WJ. Clinical ethics. 5th ed. New York, NY: Macmillan; 2002:158-163.
7. Brody H. The physician-patient relationship. In: Veatch R, ed. Medical ethics. Boston and Portola Valley: Jones and Bartlett Publishing; 1989:82-86.
8. HIPAA Administrative Simplification: Privacy. Final Rule. Centers for Medicare & Medicaid Services Web site. Available at: [ go to related site ]. Accessed April 20, 2004.
9. Gostin LO. National health information privacy: regulations under the health Insurance Portability and Accountability Act. JAMA. 2001;285:3015-21.[ go to PubMed ]
10. Annas GJ. HIPAA regulations—a new era of medical-record privacy? N Engl J Med. 2003;348:1486-90.[ go to PubMed ]
11. American College of Physicians: HIPAA privacy manual. Philadelphia, PA: American College of Physicians Publishings; 2002.
12. Department of Health and Human Services. Office of the Secretary. Breaches in health privacy harm more than our health status. Federal Register. 2000; 250:82462-82470. Available at: [ go to related site ]. Accessed April 20, 2004.
13. Reason JT. Human Error. New York, NY: Cambridge University Press; 1990.
14. Leape LL. Preventability of medical error. In: Bogner MS, ed. Human error in medicine. Hillsdale, New Jersey: Lawrence Erlbaum Associates; 1994.
15. Sharpe VA, Faden AI. Medical harm: historical, conceptual and ethical dimensions of iatrogenic illness. Cambridge: Cambridge University Press; 1998.
16. Kohn LT, Corrigan JM Donaldson MS, eds. To err is human: building a safer health system. Institute of Medicine. Committee on Quality of Health Care in America. Washington, DC: National Academy Press; 1999. [ go to related site ]
17. Institute of Medicine, Committee on Quality of Health Care in America, eds. Crossing the quality chasm. Washington, DC: National Academy Press; 2001. [ go to related site ]
18. Pierson DJ. Goals and indications for monitoring. In: Tobin MJ, ed. Principles and practice of intensive care monitoring. New York, NY:McGraw-Hill Publishing; 1997:33-44.
19. Kacmarek RM. Alarms. In: Tobin MJ, ed. Principles and practice of intensive care monitoring. New York, NY:McGraw-Hill Publishing; 1997:133-141.