Is Patient Confidentiality Under Threat?
Date: March 26, 2010
The physician-patient relationship is perhaps on the verge of losing its eternally sacrosanct essence. A patient's complete trust in a doctor with all of his personal and intimate information may have to come to an end, as an increasing number of incidents of breached patient confidentiality are being recorded from almost every corner of the world, and surprisingly the number is on the rise!
Almost every day's newspaper brings us news of a breach of patient confidentiality, but how many of us are truly aware of its effects? Let's take a ride through this article and explore some less-known corners of patient confidentiality: its meaning, its significance, the impact of a breach, who breaches it and why. That way, next time we will be more careful (finicky?) before sharing our information (as a patient), or will make a little more effort to maintain the data properly (as staff or doctor).
What is Patient Confidentiality?
According to the American Medical Association, “Confidentiality is the right of an individual to have personal, identifiable medical information kept private. Such information should be available only to the physician of record and other health care and insurance personnel as necessary.”
Put in simple words, patient confidentiality means that when a patient reveals his personal and medical information to a healthcare provider, that information has to be kept with maximum care so that it is not divulged to others. Only with the patient's specific permission can his information be disclosed to others.
Knowing a patient's full information helps a doctor provide a better diagnosis and improved care. Therefore, knowing a patient's medical history is a doctor's right. Likewise, when a patient reveals his personal information, he expects it to be protected by the doctor. Hence, it is the physician's duty to keep the patient's information confidential and let the patient enjoy access to better treatment.
What is a Breach of Patient Confidentiality?
A breach of patient confidentiality refers to an incident where a patient's confidential information, learned by the doctor within the physician-patient relationship, is divulged to a third party without the patient's consent or a court order.
A breach can be oral, written, made via telephone or fax, or made electronically by email or over a health information network. Importantly, the medium of disclosure does not matter, but special security requirements may apply to the electronic transfer of information.
HIPAA and Patient Confidentiality
The HIPAA Privacy Rule was introduced to ensure the privacy and protection of patients' personal information held by physicians, hospitals and their staff. HIPAA also gives patients a range of rights with respect to their personal information. At the same time, the Privacy Rule permits the disclosure of personal health information when needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
As per the Health Insurance Portability and Accountability Act (HIPAA) of 1996, all professionals and organizations are required to guard the privacy of their patients and customers. Employees at all levels are required to maintain confidentiality with integrity.
HIPAA is not alone. In other countries, such as the UK, a similar provision, Patient Confidentiality and Access to Health Records, also protects patients' confidentiality. It functions under the Data Protection Act 1998, and states: “Patient information is generally held under legal and ethical obligations of confidentiality. Information provided in confidence should not be used or disclosed in a form that might identify a patient without his or her consent. There are a number of exceptions to this rule but it applies in most circumstances”.
In India too, the Privacy and the Right to Information Act, 2005 holds high the significance of an individual's right to privacy in general, and especially in health-related matters.
Impact of Patient Confidentiality Breaching
According to the UK government, organisations that fail to comply with the Data Protection Act can face a fine of up to £5K in magistrates' courts, unlimited fines in higher courts, and even legal action for violating the Human Rights Act. Moreover, the organisation may be ordered to stop using the data it gathers.
Failure to comply with HIPAA can result in civil and criminal penalties (42 USC § 1320d-5). The “American Recovery and Reinvestment Act of 2009” (ARRA), signed into law on February 17, 2009, established a tiered civil penalty structure for HIPAA violations. Under this structure, an organization violating HIPAA faces penalties ranging from $100 per violation, with an annual maximum of $25,000 for repeat violations, up to $50,000 per violation, with an annual maximum of $1.5 million.
In June 2005, the U.S. Department of Justice (DOJ) clarified criminal liability for violating HIPAA. Organizations and specified individuals who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations can be fined up to $50,000 and imprisoned for up to one year.
Cases of Patient Confidentiality Breach
- Breach of Britney Spears patient data reported (March, 2008)
The New York Times reported that employees accessed the confidential medical records of pop star Britney Spears during her stay at UCLA Medical Center.
- GPs fear breach of secret patient data
In the UK, doctors blamed health officials for risking a breach of thousands of patients' medical records through a new system being pioneered in Stoke-on-Trent.
- Estimated 500,000 BlueCross members at risk for identity theft (October, 2009)
Health Imaging reported that the October data security breach at a Chattanooga, Tenn. office put an estimated 500,000 BlueCross members at risk of identity theft. While most of the at-risk members reside in Tennessee, BlueCross has identified 32 states with 500 or more members whose data may be at risk as of Jan. 8.
- Kaiser Hospital Fined $250,000 for Privacy Breach in Octuplet Case (December 2009)
An external electronic data storage device containing patient health information for approximately 15,500 Northern California members of the health insurance company Kaiser Permanente was stolen from an employee's car at the employee's home in Sacramento, Calif.
- Non-medical staff 'have access to health records' (March 2010)
BBC News reported that at least 100,000 non-medical staff in NHS trusts have access to confidential patient records.
Can Breaching Be Stopped?
Breaches of patient confidentiality can be stopped if addressed properly. If you own a healthcare organization, the following steps can give you good results:
Train Your Staff
Organizations can't assure the confidentiality, integrity, and availability of information without “ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them”. Therefore, implement a security awareness and training program for the whole workforce, including management.
Establish and Check Workforce Clearance Procedures
Before giving access to your organization's confidential database, check the employee's criminal background.
Use Improved Security Measure
To restrict employees' access to your confidential data, start using improved security measures. Technically sound security measures will help you cut or limit each employee's access to what their role requires.
Effective Workforce Termination
Adhere to a policy that terminates an employee's access to the building, computers and protected health information as soon as you terminate the person.
Review System Activity
Conduct technical audits and check your systems' activity regularly. Regular tracking lets you know which records your employees are accessing.
Keep Data in Encrypted Mode
Password-protect and encrypt all important data to protect it from theft.
Periodic Security Reminder
Use periodic security reminders to keep your employees vigilant about data theft.
Finally, discuss the consequences of theft! Let the workforce know what measures the company can take when someone breaks the rules. And make your training program dynamic and part of everyday work routines. With successful implementation of the steps above, you will see better results in protecting patient data and in saving yourself from a bad reputation.
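As an added illustration (not from the original article), here is the kind of check a "Review System Activity" audit can run over electronic record access logs, tying together the termination and review steps above: it flags record views by staff with no care relationship to the patient (the pattern in the UCLA case) and views made from accounts that should have been disabled at termination. The log lines, care-team roster and termination dates are constructed sample data, and the log format is an assumption.

```python
from datetime import datetime

# Constructed sample EHR access log (timestamp, user, patient record, action).
ACCESS_LOG = """\
2010-03-01T09:12:00 user=nurse_a patient=P1001 action=view
2010-03-01T09:30:00 user=clerk_b patient=P1001 action=view
2010-03-02T22:45:00 user=dr_c patient=P2002 action=view
2010-03-03T10:05:00 user=dr_c patient=P1001 action=view
2010-03-05T08:00:00 user=nurse_a patient=P3003 action=view
"""

# Constructed roster: which staff have a treatment relationship with each patient.
CARE_TEAM = {"P1001": {"nurse_a", "dr_c"}, "P2002": {"dr_c"}, "P3003": {"dr_d"}}

# Constructed HR data: accounts that should have been disabled on these dates.
TERMINATED = {"nurse_a": datetime(2010, 3, 4)}


def parse_line(line):
    """Turn one 'ts key=value ...' log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review_access_log(log, care_team, terminated):
    """Return (user, patient, reason) findings for a periodic audit review."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, patient = rec["user"], rec["patient"]
        # Staff outside the care team have no need to know this record.
        if user not in care_team.get(patient, set()):
            findings.append((user, patient, "no care relationship"))
        # Any use of a terminated account shows access was not revoked in time.
        cutoff = terminated.get(user)
        if cutoff is not None and rec["ts"] >= cutoff:
            findings.append((user, patient, "access after termination"))
    return findings


if __name__ == "__main__":
    for user, patient, reason in review_access_log(ACCESS_LOG, CARE_TEAM, TERMINATED):
        print(f"REVIEW: {user} viewed {patient}: {reason}")
```

Each finding is a lead for a human reviewer, not proof of wrongdoing: a legitimate emergency consult can look like a "no care relationship" access, so the roster must be kept current for the check to stay useful.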