There are stories left and right of inadvertent leaks of medical information violating the HIPAA security rule. Sometimes there is a computer glitch allowing unauthorized people to access information. Sometimes a file is left out and picked up by a curious passerby. Sometimes one simple error can lead to a violation of the HIPAA privacy regulations for thousands of patients. This can be appalling.
Even more appalling sometimes are the intentional information leaks. A celebrity is treated at a clinic and one of the office staff copies their file and sells it to a tabloid. In one particular instance, the daughter of a hospital employee took a list of patients’ information and called those people to tell them they had been diagnosed with HIV—as a practical joke. Some of these stories make us shake our heads in disbelief.
The topic of HIPAA privacy violations—whether intentional or not—raises an important question. Is it ever okay to violate the rules of HIPAA? Is there ever a time when there is something more important than protecting a patient’s privacy? Are there times when keeping a patient’s information private might cause them—or others—more harm than good?
Let’s address a few things first. The previous examples are obviously unethical on the part of the HIPAA violators and harmful to the victims—psychologically, emotionally, and financially. There are times when it is obvious that HIPAA achieves its purposes in protecting patients. No one should ever use another person’s health for personal financial gain. Also, no one should be giving out false information about a patient—to him or to anyone else. That is obvious. But what about some situations that may lie in the gray area?
What about public safety? Is there ever a time when it is better for the safety and health of the public to disclose health information about an individual? Should illnesses that are highly contagious be disclosed to a patient’s school or workplace to protect those with whom the patient may come in contact? HIPAA protects the privacy of that patient but what about the safety and health of those around him? Are those people less important?
What about the patient’s own safety and well-being? Doctors are often privy to a great deal of personal information. According to HIPAA, a doctor must keep that information confidential. What if a doctor is aware of a recent suicide attempt and thinks it would be beneficial to notify a family member to have them keep an eye on the patient and offer support? Is it better to guard the patient’s privacy or his life?
There is no easy answer to questions like these. But in a world that has become so obsessed with safeguarding the privacy of the individual, maybe it is time to stop and ask ourselves “Is there a downside to so much privacy?”
It’s crucial for any business to proactively safeguard itself against HIPAA security rule violations.