Physicians have always had a duty to keep their patients' confidences. In essence, the physician's duty to maintain confidentiality means that a physician may not disclose any medical information revealed by a patient or discovered by a physician in connection with the treatment of a patient. In general, AMA's Code of Medical Ethics states that the information disclosed to a physician during the course of the patient-physician relationship is confidential to the utmost degree. As explained by the AMA's Council on Ethical and Judicial Affairs, the purpose of a physician's ethical duty to maintain patient confidentiality is to allow the patient to feel free to make a full and frank disclosure of information to the physician with the knowledge that the physician will protect the confidential nature of the information disclosed. Full disclosure enables the physician to diagnose conditions properly and to treat the patient appropriately. In return for the patient's honesty, the physician generally should not reveal confidential communications or information without the patient's express consent unless required to disclose the information by law. There are exceptions to the rule, such as where a patient threatens bodily harm to himself or herself or to another person.
The AMA's ethical guidelines are not binding by law, although courts have used ethical obligations as the basis for imposing legal obligations. Moreover, maintaining patient confidentiality is a legal duty as well as an ethical duty. A physician's legal obligations are defined by the US Constitution, by federal and state laws and regulations, and by the courts. Even without applying ethical standards, courts generally allow a cause of action for a breach of confidentiality against a treating physician who divulges confidential medical information without proper authorization from the patient.
Despite these ethical and legal obligations, access to confidential patient information has become more prevalent. Electronic health information systems allow increased access to and transmission of health data. Physicians in integrated delivery systems or networks now have access to the confidential information of all the patients within their system or network. Confidential information also is disseminated through clinical repositories and shared databases. Sharing this information allows patients to be treated more efficiently and safely. The challenge for physicians is to utilize this technology while honoring and respecting patient confidentiality.
What is a breach of confidentiality?
A breach of confidentiality is a disclosure to a third party, without patient consent or court order, of private information that the physician has learned within the patient-physician relationship. Disclosure can be oral or written, by telephone or fax, or electronically, for example, via e-mail or health information networks. The medium is irrelevant, although special security requirements may apply to the electronic transfer of information.
The legal basis for imposing liability for a breach of confidentiality is more extensive than ethical guidelines, which dictate the morally right thing to do. Although current law in this area has been referred to as "a crazy quilt of state and federal law," protecting patients' confidentiality is the law of the land. Included in the patchwork are federal and state constitutional privacy rights, federal and state legislation and regulation governing both medical records and licensing, and specific federal and state legislation designed to protect sensitive information (e.g., HIV test results, genetic screening information, mental health records, and drug and alcohol abuse rehabilitation information).
Patient consent to release confidential or privileged information
The general rule regarding release of a patient's medical record is that information contained in a patient's medical record may be released to third parties only if the patient has consented to such disclosure. The patient's express authorization is required before the medical records can be released to the following parties: the patient's attorney or insurance company; the patient's employer, unless a worker's compensation claim is involved; a member of the patient's family, except where the family member has been appointed the patient's attorney under a durable power of attorney for health care; government agencies; and other third parties. Some state laws expressly allow disclosure to any person upon consent of the patient. Other state laws permit release on patient consent only to specified classes of persons. Further, once the patient has given consent to release the record, the disclosure requirement may be mandatory for the holder of the medical record or merely permissive.
HIPAA has created additional patient confidentiality considerations. Under the privacy regulations, covered entities may usually release protected health information without authorization only to facilitate treatment, payment or health care operations. Visit the AMA's HIPAA Web page for further information.
Managed care organizations (MCOs) frequently require members to sign a general release form on enrollment in the plan. These forms authorize the release of medical information to the MCO. Typical language used in a release might be "that any provider may furnish the MCO such medical information as may be required and that the member acknowledges the MCO's right to conduct a professional utilization review program of health services and to coordinate benefits and/or reimbursements with other health or insurance programs." Before forwarding medical records to an MCO, utilization review program or other health program, physicians, hospitals, and others should get a signed copy of the patient's release of medical records.
Who can consent to the release?
Who may grant permission to release medical record information is likewise governed by state law. Generally, the authority to release medical information is granted to: (1) the patient, if a competent adult or emancipated minor; (2) a legal guardian or parent, if the patient is incompetent or a minor child; and (3) the administrator or executor of the patient's estate, if the patient is deceased. The patient's right to authorize release of medical records is codified in many state statutes. These statutes all state that medical records are confidential and cannot be disclosed, except in specifically provided circumstances. However, the extent of the patient's right to access varies from state to state. Some states allow the health care professional or provider to determine the patient's right of access. In comparison, some states expressly grant patients access to the medical information contained in their medical records.
What has to be in the release?
Typical elements of a valid general release include:
- Patient's name and identifying information;
- Address of the health care professional or institution directed to release the information;
- Description of the information to be released;
- Identity of the party to be furnished the information;
- Language authorizing release of information;
- Signature of patient or authorized individual; and
- Time period for which release remains valid.
Some state laws add other elements, such as specifying on the form the reasons for disclosure or a caveat that the authorization may be revoked.
Failure to get the appropriate release for medical records may have serious results. Twenty-one states punish disclosure of confidential information by revoking a physician's medical license or taking other disciplinary action.
Implied consent and public policy exceptions or required disclosures
A patient's consent to disclosure of confidential information contained in a medical record may also be implied from the circumstances. For example, medical personnel directly involved in a patient's care or treatment generally have access to the medical record. Even if the patient has not expressly authorized disclosure of his or her medical record, such consent is implied from the patient's acceptance of treatment or hospitalization. Consent is also implied when a patient is transferred from one health care practitioner or facility to another. In such circumstances, disclosure of confidential patient information may be necessary to ensure continuation of patient care or treatment. State and federal statutes may also authorize or require disclosure of medical records to health care professionals or providers involved in the patient's treatment or upon transfer of the patient from one facility to another.
Safeguarding patient confidences also is subject to certain exceptions that are ethically and legally justified because of overriding social considerations. If there is a reasonable probability that a patient will inflict serious bodily harm on another person, for example, the physician should take precautions to protect the intended victim and notify law enforcement authorities. Communicable diseases and gunshot and knife wounds should be reported as required by applicable statutes or ordinances. Thus, the physician's duty of confidentiality at times must give way to a stronger countervailing societal interest.
General management safeguards and security tips
Physicians should have their contracts with system vendors, consultants, and all health care providers participating in a data repository reviewed by an attorney. They should also have comparable confidentiality and security policies; implement security controls over sensitive patient information (e.g., HIV status, pregnancy termination, and history of mental health problems or drug and alcohol abuse); maintain good system security; and train staff and secure agreements concerning confidentiality and security. It is also advisable to have security experts periodically assess the security of the clinical data repository and require that users who access the information sign appropriate user agreements.
Physicians should set up office procedures to prevent the release of medical records without a copy of the patient's release. The system could be as simple as attaching an office form to any request for medical records. The form would have a checklist indicating date of receipt of the request, date of receipt of the copy of the patient's release form, and date that the medical records were authorized to be sent to the requester.
Why protecting patient confidentiality is still important
Ethics and laws regarding confidentiality evolved long before the information highway was envisioned. The old laws and ethical precepts do not always fit neatly with today's computerized systems. Given the difficulties with compliance, some physicians and networks have only paid lip service to protecting patient confidentiality. This approach is short-sighted and unwise. The law will gradually catch up with the new system and seek to protect confidential patient information. In the interim, physicians should attempt to protect information to the extent possible and to comply with the "crazy quilt" of federal and state laws.
Physicians should inform patients of the limits of confidentiality protections and allow the patients to decide whether treatment outweighs the risk of the disclosure of sensitive information. A patient expects to have his or her privacy respected by the physician and should not be disappointed. If a record must be released, the patient should sign an appropriate release authorizing the disclosure of information in the medical record. General releases will not suffice for records containing HIV or other sensitive material.
Physicians should become familiar with laws involving the duty to maintain confidentiality. Any breach in confidentiality—even one that seems minor—can result in mistrust and, possibly, a lawsuit and/or disciplinary action.