Unauthorized Sharing of Patient Protected Health Information

Introduction

Unauthorized accessing of patients private health
information and disclosure can have many legal implications for the patient
information that has been disclosed, and the healthcare professional who have
violated the confidence of the patient. The purpose of this research paper is
to address the issue of unauthorized or sharing of patient protected health
information.

Overview of Health Care Issue

The following paper will discuss the sensitivity of
patient health information, and the implementation of HIPAA Privacy Rules.
Sensitivity of health information is personal and varies on the basics of the
person’s circumstances and situation. Significant factors include cultural,
person’s life situation, the emotional and health status of the person.
Sensitive health information is information that brings high risk if disclosure
of information.

Possibilities of disclosure include discrimination,
humiliation and physical harm.  Risk of
disclosure of health information extend beyond the person’s family, employer,
or others. Types of personal health information that is considered sensitive
includes mental health issues, Communicable health disease, Reproductive issues
and abortions.

Ethical Analysis

From the perspective of the patient on February 2010 John
Doe was diagnosed with a sexually transmitted disease and was referred to
Guthrie Clinic Steuben, a private medical practice located in Corning, New York
for specific treatment for his STD. He arrived at the medical clinic on July 1,
2010 for treatment for his disease. A nurse by the name of Magan Stalbird who
knew Doe as the boyfriend of her sister- in- law by the name of Jessica,
accessed Doe Medical records without authorization for determining the reason
he was visiting the clinic.

From the perspective of a family member Jessica once
Magan Stalbird her sister- in- law learn her boyfriend was being treated for a
sexual Transmitted disease while he was receiving treatment in the clinic was
texting her to inform her of her boyfriend’s condition and was mocking and
ridiculing him, Jessica was forwarding the text messages that her sister- in-
law was sending to Doe. According to Jessica, Doe suggested that the messages
that Stalbird and other staff member was making fun of his medical diagnosis. (Guglielmo,
2013). 

“From”, the perspective of Guthrie Clinic Steuben they
denied the charges alleged by Doe. The Clinic contends that Doe has failed to
state a breach of confidentiality because Doe failed to allege a breach of
confidentiality by any named defendant. Guthrie concedes for purposes of this
motion that the Stalbird who disclose Doe’s disease may have violated a duty of
confidentiality, they did not knowingly violate any duty they have owed Doe.
They further argued there is no private cause of action under New York State
statutes asserted by Doe. (More Law Lexapedia, 1996-2018. Para 2)

Policies

The protection of patient confidentiality and Protected
Health Information was changed due to the final privacy rules on January 17,
2013. HIPAA Final Omnibus Rule 1 explains and outline new changes to the
previous HIPAA of 1996 guidelines to patient safety and quality improvement act
of 2005 and Health Information Technology for Economic and Clinical Health Act
of 2009. HIPAA Omnibus Rules includes changes to HIPAA Privacy, enforcement of
rules changes, Warning of a breach in unsecured protected health information
under HITECH and changes to HIPAA privacy rule required for Genetic
Information. 

“According”, to an article by AHIMA. (2018. Para, 1 -4). It
is the duty of all healthcare professionals to keep patients protected health
information confidential preexisting laws and regulations like HIPAA or HITECH
mandates the protection of patient health information. Protecting patient
information has been a major concern for hospital or clinics. It is important
to exchange information it can lead the doctor in the diagnosis and treatment
of patient. We must establish trust and build a rapport which is vital to the
doctor patient relationship, satisfaction, and produce the clinical outcomes.  

Patients should feel assured that their information that
is shared with their doctor or staff will not be exposed to the public or be
release to third parties without their authorization or consent. “If”, a
patient does not feel assured they will be hesitant to give out their
information that could be serious to their healthcare. (Health IT Gov, N. D P.
25)

The provider duty of confidentiality spreads out to the
employee and their duty is to protect patient health information. Patient
information or data should not be released without proper authorization, unless
it is an emergency. Disclosing patient information with consent can result in
malpractice or HIPAA violations. 

“In”, an article by Symes. (2018. Para. 1-5). “When”,
analyzing the implications of these policies on the operation of healthcare
HIPAA law applies to health care as well as small business that aren’t in the
health business. The keeping of Patient protected health information needs to
be secured and if you are not directly involved in patient care records should
not be accessed. “If”, the hospital or clinic staff is not trained and they disclose
patient health information you can be held liable and may be sued by the
patient whom information was exposed. HIPAA laws should be followed on a daily
basis, and you should follow your hospital compliance laws. These policies
should address employee access to information, securing of information and what
conditions health information should be disclosed and violating of the laws.

Laws Relevant to the Case

Three state or federal laws that are relevant to the case
are breach of the fiduciary duty of confidentiality for the disclosing of
person health information that goes against health care businesses, even if a
hospital employee is responsible for a leak and is not a doctor and acts
outside the scope of practice. The second Law is Breach of Contract which is
the disclosing of the patient personal information and; “finally”, negligent of
hiring, training, supervising of employees. (FindLaw. 2018, Para. 1-4).

“When”, evaluating key legal factors of the case Breach
of Fiduciary Duty Doe alleges that Guthrie, owed a duty to keep his information
confidential and was breached by revealing his health information. Breach of
Contract, Doe claims that the medical clinic violated an implied contract of
good faith and negligent of hiring, training, supervising of employees, Doe
claims that the medical clinic should have known that the nurse would breach
her duty of confidentiality with respect to other people personal protected
health information. (Doe vs. Guthrie Clinic Ltd. Et al. 2018. P 6-16) 

Assessing various policies and procedure that are
inherent in these laws that relate to the provision of health care by providers
or patient rights we should add training about the policies and procedure
compliance into the newcomer’s employee orientation. Managers should be held
accountable for policy changes and reinforce policies into the annual
performance review. Situations that have the potential to cause harm to the
patient should be reported to management by implementing a feedback tool.
Establish a mock review team to review policies and compare them to the
policies already within the organization. (Irving, 2017. Para 23-30)

Laws v. Need

As suggested by Reference. (2018, Para.
1-8). The difference between the demand of legal policies and ethical issues
with significance to the need of the provider and patient, laws control what
individuals can and cannot do and ethics are morals standards distinguish wrong
from right. Legal regulations forbids healthcare professionals from carrying
out certain duties that are considered morally acceptable actions.

Laws are created to protect patients’
rights and freedom and can generate positive responses to protect the safety
and well-being of the community. “Occasionally”, legal and moral issues exist
in agreement and can also raise questions and inconsistence in opinions.  

Assessment

When formulating an assessment of the
potential impact of the case on decision-making options in the future for
providers, patients, and administrators includes conducting a security review
of patient organization and using the results of the assessment to make
adequate changes to improve data security. “Secondly”, implementing a lock down
response after unauthorized patient medical information access by blocking
unauthorized access to the patient medical information and work with
Information Technology to identify the source of the attempted breach. Finding
should be communicated to the HIPAA privacy or compliance officer.

Hospitals or clinic should implement a
zero tolerance policy for unauthorized access to patient medical information
for an employee who purposely enter or gain access to patient medical health
information without authorization. Offer orientation and in-services on the
zero tolerance policy for unlawful access to patient health information.
Restrict use of personal communication devices and respond immediately to
unauthorized access to patient medical information by employees in your
response include data used, investigation, evaluate the level of the breach and
reinforce the Zero Tolerance policy. (RMS. 2014. P. 1-9)

Conclusion

In my opinion the world is infatuated
with privacy and obtaining patient health information, which can be easily
access by anyone and yet most people are unaware of the possibilities or
unworried about the loss of confidentiality. Knowing the federal and state laws
can help you to make educated decisions about the sharing of health
information. Confidentiality laws concerning medical health information is
continuously changing at the state and federal level.

More focus is on HIPAA although there
are a number of state confidentiality protections and laws that is important
for health care employees and patients it’s vitally important for them to be
educated about the confidentiality laws. Sharing of patient information without
authorization can lead to lawsuit and cost the healthcare industry millions of
dollars     

References

• AHIMA. (2018). Laws and Regulations Governing the Disclosure of Health Information (2014 update) Retrieved from http://bok.ahima.org/doc?oid=300245#.XALP0ttKjIU
• Doe v. Guthrie Clinic, Ltd. et al. DOC 17, 11-CV-6089T (W. D. N. Y, Feb 17, 2012). Retrieved from https://cases.justia.com/federal/district-courts/new-york/nywdce/6:2011cv06089/83052/17/0.pdf?ts=1428914771
• FindLaw. (2018). DOE v. GUTHRIE CLINIC LTD Retrieved from https://caselaw.findlaw.com/ny-court-of-appeals/1654495.html
• Guglielmo, Wayne J. (2013).Nurse Reveals STD Patient to Girlfriend, Man Sues; and More Retrieved from https://www.medscape.com/viewarticle/803758_1
• Health Information Technology. (N.D.). Guide to Privacy and Security of Health Information Retrieved from https://www.integration.samhsa.gov/operations-administration/privacy-and-security-guide.pdf
• Irving, Anne. V (2017) Policies and Procedures for Healthcare Organizations: A Risk Management Perspective Retrieved from https://www.psqh.com/analysis/policies-and-procedures-for-healthcare-organizations-a-risk-management-perspective/
• MoreLaw, Inc. (1996-2018). John Doe v. Guthrie Clinic, Ltd Retrieved from https://www.morelaw.com/verdicts/case.asp?s=NY&d=60079
• Reference. (2018). What is the Difference between Legal and Ethical Issues? Retrieved from https://www.reference.com/world-view/difference-between-legal-ethical-issues-b59c4a38f6029883
• RMS. (2014). Is Strict Liability Next for a Purposeful Data Breach? Retrieved from https://obpi.therozovskygroup.com/ob-files/uploads/TRG_News_Feb_2014_no_2_OBPI.pdf
• Symes, Steven. (2018). How Do HIPAA Laws Affect Day-to-Day Organizations? Retrieved from https://smallbusiness.chron.com/hipaa-laws-affect-daytoday-organizations-16592.html