Good morning. I am Mary Foley, President of the American Nurses Association, which is the only full-service professional organization representing the nation's registered nurses through our 54 state and territorial nurses associations. It is a pleasure to be here this morning to offer our views on implementation of the patient privacy and confidentiality regulations issued by the Department of Health and Human Services as directed by the Health Insurance portability and Accountability Act of 1996 (HIPAA). I will direct my comments to the provisions of the rule limiting disclosure and use of patient information to the minimum amount reasonably necessary.
I am a health care practitioner. Until I became president of the American Nurses Association a year and a half ago, I was a nurse executive in a medium-sized hospital in California. Before that, I spent seventeen years as a staff nurse, and I have served as clinical instructor in nursing.
The third charge in the Code of Ethics for Nurses states:
"The nurse safeguards the patient's right to privacy. The need for health care does not justify unwanted intrusion into the patient's life. The nurse advocates for an environment that provides for sufficient physical privacy including auditory privacy for discussions of a personal nature and policy and practices that protect the confidentiality of information.
"Stemming from the right to privacy, the nurse has a duty to maintain confidentiality of all patient information. The patient's well being could be jeopardized and the fundamental trust between patient and nurse destroyed by unnecessary access to data or by the inappropriate disclosure of identifiable patient information."
That statement is an obligation the nursing profession takes very seriously, and it is why I am here today.
Virtually all of ANA's members are involved in creating, transmitting, maintaining, and safeguarding patient records on a daily basis as an integral part of their professional practice. Working on the front line of health care, registered nurses are well aware of the concerns of their patients regarding privacy and confidentiality and are professionally committed to strong enforceable standards to protect the confidentiality of the health information of their patients.
This commitment has always been a part of professional practice. But the need for federal law is in large part a function of the momentous change in communications technology. Health care professionals have always been aware of the importance of confidentiality and the possibilities for carelessness; the need for that reminder in the code of ethics is real. But the complexity of the health care system means that transgressions of patient confidentiality, intentional or not, have much broader consequences than ever before, because the information travels further and faster and cannot be retrieved.
In my testimony, I will focus on two aspects of this issue that I can speak to as a nurse and as a representative of the nursing profession: First, is the necessity to keep our focus on what is best for the patient. Second, is the practical application of this standard in health care settings.
The most important test that these regulations must meet is whether every individual patient's reasonable expectations for privacy and confidentiality are addressed. Can I assure my patients that - when they are describing the most intimate, troublesome, embarrassing, frightening aspects of their lives to people who will treat them and care for them - there will be safeguards for maintaining the confidentiality of this sensitive information?
If I can't do that, many of my patients will go without treatment or will disclose only some of the information, a dangerous proposition, which can lead to improper diagnosis, improper treatment, complications in an illness or injury, even death. It is hard for patients to talk about a whole range of sensitive issues, which might include mental illness, sexual practices, and physical abuse. And it will not happen at all if you think your story is going to be grist for the local gossip mill because the people who treat you are careless about who hears discussions about your care. And it will not happen if you know that your records may be made available to your employer, who will have then the opportunity to consider the implications of a prescription for antidepressants.
This concern for our patients must be our overriding concern, not whether the rule will be inconvenient for hospitals or practitioners or staffers who handle insurance paper work.
The "minimum necessary" standard requires covered entities to make reasonable efforts to limit disclosure of protected health information to the minimum amount necessary to accomplish the intended purpose of its use. The standard does not apply to disclosures to providers for treatment purposes, to the individual patient or entities specifically authorized by the patient, to comply with standardized transactions required by HIPAA, or for enforcement of the HIPAA statute or other law. I believe it is very important that we convey - as does the Department's guidance document, which contains sensible explanations and a useful question and answer section - the ways in which normal practice will continue without change.
What, then, is left to be regulated? In ordinary terms, the rule speaks to carelessness and insensitivity. But a subtler and, in some ways, more important issue is the need for institutional systems that support practitioners and other health staff in methodical applications of ethical decision-making. This regulation requires that "a covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure....." Of course it must. Accrediting bodies for hospitals already require it. Any suggestion that this is a new or burdensome requirement for health care institutions is really unfounded. Watch your voice, don't talk about patients by name in the hallways, post prominent notices for patients informing them that staff will work to meet their requests for greater privacy - and do it. These instructions are the stuff of daily work in a hospital setting. Every nurse is trained to be attuned to its importance. And any hospital or practitioner that isn't already doing it - and doing it seriously - is a menace. A systematic approach to privacy and confidentiality protections would look at everyday devices like intercoms that carry voices throughout a treatment area populated by numerous and staff - devices that could and should easily by replaced by handsets that allow protected conversations between, say, a nurse and a physician in another part of the hospital. It may be as simple as remembering to close a door when taking a case history in a practitioner's office.
One of the core issues around the controversy that has been raised by these regulations - aside from money - is the extent to which it may require changes in the way practitioners and institutional providers interact among themselves and with their patients. It is understandable that, in an environment that is already in many ways burdensome for practitioners, another layer of regulation can be seen as intrusive and unnecessary. Our response is that these regulations have, as we must have, the patients' best interests at heart. If we are already careful, then these rules give us a framework for making sure that our safeguards are consistent and reliable. If we can't be bothered to be careful, the rules will force us to change our ways - and they should.
A few years ago, the chief medical officer in my hospital was himself a patient in the hospital. While he was a patient, any number of physicians, none of whom was attending, stopped by to offer advice and comments on his condition from information they felt free to glean from his charts. I will tell you that that physician, when he was back at work, made known in no uncertain terms what he thought about this casual breach of privacy. The minimum necessary rule requires that a hospital have in place a policy identifying which practitioners and staff will have access to patient information and under which circumstances. It doesn't prescribe the policy - only that it must be in place and must afford the patient a reasonable expectation that his or her identifiable records will be treated with appropriate respect for privacy and confidentiality.
Every day there are practitioners who, as a matter of ethics and successful treatment, must be able to assure their patients that their records are protected. We have a patchwork of state laws that provide some protections to some people some of the time in some places. The American Nurses Association welcomes this new national standard of basic protections for all of our people all of the time in every place in the nation.
Thank you for allowing me this opportunity to testify. I will be happy to answer questions.