Medical entities are tasked with handling a patient’s diagnosis and subsequent treatment with the utmost sensitivity and confidentiality. Complying with current healthcare regulations is crucial to maintain a patient’s trust and protect the healthcare organization’s reputation as a professional, unbiased entity. Using a cancer diagnosis as an example, examine how current patient data and privacy laws could affect a patient.
How A Disclosed Diagnosis Can Negatively Impact A Patient
Failure to comply with healthcare regulations on privacy can lead to the misuse of a patient’s medical information about a cancer diagnosis and treatments which can detrimentally affect the patient’s personal life. An example of how a medical facility could compromise a patient’s confidentiality is by using a photo or case study of the patient on the health organization’s website without redacting the patient’s name or receiving their written consent.
The reason for the inadvertent breach may have been innocuous — the medical organization was sharing its successes with company stakeholders during a quarterly shareholder meeting or humanizing fundraising efforts with touching real-life stories. Nevertheless, the oversight could cause damage to the patient’s personal life. Three ways such a privacy breach could affect the patient include:
Employment
Employers often conduct background checks on prospective hires. The checks can consist of investigating credit history, social media accounts, online presence, and financials for a clearer picture of the individual’s personal life. An employer who uncovers a prospect’s personal information about their diagnosis or recovery may determine that the individual may not be physically able to fulfill the job description or may be absent too often in order to seek medical treatment.
The American With Disabilities Act makes it illegal to discriminate against employees and job applicants due to a medical condition such as a cancer diagnosis, but proving the employer acted with prejudice in the recruitment and hiring process would be difficult to establish in a court of law.
Insurance
Disclosing patient medical history incorrectly could affect their chances of getting health insurance coverage in the future. It’s currently illegal for insurers to refuse consumers with pre-existing conditions under the Affordable Care Act (ACA).
The current administration is working on repealing the Act, leaving its fate — and the insurability of millions of Americans in the balance. ACA’s insurance mandate was recently struck down by the Federal Appeals Court, amplifying uncertainty among Americans with pre-existing conditions.
Family Members
No one is ever prepared for a cancer diagnosis. It may take time for the patient and loved ones to accept the news. Patients may decide to stoically keep their cancer diagnosis and treatment from their families to avoid causing loved ones extreme stress.
Healthcare organizations should respect and honor a patient’s privacy wishes and allow them to absorb and share the information with others at their pace. Training should be required for all medical and administrative staff in contact with patients and family members to know how much information is legally and morally acceptable to share, as well as how to compassionately respond to loved ones seeking further information when the patient is unwilling to discuss the diagnosis.
Failure to Comply With HIPAA Mandates
Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The Act came about for several reasons, including protection of a patient’s confidentiality as medical records transitioned to digital or electronic records and to promote and ensure professional and impartial medical practices.
Medical professionals and healthcare facilities have specific privacy guidelines they must follow, including how they handle patient data. Healthcare businesses should consider implementing a Disaster Recovery Plan to address how an organization will handle a confidential data breach. The plan should include the vital compliance step of notifying affected patients, since failure to adequately address and correct the data breach can lead to criminal charges and large fines.
Healthcare providers and organizations that don’t comply can face monetary penalties ranging between $100 to $50,000 for unknowingly violating regulations to $50,000 per violation for willful neglect of a patient’s privacy without making corrections within the mandated time period.
A former UCLA employee was jailed for four months and had to pay a $2,000 fine after it was uncovered he accessed the medical records of celebrities including Tom Hanks and Drew Barrymore, his supervisor, and other work colleagues more than 300 times. In another case, a Walgreens pharmacist was fined $1.4 million for looking up and sharing confidential information about her husband’s ex-girlfriend. HIPAA guidelines should be taken extremely seriously.
Updates to HIPAA
The last significant changes to the Act occurred in 2006. However, the HIPAA Journal reports that the “Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has favored issuing HIPAA guidelines to clear up misunderstandings with HIPAA compliance requirements.”
The HHS’ OCR aims to simplify without shortcutting some contested HIPAA aspects that are currently deemed unclear. Possible changes healthcare organizations may see in the regulations include:
- Removal of the written confirmation requirement that a patient received the healthcare facility’s notice of privacy practices.
- Easing restrictions on disclosing protected health information (PHI), including more open sharing among health professionals for treatment and care.
- Changes to the HITECH Act, created to implement electronic health records (EHRs), on how PHI disclosures are handled regarding treatment, payment and healthcare operations.
As patient privacy regulations evolve, medical professionals need to take an adaptive stance to the changes. Organizations should implement periodic updates to its processes and policies and provide the training required so that all staff and executives are up to date and in compliance.
