Unauthorized Sharing of Patient Protected Health Information

Introduction

Unauthorized accessing of patients private health information and disclosure can have many legal implications for the patient information that has been disclosed, and the healthcare professional who have violated the confidence of the patient. The purpose of this research paper is to address the issue of unauthorized or sharing of patient protected health information.

Overview of Health Care Issue

The following paper will discuss the sensitivity of patient health information, and the implementation of HIPAA Privacy Rules. Sensitivity of health information is personal and varies on the basics of the person’s circumstances and situation. Significant factors include cultural, person’s life situation, the emotional and health status of the person. Sensitive health information is information that brings high risk if disclosure of information.

Possibilities of disclosure include discrimination, humiliation and physical harm.  Risk of disclosure of health information extend beyond the person’s family, employer, or others. Types of personal health information that is considered sensitive includes mental health issues, Communicable health disease, Reproductive issues and abortions.

Ethical Analysis

From the perspective of the patient on February 2010 John Doe was diagnosed with a sexually transmitted disease and was referred to Guthrie Clinic Steuben, a private medical practice located in Corning, New York for specific treatment for his STD. He arrived at the medical clinic on July 1, 2010 for treatment for his disease. A nurse by the name of Magan Stalbird who knew Doe as the boyfriend of her sister- in- law by the name of Jessica, accessed Doe Medical records without authorization for determining the reason he was visiting the clinic.

From the perspective of a family member Jessica once Magan Stalbird her sister- in- law learn her boyfriend was being treated for a sexual Transmitted disease while he was receiving treatment in the clinic was texting her to inform her of her boyfriend’s condition and was mocking and ridiculing him, Jessica was forwarding the text messages that her sister- in- law was sending to Doe. According to Jessica, Doe suggested that the messages that Stalbird and other staff member was making fun of his medical diagnosis. (Guglielmo, 2013). 

“From”, the perspective of Guthrie Clinic Steuben they denied the charges alleged by Doe. The Clinic contends that Doe has failed to state a breach of confidentiality because Doe failed to allege a breach of confidentiality by any named defendant. Guthrie concedes for purposes of this motion that the Stalbird who disclose Doe’s disease may have violated a duty of confidentiality, they did not knowingly violate any duty they have owed Doe. They further argued there is no private cause of action under New York State statutes asserted by Doe. (More Law Lexapedia, 1996-2018. Para 2)

Policies

The protection of patient confidentiality and Protected Health Information was changed due to the final privacy rules on January 17, 2013. HIPAA Final Omnibus Rule 1 explains and outline new changes to the previous HIPAA of 1996 guidelines to patient safety and quality improvement act of 2005 and Health Information Technology for Economic and Clinical Health Act of 2009. HIPAA Omnibus Rules includes changes to HIPAA Privacy, enforcement of rules changes, Warning of a breach in unsecured protected health information under HITECH and changes to HIPAA privacy rule required for Genetic Information. 

“According”, to an article by AHIMA. (2018. Para, 1 -4). It is the duty of all healthcare professionals to keep patients protected health information confidential preexisting laws and regulations like HIPAA or HITECH mandates the protection of patient health information. Protecting patient information has been a major concern for hospital or clinics. It is important to exchange information it can lead the doctor in the diagnosis and treatment of patient. We must establish trust and build a rapport which is vital to the doctor patient relationship, satisfaction, and produce the clinical outcomes.  

Patients should feel assured that their information that is shared with their doctor or staff will not be exposed to the public or be release to third parties without their authorization or consent. “If”, a patient does not feel assured they will be hesitant to give out their information that could be serious to their healthcare. (Health IT Gov, N. D P. 25)

The provider duty of confidentiality spreads out to the employee and their duty is to protect patient health information. Patient information or data should not be released without proper authorization, unless it is an emergency. Disclosing patient information with consent can result in malpractice or HIPAA violations. 

“In”, an article by Symes. (2018. Para. 1-5). “When”, analyzing the implications of these policies on the operation of healthcare HIPAA law applies to health care as well as small business that aren’t in the health business. The keeping of Patient protected health information needs to be secured and if you are not directly involved in patient care records should not be accessed. “If”, the hospital or clinic staff is not trained and they disclose patient health information you can be held liable and may be sued by the patient whom information was exposed. HIPAA laws should be followed on a daily basis, and you should follow your hospital compliance laws. These policies should address employee access to information, securing of information and what conditions health information should be disclosed and violating of the laws.

Laws Relevant to the Case

Three state or federal laws that are relevant to the case are breach of the fiduciary duty of confidentiality for the disclosing of person health information that goes against health care businesses, even if a hospital employee is responsible for a leak and is not a doctor and acts outside the scope of practice. The second Law is Breach of Contract which is the disclosing of the patient personal information and; “finally”, negligent of hiring, training, supervising of employees. (FindLaw. 2018, Para. 1-4).

“When”, evaluating key legal factors of the case Breach of Fiduciary Duty Doe alleges that Guthrie, owed a duty to keep his information confidential and was breached by revealing his health information. Breach of Contract, Doe claims that the medical clinic violated an implied contract of good faith and negligent of hiring, training, supervising of employees, Doe claims that the medical clinic should have known that the nurse would breach her duty of confidentiality with respect to other people personal protected health information. (Doe vs. Guthrie Clinic Ltd. Et al. 2018. P 6-16) 

Assessing various policies and procedure that are inherent in these laws that relate to the provision of health care by providers or patient rights we should add training about the policies and procedure compliance into the newcomer’s employee orientation. Managers should be held accountable for policy changes and reinforce policies into the annual performance review. Situations that have the potential to cause harm to the patient should be reported to management by implementing a feedback tool. Establish a mock review team to review policies and compare them to the policies already within the organization. (Irving, 2017. Para 23-30)

Laws v. Need

As suggested by Reference. (2018, Para. 1-8). The difference between the demand of legal policies and ethical issues with significance to the need of the provider and patient, laws control what individuals can and cannot do and ethics are morals standards distinguish wrong from right. Legal regulations forbids healthcare professionals from carrying out certain duties that are considered morally acceptable actions.

Laws are created to protect patients’ rights and freedom and can generate positive responses to protect the safety and well-being of the community. “Occasionally”, legal and moral issues exist in agreement and can also raise questions and inconsistence in opinions.  

Assessment

When formulating an assessment of the potential impact of the case on decision-making options in the future for providers, patients, and administrators includes conducting a security review of patient organization and using the results of the assessment to make adequate changes to improve data security. “Secondly”, implementing a lock down response after unauthorized patient medical information access by blocking unauthorized access to the patient medical information and work with Information Technology to identify the source of the attempted breach. Finding should be communicated to the HIPAA privacy or compliance officer.

Hospitals or clinic should implement a zero tolerance policy for unauthorized access to patient medical information for an employee who purposely enter or gain access to patient medical health information without authorization. Offer orientation and in-services on the zero tolerance policy for unlawful access to patient health information. Restrict use of personal communication devices and respond immediately to unauthorized access to patient medical information by employees in your response include data used, investigation, evaluate the level of the breach and reinforce the Zero Tolerance policy. (RMS. 2014. P. 1-9)

Conclusion

In my opinion the world is infatuated with privacy and obtaining patient health information, which can be easily access by anyone and yet most people are unaware of the possibilities or unworried about the loss of confidentiality. Knowing the federal and state laws can help you to make educated decisions about the sharing of health information. Confidentiality laws concerning medical health information is continuously changing at the state and federal level.

More focus is on HIPAA although there are a number of state confidentiality protections and laws that is important for health care employees and patients it’s vitally important for them to be educated about the confidentiality laws. Sharing of patient information without authorization can lead to lawsuit and cost the healthcare industry millions of dollars     

References

• AHIMA. (2018). Laws and Regulations Governing the Disclosure of Health Information (2014 update) Retrieved from http://bok.ahima.org/doc?oid=300245#.XALP0ttKjIU
• Doe v. Guthrie Clinic, Ltd. et al. DOC 17, 11-CV-6089T (W. D. N. Y, Feb 17, 2012). Retrieved from https://cases.justia.com/federal/district-courts/new-york/nywdce/6:2011cv06089/83052/17/0.pdf?ts=1428914771
• FindLaw. (2018). DOE v. GUTHRIE CLINIC LTD Retrieved from https://caselaw.findlaw.com/ny-court-of-appeals/1654495.html
• Guglielmo, Wayne J. (2013).Nurse Reveals STD Patient to Girlfriend, Man Sues; and More Retrieved from https://www.medscape.com/viewarticle/803758_1
• Health Information Technology. (N.D.). Guide to Privacy and Security of Health Information Retrieved from https://www.integration.samhsa.gov/operations-administration/privacy-and-security-guide.pdf
• Irving, Anne. V (2017) Policies and Procedures for Healthcare Organizations: A Risk Management Perspective Retrieved from https://www.psqh.com/analysis/policies-and-procedures-for-healthcare-organizations-a-risk-management-perspective/
• MoreLaw, Inc. (1996-2018). John Doe v. Guthrie Clinic, Ltd Retrieved from https://www.morelaw.com/verdicts/case.asp?s=NY&d=60079
• Reference. (2018). What is the Difference between Legal and Ethical Issues? Retrieved from https://www.reference.com/world-view/difference-between-legal-ethical-issues-b59c4a38f6029883
• RMS. (2014). Is Strict Liability Next for a Purposeful Data Breach? Retrieved from https://obpi.therozovskygroup.com/ob-files/uploads/TRG_News_Feb_2014_no_2_OBPI.pdf
• Symes, Steven. (2018). How Do HIPAA Laws Affect Day-to-Day Organizations? Retrieved from https://smallbusiness.chron.com/hipaa-laws-affect-daytoday-organizations-16592.html