This article is part 2 of our 3-part Privacy Training Series: Financial Impacts & Consequences of a Privacy Breach.
It doesn’t take significant effort with Google to discover multiple stories about privacy breaches in Canadian healthcare settings over the past year. These stories have consistent plot lines with egregious privacy breaches being committed by employees, typically for personal reasons and with strong enforcement outcomes.
These privacy breach stories normally contain detail about the incidents, the health care facility, and the names of the individuals who committed the breaches (intentional or not), all in the public record. Employers’ names and practices are also highly publicized. Many of these stories gain broader publicity than a disciplinary tribunal hearing by regularly appearing in industry publications. Of course the juicier or higher profile cases always end up on the evening news. It goes without saying that this is not how healthcare practitioners want to gain publicity for their organization.
Intentional and Unintentional
What do many of these breaches look like? The two most common circumstances for privacy breaches are intentional and unintentional.
The intentional breach frequently involves an employee improperly accessing multiple patient healthcare records over a period of time. The breach is commonly discovered by one of three methods:
- Most frequent is through an accidental disclosure of information that triggers someone to question why that employee was accessing the information.
- Second most common is the breach victim becoming suspicious and requesting a log of who has accessed their information.
- The final most popular method that reveals privacy breaches is through periodic audits of information access. Either way the breach is discovered, in a digital world the trail of evidence is easy to follow.
The unintentional breach that normally stems from poor privacy procedures and practices is often more egregious, as the information is frequently lost into the public domain. There are unknown consequences to those whose privacy has been affected and no way to fully retrieve the information. For example, consider electronic devices with privacy information improperly stored on them that become lost or stolen – either way, there are equal chances of the privacy breach ending up as tomorrow’s headlines.
A look at privacy breaches in Canada over the last few years shows that all levels of employees were involved. Breaches are committed by staff ranging from billing clerks all the way to the top levels of the medical profession. It is important to note again that not all breaches are intentional.
Malicious Breaches Pose a Growing Threat; Accidental Breaches Still Common
This is where things get strange! The majority of breaches are not committed for financial gain. A survey of recent cases reveals motivations more related to human emotions and frailty.
- Snooping or malicious breaches are the leading reason why people commit privacy breaches, to learn information about family members or friends.
- Next up is influencing an outcome of a situation by gaining an informational edge with personal knowledge of the people involved.
- In the third spot is revenge, using healthcare information to do potential harm to another person.
- Inadvertent breaches from human error and system glitches are still too common.
Consequences
Penalties for breaches continue to be severe as governing bodies take privacy very seriously. A wide range of sanctions frequently given include hefty monetary fines, professional reprimands, work discipline actions including suspensions, the removal of future privileges to access to health information systems and loss of employment. For the health practices there is significant reputational damage plus additional costs that will be discussed in our next blog.
Privacy Best Practices Starts with Education & Annual Training
Since privacy breaches start with people, it is important to identify ways to improve your privacy best practices before your office becomes tomorrow’s headlines. The best medicine, as mandated by many governing tribunals, starts with education and annual privacy training. Efficient online training where progress is tracked and audited, with frequent refresher courses has been proven to work. A proactive training strategy keeps employees up-to-date on privacy obligations and reminds them of the serious consequences a privacy breach brings. The cost to employers and employees of proper education is substantially less than the alternative!