Patients have long been concerned about the privacy of their health care information. "How private is 'private'?" is a question that echoes through the minds of patients every time they receive a stigmatizing diagnosis such as cancer, a sexually transmitted disease (STD), alcohol or drug dependency, a mental or emotional health problem, or trauma symptoms related to a personal and private experience. Federal regulations for health care providers that went into effect in April 2003 are touted as improving or ensuring the privacy of an individual's personal health information, but do they? We think not.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191) is a multitiered, comprehensive, convoluted, and controversial federal law for sweeping health care reform. Although HIPAA is dramatically broader in scope than privacy protections for health care information, a provision for privacy in the form of a Privacy Rule is included in Title II of HIPAA under the Administrative Simplification regulations; this regulation has created widespread controversy, as well it should, juxtaposed with both civil liberties and the tenets of our profession's ethical code.
In preparation for the Privacy Rule compliance date in April 2003, executives of covered entities (CEs), which include health plans, health care clearinghouses, and health care providers, were involuntarily plunged into a mire of federal definitions, acronyms, regulations, and procedures that spiked the jargon meter. A veritable compliance melee erupted as a result of struggles to comply with the letter of the law in the face of inability to decipher what the letter of the law was. A health care network-wide plethora of brochures, forms, and flyers, ostensibly aimed at protecting patient privacy better than ever before, spilled from the many months of compliance preparations by each CE. But contrary to the HIPAA hype about patient protection, and despite the glacier of paperwork for protecting privacy that was spawned by the Privacy Rule, critics of HIPAA claim that this federal law erodes patients' right to privacy. Citizens for Health filed papers in the U.S. district court in Philadelphia alleging that HIPAA regulations threaten "essential liberties [privacy] guaranteed by the Constitution" (Dougherty, 2003).
Privacy and confidentiality are in greater jeopardy than ever because of two security issues inherent in compliance with HIPAA regulations. The first security issue stems from the fact that health care providers are forced to use the Internet for sharing information and for billing purposes. Second, and counter to HIPAA's alleged intent, is the issue of access to private health information. According to a statement issued by Citizens for Health, "virtually all personal health information about every aspect of an individual's life can be used and disclosed routinely without notice, without the individual's consent and against his or her will" (Dougherty, 2003).
In the first instance, patient confidentiality is compromised by the federal government, health care workers, hackers, and the legal system. The federal government realizes a savings of billions of tax dollars by computerizing Medicare and Medicaid programs and HIPAA, and, except in very small practices, makes electronic billing mandatory. Also, to facilitate quick information exchange in medical emergencies, there is a push for universal patient identifiers, which relates to the second security issue. A nationwide linking of all medical records is possible with such identifiers (Gelman, Pollack, & Weiner, 1999). "A national health ID so presages a national health database that Congress has consistently refused to fund the program" (Privacilla.org, 2003, p. 11). Even so, increasing amounts of new private health information will be traveling the electronic highways, in addition to what is already stored in computers by managed care companies, as the private insurance companies follow the government's lead.
Managed care personnel have secured private health information about patients and clients to verify the necessity of treatment (Harris, 2003). During the past 15 years service providers assumed that this confidential information would remain safe with managed care personnel. With the retroactive element of the 2003 amendments to HIPAA, making past medical information available electronically, how valid is that assumption? Several years of paper treatment plans and client progress reports can be scanned into computer banks and be available for dissemination via the Internet. Internet use for insurance billing and sharing information is mandated by HIPAA, and the pesky problem of keeping that electronic information safe and secure is also addressed by HIPAA, allocating that responsibility to the service providers.
Unfortunately, that allocation does not guarantee that private medical information will remain safe and secure in storage or transit via the Internet. As distribution of information widens via the Internet, that information is more apt to become public (Aaronson, 2002). With date of birth, gender, and five-digit zip codes, 87 percent of the U.S. population can be identified (Aaronson).
"Instances of computer security breaches and associated financial losses have soared in recent years" (Raul, Volpe, & Meyer, 2001, p. 2). Computer programs now exist to crack passwords. In the first 20 minutes of an attempted break-in to a database, 20 percent to 50 percent of the Microsoft Windows passwords of a corporation with 10,000 employees could be found, and 90 percent could be found within 24 hours "by adding a brute force attack" (Lee, 2001, p. 2).
Hackers have enjoyed success in these endeavors. The confidential records of thousands of patients were stolen from the University of Washington Medical Center in 2001 (Chin, 2001), and in Philadelphia, Drexel University College of Medicine's database of 5,000 neurosurgery patients was accessed last year (Chin, 2003). Microsoft and the Pentagon, with state-of-the-art computer security systems, were recently victims of hackers (Chin, 2001).
Computer security companies advertising the need for their products focus on the lack of security in cyberspace. Security lacks are documented by the Computer Security Institute and the FBI, which found in 2002 that 90 percent of large corporations and government agencies were victimized by hackers (Computer Security Institute, 2002). Doc-Shred (2003) estimated that "U.S. corporations are losing an estimated 100 billion dollars a year to information thieves" (p. 1). Prescriptions to remedy these situations include access-control servers, firewalls, intrusion detection, network scanning, encryption, and virtual private networks (Cisco Systems, 2001). However, as the hackers and computer security companies do battle, there is, to date, no foolproof system to keep Internet information 100 percent safe.
In addition to the problems of managed care's ownership and use of private medical information, the health care employee can compromise patient confidentiality through inadvertent errors. Electronic information can be sent to the wrong place, or the wrong information may be sent. The sheer volume of transmissions translates one simple mistake into thousands of cases misplaced or misdirected. Glitches occur within a "company's computer system leading to unintended dissemination of proprietary information" (Raul et al., 2001, p. 2). In August 2000, 858 Kaiser Permanente patients' confidentiality was breached when a computer glitch made incorrect appointments (Dyer, 2001).
In addition to negligent errors, people with access to medical information may have malevolent intent. A public health worker gave two newspapers a computer disk with 4,000 names of HIV-positive individuals. Medicaid clerks sold recipients' computerized printouts of financial resources to managed care companies. A banker called due the mortgages on cancer patients after cross-referencing information he obtained as a county health board member (Clark, 2001).
Legal recourse for damages caused by negligent failure to secure confidential information is woefully lacking. "To date no U.S. court has addressed the issue of liability for failure to secure a computer adequately" (Personick & Patterson, 2003, p. 45). The public has no recourse to sue under the new privacy rule (Peisert, 1999). HIPAA threatens penalties for noncompliance with security regulations, but if hackers or others obtain private information and an individual is harmed, suing in the courts does not seem to be an option. Rather, "if the right to refuse information sharing comes only from the HIPAA privacy regulation, the consumer can only complain to the Department of Health and Human Services (HHS), getting in line behind thousands of other people to see if the agency will pursue his or her interests" (Privacilla.org, 2003, p. 23).
The second confidentiality problem under HIPAA is that information may be shared without the patient's consent and with the 2003 Amendments may be shared despite patient objections. Peter Kavanaugh (n.d.), past president of the Academy for the Study of the Psychoanalytic Arts, stated that the board of the Academy is opposed to the new
HIPAA-cratic oath that requires the entry of personal and private information into a nationwide computer data base where it can be accessed by dozens of government agencies, thousands of bureaucrats, pharmaceutical corporations, private insurance companies, police agencies, foreign government officials and others … without the person's consent. (p. 2)
Health studies and drug marketing are instances in which patient data is shared (Aaronson, 2002). Law enforcement officials' access to patients' medical information has been broadened (Gelman et al., 1999). Public health activities may necessitate collecting individually identifiable information, including genetic information, without bothering to ask for an individual's consent (Peisert, 1999). Another broad area that allows sharing information without consent is defined only as having "specified public and public policy related purposes" (Richards, 2003). The FBI's new surveillance system could conceivably be used under these broad purposes. The new system was dubbed "'Carnivore' because it has the ability to get at the 'meat' of interesting or suspicious communications" (Lycos, 2003, p. 1).
The plaintiffs' brief, submitted to the United States District Court for the Eastern District of Pennsylvania by attorneys James C. Pyles and Kenneth I. Trujillo in Citizens for Health v. Tommy G. Thompson, Secretary, U.S. Department of Health and Human Services, clearly delineates the privacy concerns regarding the 2003 Amendments to HIPAA. The brief states that
"The Amendments eliminate their [citizens'] ability to exercise any control over the use and disclosure of their identifiable health information for routine purposes" (p. 3).
"Confer blanket federal authority on covered entities… to use and disclose their health information against their will and over their objections" (p. 3).
"Eliminate the ability to protect the privacy of their identifiable health information by paying out of pocket" (p. 5).
"Personal health information that they had permitted to be included in their medical records prior to April 14, 2003 would be used and disclosed without their permission" (p. 27).
Honorable Mary Ann McLaughlin entered a temporary order enjoining HHS Secretary Thompson's use of the Amended Privacy Rule "to the extent that it authorizes and permits the use and disclosure of Plaintiffs' identifiable health information without their consent" (Citizens for Health v. Tommy G. Thompson). However, the final decision was favorable to the secretary of HHS.
In a news release on April 2, 2004, the secretary stated that the "court's decision supports our authority to protect the privacy of patient health information in a way that does not impede their access to quality health care. … We will continue to educate consumers about these important new protections and to promote compliance by those who, under the law, must safeguard patient health information." (HHS, 2004). Citizens for Health filed a Notice of Appeal on May 27, 2004. The Appellate Brief in this matter was filed on August 23, 2004 (Appeal for Patient Privacy Foundation, n.d.).
- Kuczynski, Kay & Patty Gibbs-Wahlberg; HIPAA the healthcare hippo: despite the rhetoric, is privacy still an issue?; Social Work; Jul 2005; Vol. 50; Issue 3.
Evolution of Social Work Ethics by Mary Rankin, J.D.
The change in a social worker’s approach to ethical concerns is one of the most significant advances in our profession. Early in the 20th century, a social worker’s concern for ethics centered on the morality of the client, not the ethics of the profession or its practitioners. Over the next couple of decades, the emphasis on the client’s ethics began to weaken as social workers began developing new perspectives and methods that eventually would be fundamental to the profession, all in an effort to distinguish social work’s approach from other allied health professions.
The first attempt at creating a code of ethics was made in 1919, and by the 1940s and 1950s, social workers began to focus on the morality, values, and ethics of the profession, rather than the ethics and morality of the patient. As a result of the turbulent social times of the 1960s and 1970s, social workers began directing significant efforts towards the issues of social justice, social reform, and civil rights.
In the 1980s and 1990s, the focus shifted from abstract debates about ethical terms and conceptually complex moral arguments to more practical and immediate ethical problems. For example, a significant portion of the literature from the time period focuses on decision-making strategies for complex or difficult ethical dilemmas. More recently, the profession has worked to develop a new and comprehensive Code of Ethics to outline the profession’s core values, provide guidance on dealing with ethical issues and dilemmas, and also to describe and define ethical misconduct. Today, ethics in social work is focused primarily on helping social workers identify and analyze ethical dilemmas, apply appropriate decision-making strategies, manage ethics related risks, and confront ethical misconduct within the profession.
The following contains three key legal issues for mental health professionals: Tarasoff - Duty to Warn, Duty to Protect; and Mandatory Reporting of Child Abuse
Tarasoff - Duty to Warn, Duty to Protect
Most states have laws that either require or permit mental health professionals to disclose information about patients who may become violent, often referred to as the duty to warn and/or duty to protect. These laws stem from two decisions in Tarasoff v. The Regents of the University of California. Together, the Tarasoff decisions impose liability on all mental health professionals to protect victims from violent acts. Specifically, the first Tarasoff case imposed a duty to verbally warn an intended victim of foreseeable danger, and the second Tarasoff case implies a duty to protect the intended victim against possible danger (e.g., alert police, warn the victim, etc.).
Domestic Violence – Confidentiality and the Duty to Warn
Stemming from the decisions in Tarasoff v. The Regents of the University of California, many states have imposed liability on mental health professionals to protect victims from violent acts, often referred to as the duty to warn and duty to protect. This liability extends to potential victims of domestic violence. When working with a client who has a history of domestic violence, a social worker should conduct a risk assessment to determine whether there is a potential for harm, and take all necessary steps to defuse a potentially violent situation.
Mandatory Reporting of Child Abuse
All states have laws that identify individuals who are obligated to report suspected child abuse, including social workers; these individuals are often referred to as “mandatory reporters.” The requirements vary from state to state, but typically, a report must be made when the reporter (in his or her official capacity) suspects or has reason to believe that a child has been abused or neglected. Most states operate a toll-free hotline to receive reports of abuse, and typically the reporter may choose to remain anonymous (there are limitations and exceptions that vary by state, so please review your state’s laws).
The article above contains foundational information. Articles below contain optional updates.
Reflection Exercise #4
The preceding section contained information about whether privacy is still an issue with HIPAA standards. Write three case study examples regarding how you might use the content of this section in your practice.
Ethics CEUs QUESTION 8
According to Kuczynski & Gibbs-Wahlberg, what is the second confidentiality problem under HIPAA?
Record the letter of the correct answer the