Skip to Main Content

Solutions: A Blog for Health Care Professionals

February 13, 2012

Marci Pederson, RN, BSN, Nurse Educator/Consultant, Avera Education & Staffing Solutions

Federal Regulation – F164

Personal Privacy/Confidentiality of Medical Records

South Dakota long term care facilities had eight deficiencies cited for F164 in 2010.  It ranked number 11 in the top twenty deficiencies for long-term care facilities in South Dakota.   

The regulation F164 states,

§483.10(e) Privacy and Confidentiality

The resident has the right to personal privacy and confidentiality of his or her personal privacy and confidentiality of his or her clinical records.


(1)     Personal privacy includes accommodations, medical treatment, written and telephone communications, personal care, visits, and meetings of family and resident groups, but this does not require the facility to provide a private room for each resident;

(2)     Except as provided in paragraph (e)(3) of this section, the resident may approve or refuse the release of personal and clinical records to any individual outside the facility;

(3)     The resident’s right to refuse release of personal and clinical records does not apply when—


         (i)          The resident is transferred to another health care institution; or

         (ii)          Record release is required by law



                The facility must keep confidential all information contained in the resident’s records, regardless of the form or storage method of the records, except when release is required by—

(i)                 Transfer to another health care institution;

(ii)               Law;

(iii)             Third party payment contract; or

(iv)              The resident. “


In reviewing this regulation one would agree we need to comply with the regulation pertaining to privacy and confidentiality. Is noncompliance with this regulation really a problem in our long term care facilities?   Violations of privacy and confidentiality occur more frequently than we realize.  When surveyors are on-site in long term care facilities they are there only two to three days out of a 365 day year and yet, there were eight deficiencies cited in 2010 for privacy and confidentiality violations.  Imagine what might be seen if this were monitored more frequently.  In reviewing legal actions relating to breaches of confidentiality in medical records, I chose two examples.

  • In a 2008 Nursing News article Debra Wood, RN Contributor, reported a licensed practical nurse who pled guilty to wrongfully disclosing a patient’s health information for personal gain faced a maximum penalty of 10 years imprisonment, a $250,000 fine, or both.  Andrea Smith, LPN, 25, of Trumann, Arkansas, and her husband, Justin Smith, were indicted on federal charges of conspiracy to violate and substantive violations of the Health Insurance Portability and Accountability Act (HIPAA). Smith accessed a patient’s private medical information on November 28, 2006, according to the indictment. She then shared that information with her husband, who on that same day, called the patient. Justin Smith reportedly told the patient he intended to use the information against the patient in an upcoming legal proceeding. “What every HIPAA-covered entity needs to realize and reinforce to its employees is that privacy provisions of HIPAA are serious and have significant consequences if they are violated,” said U.S. Attorney Jane W. Duke, of the Eastern District of Arkansas, in a written statement quoted in Debra Wood’s article.


  • In another article from February 19, 2009, the Associated Press reported a huge settlement of $2.25 million paid by CVS pharmacies because employees at CVS pharmacies left the drug labels and other items in open trash bins outside stores.  The labels contained patients’ names, drugsprescribed, andprescribing physicians’ namesThe company did not have adequate policies for disposing of that information, and did not sufficiently train employees to dispose of the information properly, according to the Federal Trade Commission and the Department of Health and Human Services.


Right to Privacy means the resident has the right to privacy with whomever the resident wishes to be private and this privacy should include full visual, and to the extent desired, for visits or other activities, auditory privacy.  Private space may be created flexibly and need not be dedicated solely for visitation purposes.  This need not be through a provision of private room. The facility staff must examine and treat residents in a manner that maintains the privacy of their bodies. 

  • For example, when a physician, physician’s assistant, or a nurse must conduct a basic physical assessment of a resident, they must do this in a private area.  During 2011, a facility in South Dakota received a deficiency due to not providing privacy to residents during brief physical examinations, such as checking vital signs.  The staff involved was contracted staff from a hospice agency.  The staff person examined the residents in the dining room during meal-time.  The facility learned the importance of clear communication with contracted agencies to ensure the contracted agencies’ staff is familiar with regulatory requirements and residents’ rights.

To conclude, I would suggest we all imagine we are patients or residents in long term care, and then ask ourselves what is important to us when we think about our right to privacy and confidentiality.

If your facility would like to improve regulatory compliance and quality of care pertaining to providing privacy and confidentiality, contact AESS at 605-668-8475 for solutions. 

Marci Pederson, RN, BSN

Marci Pederson, RN, BSN

As a former health facilities senior surveyor, Marci served a variety of health care facilities. Her experience includes nursing education, medical/surgical nursing, psychiatric nursing, infection control, utilization review and quality assurance.

Have a question for Marci? A topic idea for her next column? Need more information on having a mock survey at your facility? Send her an email at