Ethics focus on actions we should take — what we should and should not do. Ethics shape our values, cultures, and worldviews, and give us sensitivity to considering how our actions affect the welfare of others. In our society, we value privacy, which in the medical arena was not very well regulated until HIPAA was passed in 1996 and enacted in 2003 — even when considering the presence of the Hippocratic Oath. Medical privacy refers to the patient’s right to control his/her medical information and keep it confidential, and to decide how one wants it used and disclosed (or not used and disclosed). HIPAA provides for privacy of oral, written, and electronic health information with two rules governing privacy and security. The privacy rule focuses on an individual’s right to control the use of personal health information (PHI) while the security rule refers to a healthcare provider’s responsibility to prevent unauthorized disclosure, destruction, or loss of electronic PHI. In their textbook Principles of Biomedical Ethics, Tom L. Beauchamp and James F. Childress introduce the concept of biomedical ethics,1 which are often used to evaluate ethical decisions in healthcare. These four ethical principles are:
- Autonomy: the right of individuals to make their own choices.
- Beneficence: the principle of acting with the best interests of the other person (eg, patient) in mind.
- Nonmaleficence: at the crux of the Hippocratic Oath means “do no harm.”
- Justice: treating others fairly and equally; benefits, risks, and costs are fairly distributed between people.
Let’s look at some HIPAA breaches and see how these four principles play out in everyday life.
1) A nurse at Poudre Valley Hospital (PVH), Fort Collins, CO, was fired last year for viewing patients’ medical records2 out of personal curiosity. University of Colorado Health, which operates PVH, had to notify patients that an employee had inappropriately accessed their electronic health records. Did the nurse allow the patients to choose whether or not she could view their records? No, thus the nurse violated the patients’ autonomy. Did the nurse have the patients’ best interest in mind? It’s very likely she did not, thus she was not acting with beneficence. Did her actions do harm? The answer to this is subjective, but most of us would probably agree we do not want strangers snooping through our personal medical records. We do not know what the nurse did with the information she gained. Might she at some point gossip about a patient? Might she use the information she learned for personal gain?
For example, medical identity theft is extremely prevalent and much more lucrative than personal identity theft. Thieves use insurance information to gain health services or medical goods in another person’s name with the victim risking incorrect information being placed in their actual medical records. With regard to justice, it’s clear the nurse was not treating the patient fairly.
2) Valley Hope Association, Norton, KS, a provider of drug and alcohol treatment programs, had an unencrypted laptop stolen from an employee’s desk. Information included social security numbers, driver’s license numbers, health insurance information, financial information, disability codes, and much more. The number of people affected by the breach: 52,076.3 Did the patients of Valley Hope have autonomy in their decision-making? No, the decision to have unencrypted PHI on a laptop was not theirs. It clearly does not evidence beneficence — no patient benefited in any way and nonmaleficence could not be claimed because patients’ sensitive healthcare information transferred to unknown hands. Justice clearly was not served. Both of these examples involve the opportunity to make ethical decisions and both represent breaches of federal HIPAA regulations (and likely state law as well). Let’s take a look more closely at how we can make informed ethical decisions.
The process of ethical decision-making typically involves defining a problem, gathering information from all relevant sources, weighing the alternatives using ethical principles, deciding a course of action, and implementing the decision. We make ethical decisions every day, we just don’t often think about them as such.
When we decide to code a procedure in the manner in which we are most likely to get reimbursed, we are making an ethical decision. When a friend asks us for medical advice, we are making an ethical decision. When making ethical decisions within patient care, we gather information from several sources. We might utilize clinical research related to the problem at hand, core competencies, professional codes of ethics, and understanding the wishes of the patient. Ideally, we would also be able to assess the impact of culture and context on a patient. We also consider federal (eg, HIPAA), state, and local laws in making decisions about patients. Herein lies the interaction of ethics and HIPAA. We must weigh HIPAA regulations into our ethical decision-making. HIPAA was established to give patients a “floor” of privacy protection. We value their autonomy to make decisions about who, what, when, and where people may have access to their PHI. Let’s walk through the ethical decision-making process with a case study that could arise in various healthcare environments.
“Nurse J” works in a Midwest hospital. Because the community was relatively small and Jan’s husband was a police officer, Jan knew almost all of the police. When a local officer was investigating an adult male for prescription fraud, the officer approached Jan about getting the suspect’s pharmaceutical information for the investigation. Jan was torn, since she knew the officer, but was unsure if law enforcement should get easy access to patients’ PHI. She did know the suspect was a “frequent flier” in the emergency department, but was unsure if the person had a drug-abuse problem.
What should Jan do? According to our ethical decision-making model, the steps she may go through include:
1. Identify the problem. Jan’s ethical dilemma is that she is unsure if she should release patient PHI to law enforcement. If she does release the information, she fears she is violating the rights of her patient’s privacy; but if she does not, she feels like she is in the wrong for not helping law enforcement.
2. Gather information from all relevant sources. Jan needs to know several pieces of information in order to make an informed ethical decision. For example:
- Would the patient approve of the release of PHI?
- What does the ethics code of the professional nursing association that Jan belongs to say related to this scenario?
- What does hospital policy say about disclosures to police?
- Does Jan need to consult the hospital privacy officer? Administration?
- Which laws or regulations are relevant to Jan’s decision? For example, does HIPAA or state law comment on this issue?
3. After gathering information, Jan must weigh the ethical principles for her potential courses of action.
- If Jan releases the information to the officer without asking for the patient’s permission, she has stripped the patient of his autonomy.
- If Jan refuses to release the information, she is concerned of the impact on the investigation. She weighs beneficence: Will her actions help the patient in anyway? Jan may think giving the information to the officer will help the patient in recovery efforts. For example, he may be forced to stop abusing drugs if he’s arrested. Conversely, she might look beyond the patient and consider the community, hoping her actions of releasing the patient’s information may decrease overall drug abuse.
- If Jan does not release the information, is there a potential for harm to the patient? To the community? If she does release the information, might she damage the hospital’s relationship with the patient? Might she damage her hospital’s relationship with the police by not complying? She wants to adhere to the principle of nonmaleficence and “do no harm.”
- Jan must consider any applicable state laws, national laws and regulations, and her professional code of ethics. Her state law may be quite clear about maintaining confidentiality in lieu of a court order. Conversely, there may be exceptions for law enforcement investigations. Jan considers HIPAA regulations. HIPAA allows Jan to respond to a court-ordered warrant [Code of Federal Regulations (CFR) 45 164.512(e)(1)(ii)]. It is also likely her particular state’s law will allow disclosures for law enforcement. Jan’s professional association’s code of ethics dictates she put her patient first, she protect both his rights and safety, and notes she must follow the law. She discusses these issues with the chief privacy officer at her hospital to gain further insight.
4. Jan must decide a course of action. She decides she has few options in this case. She could ask the patient for permission to share the information with law enforcement, though this could hinder police investigation. Jan could ask law enforcement to obtain a warrant for the information. She could just give the information to the law enforcement officer since she knows him and wants to grant him “a favor.” Given the laws are clear, and while she would like to protect her patient’s privacy, Jan makes the decision to ask the officer to obtain a warrant for the information.
5. Jan implements the decision by informing the officer that in consultation with the hospital’s chief privacy officer, she must insist on a warrant to share her patient’s information. While the officer is not happy, she has upheld the rights of her patient, is following HIPAA regulations (and presumably state law), and is following policies and procedures of her hospital and her professional code of ethics. In this case, Jan has protected the autonomy of her patient, has acted with beneficence by keeping the patient’s best interests in mind, and has done no harm to the patient (nonmaleficence). She believes this is a fair solution to all (protecting client confidentiality and asking the police to follow the law protects the patient) and “the community.”
HIPAA regulations were drafted so patients would have a “floor” of privacy protection. In this case, we weighed ethical concepts that included consideration of HIPAA regulations as part of the ethical obligation of patient privacy. Each day is filled with ethical decisions to be made, and HIPAA must be part of one’s decision-making process. Patients have a right to an accounting of disclosures, but this must be temporarily suspended if law enforcement provides a written statement claiming the accounting would be reasonably likely to impede law enforcement activities. Law enforcement must specify the time for which the suspension of the accounting is required [45 CFR 164.512(d) & (f)], with a limit of 30 days from the date of the oral request by the officer to suspend. Unless a written statement is provided, the temporary suspension is limited to no longer than 30 days from the date of the oral statement, unless a written statement pursuant to is submitted during that time. n
Roger Shindell is chief executive of Carosh Compliance Solutions, Crown Point, IN, which specializes in HIPAA compliance consulting for small to midsize practices and their business associates. He is also chairman of the HIMSS Risk Assessment Work Group and a member of the American Health Information Management Association’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at firstname.lastname@example.org.
1. Beauchamp TL, Childress JF. Principles of Biomedical Ethics. New York. Oxford University Press;2012.
2. Monegain B. 10 Most Recent HIPAA Breaches. 2015. Accessed online: Healthcare IT News. www.healthcareitnews.com/news/10-most-recent-hipaa-breaches
3. Valley Hope Association Notifies Patients of Unencrypted Laptop Theft. HIPAA Journal. 2016. Accessed online: www.hipaajournal.com/valley-hope-association-notifies-patients-of-unencrypted-laptop-theft-8330