Privacy concerns regarding data breaches in the health system, hospitals in particular

November 30, 2014

Privacy and the medical sector should be synonymous. The principle appears in one of the world’s oldest oaths, the Hippocratic Oath. The classical version makes specific reference to privacy. It provides:

I swear by Apollo Physician and Asclepius and Hygieia and Panaceia and all the gods and goddesses, making them my witnesses, that I will fulfil according to my ability and judgment this oath and this covenant:

To hold him who has taught me this art as equal to my parents and to live my life in partnership with him, and if he is in need of money to give him a share of mine, and to regard his offspring as equal to my brothers in male lineage and to teach them this art – if they desire to learn it – without fee and covenant; to give a share of precepts and oral instruction and all the other learning to my sons and to the sons of him who has instructed me and to pupils who have signed the covenant and have taken an oath according to the medical law, but no one else.

I will apply dietetic measures for the benefit of the sick according to my ability and judgment; I will keep them from harm and injustice.

I will neither give a deadly drug to anybody who asked for it, nor will I make a suggestion to this effect. Similarly I will not give to a woman an abortive remedy. In purity and holiness I will guard my life and my art.

I will not use the knife, not even on sufferers from stone, but will withdraw in favor of such men as are engaged in this work.

Whatever houses I may visit, I will come for the benefit of the sick, remaining free of all intentional injustice, of all mischief and in particular of sexual relations with both female and male persons, be they free or slaves.

What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.

If I fulfil this oath and do not violate it, may it be granted to me to enjoy life and art, being honored with fame among all men for all time to come; if I transgress it and swear falsely, may the opposite of all this be my lot.

(Emphasis added)

If a number of recently reported incidents are any guide, the problems with privacy in hospitals are significant, if not chronic. In Massachusetts, USA, the Attorney General announced a settlement with the Boston hospital Beth Israel Deaconess Medical Center, which agreed to pay a total of $100,000 to settle charges related to a data breach that affected nearly 4,000 patients and employees. The breach involved a trespasser entering an unlocked office of the hospital and stealing a laptop containing unencrypted names, Social Security numbers and medical information. The consent judgement is found here.

There are further instances of data security breaches in the health sector in University Hospitals: Employee gained unauthorized access to 692 patient files in breach, Lakeridge Health reports 578 patient records inappropriately accessed, ‘Curiosity’ of Island Health employees led to privacy breach, probe reveals, Medway Maritime Hospital accidentally faxes patient’s records to a vet and Ex-clerk charged after privacy breach at Toronto hospital. In Australia earlier this year The Age reported on a significant data breach by the Royal Prince Alfred Hospital in Hospital breached privacy rules by releasing woman’s details to ex-husband. It provides:

A mother of two says a Sydney hospital released sensitive details about her health to her hostile ex-husband, who used it against her in his attempt to gain sole custody of their children.

The woman could receive up to $40,000 in compensation after a tribunal found Royal Prince Alfred Hospital breached privacy rules by giving her former husband medical records detailing her serious, chronic illness.

The mother, known for legal reasons as ADJ, and her former husband had equal custody of the children.

But when the father requested copies of the children’s medical records, the hospital handed them over without asking for the mother’s consent, notifying her or redacting information about her own illness, test results and treatments, which were detailed in the file.

ADJ told the NSW Civil and Administrative Tribunal her ex-husband had a history of violent behaviour and he used the information released by the hospital to pursue sole custody of the children in the Family Court. She said he disclosed her condition to a number of people, which made her feel “violated”, and that she had to defend herself publicly from his attacks on her character.

She said she felt “physically unsafe” in his presence.

The hospital claimed the information about her medical condition and treatment was relevant to the continuing care of the children, and therefore the health information belonged to all of them simultaneously.

Both children were born in the hospital’s maternity unit and the files included details of the antenatal care ADJ received and the children’s births. The hospital said the strength of the children’s rights to their own health information outweighed ADJ’s interest in maintaining her privacy.

Tribunal senior member Stephen Montgomery said the information could belong to both a mother and her children simultaneously. In ADJ’s case, records show a particular health service was provided to one of the children directly because of ADJ’s illness.

Mr Montgomery said information about a mother’s illness or hereditary condition could be relevant to the provision of treatment to her children and the same could be said for a father.

But ADJ argued that mothers were unique in that while their medical information formed part of their children’s files, potentially equally valuable health information about the father or other relatives remained solely in their files, inaccessible to the child or the mother.

In ruling the hospital had breached health privacy laws, Mr Montgomery said some of ADJ’s information included on the children’s records was neither relevant nor necessary for their care and treatment. There was no evidence to establish why some tests the mother had had were relevant to the children’s treatment and “should not have been released”.

Mr Montgomery also found that by retaining the mother’s health details on the children’s records, the hospital failed to ensure the security of her information against unauthorised use and disclosure.

The matter will return to the tribunal next month for submissions on ADJ’s case for damages. The tribunal can order the hospital to pay compensation of up to $40,000.
