Much has already been discussed about the controversy surrounding Facebook and Cambridge Analytica and their usage of customers' data. In all the mayhem and confusion surrounding the massive privacy debacle, is there a lesson to be learned for the healthcare industry?
According to HHS, "the HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information" (45 CFR 164.520). The Privacy Rule also maintains:
Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The Privacy Rule requires that the notice contain certain elements. The notice must describe the ways in which the covered entity may use and disclose protected health information...state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice...describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated...include a point of contact for further information and for making complaints to the covered entity. Covered entities must act in accordance with their notices. The Rule also contains specific distribution requirements for direct treatment providers, all other health care providers, and health plans.
Luckily, HHS provides a model Notice that can be used by Covered Entities to fulfill these requirements. However, simply having the Notice is not enough. Simply having a patient sign that she has received your Notice of Privacy Practices is not enough to maintain compliance. Each patient must be provided with a copy.
The words of the late Steve Jobs are both timely and relevant to any privacy discussion:
Privacy means people know what they’re signing up for. In plain English, and repeatedly. That’s what it means. I’m an optimist. I believe people are smart. And some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they’re tired of you asking them. Let them know precisely what you’re going to do with their data.
So often in the healthcare world, compliance regulations are seen as a barrier to quality care. But ultimately, isn't healthcare about protecting the patient? Don't let your patients' right to privacy be a barrier to providing them with the care that they deserve - and that includes notifying them about their rights!