Privacy laws in the U.S. protect confidential medical information.
But the next crop of healthcare professionals say they would violate those privacy laws—for a price.
A study of graduating students looking to go into the healthcare field found that close to half (46%) said they would violate federal privacy regulations for an amount of money ranging from $1,000 to more than $10 million.
While many of the graduating students interviewed believed there would be a high probability of getting caught, they said they still would be willing to violate regulations of the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, according to a study published in JMIR Medical Informatics in July.
Researchers at Florida Atlantic University, Baylor University and the State University of New York at Buffalo were interested in taking a look at the role that monetary incentives play in violating HIPAA regulations and privacy laws by the next generation of employees.
Researchers first conducted a pilot study involving medical residents and individuals in an executive MBA program, some of who work in the health care industry as executives.The main study was based on 520 students in an undergraduate information technology course.
The researchers developed five different scenarios to see how easily future employees would be influenced to release patients' confidential medical information.
In one scenario, study participants were told to suppose they were a nurse’s aide at a hospital, earning $30,000 per year. Participiants were asked what amount of money they would take to release information on a patient they were caring for if a friend asked for the medical records.
A second scenario asked study participants if would they release patient information to a very close friend to help them in an upcoming legal battle, assuming that they are a doctor at a hospital, earning $200,000 per year.
A third scenario involved an insurance agent making $60,000 a year with access to confidential patient information.
Forty-six percent of participants in the nursing scenario indicated they would violate the federal law for an amount of money ranging from $1,000 to more than $10 million.
About 35% of participants in the doctor scenario and 45% of participants in the insurance scenario agreed to share HIPAA-protected information.
The larger the financial reward, the more participants agreed to violate HIPAA in all five scenarios, according to researchers.
In the fourth and fifth scenarios, researchers raised the stakes by including a personal or family situation.
The percentage of study participants who said they would violate HIPAA rose sharply when the issue became personal, the research found.
Roughly 78% of the study participants would accept $100,000 from a media outlet to release medical records of a politician to help pay for a friend’s medical procedure not covered by insurance.
About two-thirds of participants (65%) would accept $50,000 for the medical records of a reality star to help a friend in need of emergency medical transportation.
Granted, these situations are purely hypothetical and the odds of these scenarios occuring are pretty slim.
But the findings come as COVID-19 has shed new light on the issue of patient privacy, with the Office of Civil Rights, which oversees HIPAA compliance, granting specific relief and waivers related to the pandemic.
"Physicians and nurses are trained in terms of HIPAA,” said Chul Woo Yoo, Ph.D., one of the study’s authors and an associate professor in the information technology and operations management department within FAU’s College of Business. “However, it is not their focal interest. Therefore, developing the strong security climate among physicians and nurses should be carefully revisited by management.”
A report from Verizon in 2019 found that the majority of data breaches in healthcare come from inside the organizations. The healthcare industry is the only sector to show a greater number of insider attacks than external, according to Verizon's analysis of more than 20 industries.
"Insider threats can come from outside infiltrators who become insiders by phishing and social networking attacks. However, they can also come from insider threats, resulting from homegrown malicious employees who intentionally want to compromise a system for profit and for a variety of reasons, including hacktivism and thrill motives," Yoo and his fellow researchers said in the study.
According to the study results, there is a high probability that compromises can occur when employees are presented with monetary incentives, given the right context.
The research highlights the need for organizational procedures and the development of educational and training programs to encourage HIPAA compliance, researchers said.
Organizations need to have preventive controls in place including sophisticated monitoring systems technologies and constant attention to authentication protocols to prevent unauthorized access to buildings, software and databases.