As noted on the AMA website under “legal issues” (http://www.ama-assn.org/ama/pub/category/4610.html) patient confidentiality is and has always been a matter of concern.
We physicians have always had a duty to maintain a patient’s confidences. Our responsibility is not to disclose any medical information revealed by a patient or discovered in connection with the treatment of a patient. In general, AMA's Code of Medical Ethics states that the information disclosed to a physician during the course of the patient-physician relationship is confidential to the utmost degree In order to allow the patient to feel free to make a full and frank disclosure of information to the physician with the knowledge that the physician will protect the confidential nature of the information disclosed. Full disclosure enables the physician to diagnose conditions properly and to treat the patient appropriately
Courts have used ethical obligations as the basis for imposing legal obligations. A physician's legal obligations are defined by federal and state laws and regulations, and by the courts. Even without applying ethical standards, courts generally allow a cause of action for a breach of confidentiality against a treating physician who divulges confidential medical information without proper authorization from the patient.
The electronic medical record is being scrutinized by physicians, patients, legislators, accrediting bodies and by lawyers after the public disclosure of high profile breaches in confidentiality.
Electronic health information systems allow increased access and transmission of protected health data. Confidential information is disseminated through clinical repositories and shared databases. Although the sharing of this information allows patients to be treated more efficiently and safely, breaches do occur. I have discovered a website that lists 28 pages of “Health Privacy Stories” (http://www.healthprivacy.org/usr_doc/Privacystories.pdf), here are just a few related to the EMR:
· Kaiser Permanente announced that a laptop computer containing names, membership identification numbers, dates of birth, gender, and physician information on 38,000 was stolen in the Denver area in early October from a car belonging to a Kaiser Permanente employee in California. Rocky Mountain News, November 29, 2006)
· Two computers containing health records on participants in Indiana's Breast and Cervical Cancer Program were stolen from a Jeffersonville health clinic, leaving more than 7,500 Indiana women at risk of identity theft, according to the Indiana Department of Health. Data stored on the computers may include names, addresses, Social Security numbers, medical information or other data. Associated Press, November 27, 2006)
· The Government Accountability Office said it discovered 47 weaknesses in the computer system used by the Centers for Medicare and Medicaid Services to send and receive bills and to communicate with health care providers. The agency oversees health care programs that benefit one in every four Americans. Its massive amount of data is transmitted through a computer network that is privately owned and operated. However, CMS did not always ensure that its contractor followed the agency's security policies and standards, according to the GAO report. "As a result, sensitive, personally identifiable medical data traversing this network are vulnerable to unauthorized disclosure," the federal investigators said. The network handling Medicare claims transmits extremely personal information, such as a patient's diagnosis, the types of drugs the patient takes, plus the type of treatment facility they visited, including treatment centers for substance abuse or mental illness. (Freking, K., Auditors: health records at risk, Associated Press, October 3, 2006)
· Providence Health Systems agreed to reimburse the state of Oregon more than $95,000 in costs as part of a deal to settle a nine-month invetigation into the largest data breach ever reported in Oregon. Medical records of 365,000 patients, stored on computer disks and digital tape, were in a car stolen from a Providence home services employee. The data was not encrypted. The theft revived efforts to enact stronger privacy protections in Oregon and spurred some patients to back a class-action lawsuit seeking damages from Providence. (Rojas-Burke, J., Providence settles data breach, The Oregonian, September 27, 2006)
· New York City's public hospital system will suspend 39 employees without pay for peeking at the private medical records of a 7-year-old girl, who died in Brooklyn in January from beatings and torture, become a tabloid and TV news sensation, and dozens of workers at the Woodfull Medical and Mental Health Center apparently couldn't resist looking at the child's computerized medical file. The suspensions will last from 30 to 60 days, and each of the sanctioned employees will be required to undergo training in patient privacy rules before they return to work. (Caruso, D., PryingN.Y. hospital workers suspended, Washington Post, September 25, 2006)
A breach of confidentiality is a disclosure to a third party, without patient consent or court order, of private information that the physician has learned within the patient-physician relationship. Disclosure can be oral or written, by telephone or fax, or electronically, for example, via e-mail or health information networks. The medium is irrelevant, although special security requirements may apply to the electronic transfer of information. The legal basis for imposing liability for a breach of confidentiality is more extensive than ethical guidelines, which dictate the morally right thing to do. HIPAA has created additional patient confidentiality considerations. Under the privacy regulations, covered entities may usually release protected health information without authorization only to facilitate treatment, payment or health care operations.
Medical personnel directly involved in a patient's care or treatment generally have access to the medical record; such consent can be implied from the patient's acceptance of treatment or hospitalization. For physicians the EMR overlaps both ethical and legal confidentiality issues. Breaches in confidentiality are neither novel, nor are they exclusive to the EMR. The increased surveillance (some might say paranoia) of breaches and the headline reporting have brought the issue front and center. Physicians need to inform patients of the present limits of confidentiality protections, but also must clearly address the benefit to patient care and safety that the EMR can add. Despite the great advances in the electronic medical record and the emergence of viable personal health records our progress threatens to be derailed by highly publicized and gross breaches in patient confidentiality. Without a doubt, the next impediment will be an onslaught of lawsuits and class-action suites should the legal profession smell blood in the water.
No great deed, private or public, had ever been undertaken in a bliss of certainty.
Leon Wieseltier,
