A key factor in reinforcing organization policy is the practice of retraining every year. Annual installments remind employees that policy is in place to guide their behavior; they also allow an organization to educate employees about changes that have resulted from statutory or regulatory changes, procedural changes, and changes in the threat environment. At least one site visited by committee members had sections to be marked off on the employee performance review form that verified the employee's attendance at training and his or her viewing of the confidentiality video.

In addition to a formal policy guide, some sites circulated periodic memos and newsletters to employees in order to provide regular reinforcement and to make a tangible addition to the employees' knowledge base. Information on changes in the data system was distributed routinely, and the ongoing policies were regularly reinforced.

User Confidentiality Agreements

In addition to informing employees of the organization's expectations with regard to keeping health information confidential, organizations need to hold them responsible for their behavior. Of the sites visited by committee members, several required any individual accessing the information system to sign a form verifying that he or she had read, had understood, and was committed to the organization's confidentiality policies.19 In keeping with other ongoing efforts, employees were required to sign this agreement during the initial orientation session and annually thereafter at the time of their performance review. Confidentiality agreements may also be used for nonemployees who have access to health information; these can include contract workers, vendors, physician's office staff, students, temporary workers, and volunteers. See Box 5.4 for a sample confidentiality agreement developed by the Computer-based Patient Record Institute (CPRI).

Sanctions For Breaches Of Confidentiality

The most effective response to either internal or external violations of confidentiality policies follows from disciplinary sanctions described in


The Computer-based Patient Record Institute advises that all health provider organizations will benefit from developing confidentiality agreements. These include hospitals, physician offices, home health agencies, pharmacies, nursing homes, and others. See Computer-based Patient Record Institute (CPRI). 1996. Sample Confidentiality Statements and Agreements for Organizations Using Computer-based Patient Record Systems, Work Group on Confidentiality, Privacy, and Security. CPRI, Schaumburg, Ill., May.

The National Academies of Sciences, Engineering, and Medicine

Copyright © National Academy of Sciences. All rights reserved.