Privacy Ethics in Healthcare

Journal of Health Care Compliance — July – August 2011 17
Varick D. Love, MIS, currently works in information security and compliance in the health care industry. He is currently pursuing his doctorate in organizational management with an emphasis on information technology. His primary research focuses on health care information technology and the compliance strategies health care organizations are implementing to protect the privacy of patient data. He can be reached at 704/506-4594 or by email at VarickL@yahoo.com.
Privacy Ethics in Health Care
Compliance Professionals Must Ensure Protected Health Information Remains Just That — Protected
Varick D. Love
The Hippocratic Oath states that the first goal of a physician is to “First do no harm.” Patients trust physicians to always be honest with them and give them the best medical advice possible. Patients trust physicians with the most intimate details of their personal lives in hopes of the physician curing their illness. In giving that trust, patients believe that the physicians and other health care officials are doing all they possibly can to ensure that protected health information (PHI) is being handled in a safe and secure manner to minimize the risk of this information being lost or stolen. This article discusses the ethics of patient privacy between patients and their physicians and the various ethical issues that health care officials encounter on a daily basis in dealing with PHI.
INTRODUCTION
In the 21st century, the world as we know it (or used to know it) is quickly changing as we become a more digitized and networked society. We seldom leave home without our cell phones or iPods. Even our cell phones have changed and are no longer just cell phones; now they are personal digital assistants (PDAs), camera video recorders, and juke boxes all rolled into one. As society has progressed and grown to new digital heights, however, it also has become more vulnerable to unwanted intrusions of privacy. Because of the threat of digitally stored information being stolen, the compromise between embracing the digital age and being wary of knowing exactly how much information to make public has made many consumers more cautious when confronted with the question of disclosing personal data.
Many professionals in the health care industry now face this issue. Physicians are tasked with trying to cure patients and in doing so must build a rapport of trust with their patients. A patient has to know that anything discussed with his or her physician will be held in the strictest confidence and that the physician is someone with high ethical standards and who values confidentiality.
UTILITARIAN PERSPECTIVES
The relationship between a patient and his or her physician has always centered on an unspoken trust that a patient’s right to privacy will always be respected and upheld. Privacy is one of the most important, if not the most important, standards in the health care field. Privacy has been the primary professional code since the time of Hippocrates. From a utilitarian and human rights perspective, individual patients may want their records sealed for many reasons. Given the prejudice that we experience in the world today, the slightest hint of misinformation about someone’s health could cause an individual to lose out on a potential job or suffer discrimination simply because someone assumed that something was wrong with that individual.
The ongoing conflict in the health care industry as it relates to physicians is twofold: What, if any, PHI should ever be disclosed? If the data is disclosed, what rights do citizens have? We will look at this question from utilitarian and Kantian perspectives.
Utilitarians, according to Jeremy Bentham, follow moral principles that hold that the morally right course of action in any situation is the one that produces the greatest balance of benefits over harm for everyone affected.1 The utilitarian point of view relates to the recent controversy of Caster Semenya, an 18-year-old South African runner, and many other athletes whose personal information is disclosed without consent. Semenya was born in Ga-Masehlong, a small province in South Africa. As a youth, Semenya was a tom-boy. Instead of playing with dolls or wearing dresses, she was always playing sports that traditionally would have been considered strictly for boys. Therein lies the crux of her controversy.
As Semenya grew older, she started competing in track and field events. Yet, because of her looks (i.e., corn-row hair and muscular build), rumors started to circulate that she might be a man competing against women, which would be deemed unfair. In the 2008 World Junior Championships and the 2008 Commonwealth Youth Games, Semenya won the gold medal in the 800 meters at both events. In 2009, Semenya participated in the African Junior Championships, winning both the 800 meters and 1500 meters with faster times than in her previous track meets.
Because of the controversy surrounding her, Semenya was asked by the International Association of Athletics Federations (IAAF) to take a private test to verify her gender. But controversy ensued once again when news leaked that Semenya was being tested, which was later confirmed by the IAAF. Why the testing was leaked to the media is less important than who leaked the information. Semenya expected a right to privacy during her gender screening process, and whoever leaked her information violated her expectations.
There is nothing more sacred than the trust between a doctor and a patient. Does a doctor nevertheless have the right to divulge personal information with or without the patient’s consent? The utilitarian theory of ethics states that whether an action is good or bad is determined solely by the outcome. In layman’s terms, the sacrifice of an individual’s privacy is acceptable if it will bring about a positive effect for the majority of society.2
The question that needs to be answered is: who benefits from the leaks? Is the IAAF giving the impression that it is doing all that it can to prevent cheating, or was the IAAF unethical by indirectly breaking the doctor/patient confidentiality? From the IAAF’s perspective, it was protecting the sanctity of the sport, which overrides the spirit of privacy for an individual.
The code of ethics as prescribed by the American Medical Association states that information disclosed to a physician during the course of a doctor/patient relationship is confidential.3 This code means a patient, without a doubt or concern, should with confidence be able to disclose to a physician anything deemed pertinent to his or her personal health care.
DOCTOR/PATIENT PRIVACY
As discussed in the case of Caster Semenya, the rights of a patient to privacy are sometimes subject to interpretations, depending upon the situation and the individual. As technology grows and more health care facilities start transitioning patient records to electronic formats, patients and health care facilities are expressing great concerns pertaining not only to the external security of the data being stored but also about other unauthorized internal personnel viewing PHI.
As discussed by Seward in the Journal of Legal Medicine, the accurate diagnoses of treatments rely on the comfort level between patients and their physicians. Any fear of a potential breach will lessen the trust between a doctor and a patient.4 Although various individuals are ultimately charged with the care and diagnosis of a patient’s ailment, the trust or focus of the patient will always be on the physician who is providing the care.
Through the years, doctors have had an unbreakable bond of trust with their patients, a trust that if broken is almost impossible to repair. Unlike an accountant stealing money from a mismanaged 401(k) (which hopefully can be recovered), if a doctor misdiagnoses or knowingly discloses the wrong information to unauthorized personnel who then give the wrong diagnoses, the patient could die. If patients’ records are illegally or legally disclosed without prior consent, the trust between the patient and the physician could be damaged, forcing the patient to find another physician and start the process of building trust all over again.
The Council on Ethical and Judicial Affairs states that the release of confidential medical information from a database should be confined to the specific purpose for which the information is requested and limited to a specific time window.5 For all of its obvious benefits, electronic health records represent some obvious dangers to patients’ privacy.
When making the transition from paper to electronic data, it is assumed that the medical staff is doing everything possible to ensure that any and all inaccurate patient information is corrected. If, for instance, a patient’s records state inaccurately that the patient has a history of heart disease and that statement is transferred to his or her electronic records, there is a possibility that the patient could have issues getting insured for certain procedures or even getting a job as some jobs require that applicants pass a physical. Or if the wrong person takes possession of these records, he or she could use these records for illegal means, such as identity theft or other activities.
PATIENT INFORMATION PRIVACY
The right to privacy, as stated in Velasquez (see Endnote 1), is the right of individuals to determine what, to whom, and how much information about themselves will be disclosed to other parties, whether a spouse, child, or employer.6 The primary reasons consumers or patients keep information private is to avoid any unwanted or undue negative perception. For example, during the 19th century, if someone contracted smallpox, consumption, or cholera, they would have been ostracized from the community and, in some cases, even killed. A more recent example is the social ostracizing of acquired immune deficiency syndrome (AIDS) or human immunodeficiency virus (HIV) patients in the 20th century that led to the Ryan White Care Act, which ensured that HIV patients’ rights were not being violated.7
Patient and physician privacy has been, and always will be, held in the highest regard. As with all things, not all data needs to be deemed private. The level of privacy of the data will always depend upon the reason the information is needed (i.e., Social Security numbers and birthdays are always considered numbers that should be held in the strictest confidence). If a hacker or thief has these numbers, they can attack bank accounts, credit cards, or steal an identity. The financial loss associated with identity theft, as reported by the Department of Justice during a six-month timeframe, was upwards of $3.2 billion.8
Consumers or patients do not become actively involved with an issue until it affects them directly. Information protection is always someone else’s concern until the patient or consumer has his or her information or privacy violated; in other words, few people buy fire insurance after their house burns down.
Privacy is the ability to control personal information, whether it is the age of a daughter, a bank account number, health records, Social Security number, or the time lock to the safe in a corporate vault. Privacy gives an individual anonymity. Although this anonymity is not 100 percent safe, it sometimes comforts patients to know they are protecting themselves. But some patients are not only concerned with hackers intruding into their lives; they are also concerned with the government going through their financial, phone, and health care information. The debate surrounding the Patriot Act passed by the Bush Administration correlates with the utilitarian theory that the greater good of society trumps the privacy of a few citizens whose records might have been legally disclosed in the hopes of preventing a potential disaster,9 even if those citizens were not directly or indirectly involved with the potential disaster.
With records now going electronic, the speed with which data can be accessed has increased. People no longer have to go to a paper file cabinet to pull up a patient’s records. Now people can log into a computer, pull up the electronic health record application, and access patient records. Location is not a limitation; as long as someone has access to a mobile device or the Internet anywhere in a medical facility, he or she can pull up any patient information requested.
If it is deemed feasible by the patient’s physician that an outside source view the data so that a second or third opinion can be obtained, the patient can give the physician consent to share the PHI with a third party, which could be a doctor on staff at another facility in another country. The data also could be shared with various researchers who are analyzing the symptoms reported in the patient’s files.
The sharing of PHI should not be taken lightly and should only be discussed if there is an obvious benefit to the patient as well as the researchers. Health care privacy encompasses anything associated with a patient’s information (e.g., Social Security number or birthday), but it does not include things such as hair color, eye color, height, or weight. Social Security information, dates of birth, or health information cannot be readily known without some research. Because data is now electronic, the likelihood of complete privacy has decreased. While your physician’s office may have gone electronic, the other parties they previously consulted through paper copies more than likely will still have paper copies of prior patients’ communications with their health care partners.
Electronically stored data also gives physicians the ability to share data with colleagues and share the information with insurance companies (i.e., prescriptions, x-rays, and various other medical data) that should be considered private. In the health care industry, when patients are paying for their medical care through an insurance carrier, they participate in what is called a tripartite exchange environment. As indicated in Figure 1, the tripartite exchange in its simplest form involves only the patient, physician, and the payer (insurance company). This essentially involves a patient going for a routine check-up and the physician filing the proper paperwork both in-house and with the insurance company. The tripartite exchange is the most secure because it involves fewer participants, which reduces the chances of error or data loss and patients’ privacy being violated.
The patient/physician relationship will always be at the center of the PHI flow process. If the medical needs of the patient are minimal or typical, then it is assumed that the patient’s data will remain private or given out only by permission from the patient. Each patient has specific needs, and no two patients — no matter how similar they are in age or race — will require the same level of treatment.
Because of the disparity among patients, the need will sometimes arise to involve others in the patient care process, whether they are researchers or colleagues who are more familiar with the symptoms. Whatever the case, the more variables that are added, the less secure the privacy becomes. While assisting in patient care, if someone breaches the security for patient information, the likelihood of patient data being leaked increases, thereby putting a patient’s personal and private information at risk. If a breach occurs anywhere in the chain of communication indicated in Figure 2, then the risk of PHI being disclosed improperly increases exponentially.
Figure 1 (source: Laric et al, 2009)
Figure 2 (source: Laric et al, 2009)
Whether a patient is visiting a doctor for the first time or for the fourth or fifth time, he or she will have a unique medical history. Each subsequent time the patient visits the physician, that history will be updated by the physician. Because of the relationship of trust between the physician and his or her patients, it is of the utmost importance that anyone handling the patients’ medical information does so in a manner that prevents theft or loss.
PRIVACY AND SOCIAL RESPONSIBILITY
Simson Garfinkel states in his book The Death of Privacy in the 21st Century that privacy is the right of people to control what details of their lives stay inside of the house and what leaks outside.10 Most people would have a great interest in ensuring that their private medical information is secure from unwanted disclosure. With anyone, a doctor, patient, or employee, it is human nature to do all that can possibly be done to protect what is considered of major importance to their well-being. Any invasion of privacy, whether it is medical records, bank account, or investment accounts, is considered a breach of integrity.11 But depending upon the perceived consequences, the invasion of patients’ privacy can and often does bring up the ethical concerns not only of the patients but of the physicians as well.
When third parties have unauthorized access to patients’ data for public research, the perceived train of thought is that all appropriate security measures are being followed to ensure that all patient data are secure. But balancing that train of thought with a patient’s right to privacy is another matter. Finding a medium between an individual’s right to privacy versus the overall good of society requires that each side take a long look at the potential consequences of the actions being proposed. Do both sides take a utilitarian stance and look at the potential negative or positive impacts of disclosing the record to third parties and determine if the risk of disclosure is indeed for the greater good?12
From a utilitarian perspective, the researchers would argue that regardless of the objections of the patients, if the research will be of use to society, then consent access to the patients’ records should be given over the patients’ objections. The question of authority over PHI centers on who has actual ownership authority of said records. It is assumed that a patient’s medical information belongs to him or her and that they have absolute authority over who does and does not have access to the records. Any unauthorized breach of privacy concerning medical records would be akin to breaching someone’s personal physical property.
Paul Starr asserts, “That the principal interest in privacy is not control, but dignity and the protection of the individual from offensive and embarrassing disclosures.”13 Recall now the case of Caster Semenya. When the testing of her gender, which she assumed would be private, was leaked to the media, this clearly broke the physician/patient trust. Ms. Semenya was further humiliated when her test results were made public. She was indeed a female, but she had some internal male organs.14 What should have been a private conversation between a physician and a patient was suddenly turned into a major media storm. The subsequent controversy surrounding the leaking of Semenya’s results forced her to drop out of races and to ponder how a private matter became a media topic.
Gaining access to patients’ PHI for research or other purposes for the sake of improving society is supported by the fact that medical records are connected with health care coverage through insurance or other health care services funded by the community. Utilitarian philosophy states that all the records should be available to whoever needs access, whether the patient consents or not.
With the growth of the Internet, the threat of online privacy abuses increases daily. Various privacy violations include abuses by doctors concerning patient privacy, employers spying on employees by looking into their personnel files without proper authorization, or local pharmacy or other retailers gaining access to PHI. According to a survey of Fortune 500 companies, 35 percent indicated that they use personal medical information to make hiring and firing decisions. In one case, a patient who entrusted his doctor to keep his medical issues private soon started to receive mailings from vitamin and penile implant companies. In another case, a pharmaceutical company sold a list containing the private information of various elderly female patients to a third-party vendor that manufactured products for undergarment bladder control.
To curb such abuses of privacy, the Clinton Administration brought up a plan that limited the physicians’ ability to arbitrarily disclose patients’ personal medical records.15 The rule also includes insurance companies and other third-party vendors who have access to patient information. Whereas in the past companies were free to do as they pleased when it came to how they ran their business, now with more stringent legislative guidelines, they are making greater efforts to ensure they are building and maintaining the required trust to ensure that patients’ privacy rights are not being violated. If a consumer or patient determines that the business or physician they are dealing with is not doing all that is possible to protect their personal information, there is a strong likelihood that they will find another business or physician who will.
The study conducted by Rohm and Milne brings to light consumers or patients who had their PHI used for means other than helping them. Rohm and Milne presented a design that addressed the issues about consumers’ PHI. The design addressed privacy concerns and risks associated with gathering information from the perspective of the sensitivity of personal information and the trust people have that a particular organization will use the information appropriately. As indicated in Figure 3, their research determined that consumers were highly concerned about their personal information. Consumers did not have complete faith in the organizations or physicians handling this data, but the concern was low concerning PHI when the consumers had a healthy trust in their physicians or businesses.
Developing a trusting relationship with a physician is one of the most important relationships a patient can foster. But the trust has to go both ways. As Figure 3 indicates, if a patient has concerns about a physician, he or she will have more concern about how personal data is maintained. Because of the greater access to the Internet and other technologies, it is easier to gain or access data through illegal means. With whom physicians decide to share patient data should be chosen with care; if the physician inadvertently exposes patient data to the wrong vendor or to the wrong colleague for a second opinion, that physician will have violated a patient’s trust.
Figure 3 (source: Rohm & Milne, 2004)
With new Health Insurance Portability and Accountability Act (HIPAA) guidelines coming into effect soon, physicians will be held to a higher standard when maintaining patients’ data. But just recently, before HIPAA rules were taken seriously, many third parties’ medical-related Web sites maintaining PHI had lax or outdated security policies, thus leaving many records open to exposure by hackers or thieves.
The trust associated with physicians depends solely upon how the information they gather is being used, as there are both health care and commercial benefits associated with gaining PHI. From the aspect of health care, the more data physicians have on patients, the better they can understand the treatment the patients need. Commercially, as indicated earlier, pharmaceutical and medical companies are sometimes business partners, and depending upon the strength of that relationship, the health care facility can and will at times pass along patients’ information to a pharmaceutical company, as indicated by the patient who started receiving pamphlets related to penile enhancement or the elderly women who started receiving calls in reference to bladder control undergarments.16
THIRD-PARTY RIGHTS TO PRIVACY
The majority of this article has touched on first-party rights to privacy, and little, if any, research involving third-party individuals or patients and their right to privacy is ever brought into the forefront. The right to privacy, whether it is third party or an individual, requires respect for the right of individuals to have autonomy over and the ability to make the best decisions for themselves. We all have a need for privacy and do all that we can to maintain that privacy.
The HIPAA Act of 2003 was intended to protect individuals’ right to privacy and give them the ability to obtain health insurance coverage without fear of having their privacy invaded without cause. Lounsbury et al base their third-party research on the case involving a research participant at Virginia Common University (VCU) and the father of the participant. The case entailed the adult research participant volunteering personal information not only about herself but also about her family’s history pertaining to health-related issues. The research participant was clearly of age, so consent was not the crux of the issue.
The father feared that because of his daughter’s participation in the research that the information she revealed would be a direct invasion of his family’s privacy.17 The father argued that Virginia Common should have obtained consent not only from his daughter but also from his family. As a result of this case, the Office of Human Research Protection ruled that the VCU researcher failed to take into consideration any inherent privacy issues related to third parties.
Social Network Analysis (SNA) is a common tool used to study third-party data. SNA entails collecting data about significant others to create a control group for research purposes. Control groups could include friends, family, or casual acquaintances. The SNA employs what is generally described as snowball analysis in which one participant recommends one friend or family member for research and that friend or family recommends others. The issue researchers are facing with the snowball effect centers on how the information being collected affects those not participating in the research. To best protect those rights, we first must determine under what circumstances should a third party identified in the research be classified as a subject and to what lengths should researchers go to get complicit consent.
HIPAA — HITECH 2009
On February 17, 2009, President Obama signed the American Recovery and Reinvestment Act (ARRA) into law. Title XIII of ARRA was given a subtitle: Health Information Technology for Economic and Clinical Health (HITECH) Act. The goal of the HITECH Act is to create a method for electronic medical storage to protect the privacy of consumers. The HITECH Act provides a financial reward to health care networks that install electronic health record systems to maintain patients’ records.
As it stands today, the goal of the HITECH Act will be to have every person in the United States associated with a health care employee health records system by 2014.18 Moving to this new health records system will allow health care facilities not only to gain quicker access to patients’ records but also ensure that all patient data are stored in a safe and secure manner.
Under the old HIPAA guidelines, third-party vendors were not directly regulated by HIPAA regulations or guidelines. If a health care facility dealt with various vendors, it was the sole responsibility of the health care facility to ensure that HIPAA guidelines were being followed. Under the old rules, if a breach occurred, only the health care facility would be held accountable.
Under the new HIPAA guidelines, effective February 17, 2010, any and all HIPAA security guidelines will not only apply to the first party (i.e., the health care facility), but also directly to the second or third-party vendor, making each party accountable for its actions. The new Act will require notification to any individual whose PHI may have been breached because of lax security measures. The notification needs to happen within 60 days of the alleged breach, either by mail, email, or in person. Breaches of 500 patients or more require that the U.S. Department of Health and Human Services be contacted as well as local news stations.19
The HITECH Act now gives patients the right to receive a copy of their PHI in electronic format, whereas in the past everything was written in paper format. Under the older HIPAA rules, patients had the right to request that restrictions be placed on their patient records to prevent unauthorized viewing. The new guidelines being put in place ensure that patient rights will now be followed as requested, which now gives the patient true authority of the privacy. The new Act will now require health care facilities to disclose reports upon the request of the patient. This report gives the patient a detailed list of who has received their PHI and how it pertains to a second opinion or lab work.20
PRIVACY VIOLATIONS
Here are a few examples of privacy violations:
• Nurses in Lake Geneva, WI, posted pictures of patients with a sexual device stuck in their rectums on Facebook. After a police investigation, the nurses were fired.21
• Tapes containing personal information on 365,000 hospice patients were stolen from an employee’s car. This incident took place on December 31, 2006, after the employee took backup tapes home as part of the company’s security backup plan.22
• Hackers break into a server for UC Berkeley’s health care services, accessing the PHI of over 160,000 patients. Information accessed included Social Security numbers and medical information.
• A hacker in Virginia claims to have stolen 8.3 million patient data records and seeks $10 million in ransom. The threat is being investigated by the Federal Bureau of Investigation (FBI).23
• In Greensboro, NC, health care provider Moses Cone reports that a laptop containing confidential information on 14,380 patients was stolen from one of its third-party vendors.24
SUGGESTIONS
It must be understood that the security of PHI is not the sole responsibility of the information security department. As stated in the research, each person or institution involved with a patient’s personal information is responsible for ensuring that the data is handled in a secure manner. If a physician is discussing patients’ diagnoses with a third party, it is the physician’s responsibility to ensure that proper consent has been authorized by the patients. If nurses are accessing patient data, they must ensure that they are following acceptable user policy as stated by the health care organization and not leave files open when
not in use. From a patient’s point of view, it is imperative that they protect all PHI.
The health care facility should always seek to keep employees educated on the latest security guidelines and procedures for handling PHI. As the new HITECH HIPAA guidelines have indicated, the changes that are being implemented will not only affect health care facilities but also anyone associated with the health care facility that has access to patient data. The guidelines will now make health care organizations as well as third-party vendors accountable for the protection of patient data. Penalties will be the same for both.
ROLE OF THE COMPLIANCE PROFESSIONAL
Each organization — whether it be a health care organization that deals directly with patients or an organization contracted out by the health care organization that will have access to patient data — should have a compliance officer on hand to ensure that all policies and procedures are being followed so that patient data is being protected. The role of the compliance officer is to develop, train, and enforce rules and regulations that protect not only the rights of the patient but also the rights of the health care organization.
The compliance officer ensures that any research or testing done by the health care organization or vendor follows HIPAA guidelines as it relates to the organization’s role with research. If the compliance officer believes a breach of privacy has occurred by either the health care organization or the vendor, it is the compliance officer’s duty to (1) conduct a thorough investigation to determine if a breach of privacy did occur and (2) act accordingly to ensure that the breach has been corrected.
If the compliance officer determines that a breach has occurred, he or she will investigate what data were breached (e.g., patient data or employee personnel files), where and when the breach occurred, and who had access to the data at the time of the breach. After the breach has been identified, the compliance officer then will take corrective action with the alleged rule breaker. This corrective action could include bringing disciplinary action against an employee (e.g., verbal or written warning, suspension, termination, or simply requiring them to take further training related to handling patient data).
Endnotes:
1. Velasquez, M. (2006). Business Ethics (6th Ed.). Upper Saddle River, New Jersey: Pearson.
2. Voyce, A. (2009, February). Ethics. Kai Tiaki Nursing, 15(1), 12-13.
3. American Medical Association (2006). Code of medical ethics of AMA. Ethical and Judicial Affairs.
4. Steward, M. (2005). Electronic Medical Records. Journal of Legal Medicine, 26, 491-506.
5. Black, L., & Anderson, E. E. (2007, March). Physicians, Patients and Confidentiality. American Journal of Bioethics, (7), 51.
6. Velasquez, M. (2006). Business Ethics (6th Ed.). Upper Saddle River, New Jersey: Pearson.
7. Buchanan, R. J. (2002). Ryan White Care ACT. Healthcare Financing Review, 23(4), 149-157.
8. Kieke, R. L. (2009, Jan-Feb). Medical Identity Theft. Journal of Healthcare Compliance, 51-74.
9. Laric, M. V., Pitta, D. A., & Katsanis, L. P. (2009). Consumer Concerns for Healthcare Information Privacy. Research in Healthcare Financial Management, 12(1), 93-111.
10. Garfinkel, S. (2001). Death of Privacy in the 21st Century (2nd Ed.). Sebastopol, CA: O’Reilly Media Inc.
11. Beauchamp, T. L., & Childress, J. F. (2001). Principle of BioMedical Ethics (5th ed.). New York: Oxford University Press.
12. Gostin, L. O., & Hodge Jr., J. G. (2002). A Framework for balancing under the National Health Information Privacy Rule. Minnesota Law Review, 86(6), 1439-79.
13. Starr, P. (1999). Health and the Right to Privacy. American Journal of Law & Medicine, 25(3), 193-201.
14. Yaniv, O. (2009, September 10). Semenya forced to take a Gender Test. Retrieved September 12, from www.nydailynews.com/news/world/2009/09/10/2009-09-10_caster_semenya_.html.
15. Rohm, A. J., & Milne, G. R. (2004). Information Sensitivity and trust in reducing medical information privacy concern. Journal of Business Research, 57, 1000-1011.
16. Miller, F. J. (2004, 2008). Research on Medical Records without Consent. Journal of Law, Medicine and Ethics, 560-566.
17. Lounsbury, D. W., Reynolds, T. C., Rapkin, B. D., Robson, M. E., & Ostroff, J. (2007). Protecting the privacy of third party information: Recommendations for social and behavioral health researchers. Social Science and Medicine, 64, 213-222.
18. Holloway, M., & Fensholt, E. (2009). HiTech: HIPAA gets a facelift. Benefits of Law Journal, 22(3), 85-89.
19. Maffeo, M. (2009, June). Relationship of Privacy Provision in Stimulus. Journal of Health Care Compliance, 56-74.
20. Brown, B. (2009). Privacy Provisions. Journal of Health Care Compliance, 37-73.
21. Scott, D., & Troutman, A. K. (2009, May). Facebook firings show privacy concerns. Healthcare Risk Management, 31(5), 49-60.
22. Weiss, T. R. (2006, March 6). Healthcare workers lose job over data theft. Retrieved September 4, 2009, from www.computerworld.com/s/article/109067/Four_lose_jobs_after_data_breach_at_Oregon_health_care_facility.
23. Merrill, M. (2009, May 06). Hacker says he stole confidential medical data. Retrieved September 10, 2009, from www.healthcareitnews.com/news/hacker-says-he-stole-confidential-medical-data-8-million-virginia-residents.
24. Porter, B. (2009, May). Data Security Breaches in Healthcare. Retrieved September 12, 2009, from www.healthcareitnews.com/news/hacker-says-he-stole-confidential-medical-data-8-million-virginia-residents.
Reprinted from Journal of Health Care Compliance, Volume 13, Number 4, July-August 2011, pages 17-27, with permission from CCH and Aspen Publishers, Wolters Kluwer businesses. For permission to reprint, e-mail permissions@cch.com.