Being a Princess is No Fairytale: Catherine, Princess of Wales experiences PHI data breach.

By Lisa Prior, healthcare marketing expert and Co-founder of Confluence Healthcare Marketing

Earlier this week I read several reports of an investigation launched at the London Clinic due to claims that staff attempted to access a patient’s private medical records. Specifically, it's alleged that at least one staff member tried to access Catherine, the Princess of Wales' medical notes while she was a patient at the clinic for abdominal surgery in January. I felt such a sense of dismay because the Princess did not disclose the reason for her surgery and expressed her desire for her personal medical information to remain private in a statement released by Kensington Palace. My healthcare colleagues and I have been outraged by the calls by some members of the British public that as a working royal Kate’s health information should be released to the public. By that same line of reasoning, anyone paid by the public purse would forfeit their right to healthcare privacy.

The Call is Coming From Inside The House

Having worked in hospital marketing for over 5 years, I have learned that the most egregious hospital privacy breaches start in-house, when a member of staff accesses patient records that are outside of their remit or where information is used inappropriately by a person that has authorized access to a patient’s protected health information (PHI). Either way, this professional form of voyeurism is abhorrent. While these transgressors make up a very small percentage of what is a very conscientious workforce, all it takes is one incident to unravel a carefully nurtured reputation, not to mention the hard work it takes to build it back.

Bad Optics vs. Bad Ethics

Beyond the PR fallout is the very real assault on the human soul receiving the medical care. The victim of this kind of ethical violation may experience overwhelming fear, anger, shame or anxiety wondering who was looking and who & how they may have shared it with others.

Marketing teams tend to focus on the bad optics and issue boilerplate statements expertly crafted by hospital or clinic attorneys to try and limit the damage. But where does that leave the patient? I can’t imagine how violated Kate Middleton feels knowing that there was someone waiting in the wings to sell the scoop that has been fueling column inches in the tabloid media. A good healthcare marketing team will have the chops to balance optics with ethics. A race to kill the story can backfire if it fails to take on the challenge of re-sowing the seeds of trust with the truth, however bitter the medicine.

Read the blog: The Vital Role of Crisis PR in Healthcare: Safeguarding your organization’repute

To Trust or Not to Trust, That Is the Question

Healthcare is one of the most intimate relationships a human will ever have with a stranger. We will tell our doctor, nurse or clinician things that we would not reveal to a family member or close friend. And when we are sick or injured we are at our most vulnerable, giving ourselves over to the care of another in complete trust, because we must.

I speak from a position of authority on this subject, having been operated on by a surgeon in the hospital where I was working. About a year after my accident, I was in the surgical unit with a camera crew getting some behind the scenes b-roll for a TV spot. Between shots I had the opportunity to watch my surgeon perform a similar procedure on a patient. At the end of the surgery the patient’s gurney was wheeled back to the anesthesiologist who was stationed next to the OR theater window where I was watching. Casting my eyes on the patient I experienced what I can only call a moment of grace; I felt such humility to be with him in this most vulnerable moment. Trust is every bit as precious as the patient because the two are entwined.

Healthcare Privacy Is a Fundamental Right for All

Just like Healthcare Privacy and Accountability Act (HIPAA) protects people receiving medical care in the United States, the United Kingdom has a stringent healthcare privacy policy, and it applies to everyone, whether a public figure or not. The attempted misuse of the Princess of Wales healthcare records underscores the importance of maintaining patient confidentiality and respecting privacy rights, regardless of one's status in society.

HIPAA Violations and Sanctions

There are many types of HIPAA violations, and some happen accidentally with no malintent and no severe repercussions for the patient. According to TotalHIPAA.com, The HIPAA Sanction corresponds with the type of violation, and the following factors should be taken into consideration when classifying the level of the violation:

• Was the PHI disclosure intentional?

• Was the violation a single incident or a pattern of behavior?

• Did the offender simply expose information? Or, did they use someone’s PHI for a specific purpose, like personal monetary gain?

Employers may find it difficult to enforce sanctions on employees who break the rules. However, it is important to do so consistently for the well-being of the company.

First Do No Harm, Or Else

If I had it my way, violators that set out to harm a patient’s reputation or profit from their PHI would be slapped with a lifetime ban from working in healthcare and put on the HIPAA equivalent of the National Sex Offenders Registry. That would make someone think twice before taking an unsanctioned gander. As a marketing professional, I understand that a practice’s or hospital’s response to any HIPAA violation needs to protect the organization and rebuild trust in the community. This requires a straightforward approach to rebuild good faith that also is sensitive to the patients and staff at that organization. The protection of every human soul—mind, body and spirit is paramount.

Read the article in British newspaper, The Independent: Hospital staff where Kate had surgery ‘tried to access her medical records’