The legislation that guarantees confidentiality of all patient information is

An overview of what information is protected, by what measures and laws, and why this is essential to the healthcare provider-patient relationship.

Radiologists and radiographers have been at the forefront of adopting digital medical imaging and electronic health information [1]. In order to provide high quality medical care to patients, radiologists and radiographers use information from the Hospital Information System (HIS), Radiology Information System (RIS), and Picture Archiving and Communication System (PACS) [2]. Medical images are digitally archived, transferred on telecommunication networks, and visualized on computer screens [3]. However, in this electronic age, these trends have led to increased access to the patient’s primary health record and subsequent concerns about confidentiality [4]. The protection of patient privacy and the confidential health information related to patients are now recognized as a patient right and an essential element of medical ethics. They are guaranteed by many constitutions, laws, and international conventions [5].

This article clarifies the value of confidentiality in healthcare settings, and provides an overview of the international laws and guidelines aiming to ensure the health information protection, and to end by presenting measures to guarantee confidentiality in radiology department.

Table of Contents

What counts as “patient data”?

Patient data is all the personal information about or related to a patient’s physical or mental health. This includes what health and care services they have received which would reveal or indicate in some way information about the patient’s health status [2]. Patient data can include information relating to a patient past and current health or illness, their treatment history, lifestyle choices, and genetic data [6].

What exactly does confidentiality mean in a healthcare setting?

In a healthcare setting, confidentiality is “the principle of keeping secure and secret from others, information given by or about an individual in the course of a professional relationship,” and it is the right of every patient, even after death [7]. Confidentiality is considered as essential to the relationship between a patient and healthcare provider, because without it, patients may be hesitant to get medical help or may withhold information that healthcare personnel or doctors need to make a proper diagnosis or provide treatment [8].

The gist: Confidentiality requires healthcare providers to keep a patient’s personal health information confidential unless the patient consents to releasing the information.

What is confidentiality in radiography?

All members of imaging and radiation teams must respect a patient’s privacy and never reveal or discuss a patient’s personal information without the explicit permission of that patient.

How to Protect Patient Confidentiality and Data in the Radiology Department

In radiology department, which rely on PACS systems and medical imaging networks, safeguarding and protecting patient data and confidentiality is known to be more difficult. The Royal College of Radiologists, in their second edition of Guidance on maintaining patient confidentiality when using radiolody department information systems, recommends the following measures be taken:

• All staff should be informed that confidentiality is an obligation for everyone. This includes external contractors, volunteers, and students. Further, an institution must ensure that all relevant personnel are properly trained in healthcare confidentiality.
• Patient information should be recorded accurately and consistently. Medical jargon, abbreviations, speculation, and personal opinions should not be used.
• Patient information must not be discussed inappropriately or where there is a risk of being overheard. Patient information must be disclosed with care.
• Keeping information secure.
• Use of encrypted storage or devices
• Restricting physical access to authorized personnel only.
• Preserving copies and conducting data backups.
• Using firewalls and secure modes of transmission for communication, (e.g., virtual private networks (VPN) or secure sockets layer (SSL) and encryption techniques).
• Laptops and mobile phones holding patient information should not be left unattended (and, if possible, should be encrypted).
• Computers must be password-protected and logged out when not in use so that patient information is not visible to people passing by.
• Passwords should never be shared and should be changed regularly.
• Except for the purposes of audit, research, or teaching, it is not appropriate to “browse” PACS, RIS, or other electronic systems or interrogate them for patient information with which there is no legitimate relationship.
• Patient information should not be removed from the workplace unless specific local rules have been agreed.
• Maintaining emergency contingency protocols.
• Disposing of outdated devices properly so that patient data cannot be recovered from them.
• Check that persons requesting information are genuine and have a legitimate reason to access that information.
• Share only the minimum information required.
• If in doubt, do NOT share information.
• Reporting any breaches of confidentiality at the earliest opportunity [9][10].

The gist: Reporting any breaches of confidentiality at the earliest opportunity [9][10].

The Eight Caldicott Principles (UK)

You can also use the eight Caldicott principles to ensure patient healthcare information is kept confidential and used appropriately.

• Principle 1: Justify the purpose(s) for using confidential information
• Principle 2: Use confidential information only when it is necessary
• Principle 3: Use the minimum necessary confidential information
• Principle 4: Access to confidential information should be on a strict need-to-know basis
• Principle 5: Everyone with access to confidential information should be aware of their responsibilities
• Principle 6: Comply with the law
• Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality
• Principle 8: Inform patients and service users about how their confidential information is used [11]

Value and Importance of Confidentiality in Healthcare

Since Hippocrates (of “Do no harm” fame), confidentiality has been presented as a pillar of ethics in healthcare. It is actually rooted in respect for autonomy and self-control of information [12]. In fact, in healthcare settings, patient confidentiality and privacy are considered a patient’s right. That means it is the patient who gets to choose how, when, and to what extent their confidential health information is collected, used, and shared with others [2]. This right is guaranteed by a slew of laws and regulations. More on that below.

It is one thing to understand that confidentiality and privacy are a patient right; it is another entirely to understand their importance in healthcare and treatment and to value them. Respect for patient confidentiality and privacy is important because it acts as a safeguard for the well-being of patients and helps to maintain patient confidence in the healthcare provider-patient relationship [13]. Consider the impact on the patient if personally identifiable health information is shared with their family, friends, or employer: they may suffer embarrassment, humiliation, stigmatization, and discrimination. And if patient’s had to worry about the risk of their private information being shared, they may be less likely to provide an honest and complete disclosure of sensitive information. Ensuring privacy and confidentiality can promote more effective communication between caregiver and patient, which is essential for quality of care, enhanced autonomy, and preventing harm, embarrassment, and discrimination for patients [4].

Ensuring patient health information remains confidential is a patient right!

Laws and Guidelines on Confidentiality in Healthcare

The patient right to privacy and confidentiality has become a right in its own way over time, and it is now recognized and guaranteed by many constitutions, laws, and international conventions [5].

HIPAA

Radiologic technologists in the United States must be acutely aware of the Health Insurance Portability and Accountability Act (HIPAA), public law 104-191, which was enacted into federal law to ensure that patients’ personal health data remains private and secure in healthcare settings. There are two main sections of the law: the privacy rule, which addresses the use and disclosure of individuals’ health information, and the security rule, which sets standards for protecting the confidentiality, integrity, and availability of electronically protected health information [14].

HIPAA violations have very serious consequences, depending on the severity and nature of the violation. Your employer may deal with the matter internally or you may be fired; you could be sanctioned by professional organizations, such as the American Registry of Radiologic Technologists (ARRT®) for violating the ARRT® Standards of Ethics; you may even face civil or criminal charges (with criminal fines for a willful violation set at a minimum of $50,000 and a maximum of $250,000).

JCI Standards

The Joint Commission International (JCI) standards for hospital accreditation require organizations to comply with applicable law and regulation to protect the confidentiality of patient health information. These standards state that it doesn’t matter if this information is in paper or electronic form or some combination of the two, the hospital must respect such health information as confidential. Staff must respect patient privacy and confidentiality by not posting confidential health information on the patient’s door or at the nursing station and by not holding patient-related discussions in public places where you may be overheard.

Healthcare staff should be aware of laws and regulations governing the confidentiality of information and inform patients about how the hospital respects their privacy and ensures confidentiality of information. Patients must also informed about when and under what circumstances confidential health information may be released and how their permission will be obtained (Chapter: Patient and Family Rights) [15].

GDPR

For radiologic technologists in the European Union, the new General Data Protection Regulation (GDPR) is of the utmost importance. It contains specific regulations for healthcare data and medical images. The new regulations try to protect the confidentiality of patients’ personal health data, and, at the same time, try to safeguard the benefits of digital image processing in healthcare.

The GDPR addresses new obligations for healthcare providers (including radiology departments), including data access for patients, rules for data processing (including explicit consent of the data subject if not exempt), or technical and organizational protections. These new regulations mean that radiology departments, specifically, must:

• Get explicit consent from the patient before processing or communicating his or her data, except in specific situations exempt from this regulation;
• Implement technical and organizational safeguards for confidential patient health information (for example, making patient information anonymous, using pseudonyms, or encrypting patient data that will be used in public health projects, individual research projects, or imaging databases for analysis)
• To notify the national supervisory authority within 72 hours in case of a breach of personal data [2].

The gist: Ensuring the security, confidentiality, and protection of patients’ healthcare data is not just an ethical obligation; in many places, it is a legal requirement with severe consequences for violations.

Conclusion

Confidentiality is the foundation on which the healthcare provider-patient relationship is built and essential in building and maintaining trust. In the radiology department, with the use of PACS and RIS, is is more important than ever to stay aware of confidentiality regulations, to be familiar with organizational data security policy, to develop a professional culture that values and respects patient privacy at all times (even if nobody is listening in on your private conversation with your work friend about that patient you just saw) [2] [12].

References

• European Society of Radiographers & European Federation of Radiographer Societies (2019). Patient safety in medical imaging: A joint paper of the European Society of Radiology (ESR) and the European Federation of Radiographer Societies (EFRS). Radiography, 25(2),e26-e38.
• European Society of Radiology. (2017). The new EU General Data Protection Regulation: What the radiologist should know. Insights into Imaging, (8)3, 295-299.
• Noumeir, R., & Chafik, A. (2015). Access control and confidentiality in radiology. Proceedings of SPIE – The International Society for Optical Engineering, Medical Imaging 2005: PACS and Imaging Informatics.
• Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information. (2009). The value and importance of Health Information Privacy, in S. J. Nass, L.A. Levit, & L.O. Gostin (Eds.), Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research., Washington, National Academies Press.
• Demirsoy,N., & Kırımlıoğlu, N. (2016). Protection of privacy and confidentiality as a patient right: Physicians’ and nurses’ viewpoints. Biomedical Research, 27, 1437-1448.
• Genetic Alliance. What is patient data and how is it used? Genetic Alliance (2016, May 3). [Link]
• Bourke, J., & Wessely, S. (2008). Confidentiality. The BMJ, 336(7649), 888–891. [Link]
• Dybian, M. (2015, July 1). All healthcare staff have a duty of confidentiality. Guidelines in practice. [Link]
• National Research Council (US) Committee. (1997). Technical approaches to protecting electronic health information in For the Record Protecting Electronic Health Information, US, National Academies Press. doi: 10.17226/5595
• The Royal College of Radiologists. (2019). Guidance on maintaining patient confidentiality when using radiology department information system. [Link]
• National Data Guardian for Health and Social Care. (2020). The Eight Caldicott Principles. [Link]
• Noroozi, M., Zahedi, L., Bathaei, F.S., & Salari, P. (2018). Challenges of confidentiality in clinical settings: Compilation of an ethical guideline. Iranian Journal of Public Health, 47(6), 875-883, 2018.
• Beltran-Aroca, C.M., Girela-Lopez, E., Collazo-Chao, E., Montero-Pérez-Barquero, M., & Muñoz-Villanueva, M.C. (2016). Confidentiality breaches in clinical practice: What happens in hospitals? BMC Medical Ethics, 17(1), 52.
• Tariq, R. A., & Hackert, P. B. (2021). Patient Confidentiality. In StatPearls. StatPearls Publishing.
• Joint Commission International. (2017). Joint Commission International accreditation standards for hospitals. [Link]
• Dilauro, M., Thornhill, R., & Fasih, N. (2016). How well are we respecting patient privacy in medical imaging? Lessons learnt from a departmental audit. Canadian Association of Radiologists Journal, 67(4), 339–344. [Link]

Disclaimer: The information provided on this website is intended to provide useful information to radiologic technologists. This information should not replace information provided by state, federal, or professional regulatory and authoritative bodies in the radiological technology industry. While Medical Professionals strives to always provide up-to-date and accurate information, laws, regulations, statutes, rules, and requirements may vary from one state to another and may change. Use of this information is entirely voluntary, and users should always refer to official regulatory bodies before acting on information. Users assume the entire risk as to the results of using the information provided, and in no event shall Medical Professionals be held liable for any direct, consequential, incidental or indirect damages suffered in the course of using the information provided. Medical Professionals hereby disclaims any responsibility for the consequences of any action(s) taken by any user as a result of using the information provided. Users hereby agree not to take action against, or seek to hold, or hold liable, Medical Professionals for the user’s use of the information provided.

What is confidentiality in healthcare quizlet?

What does Hipaa stand for quizlet?