Privacy from a Compliance and Ethics Perspective

Jeannine LeCompte, Publishing and Research Coordinator

A ransomware attack on one of southeast Georgia’s largest healthcare systems exposed both staff and patients’ protected health information (PHI). The company announced that it experienced “a data security incident that may have resulted in unauthorized access to patient and employee information.”

A health system in New Mexico had to notify patients about a cybersecurity incident which resulted in potential data exposure. According to the system’s report to the US Department of Health and Human Services Office for Civil Rights, 637,252 individuals were affected. An unauthorized third party had gained access to the system’s network and could have accessed or obtained certain files. The health system hadn’t discovered the breach until over a month had passed.

More than 7,000 Ohio hospital system patients had their private records accessed by a former employee as part of a privacy breach. The former employee accessed patient information outside the scope of his job duties over a twelve-year period, including patients’ names, addresses, birthdays, Social Security numbers, insurance information, and diagnosis and treatment information.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established national standards to protect individuals’ medical records and other personal health information. It requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. HIPAA requirements should be included in a skilled nursing facility’s (SNF) compliance and ethics program.

PHI is health information about an identifiable patient, whether recorded digitally, recorded on paper, or exchanged verbally. It includes health or healthcare history, genetic information, observational notes, healthcare provision, payment methodologies, personal and financial information, domestic situation, and any other personally identifying information which may, for any reason whatsoever, have come to the attention of staff.

To ensure resident privacy and fulfill legal requirements, SNFs must take steps to safeguard PHI confidentiality. This includes setting up robust systems to protect the integrity of all PHI that the organization creates, receives, maintains, or transmits—while at the same time ensuring that this information is available to staff who need to treat or care for the individual in question.

The facility must therefore be in possession of a physical system and process which protects PHI against any reasonably anticipated threat or hazard. The emphasis on reasonably anticipated threats is vital. In the event of a data breach, the facility will have to be able to prove to the investigating authorities that all reasonably expected eventualities were foreseen and prevented—and that only an unforeseen event has led to the PHI loss.

Preventing these “reasonably expected” data breaches forms the core of protecting privacy from a compliance and ethics perspective.