Guidelines for physicians in privacy breaches
Obligation to protect info dates to Hippocratic Oath
In light of the growing adoption of electronic medical records — and the fact that its current policy does not address "physicians' ethical responsibilities in the event the security of electronic records is breached," according to a report of its Council on Ethical and Judicial Affairs — the American Medical Association has adopted four guidelines for physicians in such cases.
The guidelines were adopted at the Chicago-based AMA's annual policy-making meeting. They outline four specific steps for physicians to take in the effort to both protect patient information and to respond appropriately should a breach occur.
What the guidelines say
The new AMA guidelines ask physicians to:
- Ensure patients are properly informed of the breach;
- Follow ethically appropriate procedures for disclosure;
- Support responses to security breaches that place the interests of patients above those of physician, medical practice, or institution;
- To the extent possible, provide information to patients to enable them to diminish potential adverse consequences of the breach of personal health information.
"Protecting the privacy and safety of patient information, whether in a paper record or an electronic medical record, is a top priority for physicians," said AMA board member William A. Dolan, MD, in an AMA news release announcing the guidelines. "Physicians need a standard protocol to follow to maintain patient security in the event of a breach of personal information."
The report states, "A physician's obligation to respect confidentiality and guard a patient's privacy is a well-established principle of professional ethics that dates back to the Hippocratic Oath."
The report also notes that health information is critical to the practice of medicine. But while the advent of electronic medical records to "store, access, and transmit detailed patient information accurately and rapidly" among physicians, administrators, and payers can benefit patients, it also poses risks.
"The flow of medical information from patient to health care provider to health insurance industry and beyond is conducted with limited regulation and oversight," the report states. "Existing data security laws and agencies have been characterized as a 'confusing, sometimes conflicting, patchwork' of policies."
The report notes that in 2008, 38.4% of physicians reported using fully or partially functional EMR systems, compared to 2001, when only 18.2% of office-based physicians reported using EMRs.
Dolan said in the AMA release, "EMRs are the wave of the future, so it is important for both patients and physicians to feel secure. These new guidelines prepare physicians to help . . . patients in the unfortunate situation of an information breach."
The extent of harm to a patient as a result of a security breach depends, the report notes, on several factors, including the intent of the person who inappropriately accessed the information, the nature of the information that was breached, as well as with whom the information may have been shared.
"One profound harm may be medical identity theft, the fastest-growing form of identity theft," the report states. That can lead not only to "inconvenience" but also to damage to a person's credit rating and ability to get care, as well as to inaccurate information in the patient's medical record.
Aside from those concerns, breaches may impose "dignitary harm" on a patient. However, disclosure is essential.
"Like being candid with a patient about a medical error, being candid with a patient when his or her information has been inappropriately disclosed may be difficult or uncomfortable," the report states. "However, this does not change the fact that it is the ethically appropriate response."
"Inappropriate disclosure of a patient's personal information violates his or her right to 'informational' privacy, a fundamental expression of autonomy," the report states.
From a legal perspective, the report notes that, currently, 44 states require businesses to notify residents if their information has been breached.
The report also notes that studies have indicated that should a breach occur, the patient does want to be informed.