Back To Good Reads

Patient Privacy in the Clinical Setting

April 1, 2023 MHDC Staff

Patient Experience icon

We all work in companies in the healthcare sector and most of us routinely receive HIPAA training whether or not we're in clinical settings. This training should make us very aware of what is considered PHI. No MHDC employees work in clinical settings, but we all get this training.

Sometimes, when we're in our role as patients, we have cause to wonder if the staff at hospitals or clinics have had the same training. It's very common to have shared spaces in these settings, especially in pre-surgical, recovery, and ED settings. Sometimes there are cubicles separated by curtains. Sometimes patients are left in and even treated in hallways. Inpatient rooms are almost always shared with at least one other patient. In all of these settings there are no sound barriers restricting verbal discussions to individual patients. Every single question, answer, discussion, explanation, and request is heard not just by the patient getting care and any companions, but also other patients, their visitors, their care team (if different), people walking in hallways, and perhaps others.

This is exacerbated by constantly having to repeat/confirm name and date of birth for every interaction in some of these settings. The medical information isn't just supplied in a vacuum, but specifically verbally tied to identity - in other words, it's PHI. Whether or not you want to hear it, you'll learn other people's current medication, medical history, demographic information, and more - and lots of people will hear yours whether you want them to or not.

Some people may not be aware enough of what's going on to absorb the information they're hearing and others may not care if people know their information, but some people may care and it's their right to have their information protected. Where is the HIPAA line drawn?

This can be worse for patients with disabilities who may need additional assistance with paperwork. When help is provided, it almost always occurs in a waiting room with everyone present able to hear all of the answers provided. Expansive medical history, specifics about why the current visit was scheduled, and information about their disability/why assistance is needed are all likely to be overheard by everyone in the waiting room. Sometimes this can be a 20-30 minute ongoing stream of private health information.

This isn't the only time people may be expected to share private information in the waiting room. If you've ever arrived at a provider and been asked to update your registration, chances are good you were directed to either a library-style carrel or low walled office-style cubicle in a corner of the waiting room. This gives the illusion of a modicum of privacy because you cant see out but offers little or no privacy in reality. This may or may not involve sharing of PHI depending on what's asked, but it certainly involves a lot of very personal information.

Another time people may be expected to share information in waiting rooms is if they asked for someone from patient services to come address some issue they've encountered. While this varies from facility to facility, there can be an expectation to explain any issues in the waiting room simply because the person sent to hear them doesn't have office space in the clinic. Since the patient is likely already upset and looking to explain why, this seems like a particularly egregious invasion of privacy.

We're sure there are many other examples of this type of casual questioning about or discussion of personal or health-related information in waiting rooms, spaces separated from others only by a curtain, and other not-really private places.

There are often signs in elevators to be careful not to discuss patient specifics to preserve privacy, but this advice needs to be taken and worked into standard operating processes in many other spaces and care situations for outpatient, inpatient, and emergency care. We appreciate that in many cases space is limited and has not been designed with privacy in mind, but whether it's PII or PHI and whether during data collection, data storage, or data exchange people deserve to have their privacy respected.

We know this is a thorny issue - we’d love to hear your thoughts on what we can do as an industry given the physical spaces that already exist and will likely continue to be used for some time to come.

Share This: