The price of health care privacy violations

By Kevin Manne

BUFFALO, N.Y. — The health care leaders of tomorrow are willing to violate privacy laws—for a price, according to new research from the University at Buffalo School of Management.

Recently published in JMIR Medical Informatics, the study found that when people feel there’s a good chance they could get caught, they’re less likely to violate HIPAA—the federal law restricting release of medical information. But when medical treatment for their friend or family member is on the line, most will give up another person’s information regardless of the probability of getting caught.

“The health care industry has more insider breaches than any other industry,” says Lawrence Sanders, PhD, professor of management science and systems in the UB School of Management. “Soon-to-be-graduates are the trusted insiders of tomorrow, and their knowledge could be used to compromise organizational security systems.”

The researchers developed five scenarios to determine if monetary incentives could be used to convince people to illegally obtain and release health care information. A pilot study surveyed 64 medical residents and 32 executive MBA candidates to test the constructs, while the main study surveyed 523 students with an average age of 21 who are on the cusp of entering the workforce. 

In the pilot study, just 6% of those surveyed would succumb to monetary incentives to violate medical information privacy laws. But in the main study, 46% said there is a price that is acceptable for violating HIPAA. 

When a personal context is involved, the percentages increase dramatically. In the main study, 79% of respondents said they would give a politician’s medical records to a media outlet in exchange for $100,000 to pay for an experimental treatment for their mother that insurance wouldn’t cover.

“The dark side of the abundance of personal information is that it can be compromised by insiders who know how valuable it is,” says Joana Gaia, PhD, clinical assistant professor of management science and systems in the UB School of Management. “The key to reduce privacy violations like these will be to implement organizational procedures, constantly monitor, and develop educational and training programs that encourage HIPAA compliance.”

Sanders and Gaia collaborated on the study with UB School of Management alumni Xunyi Wang, MS ’16, PhD ’20, assistant professor of information systems in the Baylor University Hankamer School of Business, and Chul Woo Yoo, PhD ’14, associate professor of information technology and operations management in the Florida Atlantic University College of Business.