Health care pros will accept money to violate privacy law

The next crop of health care professionals has a price when it comes to illegally releasing confidential medical information, according to researchers at Florida Atlantic University, Baylor University and the State University of New York at Buffalo.

While many of the graduating students who took part believed there was a high probability of getting caught, they said they would still be willing to violate the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, the research showed. The study, published in JMIR Medical Informatics, noted that health care has more insider breaches than any other industry.

The findings come as COVID-19 has shed new light on patient privacy, with the Office for Civil Rights, which oversees HIPAA compliance, granting specific relief and waivers related to the pandemic.

“Physicians and nurses are trained in terms of HIPAA,” said Chul Woo Yoo, Ph.D., one of the study’s authors and an associate professor in the information technology and operations management department within FAU’s College of Business. “However, it is not their focal interest. Therefore, developing a strong security climate among physicians and nurses should be carefully revisited by management.”

He worked on the research with Xunyi Wang, Ph.D., assistant professor of information systems in the Hankamer School of Business at Baylor University; Joanna Gaia, Ph.D., a clinical assistant professor at the State University of New York at Buffalo; and G. Lawrence Sanders, Ph.D., a professor in the Department of Management Science and Systems at the State University of New York at Buffalo.

The researchers developed and deployed five scenarios to determine whether financial incentives would influence subjects. Specifically, 45.9% of participants in the nursing scenario (240 of 523) indicated they would violate the federal law for an amount of money ranging from $1,000 to more than $10 million. About 35% of participants in the doctor scenario (185 of 523) and 45% of participants in the insurance scenario (236 of 523) agreed to share HIPAA-protected information. The larger the financial reward, the more participants agreed to violate HIPAA in all five scenarios.

What’s more, the percentages rose sharply when the issue became personal. Roughly 78% of the study participants in the personal context scenarios (410 of 523) said they would accept $100,000 from a media outlet to release medical records of a politician to help pay for a friend’s medical procedure not covered by insurance. About 65% of participants in the personal context scenarios (338 of 523) would accept $50,000 for the medical records of a reality star to help a friend in need of emergency medical transportation.

While fewer participants would break the law when they perceived a high probability of getting caught, the study found that they likely would do so anyway when the experimental scenario involved a friend or family member.

Negligence is only one cause of insider breaches; the deliberate, paid disclosure the scenarios tested is another, and the researchers concluded that organizational procedures and training programs are key to reducing noncompliance.

“The dark side of the abundance of personal information is that this information can be compromised and retrieved by insiders and external hackers,” the study stated. “Insider threats can come from outside infiltrators who become insiders by phishing and social networking attacks. However, they can also come from insider threats, resulting from homegrown malicious employees who intentionally want to compromise a system for profit and for a variety of reasons, including hacktivism and thrill motives.”