A 'Critical Eye' on Patient Confidentiality in Eye Care

Christina M. Sorenson, OD


November 20, 2018

The Health Insurance Portability and Accountability Act (HIPAA) of 1996[1] changed how we handled medical charting, but did it change our habits?

Certainly, there is more "paperwork" for the patient to review and sign and more time to be spent on annual reviews and updates of that paperwork. But did this act essentially change how we handle private information in eye care? I think HIPAA addressed the administrative, physical, and technical security of private health information well. HIPAA achieved this change in a remarkably short time frame given the size, breadth, and variety of the healthcare system of the United States. Where HIPAA fails seems to be at the end user—the employee who just cannot help but review a patient's chart "because the eye was disgusting."

A few months ago, I cared for such a patient, who had a chlamydial infection, certainly an etiology that may carry some stigma. Our practice rigorously follows universal precautions, so my reminder to the support staff to observe these precautions was probably unnecessary and may have triggered what happened next. When I took my lunch break, I stumbled into a full-on dissection of the patient's presentation by the technical staff, none of whom had any reasonable cause to enter the patient's chart. They were simply curious. After I reprimanded them for the ill-gotten knowledge, I reflected on the root cause of this breach. It was our failure in a few key areas.

With an exponentially growing staff, from a single surgeon to a multiple-surgeon, multiple-optometrist practice, we had become lax in emphasizing which employees have access to electronic protected health information (ePHI), specifically when access is indicated and for what reason it is allowed. Just being curious does not meet this standard. We have a training program for employees to learn the privacy policy, but, on reflection, it was only loosely structured around how the policy applies to each employee's specific job.

Our annual risk-assessment/internal audit to determine our organization's security risk clearly neglected the human factor. We could check all the boxes and meet all of the requirements, but we were not holding the important discussions on the day-to-day application of patient privacy.

Since this realization, our training has expanded to include the human-factor discussions; that is, the "just because you can does not mean you should" criterion is discussed with each employee. Justification for entering a chart is documented, giving the employee another reminder of their accountability to uphold the tenets of HIPAA.

This occurrence was a strong reminder to review our practice's culture and habits with a critical eye toward always striving for excellence in the care we provide.
