What Constitutes a HIPAA Violation? | HealthITSecurity.com

No individual wants his or her protected health information (PHI) to be unnecessarily made public. Not only is the information personal, but if it fell into the wrong hands, it could lead to many issues – personal and even medical – for the patient in question.

As technology continues to evolve, it also seems that the number of healthcare data breaches is on the rise. Rightfully so, more people are becoming aware of how their information is shared electronically. But are all concerns over electronic data sharing warranted? Is everything considered a HIPAA violation?

That concern is one reason why some hospitals are reportedly abandoning a long-held tradition: announcing the first birth of the new year. Community Health Systems recently ordered its facilities nationwide to stop publicizing the first baby born in the year, according to the Associated Press.

“We know the birth of the new year baby is a joyous and exciting event, but protecting patient safety and privacy is our most important responsibility,” Community Health spokeswoman Tomi Galin told the news source.

Galin added that the move was a preventative measure, and not because of specific threats or abduction attempts. Moreover, the National Center for Missing & Exploited Children cautions healthcare providers about how much information they give to the media, Galin said. For example, home addresses or other personally identifiable information do not need to be released.

Community Health made headlines last year when it reported that Chinese cyber criminals hacked into its database, compromising the information of 4.5 million patients. The data included names, addresses, birth dates, telephone numbers and Social Security numbers. However, no credit card or medical data were involved.

Another surprising area where a HIPAA violation concern arose was in Major League Baseball. Matt Kemp played for the Los Angeles Dodgers, and was involved in a trade deal that would send him to the San Diego Padres. However, there were concerns over Kemp’s physical condition, according to a Yahoo Sports story. Specifically, a USA Today article reported that Kemp’s physical showed severe arthritis in his hips.

Yahoo Sports quoted a tweet from Ken Rosenthal, which said it would not be good if the Padres had leaked the medical information.

“Information damages Kemp in public realm. Gives appearance of #Padres trying to leverage medical information. And is a violation of HIPAA,” read the tweet.

But what exactly constitutes a HIPAA violation? According to the Department of Health and Human Services (HHS), organizations defined as a HIPAA covered entity need to comply with the rule’s requirements to protect patients’ privacy and security.

“If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information,” according to HHS.

Something that is seemingly innocent, such as announcing the first baby born in a new year, will not always lead to things such as identity theft. However, too much personal information, or information that is given without written parental consent, might be enough for a criminal to take advantage of the situation.

In terms of professional athletes, their information is often in the public eye. But covered entities must remain diligent in keeping PHI safe, regardless of who the data belongs to. Neither of these situations is necessarily a HIPAA violation, but it is important for healthcare organizations – and their patients – to remain current on all regulations to best protect sensitive information.