What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread, I will keep to myself . . .
The Oath of Hippocrates
The central storage and easy accessibility of computerized data vastly increase the potential for abuse of that information, and I am not prepared to say that future developments will not demonstrate the necessity of some curb on such technology.
Justice William Brennan, Whalen v. Roe, 429 U.S. 589, 607 (1977) (Brennan, J. concurring)
When the chairman of the Walt Disney Company - Michael Eisner - suffered heart problems, he registered in a hospital under an assumed name, fearful of the impact a disclosure of his illness would have. He did not want to submit his medical bills to his company's insurer. Political foes of Daniel Ellsberg, who leaked the Pentagon Papers to the New York Times, broke into Ellsberg's psychiatrist's office to gain access to potentially damaging information. In a recent Harris poll, most consumers expressed feeling uncomfortable with the increased collection and use of their personal information and they sense a loss of autonomy.
Today, individual health and medical data can be collected, collated, stored, analyzed and distributed in unprecedented quantities and put to diverse uses. Payers can not only tap patient data for claims payment; they use it for utilization review, underwriting and coverage decisions. Employers use health data to reduce their health care and workers compensation costs, as well as to identify employees who may be costly in the future. Health care providers use the data for research, to collect reimbursement, coordinate diagnosis and treatment, conduct quality assurance and monitor other providers. Clinical data repositories and management systems will likely reduce health care costs and improve patient care.
Clinical data management (CDM) also presents significant patient privacy and confidentiality issues, among others, which executives and planners must recognize. Understanding these issues ensures that CDM systems are effective without exposing their hosts and users to liability.
Risks Exemplified
Consider the following:
Successfully identifying which of the above scenarios expose the CDM system's host or its partners to liability for invasion of privacy, defamation or a statutory violation is difficult, at best. Some of the above examples are based on actual circumstances where allegations of invasions of privacy and defamation have been successfully prosecuted against providers and employers, albeit in a paper record environment.
The Law: Too Much or Too Little Protection?
Current federal and state statutes and case law represent an erratic, non-uniform morass of regulation of privacy and confidentiality protections. Thus, the above practices may be lawful in one state, but not another, or alternatively may be lawful under state law but illegal or tortious under a federal statute. The interstate reach of evolving and mature CDM systems may implicate the host and its partners/users in risky, if not illegal, practices. Private and legislative efforts have been proposed to standardize and increase patients', employees' and insureds' privacy protections in their health records. The physician-patient relationship and physicians' ethical obligations proscribe uses of data which are unrelated to the diagnosis or treatment of individual patients.
It is uncertain how privacy laws apply to non-health care providers. It is also unclear whether the dissemination of patient-identifying information to a non-health care provider is permissible without a concomitant purpose involving treatment, quality assurance, or claims payment.
The disclosure of aggregate, anonymous patient data does not implicate the privacy concerns that apply to patient-identifiable information. Consequently, potential prohibitions against such disclosure should evaporate. However, no relevant cases or statutes addressing this issue have been uncovered and CDM system planners should tread carefully.
The Contours of Informational Privacy Rights
Definitions of privacy and confidentiality rights have largely depended upon the definitions of a medical record and decisions about who owns it. A useful general definition of a medical record is any data which are collected and used to diagnose or treat a patient's health problems.
A plethora of state statutes, case law and federal laws regulates the ownership and use of patient medical records and data. Some statutes and common law doctrines apply to any medical records stored in any medium; others appear to have no application to electronically-stored records. Still others apply only to records created and maintained by certain types of providers.
Those laws which do exist seek to protect individual privacy by limiting or prohibiting the disclosure of information which may identify an individual or which may publicly disclose private facts about an individual. The applicable federal laws, such as the Privacy Act, largely regulate permissible uses by government agencies and employees, or uses of certain narrowly-defined types of medical information. Very few state laws have universal applicability, concentrating instead on certain types of information (e.g., HIV test results) or certain types of providers. But the single most generalizable characteristic of the current body of law on medical record privacy and confidentiality is that it is not uniform and is often contradictory.
Under most state laws, the originator or creator of a medical record generally owns the record. This ownership, however, is almost universally subject to a patient's interests in the information contained within the record. In other words, the patient has the right (though not always absolute) to limit or otherwise define the disclosure. He may compel the dissemination of the information or she may require that the information not be disclosed, subject to many exceptions.
In the CDM environment, where no single entity creates the record, it is unclear with whom the record's ownership rests. It is also unclear, as non-treatment related data are included in patient records and as derivative records are created, just what constitutes the patient's medical record.
The bundle of privacy rights is based upon ethical, common law and statutory requirements - all of which protect one's autonomy or privacy in one's medical information. It is helpful to understand these rights as what some commentators have termed "information privacy rights."
Ethical and Fiduciary Obligations
The physician-patient relationship is confidential. Were that not the case, patients would be reluctant to divulge information necessary to the diagnosis and treatment of their problems. The physician's duty to keep information private and confidential derives from ancient physician oaths, presently unchanged at their core, and from more recent legal recognition that an individual has a right to keep those things private which he desires to be kept private.
The American Medical Association and most states' physician licensure statutes mandate that, except as the law otherwise requires and unless directly related to the treatment and care of an individual patient or consented to by the patient, a physician must keep all client confidences. Pennsylvania, for example, provides that a physician may be subject to disciplinary procedures for "revealing identifiable facts, obtained as the result of a physician-patient relationship, without the prior consent of the patient, except as authorized or required by statute." Courts in an increasing number of states have held hospitals to this same obligation, pursuant to a fiduciary or contractual duty to the patient, or as provided in a statute.
Privacy and Confidentiality
Confidentiality is the sine qua non of the physician-patient relationship. Rules of physician-patient confidentiality and other related doctrines protect one's privacy. Confidentiality is a significant mechanism by which a patient's right to privacy is maintained and respected.
Privacy protection, however, is not absolute. Privacy may be conditioned upon the public's right to know, or the government's legitimate interest in, certain information. It may be waived or consented to by the patient. A waiver or consent must be the product of a decision made after being informed of the risks and benefits of such disclosure.
Privacy, confidentiality and informed consent doctrines are nothing new to health care or to medical records managers. CDM systems, however, create new or magnify existing legal issues.
Guarding the Safe
From at least the 1970s through the present, groups such as the Privacy Protection Study Commission, the Office of Technology Assessment (OTA), the GAO, the Institute of Medicine (IOM), the Work Group for Electronic Data Interchange (WEDI), JCAHO and the American Medical Association have studied privacy protections in electronic health records systems. They have also advocated various safeguards which are instructive to CDM system planners.
For example, the AMA Current Opinions require the "utmost effort and care" to protect the confidentiality of computerized medical records. Among the AMA's guidelines are requirements that both the patient and physician be advised about the very existence of computerized medical data bases. In addition, the AMA requires that this information be communicated to the patient and physician before the physician releases the information to the data base. Most importantly, the AMA characterizes full disclosure to the patient of this information as necessary to obtaining the patient's fully-informed consent to treatment. See AMA Opinion 5.07 and AMA Opinion 5.075.
CDM systems should define and ensure security. Security, as defined by the National Information Infrastructure Task Force, is the totality of safeguards in a computer-based information system. Methods should protect both the system and the information contained within it from unauthorized access and misuse, and accidental damage. It consists of hardware, software, personnel policies, information management policies, and disaster preparedness. The most effective CDM system will design safeguards which ensure that information privacy rights are respected. Planners should, at a minimum, consider the following general principles from the 1993 WEDI Report. First, ensure that the patient has authorized the release of health information by signing a release, and by disclosing the intended uses of the information disclosed. Second, ensure that the information actually released is in strict compliance with the written release. Last, establish security procedures for others who have access to identifying information.
Methods of achieving the above can include:
1. Establishing institutional and employment policies which outline permissible and non-permissible uses of patient data and establish mechanisms for reviewing and enforcing these policies;
2. Executing User Agreements which specify users' obligations regarding system access and the collection, use and dissemination of patient data;
3. Using public-key encryption of information so that information is safeguarded and the originator of data can be identified;
4. Re-designing patient consent forms and releases which allow patients to consent to the release and use of information which can be readily associated with the patient and is used for diagnosis, treatment, utilization review, quality assurance and reimbursement;
5. Establishing mechanisms for patient access to all of the information collected identifying that patient and instituting methods which allow patients to correct erroneous information;
6. Blocking user access, through varying security levels of access codes, to data fields or records which the user is not authorized to access pursuant to the patient consent;
7. Using patient identifiers other than the patient's social security number to ensure that users (authorized or unauthorized) cannot access and collate records they weren't intended to access.
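Items 6 and 7, together with the WEDI principle that released information must comply strictly with the written release, can be sketched in code. The following is an added example, not part of the original article; the field names, roles, purposes, key and sample record are constructed assumptions, and a keyed HMAC is one possible way to derive a non-SSN identifier.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real system would hold it in a key store.
PSEUDONYM_KEY = b"constructed-demo-key"

# Constructed sample record; the SSN uses an invalid area number.
RECORD = {"ssn": "000-12-3456", "diagnosis": "hypertension",
          "medications": ["lisinopril"], "lab_results": {"K": 4.1},
          "billing_codes": ["I10"], "psych_notes": "constructed"}

# Fields the patient's signed release permits, keyed by purpose of use.
CONSENT = {"treatment": {"diagnosis", "medications", "lab_results"},
           "reimbursement": {"diagnosis", "billing_codes"}}

# Purposes each user role may invoke (the access levels of item 6).
ROLE_PURPOSES = {"physician": {"treatment"},
                 "claims_clerk": {"reimbursement"},
                 "employer_hr": set()}


def patient_pseudonym(ssn, key=PSEUDONYM_KEY):
    """Derive a record identifier that cannot be linked without the key (item 7)."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()[:16]


def release(record, role, purpose, consent, audit):
    """Return only the fields the release allows for this role and purpose."""
    if purpose not in ROLE_PURPOSES.get(role, set()) or purpose not in consent:
        audit.append((role, purpose, "DENIED"))
        return {}
    # The SSN never leaves the repository, even if a release names it.
    fields = consent[purpose] - {"ssn"}
    view = {k: v for k, v in record.items() if k in fields}
    view["patient_id"] = patient_pseudonym(record["ssn"])
    audit.append((role, purpose, sorted(view)))
    return view


if __name__ == "__main__":
    log = []
    print(release(RECORD, "physician", "treatment", CONSENT, log))
    print(release(RECORD, "employer_hr", "treatment", CONSENT, log))
    print(log)
```

Every request, granted or denied, lands in the audit list, which supports the policy review and enforcement mechanisms of item 1.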
As health care delivery systems integrate and managed care pervades the marketplace, the ability to collect, interpret and disseminate health care data becomes the Rosetta Stone of cost-efficient, quality, outcome-driven health care delivery. Clinical data management (CDM) systems enable health care organizations, employers and payors, through a core central data repository, to better manage and deliver care to patients, employees and insureds.
CDM system planners must find the highest common denominator, in terms of privacy protection, in order to comply with differing and often contradictory statutory and regulatory requirements. In today's litigious environment, the poorly planned and implemented CDM system (from a legal perspective) will result in the legal tail wagging the technological dog.
Medical Records and Medical Informatics
A collection of information and useful links to medical records practices and standards
Continuing education and international studies in medical informatics
Archives of JCAHO survey reports on medical records practices, organized by institution surveyed.
Selected Medical Record Privacy-Related Statutes & Legislation