The privacy of personal health records is governed by the Health Insurance Portability and Accountability Act, known throughout the healthcare world as HIPAA, signed into law in 1996. In the years since, HIPAA has become one of the most widely cited and discussed regulations in healthcare compliance.
Much External Vigilance
Much of the recent focus on HIPAA and threats to protected health information has been external, alerting providers and staff to criminal groups that want bulk access to patient data and obtain it through cybersecurity breaches. For example, the U.S. Department of Health & Human Services released a fact sheet titled "Ransomware and HIPAA." Ransomware encrypts files or locks systems so that data cannot be used until a ransom, usually demanded in Bitcoin or another cryptocurrency, is paid. Hospitals are an ideal target for this kind of extortion because they provide critical care and depend on immediate access to current patient records. Without medical histories, medication lists, surgical directives, and similar information, care can be delayed or halted, which makes hospitals more likely to pay rather than risk delays that could result in deaths and lawsuits.
Ransomware can also expose patients' Protected Health Information (PHI). PHI is at the center of HIPAA regulation, and the HHS guidance treats ransomware encryption of electronic PHI as a presumptive breach unless the organization can demonstrate a low probability that the data was compromised. An impermissible disclosure of PHI is reportable even when it results from the criminal acts of outside third parties. Ultimately every healthcare facility remains responsible for safeguarding the health information of its patients.
Insider HIPAA Threats
Importantly, while the largest data breaches are typically the work of outside attackers, insider threats are also a danger to healthcare organizations. Even though the scale of these violations is nowhere near the same, the damage to reputation and the resulting fines can be significant. These breaches often involve famous patients. Typical situations involve hospital employees who "access records outside of their traditional job duties—especially if hospital patients are high-profile individuals or celebrities" (Becker's Health IT & CIO Report, 2015).
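Insider snooping of this kind leaves a trail in the EHR access audit log, and the usual way to surface it is to compare each record access against a treatment relationship. The following is an added example written for this page, not code from the article, Becker's, or any EHR product. The audit events, care-team roster, and restricted-patient list are constructed; the field names, the one-day window, and the browsing threshold are assumptions chosen for illustration, not requirements of HIPAA.

```python
"""Flag EHR record accesses that fall outside a user's care relationship.

Added example, not from the article or any EHR vendor. All data below is
constructed; field names, the one-day window and the browsing threshold
are assumptions for illustration, not HIPAA requirements.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient_id: str
    action: str  # "view", "print", "export", ...


# Constructed care-team roster: which users are assigned to which patient.
CARE_TEAM = {
    "P100": {"dr.lee", "rn.ortiz"},
    "P200": {"dr.lee"},
    "P300": {"rn.ortiz"},
}

# Constructed list of patients under heightened review, e.g. a well-known
# patient whose admission has been in the news.
RESTRICTED_PATIENTS = {"P200"}

# Constructed audit trail for one morning.
EVENTS = [
    AccessEvent(datetime(2024, 3, 4, 9, 0), "dr.lee", "P100", "view"),
    AccessEvent(datetime(2024, 3, 4, 9, 5), "rn.ortiz", "P200", "view"),
    AccessEvent(datetime(2024, 3, 4, 10, 0), "clerk.ng", "P100", "view"),
    AccessEvent(datetime(2024, 3, 4, 10, 1), "clerk.ng", "P300", "view"),
    AccessEvent(datetime(2024, 3, 4, 10, 2), "clerk.ng", "P400", "view"),
    AccessEvent(datetime(2024, 3, 4, 10, 3), "clerk.ng", "P500", "print"),
    AccessEvent(datetime(2024, 3, 4, 10, 4), "clerk.ng", "P200", "view"),
    AccessEvent(datetime(2024, 3, 4, 11, 0), "dr.lee", "P300", "view"),
]


def flag_accesses(events, care_team, restricted, browse_threshold=3):
    """Return [(event, reason)] for accesses that deserve human review.

    Two heuristics (assumptions for this example, not HIPAA rules):
      1. Any access to a restricted patient by a user who is not on that
         patient's care team is flagged on its own.
      2. A user who touches more than `browse_threshold` distinct patients
         they have no care relationship with on one calendar day is flagged
         for each of those accesses (record browsing).
    Accesses by users with a care relationship are never flagged here.
    """
    def off_team(ev):
        return ev.user not in care_team.get(ev.patient_id, set())

    # First pass: distinct off-team patients per user per calendar day.
    off_team_patients = defaultdict(set)
    for ev in events:
        if off_team(ev):
            off_team_patients[(ev.user, ev.ts.date())].add(ev.patient_id)

    # Second pass: at most one flag per event, in time order.
    flags = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not off_team(ev):
            continue
        if ev.patient_id in restricted:
            flags.append((ev, "restricted patient, no care relationship"))
        elif len(off_team_patients[(ev.user, ev.ts.date())]) > browse_threshold:
            flags.append((ev, "off-team record browsing"))
    return flags


def flags_by_user(flags):
    """Summarize flags as {user: number of flagged accesses}."""
    counts = defaultdict(int)
    for ev, _reason in flags:
        counts[ev.user] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev, reason in flag_accesses(EVENTS, CARE_TEAM, RESTRICTED_PATIENTS):
        print(f"{ev.ts:%H:%M} {ev.user:9} {ev.patient_id} {ev.action:6} {reason}")
```

On the constructed data, the nurse's single look at the restricted patient is flagged immediately, the clerk's run through five patients is flagged on every access, and the physician's one off-team view is left alone. Flags like these are review queue entries, not verdicts: consults, covering shifts, and emergency "break the glass" access all produce off-team reads with a legitimate reason, so the roster and the follow-up process matter as much as the rule.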
According to Etactics.com, “there is a fine line between finding out that a celebrity checked into a hospital and digging through their medical records” (Moneypenny, 2019). The same website has compiled a list of 20 reported celebrity HIPAA violations that demonstrate another important element of healthcare privacy about which staff at every level of a medical facility must be trained.
The same article notes that the list of celebrities whose privacy has been violated keeps growing. The pattern dates at least to 2003, when Dr. Huping Zhou illegally viewed "medical records of celebrities and high-profile patients" at UCLA in violation of HIPAA; he later "received a four-month sentence and $2,000 fine." Since then, healthcare staff have been implicated in criminally accessing, and sometimes selling, information about:
- Prince's opioid treatment shortly before his death
- The birth of the daughter of Kim Kardashian and Kanye West
- U.S. Representative Gabrielle Giffords' treatment after being shot
- Michael Jackson's death
- Psychiatric treatment of Britney Spears
- Farrah Fawcett's cancer treatment
It’s important to remember that like all the rest of us, famous people have a legal right to privacy and to controlling information about their healthcare. Being well-known changes nothing about how medical records are protected under HIPAA.
Use Training to Create a Culture of Compliance
An August 2019 FierceHealthcare article details the findings of a Kaspersky survey of North American healthcare staff about healthcare privacy. "Nearly 1 in 5 respondents (19%) said there needed to be more cybersecurity training by their organization." More alarmingly, "nearly a fifth of U.S. respondents (18%) reported they did not know what the HIPAA security rule meant" (Landi, 2019).
These sobering statistics are a reminder of the importance of regular compliance training: the kind that changes behavior, communicates top leadership's commitment to compliance, and shapes the overall culture of your organization. Compliance training helps ensure that your business is conducted ethically and within the law, and it reinforces your organization's reputation. It also demonstrates a proactive approach to detecting and preventing unlawful activity.
Importantly, compliance training should impart individual responsibility that reinforces the obligation to be a good corporate and organizational citizen and to be accountable. Training should help employees apply complex laws and regulations to their daily work, and it should include how they can access your policies and procedures for guidance. What can make HIPAA training much more meaningful is to provide examples of illegal or suspicious behaviors that illustrate the kinds of things that you want reported. Violations involving celebrities deserve to be one of these examples.