Who Decides if We Need to Know?
Why do we know so much about Senator John McCain’s medical condition day by day? And when Congressman Steve Scalise was gravely injured in a shooting on June 14, why did the media report daily updates on his condition, revealing what might otherwise be considered private information? In your own family, are you quick to reveal a family member’s diagnosis or medical condition or do you guard it more closely?
Public Officials and Celebrities Have the Same Rights to Privacy as the Rest of Us
The reason we know more about Senator McCain and Congressman Scalise is because they and their families chose to allow the information to be disclosed. As public figures with constituencies who depend on their leadership, they likely decided that the public’s need for information outweighed their privacy needs. Contrast the timely reports from these elected officials with the more guarded information about Steve Jobs during his last years of life while he lived with cancer. He made a different choice. He was entitled to make that choice. When Prince died suddenly in April 2016 the public clamored for information but his right to privacy did not evaporate when he died. Under HIPAA law, an individual’s right to privacy lasts for 50 years after death.
Although hospital spokespersons and treating physicians generally are the ones speaking publicly about the patients’ medical condition, they are doing so strictly in line with an authorization provided by the patients. It is never appropriate for a health care provider to reveal more than what has been authorized. In the case of death, a personal representative is entitled to make those decisions.
Insiders are a Growing Threat to Maintaining Privacy
Unfortunately, curiosity by health care workers can lead to inappropriate disclosures. There is a long list of Hollywood celebrities, famous athletes, musicians and other public figures whose privacy has been breached by insiders in recent years. Curiosity is one reason, but financial gain is another.
The 2017 Verizon Data Breach Report (April 28, 2017) stated: “Insider misuse is a major issue for the Healthcare industry; in fact it is the only industry where employees are the predominant threat actors in breaches.”
Breaches are Costly
Organizations pay a price when privacy is breached, including stiff fines and resolution agreements with ongoing oversight. And employees can be subject to criminal prosecution. In 2011 UCLA agreed to pay $865,000 to federal regulators due to allegations that hospital employees viewed celebrity patients’ medical records without authorization. In 2017 a Florida hospital was fined $5.5 million because several employees had inappropriately accessed patient information.
The remedy is multi layered – having the right policies and procedures in place, building a culture of compliance, ongoing workforce training, audit controls and penalties against the wrongdoers. The core value is always the primacy of patient privacy – the patient has the right to decide whether to disclose or keep private their personal information, no matter how much we might want to know.