HIM Frontlines covers HIM professionals working in emerging roles and tackling difficult HIM problems.
The HIM Problem
Nursing staff at NorthShore University Health System were worried about protecting patient privacy when family members called for status updates during surgical procedures and inpatient stays.
The HIM Problem Solver
Terri Bunsen, RHIA, chief privacy offer, NorthShore University Health System
In an age when health IT is changing how things are done seemingly overnight, it’s rare to find a policy or procedure—even in the privacy and security space—that’s been unchanged for more than 10 years. But when it works, it works.
Back in 2003, just as HIPAA was being implemented, NorthShore University Health System, which has hospitals and clinics in the northern suburbs of Chicago, was also learning its way around an electronic health record (EHR)—a technology in which NorthShore was an early adopter. In 2003, the EHR was being used in the emergency department and for inpatients.
“In the early days of HIPAA, the staff was very concerned about making sure they followed HIPAA and did the right thing,” says NorthShore’s chief privacy officer, Terri Bunsen, RHIA.
Nurses in particular were concerned since they took the bulk of the phone calls from friends and family of patients calling to inquire about how a patient’s surgery went, or to find out if a patient was in the emergency department, or admitted as an inpatient.
To help ease nursing concerns, Bunsen sat down with nurse leaders to discuss ways in which nurses could help both concerned family members while protecting a patient’s privacy.
“We knew that whatever we came up with, it had to be able to work for all of the caregivers” the patient could encounter during a stay or treatment, Bunsen says.
The solution they agreed on was to create a four-digit patient privacy number, which would be auto-generated by the EHR whenever a patient is admitted, or is registered for an ambulatory procedure. The patient can then choose to share this number with friends and family who might live out of town and want updates on how a surgery went or any noteworthy developments during a patient’s hospital admission. Bunsen says that it was very important to her that the same number is never used twice.
“If you gave someone a code that they used every time, they might not want to share the details with the same family members every time they came in. So we want it to be a code number that would change with each visit,” Bunsen says.
NorthShore’s EHR creates a medical record number for every patient who comes into the system, and that number stays the same forever. But each additional time the patient comes in, a new account number is created every time. The privacy code is the last four digits of that number, and it is prominently displayed on the first screen of a patient’s EHR.
Patients are given a privacy code when they register for a procedure, which is usually done over the phone. If they are admitted to the hospital through the emergency department or following a surgery, they are given the code in their patient handbook, which they receive upon admission.
The privacy code has “really been the most helpful with putting the staff at ease. It helps them know who they can and cannot share information with. If someone calls and says ‘I have the privacy code,’ then the nurse knows they can give out information without having to go to the patient’s room and check,” Bunsen says.
Naturally, knowing who has access to a patient’s health information is harder for caregivers working in an ambulatory and inpatient setting. In a clinic setting, Bunsen says, doctors and nurses easily learn who it’s okay to share relevant information with, whether it’s the son or daughter of an elderly patient. But caregivers in an inpatient setting aren’t as familiar with family dynamics.
“The patient’s in a vulnerable position. Maybe they really don’t want that family member to know [about their health issues], but this makes it easier for the patient to really take control.”
All of NorthShore’s hospitals and ambulatory centers use the privacy code, but, “We consider it a guideline, not a hard and fast policy. I don’t want to say there’s inconsistencies, but it is a guideline. There certainly may be situations where it’s just not going to work for that particular situation,” Bunsen says.