Sponsored by the HealthcareTrainingInstitute.org providing Quality Education since 1979
Add to Shopping Cart

Ethics... Exoploring Privacy and Confidentiality: Gray Areas
Privacy and Confidentiality in the Therapeutic RelationshipEthics: Exploring Privacy & Confidentiality - Gray Areas!

Section 17
Ethics and The Myth of Patient Confidentiality

CEU Questions 22 - 24 | Ethics CEU Answer Booklet | Table of Contents
Counselor CEUs, Psychologist CEs, Social Worker CEUs, MFT CEUs,Nurse CEUs

The word "confidential" has virtually no meaning for medical or other personal records.

The best thing that health privacy rules offer is the guarantee that further erosions of privacy interests will not take place without public awareness and debate. If we can stop things from becoming worse, that will be a significant accomplishment.

Robert Gellman is a Washington, DC-based privacy and information policy consultant and former chief counsel to the House of Representatives subcommittee on information, justice, transportation, and agriculture.

In announcing the publication of draft health privacy regulations, President Clinton described the objective of the proposal as protecting the "sanctity of medical records." He said, "We owe it to our families to protect their privacy in the most comprehensive way possible." The rhetoric from the President is similar to statements that other politicians and policymakers routinely make about the vital importance of confidentiality in the relationship between physician and patient.

There is just one problem. Medical records are not confidential, and they haven't been confidential for decades.

In fact, the word "confidential" has virtually no meaning for medical or other personal records. Banks tell customers that depositor records are confidential. But the banks give the records -- without any notice to customers and without customer consent -- to the Internal Revenue Service, credit bureaus, bank regulators, courts, lawyers, auditors, process servers, police, and maybe even telemarketers. Federal law also protects the confidentiality of student records, but the records can still be disclosed without notice or consent to the Secretary of Education, school officials with "legitimate educational interests," the Comptroller General of the United States, state educational authorities, banks in connection with student loan applications, educational researchers, accreditation organizations, and others.

Medical records have the same pattern of widespread use. If you are hospitalized, hundreds of hospital employees may see some or all of your records. Records may be shared with labs, x-ray facilities, nursing homes, physical therapists, pharmacists, and others involved in treatment. At each institution, computer operators, lawyers, and accountants can access records. If you have third party insurance, bills will be sent to claims processors and clearinghouses before the bills reach your insurer. If your employer pays for your health insurance, then the employer may be able to obtain your treatment records. Records are also routinely shared with or used by public health authorities, medical researchers, dozens of government agencies at the federal, state, and local levels, schools, courts, fraud and abuse investigators, cost containment managers, outcomes researchers, licensing and accreditation organizations, police, coroners, and others. Some records are routinely sent overseas for transcription.

Medical records are simply not confidential. Indeed, of all the records about individuals maintained by third party recordkeepers -- banks, schools, employers, supermarkets, marketers, credit grantors, government agencies, and others -- medical records are probably the most widely shared. The routine sharing of patient records is an essential feature of the culture of the medical establishment in the United States. Most disclosures occur without notice to patients and without any patient consent. Most individuals are completely unaware of the routine sharing of health records, and even many health professionals still think that records are private.

Will privacy legislation help? Maybe. However, just about every community of medical record users has asked for some type of exemption from any health privacy rules. Every user believes that its function is so vital and so important that no barriers to access and use should be erected. Of course, every institution is willing to have a law that applies to others. Everyone believes in privacy. But no one in the user community wants to be affected by a privacy law.

Neither the privacy rules announced by the President nor any of the legislative proposals floating around Capitol Hill will make any material change in the routine disclosure of patient records. The proposals establish disclosure rules and procedures, but it is difficult to identify any major set of current disclosures that would be prohibited by proposed laws or regulations. Even stronger rules are likely to make changes only at the margins, although marginal improvements in privacy protection will still be welcome.

This is not to say that the regulatory or legislative efforts are useless. We need fair information practices to govern the maintenance, use, and disclosure of medical records. However, we are not going to get anywhere if the goal is to preserve the "sanctity" of the records. We have made too many decisions that require the sharing of records to act like we can preserve the illusion of confidentiality. We need to be more honest with the public. We need to lower expectations.

We can no longer promise that medical records will be confidential. We effectively abandoned the notion of confidentiality when we decided to have third party payment for health care, fraud and abuse controls, and public health protections. These and other health care institutions developed without any consideration to the consequences for privacy. The best thing that health privacy rules offer is the guarantee that further erosions of privacy interests will not take place without public awareness and debate. If we can stop things from becoming worse, that will be a significant accomplishment.

Another result of privacy rules should be to restrict the current "worst practices." Pharmacies and other providers should be prohibited from giving patient information to marketers without patient consent. Prosecutors should be prevented from making public filings of patient records in fraud and abuse prosecutions of physicians. Employers should be prevented from obtaining medical records for cost containment and then sharing the data with an employee's colleagues or supervisors. These activities fall within a gray zone today, and the lines need to be sharper so that these specific abuses stop.

Technology is sometimes cited as the real threat to privacy or as the savior of privacy. It is easier to exploit records. The truth is that technology makes things better and worse at the same time. Technology makes it easier to exploit records, and the technological imperative is that anything that can be done profitably must be done. That is the real threat of technology. Activities that were unthinkable, unethical, and unprofitable ten years ago, like marketing, are becoming more routine, because technology allows for easy manipulation of data, and because the activities promise profits. Health plans and even some health care providers are happy to share records for the right price.

At the same time, however, we can also use technology to provide greater protection for records. Electronic records permit the sharing of information by the byte rather than the megabyte. Computers make it easier to slice and dice electronic records so that users can receive only the data fields that they really need, and identifying information can be left behind. It would be wonderful to conclude that technology allows for the greater use of deidentified records. That would be the free lunch of health privacy -- more record sharing without any threat to patient privacy.

To some extent, better information technology may help to limit data sharing, but a free lunch is highly unlikely. So much data about individuals is available in public and private files that almost all patients can be identified no matter how much detail is removed from their records. The nonidentifiable patient record, like health confidentiality itself, is a privacy myth. But, it is a myth to be debunked on another day.

Released: November 22, 1999 Information Impacts Magazine, http://www.cisp.org/imp/november_99/11_99gellman-insight.htm © Copyright 1999. Robert Gellman.

Online Continuing Education QUESTIONS 22, 23, & 24
We effectively abandoned the notion of confidentiality when we decided to have
To select and enter your answer go to Ethics CEU Answer Booklet.

Personal Reflection Exercise #5
The preceding section gave examples regarding how “the word ‘confidential’ has virtually no meaning.” Compare the ideas in this section with the preceding Section #4 which “idealized” confidentiality in a Consumer Alert. With the more realistic view of confidentiality presented in this section, how could the Consumer Alert in Section #4 be revised? Or should it be revised? What do you think?

Others who bought this Ethics Course
also bought…

Scroll DownScroll UpCourse Listing Bottom Cap

Ethics CEU Answer Booklet for this course
Forward to Section 18
Back to Section 16
Table of Contents

CEU Continuing Education for
Counselor CEUs, Psychologist CEUs, Social Worker CEUs, MFT CEUs, Nurse CEUs
Ethics: Exploring Privacy & Confidentiality - Gray Areas!

OnlineCEUcredit.com Login

Forget your Password Reset it!