Privacy is critical in every aspect of life but perhaps most critical in healthcare. Having the assurance that confidential health information will not be disclosed without proper authorization is a fundamental right. The expectation of privacy enables patients to speak freely with medical professionals and helps ensure that patients receive optimal care based on all necessary information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established clear legal requirements for patient privacy, the security of health records and how health information can be shared. Individual states have also enacted laws to protect patients’ privacy. Unfortunately, healthcare data breaches continue to increase. According to data that the HIPAA Journal has compiled, the number of healthcare data breaches involving 500 or more records rose from 199 in 2010 to 642 in 2020.
Healthcare organizations, patients, insurers, and all other parties involved in healthcare can benefit from an understanding of the medical privacy laws and the privacy rights that all patients are entitled to.
What Is Patient Privacy?
While defining patient privacy may seem simple, complexities begin to appear upon examining its various aspects. The American Medical Association (AMA) categorizes the specific types of patient privacy as follows:
- Physical privacy, privacy related to a patient’s personal space
- Informational privacy, privacy related to a patient’s medical information
- Decisional privacy, privacy related to a patient’s personal choices, including cultural and religious affiliations
- Associational privacy, privacy related to a patient’s personal relationships with family and other individuals
Scholars have also highlighted the concept of proprietary privacy, which applies to patients’ genes, genomes and tissue specimens. Researchers must balance the need for these materials for medical research against patients’ privacy rights.
Why Is Patient Privacy Important?
Patient privacy is important on a number of levels. In addition to being a basic human right, privacy is linked to establishing doctor-patient trust and the effectiveness of healthcare. The consequences of failing to respect patient privacy can also be significant.
Privacy Is a Basic Human Right
In its 1948 Universal Declaration of Human Rights, the U.N. affirmed that “no one shall be subjected to arbitrary interference with his privacy. … Everyone has the right to the protection of the law against such interference.”
When healthcare organizations recognize the basic human right of patients to privacy, they demonstrate respect for patients and help to preserve patients’ dignity. This recognition is particularly important as medical information becomes digitized and can seem removed from a patient. It must be remembered that digital information is still associated with a patient who has a basic human right to privacy.
Privacy Is Key to Trust Between Doctor and Patient
The trust between doctor and patient is critical, and ensuring patient privacy plays a significant role in establishing and maintaining that trust. Research has established a positive relationship between trust and patients’ satisfaction with their doctors; establishing trust between doctor and patient also leads to better patient adherence to treatment plans.
Privacy Helps to Maximize the Effectiveness of Healthcare
Assurance that their conversations and medical information will remain private helps patients provide full information that can help doctors provide the best healthcare. In short, better information can result in more targeted, effective healthcare.
Not Maintaining Privacy Could Have a Negative Effect on Healthcare Organizations’ Finances
Failure to comply with legal privacy requirements can subject healthcare organizations to financial penalties. In addition, data breaches at healthcare organizations can trigger lawsuits or lead to hefty financial settlements. Data breaches can also erode basic trust and result in patients seeking healthcare at other healthcare organizations. In 2020, cybersecurity firm CynergisTek released a report specifying that nearly 70% of individuals surveyed would likely cut ties with a healthcare provider if they learned that their personal health data was not properly protected.
What Are Patient Privacy Rights?
Both HIPAA and state medical privacy laws outline patient privacy rights.
HIPAA Privacy Rights
HIPAA established the first set of nationwide standards to protect individual’s health information, giving individuals control over their information and establishing limits on the use of that information. HIPAA also set forth civil and criminal penalties for violations of individuals’ privacy rights. Under HIPAA, individuals have the right to be told how their health information will be used and to control its disclosure.
HIPAA protects the privacy of individually identifiable health information in any format. That includes information regarding:
- Past, present or future physical or mental health or condition
- Healthcare services provided
- Past, present or future payment for healthcare services
HIPAA places no restrictions on health information that does not identify the associated individual or supply a way to identify the individual.
Under HIPAA, individuals have the right to:
- Obtain a copy of their health information
- Request corrections or additions to their health information
- Learn how providers or insurers use their health information
- Inform providers and insurers when they do not want their health information to be shared
Entities subject to HIPAA privacy requirements include health plans, insurers, health maintenance organizations, long-term care insurers, healthcare organizations, healthcare clearinghouses, Medicare and Medicaid. In addition, business associates who perform services or functions on behalf of those entities are subject to HIPAA privacy requirements.
Entities that are subject to HIPAA must report breaches of unsecured protected health information data to the U.S. Department of Health and Human Services (HHS). The department’s Office for Civil Rights (OCR) investigates complaints regarding alleged HIPAA violations; it also makes referrals to the U.S. Department of Justice for criminal investigation of cases involving the disclosure or obtaining of protected health information. From April 2003 to March 2021, OCR received nearly 260,000 HIPAA complaints. Some of the most common complaints have been related to:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards to protect health information
- Lack of patients’ access to their health information
State Privacy Laws
While HIPAA may be the best known medical privacy law, individual states have also passed privacy laws that extend beyond HIPAA. Those state laws include the following:
- In California, the Confidentiality of Medical Information Act, supplements the protection of individually identifiable medical information under HIPAA. For example, it allows individuals to sue a healthcare organization for a data breach.
- In Texas, the Medical Records Privacy Act is broader than HIPAA in certain respects. For example, it applies to any individual, business or organization (or their agents, employees and contractors) that obtains, stores or possesses individually identifiable health information.
- In Colorado, the Consumer Data Privacy Law imposes specific requirements for notification related to security breaches, including a shorter time frame for notification than HIPAA requires.
States are able to enact privacy laws that are more stringent than federal law because HIPAA establishes a floor of federal privacy protections, according to HHS. Therefore, if a provision of state law provides greater privacy protection than HIPAA’s privacy rule and it is possible to comply with both state law and HIPAA, then there is no conflict between the two and no preemption of state law.
What Is the Difference Between Patient Privacy and Confidentiality?
While patient privacy and confidentiality are frequently used interchangeably, they can be applied in different ways. In general, privacy is used when discussing an individual’s rights, while confidentiality is used when discussing an individual’s information.
The AMA Code of Medical Ethics makes the following distinction:
- Patient privacy encompasses many aspects, including personal space, personal data, personal choices and personal relationships.
- Physicians must preserve the confidentiality of information gathered in association with the care of a patient. In general, patients are entitled to decide whether and to whom their personal health information is disclosed.
HIPAA makes a further contribution to the distinction between privacy and confidentiality.
- HIPAA Privacy Rule. The privacy rule identifies who HIPAA covers, what information is protected and how protected health information can be disclosed.
- HIPAA Security Rule. The security rule specifies confidentiality requirements to support the privacy rule’s prohibition against improper uses and disclosures of protected health information.
How to Maintain Patient Confidentiality, Privacy and Security
Properly protecting patient privacy encompasses a combination of controls that, together, help ensure confidentiality of information. Exactly how to maintain patient confidentiality, privacy and security is still an evolving issue. The following examples of controls highlight the challenges that healthcare organizations face:
Providing Patients Access to Their Records
HIPAA guarantees patients the right to access their medical records, but doing so securely can be challenging. In complying with patients’ request for information, healthcare organizations must keep the following in mind to protect patient privacy:
- Patients are not required to use a portal to obtain their medical information, and they have a right to obtain that information through other secure means. Therefore, healthcare organizations must plan secure, alternative methods for providing information to patients.
- Patients have the right to request that healthcare organizations securely send their medical information to a third party. Therefore, healthcare organizations need to establish secure methods for transferring that information.
Digitizing Patient Health Records
Digitizing patient health records (PHRs) is not a simple matter of scanning hard copies of documents into electronic files. The transition to exclusive use of electronic health records (EHRs) can be more secure if healthcare organizations do the following:
- Form an implementation team with representatives from all levels of the organization. This will help to ensure buy-in and identify potential security threats.
- Identify workflows and physical layout changes that may be helpful when using the EHR software.
- Consult with the EHR software vendor or information technology (IT) staff on the most secure, efficient way to migrate existing records.
- Have an implementation plan. For example, decide whether to launch all EHR functionality at the same time or whether to launch specific pieces of the EHR functionality sequentially.
- Provide adequate training and request feedback regarding aspects of the new system that require improvement.
Safeguarding the computers in medical offices is critical to ensuring patient privacy and health information security. The AMA recommends the following:
- Use strong controls for password composition and length, and always lock computers when not in use..
- Restrict administrator access and regularly monitor the software on each computer.
- Install all software patches promptly.
- Use the most current version of web browser software and use up-to-date antivirus software and firewalls.
- Beware of software macros that automate certain tasks because they can contain malicious code.
- Control physical access to computers, manage the keys to locations where computers are used and restrict the ability to remove computers from secure areas.
Protecting Patient Health Records Available Through Mobile Apps
The increasing use of mobile health apps has introduced a new set of security challenges, and healthcare organizations that use them should keep in mind the following:
- Include a written description of security features within the app.
- Encrypt app usernames; passwords; and other data that’s collected, stored and transmitted.
- Create an incident response system in case of a security breach.
- Develop a disaster recovery and business continuity plan in case an app becomes unavailable.
Protecting Patient Health Records as Technology Advances
As medicine and technology evolve, healthcare organizations must ensure that they continue to protect PHRs. Examples include the following:
- Healthcare providers that use data from smart homes and smart devices to intersect with or feed into EMRs must ensure that they continue to comply with HIPAA.
- Healthcare organizations that permit data mining will need to be vigilant about the protection of that data from unauthorized use.
- With hacking incidents involving medical records on the rise as hackers develop more sophisticated approaches, healthcare organizations should consider expanding their use of artificial intelligence to alert them to suspicious behavior.
Conducting Required HIPAA Risk Assessment
HIPAA requires entities to conduct risk assessments to identify vulnerabilities and risks to patients’ protected health information. OCR and the Office of the National Coordinator for Health Information Technology within HHS have developed a web-based risk assessment tool to assist in that effort. The components the tool assesses illustrate the areas of consideration that are important in a risk assessment. Those components include an entity’s:
- Security management process
- Policies and procedures
- Controls over system access
- Workforce training
- Technical security procedures
- Physical security procedures
- Business associate agreements and vendor access
- Backup and data recovery plans
Providing Required HIPAA Training
HIPAA requires entities to conduct periodic training, and it’s important for employees to remain up to date. According to a 2020 survey of group health plan sponsors that consulting firm Buck conducted, 35% of respondents indicated that the most recent HIPAA training they offered occurred between one and five years ago and 10% of respondents could not specify when they last offered HIPAA training.
To develop effective training programs, healthcare organizations can do the following:
- Base training on the results of risk assessment.
- Ensure that training covers the roles that all employees play when they come into contact with protected health information.
- After employees have received training, provide regular refresher training to reinforce concepts and ensure that employees remain up to date on requirements.
- Regularly monitor for any changes to HIPAA requirements and promptly provide training when changes occur.
Disposing of Patient Health Records
HIPAA does not require healthcare organizations to dispose of PHRs using a particular method. Instead, HHS advises healthcare organizations to identify disposal steps that assess potential privacy risks and consider the format of the information. HHS has issued the following general information regarding PHR disposal:
- Organizations should not dispose of records in dumpsters or any location accessible to the public or unauthorized individuals.
- When disposing of the hard copies of records, entities should shred, burn, pulp or pulverize records in a way that ensures that the information on those records is not readable and that reconstruction of the information is not possible.
- When disposing of PHRs, entities should use technology that overwrites information, destroy records through exposure to a strong magnetic field or physically destroy the media on which the records are stored.
- If an entity is closing and therefore disposing of PHRs, it should consider offering patients the chance to retrieve their information before destroying it. In addition, HHS notes that state laws may require entities to retain PHRs and make them available to individuals even after they close.
Securing Patient Health Records During a Pandemic
The COVID-19 pandemic has put a spotlight on security issues that healthcare organizations will need to address.
- The pandemic has triggered a shift to remote work that has introduced new security vulnerabilities, and healthcare organizations need to ensure that they continue to comply with HIPAA as their employees work remotely.
- The expansion of telehealth during the pandemic has enabled patients to stay safe while consulting with healthcare providers. However, it has also raised privacy concerns, and healthcare organizations will need to address the potential for hackers to access health information through telehealth technology.
- The rise of phishing email scams related to the pandemic has increased the need for healthcare organizations to reinforce and improve controls over their email systems.
- The pandemic spurred the use of health information surveillance technology for purposes such as tracking virus exposure and monitoring outbreaks. The effects of that technology on patient privacy must be assessed.
- Ransomware attacks have also increased during the pandemic, prompting healthcare organizations to reinforce or expand their efforts to secure and back up their data.
Protecting Patient Privacy Is Critical to Effective Health Administration
Protecting patient privacy is fundamental to the effectiveness of healthcare, and the consequences of breach of the trust between patients and healthcare organizations can be significant. As they manage and lead healthcare organizations, health administrators must continue to make patient privacy a primary objective.
Individuals who are interested in working as health administrators can explore Duquesne University’s online Master of Health Administration program and its Healthcare Compliance and Risk Management concentration to learn more about how obtaining expertise in health administration and compliance and risk management can help them pursue their professional goals. With courses in medical and regulatory compliance, data mining, and healthcare law and ethics, the Healthcare Compliance and Risk Management concentration is a good fit for anyone interested in patient privacy in healthcare.
Start on the path to a rewarding career in health administration today.