In this section of the NCLEX-RN examination, you will be expected to demonstrate your knowledge and skills of confidentiality and information security in order to:

  • Assess staff member and client understanding of confidentiality requirements (e.g., HIPAA)
  • Maintain client confidentiality and privacy
  • Intervene appropriately when confidentiality has been breached by staff members

According to the United States Department of Health & Human Services, the Health Insurance Portability and Accountability Act (HIPAA) and the HIPAA Privacy Rule provide federal protections for individually identifiable health information and give patients an array of rights with respect to that information.

At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes such as health insurance reimbursement and quality improvement activities.

The Security Rule of HIPAA requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. Unlike the Privacy Rule, which covers protected health information in any form, the Security Rule applies only to information that is created, stored, or transmitted electronically.

Our nation's Health Insurance Portability and Accountability Act (HIPAA) protects patients' rights to the privacy and confidentiality of all medical information, whether written, oral, or electronic. Disclosure is permitted only when the Privacy Rule allows it (for example, for treatment, payment, or health care operations, as noted above) or when the client has expressly authorized it in writing.

Maintaining Client Confidentiality and Privacy

The HIPAA Privacy Rule legally limits access to medical records and information to only those who have a NEED to know, and to the minimum information necessary for their purpose. Those who have the need to know require some data and information about the patient in order to perform direct or indirect patient care. For example, nurses need to know information about the patient so that they can provide the patient with quality care. Dietitians need to know some information about the patient so that they can assess and plan care based on the patient's nutritional needs and status. Those who provide indirect care, such as the director of nursing, the infection control nurse, the wound care nurse and the members of the quality assurance department, also have a need to know about patients and groups of patients so that they can perform their roles, even though they do not provide direct care to the patient. Others who have a need to know include health insurance companies and students, including student nurses.

All nurses must be aware of the implications of and the possible consequences for violations relating to the Health Insurance Portability and Accountability Act and the HIPAA Privacy Rule.

Few nurses violate patient confidentiality intentionally. It is often a momentary lapse in judgment that leads to a breach, so nurses must consciously think before they act or speak.

Nurses should never discuss patients with others who do not have the "need to know". They must protect and secure clients' written records, and they must also secure electronic records by protecting and never sharing their passwords and by logging off after each entry so that no one else can act under their login.

Other practices that protect patient privacy and confidentiality include not responding to any telephone or email inquiry about a patient unless the inquiring person supplies the patient's unique identifier, such as a secret code number or word. Lastly, posting about patients on Facebook or other social media, and photographing patients with a cell phone, are strictly prohibited.

All healthcare facilities have regulations, policies and procedures related to confidentiality and accessing client records. All nurses, and other healthcare providers, have the responsibility to know these regulations, policies and procedures and to adhere to them at all times, without any breaches.

Clients' personal privacy must also be upheld and maintained, including privacy during visits and conversations and while they receive personal care such as hygiene.

Assessing Staff Members' and Client Understanding of Confidentiality Requirements

The best way to know whether or not staff members understand and apply the requirements associated with confidentiality and privacy is to observe them as they perform their roles and uphold these rights.

For example:

  • Are all staff members knowledgeable about the Health Insurance Portability and Accountability Act (HIPAA)?
  • Is the staff member carrying on idle conversations in the cafeteria about patients?
  • Is the staff member logging off the computer before leaving the screen unattended?
  • Is the staff member securing medical records so that anyone without the need to know has no access to them?

Clients must also know their rights and the rights of others in terms of medical information. Nurses can identify a knowledge deficit in this area when a patient asks a nurse a question like "What is wrong with that patient who is always screaming out?" or a similar question. Nurses should inform this inquisitive patient that they cannot share any information that relates to other patients.

Intervening Appropriately When Confidentiality Has Been Breached by Staff Members

The registered nurse has the professional, ethical and legal responsibility to ensure that all client rights, including the clients' rights to privacy and confidentiality, are upheld, supported and advocated for.

Whenever a nurse witnesses any breach of confidentiality and privacy including, but not limited to, any unauthorized access to medical records by those without the need to know, idle discussions that violate HIPAA regulations, a failure to log off the computer when done, and the lack of privacy during change of shift reports, the nurse must intervene immediately by correcting the situation and not allowing it to continue, and must then report the breach according to the facility's policies and procedures.
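Two of the breaches listed above, access to a chart by someone without the need to know and failure to log off, leave traces in an electronic health record's access audit log, and the need-to-know rule from "Maintaining Client Confidentiality and Privacy" can be written down as a check against that log. The Python below is an added example written for this page; it is not code from the page's author or from any real EHR product. The care-team roster, the role names, the user and patient IDs, the log format and the 15-minute idle limit are all assumptions made up for illustration.

```python
"""Need-to-know check and audit-log review for an electronic health record.

Added example for this study page, not code from any real EHR system.
Roster, roles, IDs, log format and the idle limit are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Roles whose duties give a need to know about patients they do not care for
# directly (the page's "indirect care" examples). Assumed role names.
INDIRECT_CARE_ROLES = {"director_of_nursing", "infection_control_nurse",
                       "wound_care_nurse", "quality_assurance"}

# Constructed roster: patient -> staff assigned to that patient's direct care.
CARE_TEAM = {
    "P100": {"rn_alice", "diet_bob", "stu_carol"},
    "P200": {"rn_alice", "rn_dave"},
}


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    role: str
    action: str        # "login", "logoff", "view" or "update"
    workstation: str
    patient: str = ""  # empty for login/logoff events


@dataclass(frozen=True)
class Finding:
    when: datetime
    user: str
    patient: str
    issue: str


def has_need_to_know(user, role, patient):
    """Return (allowed, reason). Direct-care staff must be on the patient's
    care team; indirect-care roles have a need to know for any patient."""
    if user in CARE_TEAM.get(patient, set()):
        return True, "assigned to the patient's care team"
    if role in INDIRECT_CARE_ROLES:
        return True, f"indirect-care role '{role}'"
    return False, "not on the care team and not an indirect-care role"


def find_breaches(events, idle_limit=timedelta(minutes=15)):
    """Flag chart accesses without need to know, sessions left idle before
    logoff, and sessions never logged off by the end of the log."""
    findings = []
    sessions = {}  # workstation -> [user, time of last activity]
    for ev in sorted(events, key=lambda e: e.when):
        if ev.action == "login":
            sessions[ev.workstation] = [ev.user, ev.when]
            continue
        if ev.action == "logoff":
            sess = sessions.pop(ev.workstation, None)
            if sess and ev.when - sess[1] > idle_limit:
                findings.append(Finding(ev.when, ev.user, "",
                    f"session on {ev.workstation} idle {ev.when - sess[1]} before logoff"))
            continue
        allowed, reason = has_need_to_know(ev.user, ev.role, ev.patient)
        if not allowed:
            findings.append(Finding(ev.when, ev.user, ev.patient,
                                    f"{ev.action} without need to know: {reason}"))
        if ev.workstation in sessions:
            sessions[ev.workstation][1] = ev.when
    for ws, (user, last) in sessions.items():
        findings.append(Finding(last, user, "", f"session on {ws} never logged off"))
    return findings


def _t(hhmm):
    hour, minute = hhmm.split(":")
    return datetime(2024, 3, 1, int(hour), int(minute))


# Constructed sample audit log for one morning shift.
SAMPLE_LOG = [
    AccessEvent(_t("08:00"), "rn_alice", "rn", "login", "WS1"),
    AccessEvent(_t("08:02"), "rn_alice", "rn", "view", "WS1", "P100"),
    AccessEvent(_t("08:05"), "rn_alice", "rn", "update", "WS1", "P200"),
    AccessEvent(_t("08:06"), "rn_alice", "rn", "logoff", "WS1"),
    AccessEvent(_t("08:10"), "rn_dave", "rn", "login", "WS2"),
    AccessEvent(_t("08:12"), "rn_dave", "rn", "view", "WS2", "P100"),   # not on P100's team
    AccessEvent(_t("08:40"), "rn_dave", "rn", "logoff", "WS2"),         # 28 min idle first
    AccessEvent(_t("09:00"), "qa_erin", "quality_assurance", "view", "WS3", "P200"),
    AccessEvent(_t("09:05"), "clerk_frank", "unit_clerk", "view", "WS3", "P200"),
    AccessEvent(_t("09:30"), "stu_carol", "student_nurse", "login", "WS4"),
    AccessEvent(_t("09:31"), "stu_carol", "student_nurse", "view", "WS4", "P100"),
]

if __name__ == "__main__":
    for f in find_breaches(SAMPLE_LOG):
        print(f.when.strftime("%H:%M"), f.user, f.patient or "-", f.issue)
```

Run against the sample log, the review flags rn_dave's view of a patient he is not assigned to, his 28-minute unattended session, clerk_frank's view of P200, and stu_carol's session that was never logged off; qa_erin's access is accepted because quality assurance is an indirect-care role. A real review would take the roster from the scheduling system rather than a hard-coded dictionary, but the shape of the check, roster membership or an indirect-care role, then session hygiene, is the same.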


SEE - Management of Care Practice Test Questions