Patient Confidentiality

In the medical laboratory, protecting patient privacy is not just an ethical obligation; it is a federal law. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets the national standard for the protection of health information. For Cytogenetics laboratory scientists, who handle sensitive genetic data that has implications not only for the patient but for their entire family, adherence to these standards is critical. Violations can result in severe fines for the institution, termination of employment, and even criminal charges for the individual.

Protected Health Information (PHI)

The core of HIPAA is the protection of PHI. PHI is defined as any information held by a covered entity (the lab or hospital) that concerns health status, provision of healthcare, or payment for healthcare and that can be linked to an individual.

  • The 18 Identifiers: HIPAA lists 18 specific identifiers that render data “PHI.” In the Cytogenetics lab, the most common include:
    • Names (the patient's name)
    • Dates (birth date, admission date, date of collection)
    • Medical Record Numbers (MRN)
    • Laboratory Accession Numbers: even though this number is generated by the lab, it is a unique link to the patient.
    • Biometric Identifiers: in a broad sense, a unique chromosomal rearrangement or a high-resolution microarray profile could be considered unique to that individual.
    • Any other unique identifying number, characteristic, or code.
  • ePHI (Electronic PHI): This refers to PHI stored or transmitted digitally. In Cytogenetics, this includes:
    • Digital images of metaphase spreads stored on imaging servers (e.g., CytoVision, GenASIs)
    • Patient reports in the Laboratory Information System (LIS)
    • Emails between the lab and the pathologist containing patient details

The Privacy Rule: Behavioral Standards

The Privacy Rule governs how PHI is used and disclosed. The guiding principle is the “Minimum Necessary Standard”: a laboratory scientist should access or disclose only the minimum amount of information required to perform their specific job duty.

  • Authorized Access
    • A laboratory scientist can access the Electronic Medical Record (EMR) to check a patient’s diagnosis to determine which FISH probes to set up (e.g., checking if a patient has CLL vs. AML)
    • A laboratory scientist cannot access the EMR of a neighbor, celebrity, or family member out of curiosity. “Snooping” is tracked by audit logs and is grounds for immediate termination
  • Verbal Privacy
    • The “Elevator Rule”: Never discuss patient cases, names, or results in public areas (elevators, cafeterias, hallways). Even if names are omitted, describing a unique case (e.g., “the baby with the translocation 4;15”) could allow bystanders to identify the patient
    • Phone Protocols: When giving results over the phone, the laboratory scientist must verify the identity of the caller (e.g., asking for a callback number or physician code) to ensure they are authorized to receive the results
  • Visual Privacy
    • Worksheets: Paperwork should not be left face-up in areas where unauthorized visitors (e.g., maintenance staff) might see it. Flip paperwork over when leaving the bench
    • Monitors: Computer screens displaying karyotypes or patient lists should be positioned away from public view. Screens must be locked (Windows + L) whenever the user walks away

The Security Rule: Technical Safeguards

The Security Rule deals specifically with protecting ePHI from unauthorized access, deletion, or transmission.

  • Authentication
    • Every user must have a unique username and password
    • Never Share Passwords: It is a violation to log in as someone else or allow a student to use your login. If a breach occurs under your login, you are responsible
  • Audit Trails
    • The LIS records every single action: who logged in, which patient file was opened, what result was entered, and exactly when. This digital footprint is permanent
  • Data Security
    • USB Drives: Using unencrypted personal thumb drives to move images or data is typically prohibited due to the risk of loss/theft
    • Emailing Reports: Reports should generally not be emailed to outside providers unless the email system is encrypted. Secure fax or web-portal access is preferred
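The audit-trail and unique-login points above are easier to appreciate with a concrete review of the kind of log the LIS keeps. The following is an added example, not code from the original page or from any LIS vendor: it parses a constructed pipe-delimited audit export, flags patient-record views by users who have no assigned case on their worklist (the “snooping” case), and flags an account that is logged in on two workstations at once (a common sign of a shared password). The log format, field names, accession numbers and the worklist mapping are all assumptions made for the example.

```python
"""Review an LIS audit trail for two HIPAA Security Rule red flags:
1. patient-record actions with no worklist justification (possible snooping)
2. one account active on two workstations at once (possible shared login)
Every log line and worklist entry below is constructed for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: LIS audit export, one event per line.
# Fields: timestamp | user | workstation | action | accession
AUDIT_LOG = """\
2024-03-04T08:02:11|jdoe|CG-BENCH-1|LOGIN|
2024-03-04T08:05:40|jdoe|CG-BENCH-1|VIEW_CASE|CG24-0101
2024-03-04T08:21:03|jdoe|CG-BENCH-1|ENTER_RESULT|CG24-0101
2024-03-04T09:14:55|jdoe|CG-BENCH-1|VIEW_CASE|CG24-0417
2024-03-04T09:30:00|asmith|CG-BENCH-2|LOGIN|
2024-03-04T09:31:10|asmith|CG-BENCH-2|VIEW_CASE|CG24-0417
2024-03-04T10:02:00|jdoe|CG-BENCH-3|LOGIN|
2024-03-04T10:03:12|jdoe|CG-BENCH-3|VIEW_CASE|CG24-0102
2024-03-04T10:45:00|jdoe|CG-BENCH-1|LOGOUT|
"""

# Constructed sample: accessions each user is assigned to work on today.
WORKLIST = {
    "jdoe": {"CG24-0101", "CG24-0102"},
    "asmith": {"CG24-0417"},
}

# Actions that touch an identifiable patient record.
PATIENT_ACTIONS = {"VIEW_CASE", "ENTER_RESULT", "PRINT_REPORT"}


def parse_audit(text):
    """Turn the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, action, accession = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "workstation": ws,
            "action": action,
            "accession": accession,
        })
    return events


def unjustified_access(events, worklist):
    """Return (user, accession, time) for patient-record actions on cases
    the user is not assigned to. The worklist stands in for the
    'minimum necessary' justification; a supervisor reviews the hits."""
    flagged = []
    for ev in events:
        assigned = worklist.get(ev["user"], set())
        if ev["action"] in PATIENT_ACTIONS and ev["accession"] not in assigned:
            flagged.append((ev["user"], ev["accession"], ev["time"].isoformat()))
    return flagged


def concurrent_sessions(events):
    """Return users whose account was logged in on more than one
    workstation at the same time."""
    active = defaultdict(set)   # user -> workstations currently logged in
    flagged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] == "LOGIN":
            active[ev["user"]].add(ev["workstation"])
            if len(active[ev["user"]]) > 1:
                flagged.add(ev["user"])
        elif ev["action"] == "LOGOUT":
            active[ev["user"]].discard(ev["workstation"])
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_audit(AUDIT_LOG)
    for hit in unjustified_access(evs, WORKLIST):
        print("unjustified access:", hit)
    for user in concurrent_sessions(evs):
        print("concurrent sessions:", user)
```

On the constructed data, jdoe's view of CG24-0417 (a case on asmith's worklist, not jdoe's) is flagged, and jdoe's second login on CG-BENCH-3 while still logged in on CG-BENCH-1 is flagged. A worklist is only one possible justification; a real review would also accept, for example, a supervisor's QC role, so the output is a list for a human to examine, not an automatic verdict.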

Genetic Information Nondiscrimination Act (GINA)

While HIPAA protects privacy, GINA (2008) protects patients from discrimination based on that genetic information. This is particularly relevant to Cytogenetics.

  • The Protection: GINA prohibits health insurers and employers from using genetic information (including family history and carrier testing results) to:
    • Deny coverage or raise premiums
    • Make hiring, firing, or promotion decisions
  • Lab Relevance: Laboratory scientists must understand that a karyotype result showing a balanced translocation in a healthy adult (which might affect their future children but not their own health) is highly sensitive data protected under this federal act

Disposal & De-identification

Proper disposal of PHI is a key component of compliance.

  • Paper Records: Any worksheet, printout, or sticky note with a patient identifier must be placed in a secure shredding bin. It cannot be thrown in the regular trash
  • Specimen Labels: When disposing of old culture flasks or tubes, the labels containing patient names/MRNs should be defaced or removed, or the entire vessel placed in a biohazard bin that is destined for incineration (which destroys the data)
  • Research and Education
    • If a rare case is used for a conference presentation or student teaching, it must be de-identified
    • This involves removing all 18 HIPAA identifiers
    • Showing a picture of a karyotype is generally acceptable if the name and accession number are cropped out, as the chromosomes alone (usually) cannot identify the patient to the general public
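To make the de-identification step concrete, here is an added example (not code from the original page or from any laboratory system) that strips a constructed case record of the direct identifiers named above (name, MRN, accession) and reduces the date fields to the year, which the HIPAA Safe Harbor method permits (ages of 90 and over are aggregated as “90+”). It then scans the free-text fields that remain, because an identifier copied into the indication or comment is the usual way a “de-identified” teaching case still leaks. The field names and the record contents are assumptions made for the example.

```python
"""De-identify a cytogenetics case record before it is used for teaching.
Removes the direct identifiers named in the text (name, MRN, accession),
reduces dates to the year, and scans the surviving free-text fields for
leaks of those same values. The sample record is constructed for this example."""
import re

# Constructed sample record as it might be exported from the LIS.
CASE = {
    "patient_name": "Jane Q. Sample",
    "mrn": "00912345",
    "accession": "CG24-0417",
    "birth_date": "1931-06-02",
    "collection_date": "2024-03-01",
    "sex": "F",
    "karyotype": "46,XX,t(9;22)(q34;q11.2)[18]/46,XX[2]",
    "indication": "CML follow-up for Jane Q. Sample, MRN 00912345",
    "comment": "Bone marrow, accession CG24-0417, 20 cells analysed.",
}

# Fields removed outright (direct identifiers from the HIPAA list).
DIRECT_IDENTIFIERS = ("patient_name", "mrn", "accession")
# Date fields reduced to the year (Safe Harbor permits the year alone).
DATE_FIELDS = ("birth_date", "collection_date")
# Free-text fields that may carry identifiers and must be scanned.
TEXT_FIELDS = ("indication", "comment")


def deidentify(record, reference_year=2024):
    """Return (clean_record, redacted_fields). clean_record is safe for
    teaching; redacted_fields lists free-text fields that still carried
    an identifier and had it replaced with [REDACTED]."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

    # Keep the year only; derive an age and aggregate 90+ as required.
    for field in DATE_FIELDS:
        if field in out:
            out[field] = out[field][:4]
    if "birth_date" in out:
        age = reference_year - int(out["birth_date"])
        out["age"] = "90+" if age >= 90 else str(age)
        del out["birth_date"]

    # Build a pattern from every identifier value, plus the individual
    # name parts, so a bare surname in a comment is also caught.
    tokens = set()
    for key in DIRECT_IDENTIFIERS:
        val = record.get(key, "")
        if not val:
            continue
        tokens.add(val)
        tokens.update(p for p in re.split(r"[\s,.]+", val) if len(p) > 2)
    ordered = sorted(tokens, key=len, reverse=True)   # longest match first
    pattern = re.compile("|".join(re.escape(t) for t in ordered), re.IGNORECASE)

    redacted = []
    for field in TEXT_FIELDS:
        if field in out and pattern.search(out[field]):
            out[field] = pattern.sub("[REDACTED]", out[field])
            redacted.append(field)
    return out, redacted


if __name__ == "__main__":
    clean, hits = deidentify(CASE)
    print("identifiers found in free text:", hits)
    for key, value in clean.items():
        print(f"{key}: {value}")
```

The karyotype string itself is left intact, matching the point above that the chromosomes alone usually do not identify the patient; what the scan catches is the name and MRN pasted into the indication and the accession number in the comment. A record that comes back with an empty redacted list still deserves a manual read before it goes on a slide, since a free-text field can carry an identifier in a form the token list does not know.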

Breach Notification

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI.

  • Examples of Breaches
    • Faxing a Cytogenetics report to the wrong physician’s office
    • Handing a discharge summary to the wrong patient
    • A laptop containing unencrypted patient images being stolen from a car
  • Reporting
    • If a laboratory scientist suspects a breach (e.g., they realize they faxed the wrong number), they must report it to the Privacy Officer or Supervisor immediately
    • The institution is legally required to notify the affected patient(s) and, in large cases, the Department of Health and Human Services (HHS) and the media. Hiding a mistake makes the penalties much worse