This article first appeared on iHealthBeat.org.
Americans love their privacy. And yet, as the ever-increasing trend of social networking illustrates, they also love to share the facts of their lives. As a result, defining privacy can be tricky in this modern age and often depends on the venue in which information is presented and the form it takes.
In today’s world of electronic health records, straddling the fence between harmless information and sensitive data is no longer such an easy task, and the repercussions for the slightest transgression can be severe.
On August 22, HHS issued a press release challenging software developers to create new Facebook applications to assist in emergency preparation efforts. If Facebook was a nation, its “population” would be more than double that of the United States. If online minutes for Facebook users were the functional equivalent of “dollars spent,” the social network’s estimated $84 trillion in annual “spending” would top the collective gross national products of all nations across the globe, even if the U.S. or European Union were counted twice.
While Facebook is a great way to stay connected to friends and family, it also can blur the line between privacy and the public domain. With a few quick clicks you may come to learn that Susan is at the coffee shop with Billy, Milton is attending a marketing seminar, or David is recovering nicely from a recent appendectomy at a hospital in Florida.
While Facebook might be given free rein to spread news of David and his recently removed appendix, other mediums must proceed with caution. If someone from David’s hospital was to leak his news, the hospital would face great scrutiny because health care providers are bound by law to obtain in advance David’s express, written authorization to publicly disclose details about his physical well-being. This is true even if said metadata were common knowledge among David’s 268 Facebook friends.
Though it may sound unfair, this Orwellian fantasy appears almost daily in news headlines across the U.S., as health care facilities are being forced to raise their standards in response to the industry’s growing reliance on EHRs. For such infractions, disciplinary response is swift and stern.
Protections Under HIPAA
Without question, HIPAA affords necessary protection to individuals who may be unable to stop the disclosure of personal, medical information.
In August, authorities discovered that confidential patient health information for nearly 300,000 Californians had been posted online without any security or protections whatsoever. Anyone who happened to stumble upon the offending website found details relating to broken fingers, cracked ribs, even a case of sexual dysfunction, not to mention corresponding Social Security numbers. Although the company behind the postings said it took immediate corrective action and accepted responsibility for its failure to follow internal procedures, the damage already had been done.
More recently, Stanford University Hospital disclosed a security breach affecting medical records of 20,000 patients.
While the law may appropriately treat “recklessness” in the same manner it does intentional acts, it is important to remember that not all breaches in patient privacy are created equal. When the potentially libelous information relates to accusations of certain crimes, acts of questionable morality or even having an STI, the customary need to prove the element of “damages” is removed. The purpose behind this departure from ordinary tort law rests in part behind society’s belief that such loathsome acts of falsehood shall not be tolerated.
And yet, such delineation can be difficult to apply across the spectrum of health care, especially when it comes to EHRs. As the federal government dangles billions of dollars over the nation’s health care system with one hand so that we might someday enjoy meaningful use of our digitized medical information, the other hand keeps a tight grip on the equivalent of a modern day heretic’s fork, the threat of non-compliance to privacy laws. Like some antiquated means of torture resting firmly at the throat of health care providers across the nation, such laws place providers firmly between a rock and a hard place.
In some instances the penalty might be justified, regardless if the actions were deliberate or reckless in nature. But often the nexus between crime and punishment is tenuous at best, relying as it does on the venue and scope of the infraction. When assessing blame, it is important to understand that an entire hospital may well be held liable for the actions of a single employee in any department, irrespective of training, skill set or pay scale.
With so much of today’s congressional focus on the inherent expenses of health care, coupled with America’s present interest in corporate accountability, now is the time to reflect and make sure the rights of David and his appendectomy are well served.
As the health care industry continues to increase its drive toward EHRs, we must also be mindful of the speed with which technology changes, as well as the dilution of privacy expectations progressing from generation to generation.
Without question, HIPAA is a critical facet of our nation’s march toward the ultimate goal of paperless medicine, though it may at times appear to be more of an obstacle. Still, even the most barbaric methods of medieval torture had an identifiable purpose, and with this in mind we must hone our focus on the goal behind today’s health care penalties in their modern context by relying on the tools at our disposal.