by Daniel J. Solove
The recent cases of Ebola in the United States demonstrate challenges to health privacy in today’s information age — both in preventing employees from snooping into patient information as well as preventing the disclosure of patient identities.
Just the other day, a health privacy blogger asked on Twitter: “How long will it be before we start seeing disclosures of HIPAA breaches involving employees snooping in Ebola patients’ files?”
Before the ink had even dried on the tweet, I was able to answer the question — not long at all, because it had already happened! In one recent incident, Nebraska Medical Center fired two employees who snooped into the records of an Ebola patient being treated at the facility. According to a statement by the hospital, the improper access was discovered during an audit of the institution’s electronic medical records.
Snooping into patient records by employees is a common problem. Most incidents involve celebrities, friends, relatives, and co-workers. According to a 2013 HIMSS survey, 80% of healthcare IT security officials said that snooping was one of the major motivations for data breaches.
Another source from a few years ago reported that the “majority of breaches were committed by employees, with 35% snooping into medical records of fellow employees and 27% accessing records of friends and relatives.”
In 2011, a hospital paid a $865,000 penalty to HHS for HIPAA violations stemming from employees improperly accessing the medical records of celebrities including Britney Spears and Farrah Fawcett.
One of the things that HHS faulted the hospital for was its training. Employees often think that they can snoop and get away with it, and they often don’t understand how serious the consequences can be. Not only can they be fired, but they can also jeopardize their entire careers and lose their license. These consequences must be emphasized — emphatically. Many employees think: “What’s the harm of a little peep?” They don’t realize that a small incident of peeping can cost their employer millions of dollars and ruin their careers.
A number of snooping incidents are caught when institutions audit who accesses various records. Employees often think that nobody will find out, but many are surprised when their names show up in an audit for improper access.
Snooping is a big problem, as people’s curiosity can be intense. It is thus no surprise that we’re already hearing about a snooping case involving Ebola patients.
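As an added illustration of the kind of access audit the post describes (not code from the post, the hospital, or any vendor): the script below scans a constructed EHR access-log excerpt and flags accesses to a high-profile patient's record by users who are neither on that patient's care team nor acting within their role's permitted actions. The log columns, the care-team roster and the role table are all assumptions.

```python
import csv
from io import StringIO

# Constructed sample EHR access-log excerpt (not from the post); columns are assumptions.
SAMPLE_LOG = """\
timestamp,user_id,role,patient_id,action
2014-10-06T08:15:00,u101,nurse,P-EBOLA-1,view_chart
2014-10-06T08:20:00,u202,physician,P-EBOLA-1,order_entry
2014-10-06T12:41:00,u303,billing,P-EBOLA-1,view_chart
2014-10-06T13:02:00,u404,nurse,P-0042,view_chart
2014-10-07T02:17:00,u505,lab_tech,P-EBOLA-1,view_chart
2014-10-07T09:00:00,u303,billing,P-EBOLA-1,view_billing
"""

# Constructed care-team roster: which users have a treatment relationship with which patients.
CARE_TEAM = {
    "P-EBOLA-1": {"u101", "u202"},
    "P-0042": {"u404"},
}
# Patients whose records warrant review of every access (e.g. a high-profile case).
FLAGGED_PATIENTS = {"P-EBOLA-1"}
# Roles whose job function legitimately needs some record types but not the clinical chart.
ROLE_ALLOWED_ACTIONS = {
    "billing": {"view_billing"},
}

def find_suspicious_accesses(log_text, care_team, flagged, role_actions):
    """Return log rows where a user touched a flagged patient's record without
    being on that patient's care team and without a role-based justification."""
    suspicious = []
    for row in csv.DictReader(StringIO(log_text)):
        pid = row["patient_id"]
        if pid not in flagged:
            continue  # only flagged patients get per-access review here
        if row["user_id"] in care_team.get(pid, set()):
            continue  # treatment relationship documented
        if row["action"] in role_actions.get(row["role"], set()):
            continue  # action falls within the role's job function
        suspicious.append(row)
    return suspicious

def summarize(rows):
    """Group suspicious accesses by user so reviewers see repeat offenders first."""
    counts = {}
    for r in rows:
        counts[r["user_id"]] = counts.get(r["user_id"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))
```

On the constructed log this flags the billing user's chart view and the lab technician's off-hours view, while the billing user's later view of billing data passes as within role.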
Breach of Confidentiality
One of the things that struck me about the Ebola cases at Dallas Presbyterian Hospital was that all of the Ebola victims were named almost immediately. How could this happen? In all the swirling news coverage, I was struck by the fact that few were asking the question: Why were all of these individuals identified? Under HIPAA, state law, and medical ethical rules, healthcare providers owe a duty of confidentiality to patients, especially to people infected by Ebola, who can be subject to intense media scrutiny and whose families can also be put under the hot glare of the spotlight.
Apparently, the Liberian government outed Thomas Duncan as the initial Ebola patient at the hospital. But it remains unclear who disclosed the identities of the two nurses who contracted Ebola while treating Duncan.
A thoughtful piece in the Columbia Journalism Review questions “whether knowing who they are does more than invade victim privacy and distract from the kind of reporting that might help transmit useful information about the disease.”
One of the challenges in maintaining confidentiality in today’s times is that so many people might know about a particular patient’s health information. Numerous individuals in the healthcare system will know or have access — doctors, nurses, administrators, environmental services staff, various individuals who work for billing companies, transcription companies, insurance companies, and others. In the case of Ebola, many government officials will know too. Although all these individuals are constrained by law from breaching confidentiality, all it takes is one person to leak... and then it’s out widely in the media.
Another challenge is that it is hard to conceal the investigation when a person’s residence is cordoned off with a large group of officials in hazard suits doing searches. The identity of the person can be traced back from the address. Today it is so easy to link up pieces of information and figure out the identities of the patients.
Sometimes, other people who may have had contact with the Ebola patient need to be notified. What’s stopping them from disclosing? Perhaps government officials shouldn’t disclose to these people unless they agree via a confidentiality agreement to not disclose the information. Indeed, the government can ask people to sign confidentiality agreements consistent with the First Amendment right to free speech. But in the case of Ebola or other situations where a person’s life might be at risk or where the person is needed to cooperate, it would be problematic to deny the person the information if the person refused to sign the agreement.
There are no easy answers here, but I wish that more journalists and others were asking the questions. Instead, so many in the media rushed to report without much consideration about whether it was necessary or ethical to identify the patients. At the very least, it deserved some thought.
For more about HIPAA and its enforcement, please see my previous post: The Brave New World of HIPAA Enforcement, which provides a primer on how HIPAA is enforced.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 800,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter
Please join one or more of Professor Solove’s LinkedIn Discussion Groups:
* Privacy and Data Security
* HIPAA Privacy & Security
* Education Privacy and Data Security