The unintended consequences of privacy protection
March 6, 2019
Healthcare professionals and organizations are continually challenged to comply with federal patient privacy regulations while providing the highest quality care.
“Often, the two goals are at odds,” said Paul Benjamin Lowry, the Suzanne Parker Thornhill Chair Professor in the Pamplin College of Business. Lowry received the 2018 Operational Research Society’s Stafford Beer Medal, together with three co-authors, for a groundbreaking study on organizational privacy. The medal recognized their paper, published in 2017, which was judged the best paper.
While previous research focused primarily on the intended consequences of policies put in place to safeguard privacy, Lowry’s study is the first to also look at unintended consequences, which can be catastrophic.
“For example,” said Lowry, “if information needed by healthcare professionals to reach critical clinical decisions is unavailable due to tight access controls, a patient may be incorrectly treated and even die as a result. This would be a dire, unintended consequence of privacy safeguards.”
One chief privacy officer participating in the study emphasized that he would much rather explain to the Office for Civil Rights (of the U.S. Department of Health and Human Services) why a hospital employee inappropriately accessed information using another person’s login than explain to family members that he could not save their loved one because of privacy regulations.
Lowry said that facing an “imbalance challenge” like this — where the unintended consequence outweighs the intended consequence of privacy safeguard enactment — a healthcare professional may be forced to develop a workaround that actually harms the original goal of data privacy.
Studying unintended consequences
The study also reported desirable unintended consequences, including benefits like standardization of work processes and better accountability.
Data for the study was gathered through qualitative interviews with participants who had expert knowledge in privacy practices and held key positions in hospitals, such as chief executive officers, chief information officers, chief privacy officers, and chief medical information officers. After initial analysis, the researchers expanded their target to other healthcare organizations and professionals, including the U.S. Department of Health and Human Services, associations, IT providers, and privacy consultants.
In the study, designed to gain an in-depth understanding of the actual outcomes and implications of privacy safeguards in healthcare organizations, the researchers were able to distinguish between organizations where leaders were not aware of the unintended negative impacts and organizations where leaders were aware of them and accounted for the imbalance challenge in how they responded to privacy threats.
“When we asked unaware leaders how they measured the effectiveness of their safeguards, they indicated that there were no formal metrics in place to assess the impacts and consequences, intended or unintended, of enacting privacy safeguards. Instead, they relied on the number of complaints or reported privacy breaches as an indication of effectiveness,” said Lowry.
A preliminary benchmark
He said that once these same leaders became aware of the unintended adverse impacts, they considered revisiting their safeguards to account for the imbalance challenge.
“Our study has created a preliminary benchmark by which healthcare executives can better account for unintended consequences and ultimately achieve privacy compliance,” Lowry said.
“The extent to which we can learn to better address the imbalance challenge and workarounds that occur in healthcare organizations, and thus learn how to thwart them, the better it is for protecting patients’ privacy.”
Lowry said that the theoretical framework they developed will also serve as a guide for other scientists studying privacy in a healthcare setting.
– Barbara Micale