Summary of Breach of Patient Confidentiality Stories
Today, the news media feature multiple stories about breaches of patient confidentiality resulting from either negligence or intentional acts. In many of these stories, the violation stems from unauthorized access to patients’ protected health information. On February 2, 2023, the HHS released a press briefing highlighting that its Office for Civil Rights (OCR) had settled for $1.25 million with Banner Health over a cybersecurity hacking incident that affected approximately 3 million people (HHS, 2023). A hacker accessed protected health information, including patient names, addresses, social security numbers, clinical details, claims data, lab results, clinical information, and dates of birth. Healthcare organizations are held responsible for assessing cybersecurity risks and effectively mitigating them, which explains why OCR fined Banner Health for this breach.
The most interesting aspect of this story is that an entire organization was charged with negligence in safeguarding patient data. In essence, the organization was expected to prevent the cyberattack, and its failure to do so is considered corporate negligence. OCR places a duty on Banner Health, and the incident constitutes a breach of that duty. Unauthorized access to personal information causes harm to patients, which further explains why a successful cyberattack is deemed a violation of the HIPAA Security Rule. While Banner Health faced an external threat, other organizations face internal human errors that cause a breach. For example, Vesty’s (2023) story tells of a leukemia patient receiving a notification from NHS Lothian that a staff member had inappropriately accessed his information and that of over 90 other patients. Police Scotland was investigating the breach, but the patient could not obtain details of its extent or of the risk to which he had been exposed.
Liability in Healthcare
Liability in healthcare emanates from the negligent actions of an organization’s employees. For example, the Banner Health story implies that the employees responsible for cybersecurity acted negligently, which allowed the hacking to occur. Healthcare liabilities often fall under two types. The first is liability for the negligence of hospital employees, which aligns with the concept of vicarious liability in personal injury law. In this category, employees can be held liable for their own negligence, and the hospital can in turn be held responsible for the malpractice of its staff members. The second type is the hospital’s liability for harm caused by mistakes of the facility’s administration. For instance, an organization may be negligent in hiring and supervising employees, or it may fail to repair and maintain equipment. In the Banner Health example, the firm’s administration acted negligently in its cybersecurity efforts. The rationale is that the administration must ensure that a breach of patient confidentiality does not occur, which means implementing the necessary risk mitigation mechanisms.
Healthcare liability has multiple legal implications. A tort of negligence often seeks to compensate injured patients, provide corrective justice, or deter negligence. In the Banner Health story, the fine paid by the firm provided corrective justice and discouraged negligence by pushing the firm to be more proactive in safeguarding patient health information. In the NHS Lothian story, the culpable employee can expect legal action, and the hospital could be found negligent for allowing such unauthorized access. Legal healthcare liability can therefore be an effective mechanism for ensuring that improper disclosure of patient health information does not occur.
References
HHS. (2023). HHS Office for Civil Rights settles HIPAA investigation with Arizona hospital system following cybersecurity hacking. HHS.gov. Web.
HHS. (2023). Initial 20 entities selected for audit. HHS.gov. Web.
Vesty, S. (2023). Scots cancer patient hits out after major data breach of medical records at NHS Lothian by staff member. Daily Record. Web.