|Sponsored by the HealthcareTrainingInstitute.org providing Quality Education since 1979|
Ethics... Exoploring Privacy and Confidentiality: Gray Areas
While there are a variety of beneficial uses of medical records, when one reviews them all together, it is staggering just how many persons, agencies and interests are permitted access to and use of patients' private medical records. The public has become increasingly distrustful of a variety of social institutions, including government, employers, and insurers, as a result of the exploitation of their medical records and medical information. This distrust undermines the goals of providing health care in a number of ways, including less than full candor by patients to their providers, deliberate deception by patients to providers, and avoidance strategies, all of which result not only in lower quality health care for the patients themselves, but in lower quality data in the medical records. Through the incremental encroachment on and dismantling of the privacy of medical records over the years, our society has lost respect for the autonomy of each person to determine for themselves what projects and practices they wish to participate in. We have traded bit by bit our respect for privacy for the incremental goods of violating it -- goods that are often as much private and proprietary as they are public.
The National Coalition for Patient Rights believes that nothing short of a radical rethinking of the confidentiality of the medical record and respect for patient privacy is in order. With the exception of genuine public health investigations, all secondary interests in accessing the medical record must submit to the sovereignty of the individual to determine for him or herself what uses of the medical record are appropriate. This can be accomplished only by means of federal legislation which sets a legislative floor that guarantees to all citizens a right to the privacy of their medical information. Following from the discussion in the previous chapter, we recommend that such legislation should include the following provisions.
Recommendation 1: Medical records should be maintained as confidential and private for the purpose of the clinical benefits of the patient. Disclosure of medical records outside the context of clinical care requires the consent of the patient.
Recommendation 2: The right of patients to determine what information in their medical records is shared with other providers and other institutions and agencies should be recognized both by law and by institutional policy. Patients who wish not to disclose medical information to other health care providers that may be important in their medical care should be counseled about the risks of nondisclosure and sign an acknowledgment of their being warned.
Recommendation 3: Patient's should have the legal right to review and copy their medical records. Patient access to medical records should be facilitated by providers, and charges to patients limited to the cost of copying. Institutions should develop clear policies and procedures for patients to correct and amend errors in the medical record. Patients should have the right to review the audit trails of who have accessed their medical records and for what purposes.
Recommendation 4: Third party payers of medical services should be required to specify in advance the medical information they require to assess claims and manage medical care. Public notice should be made to patients of the kinds of medical information that will be requested from their providers. Physician notes should not routinely be disclosed to third party payers, and consistent with the Supreme Court's decision in Jaffe v. Redmond, psychotherapist notes should never be disclosed to third party payers. Patient consent should be required before medical records are transferred to or patients are enrolled in disease management programs. Disease management programs should be based on sound clinical research and arranged through the patient's own health care provider.
Recommendation 5: Third party payers should be held accountable to the same standards of privacy and confidentiality as are medical care providers. Third party payers should be limited in their use of medical records to the terms specified in the patient consent to release medical records. No disclosure by third party payers to any other party may be made without the written, freely-given consent of the patient, i.e., participation in the health plan or other benefits should not be contingent upon patient consent to further disclosures. Patients of third party medical payers should have the right to review and copy the medical records held by these organizations, and to review the logs of who has had access to their records and for what purposes. Third party payers should establish procedures for patients to correct errors in their medical information.
Recommendation 6: The psychotherapeutic relationship is of such sensitivity as to require special recognition as a domain of absolute privacy. Records and notes of psychotherapy sessions should always remain confidential and third parties should be prohibited by law from demanding their disclosure for any reason. For reimbursement purposes, only the minimal amount of information should be disclosed to process claims.
Recommendation 7: Research involving medical records must either be conducted with the freely given, informed consent of patients, or with blanket consent which delegates to a Medical Records Review Board (MRRB) the authority to waive further consent. The MRRB should be constituted by at least a majority of community members (individuals not employed by or otherwise affiliated with the institution) in addition to appropriate scientific, medical and allied health personnel and administered by the Medical Records Trustee. MRRB decisions not to grant a waiver of informed consent should be final. The MRRB should insure that the confidentiality of patient information is protected as it passes through a research protocol, that the information is not used for other purposes without explicit MRRB approval, and that the purposes of research will not be reasonably objectionable to the patient populations involved.
Recommendation 8: All health services research that relies on personal medical information should be reviewed, approved, and overseen by an institutional Medical Records Review Board, with the Medical Records Trustee being the main point of contact for both patients seeking information about these research/evaluation projects, and for those people conducting the research and/or evaluation projects.
Recommendation 9: Each clinical institution maintaining medical records has the responsibility to safeguard their confidentiality by minimizing access to medical records to those individuals whose "need to know" is of clinical benefit to the patient or is otherwise consented to by the patient. Institutions should employ encryption schemes and password protection, and log each access to or modification of the medical record (e.g., computerized audit trails). Institutions should develop auditing programs to ensure that access to and use of medical records is appropriate and take appropriate punitive measures when it is not. Patients should have the right to limit access to particularly sensitive information.
Recommendation 10: Each health care institution maintaining medical records or medical information should designate a "Medical Records Trustee" responsible for promulgating and enforcing institutional confidentiality and privacy policies, and ensuring compliance with the law. The Medical Records Trustee shall be the final responsible authority for granting any and all access to medical records and information within the institution. The Medical Records Trustee should also be responsible for making notification to patients and the general public of the institution's policies for protecting patient privacy and confidentiality of their medical records.
Recommendation 11: Public health investigations in which an imminent danger to the health of individuals or communities is at stake, should be permitted to access private medical records as necessary and as provided for under current law. The consent of patients is not necessary, but patients should be notified by their providers that their records may be opened to public health authorities. When providers make legally mandated disclosures to public health authorities, they should be required to inform the patient of this requirement at the time the condition is discovered.
Recommendation 12: In general, employers should not have access to clinical medical records. These records should be segregated from all other personnel-related information, and be used only in the benefits determination process (and only where the employer is a self-insurer). Employers should be barred from using this information for employment, promotion and other personnel decisions, and provide notification to all employees and prospective employees of what information they collect and for what purposes. Employers with access to medical records should be barred from disclosing this information to other parties, and should maintain audit trails of who has accessed the records and for what purposes, and made available to the employees.
Recommendation 13: Health care institutions maintaining medical records should notify the public and patients individually of the offices and functions which have access to their medical records. Institutions should also prominently display their policies on maintaining confidentiality of medical records. The name, address, and phone number of the Medical Records Trustee should be provided to all patients.
Recommendation 14: Proposals to create systems designed to link private medical information or otherwise collate medical record information, such as the Unique Patient Identifier or the Master Patient Index, should not be implemented without explicit patient informed consent. Patients should always have the freedom to determine for themselves what medical information may be collated together and for what purposes.
Recommendation 15: Law enforcement access to medical records should be limited to court order. When records are thus obtained, they should contain only the minimal amount of information necessary to fulfill the purpose for which they were sought. Moreover, law enforcement officials should maintain the confidentiality of the information they obtain and should only allow the least number of people access as is absolutely necessary. Under no circumstances should personal medical records become part of an open court record, where the patients are not parties to the court proceeding. In the limited case of health care fraud investigations, anonymous records should be used to assess patterns of fraudulent billing, with identified information used only where specific instances of fraud are suspected.
Online Continuing Education QUESTIONS
17, 18, 19, & 20
Others who bought this Ethics Course