The general public has a great many misconceptions about the regulations and practices associated with healthcare, from what exactly is included in HIPAA legislation to the legal implications associated with the Hippocratic Oath. In the case of the latter, many believe the oath to be codified law. It isn’t. These misconceptions contribute to widespread confusion about what legal obligations exist and how they are applied.
Central to these misconceptions is a proper understanding of a patient’s right to keep medical records private. Medical issues can be personally embarrassing, or make one feel vulnerable or exposed. In other cases, revealed medical information can also show a condition that comes with stigma. Mental health and psychiatric diagnoses are such conditions.
One of the most stigmatized health-related issues is HIV and AIDS. These were first identified in the early 1980s, though had likely been circulating for some time prior. The reaction among the public was almost immediate fear, paranoia, and revulsion. Many people born prior to 1981 may remember a time “before” HIV; generations born later have never known a world without it.
As of October 2021, the virus still has no cure or vaccine. New medications have hit the market, including pre-exposure prophylaxis (commonly called PrEP for short) which helps HIV-negative individuals prevent contracting the virus from an HIV-positive individual, as well as medications that can reduce an HIV-positive individual’s viral load to an undetectable and untransmittable level.
However, despite innovations that have helped to mitigate the HIV pandemic and extend the lives of HIV-positive individuals, the stigma still exists. Many people living with HIV do not openly and freely disclose their status, such as in the workplace, for fear of discrimination and ostracism. Needless to say, any organization with personally identifiable information on HIV-positive people must be careful to keep their identities secret. Recently in Scotland, one organization failed to do this and paid a heavy price.
Located in northern Great Britain, Scotland falls well outside of American HIPAA regulations—it is, however, subject to British regulations regarding health and data privacy. HIV Scotland—a charity group that aims to prevent further HIV spread, educate the public about the virus, and offer treatment support to individuals with the virus—sent out a mass email to 105 people in February 2021. The organization failed to hide the email addresses, 65 of which contained people’s names.
Given the names within emails, anyone who saw the full list of recipients could have assumed an HIV-positive status of someone else. The United Kingdom’s Information Commissioner’s Office (ICO) investigated HIV Scotland following the incident. In short, the organization was fined £10,000, though the ICO’s findings shed light onto the organization’s poor data security practices and issues with protecting individuals and sensitive information.
The ICO reported that HIV Scotland did not train its staff adequately on such matters, and it had poor methods when sending bulk emails. One of the most alarming revelations was its poor data protection policy, which should have been up to proper standards given the potentially damaging information the charity has on people. What should be the most alarming finding from the ICO is that HIV Scotland recognized risks and understood it needed to improve its system, yet it continued its practices seven months later.
This leak could have had serious fallout for HIV-positive individuals had their status been made public. This story is sadly not isolated. Not long before this incident in Scotland, Mikhy Farrera-Brochez, an American man formerly living abroad in Singapore, threatened to release the names of 14,000 Singaporeans living with HIV he claimed he had accessed from a database. The repercussions for those innocent people could have been severe.
Internal Policy Matters
While the world collectively holds its breath and waits for a cure to permanently end the HIV pandemic, those living with the virus still have their rights to dignity, happiness, longevity, health, and hope. Just as almost anyone would not want his or her medical information exposed, no matter how inconsequential, individuals living with HIV should be afforded the same privacy.
As HIV Scotland showed, an internal data security policy matters. While the charity must have improved email and training policies, it is also important to implement proper restrictions over employees who have access to this information. SecureDrive external portable drives and flash drives are hardware-encrypted, offline storage solutions that keep data safe. All drives have read only mode and time-out lock features.
The BT drives work with Remote Management, which allows additional restrictions over when and where they can be used, as well as unlocking and wiping remotely. As part of an internal data security policy, SecureGuard allows blacklisting and whitelisting individual devices to restrict access to Windows or Mac computers when unauthorized devices are inserted.
To learn how to start your data security system today, contact one of our experts at 424-363-8535.