The Patient-Physician Relationship: Confidentiality
By David L. Freedman, MD, JD, Emergency Department Physician, Chelsea Community Hospital; Associate, Health Law Practice Group, Miller, Canfield, Paddock, and Stone, PLC, Ann Arbor, MI.
The starting point for any discussion of the confidentiality of medical information is that physicians, and other members of the healthcare team, should keep all patient information confidential. With that as the baseline, the various limited exceptions to this general rule can be considered. It can safely be said that patients have an expectation that all patient-physician communications will be kept strictly confidential.
There are a number of ways in which physicians may expose themselves to liability in dealing with medical records and other confidential patient medical information. Physicians should always remember that our ethical duty is not simply to keep the medical record confidential, but rather to keep all information obtained from patients, even information not directly related to medical treatment, confidential. The law requires that information obtained from patients that is directly related to their treatment be kept confidential; our ethical duty, though, is to keep all patient-related information confidential to the best of our ability. This issue will review the various reasons why medical information should be kept confidential, and then discuss some of the various exceptions to this general rule of confidentiality. Our focus is also to discuss the various forms of liability that may be the consequence of a failure to maintain proper confidentiality of medical information and/or medical records. Finally, I will suggest various recommendations to help enhance physician-patient confidentiality.
Introduction
While maintaining patient confidentiality is a significant problem for physicians generally, it is a particularly difficult problem in the ED. As emergency physicians, we are faced with numerous challenges to our ability to maintain appropriate patient privacy. We are often forced to treat patients behind curtains rather than doors, and we sometimes forget that a patient and his or her family in the next cubicle may easily hear our entire conversation.
State law, statutory and common, varies widely in its handling of physician-patient confidentiality. In this article, I will refer most often to Michigan statutory law, with a somewhat broader treatment of case law. While there is considerable conformity among the states, each practitioner should consult with knowledgeable local health care counsel to develop policies and procedures that conform with the practitioner’s particular state.
Historical Background
Any discussion of the history of the physician’s duty to maintain patient confidentiality starts with mention of the Hippocratic Oath that provides in part:
"Whatever, in connection with my professional practice or not in connection with it, I see or hear in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret."1
Courts, to this day, continue to refer at times to the Hippocratic Oath as a source of the physician’s duty of confidentiality. The American Medical Association’s Code of Medical Ethics addresses patient confidentiality as follows:
"A physician shall respect the rights of patients, of colleagues, and of other health professionals, and shall safeguard patient confidences within the constraints of the law."2
Confidentiality Mandates
Numerous authorities propose that medical records in particular, and patient confidences in general, should be kept confidential. These range from medical tradition and ethical considerations to specific state and federal statutes mandating that physicians, hospitals, and other health care organizations keep medical information confidential.
Ethical Mandates
The AMA’s Ethical Code provision on confidentiality is mentioned above. Various state and local medical societies and specialty societies have their own confidentiality mandates. For example, the American College of Emergency Physicians (ACEP) in 1994 approved a policy regarding patient confidentiality. (See Appendix A.)3 This policy recognizes the basic rationales for the maintenance of confidentiality, privacy, and trust, which, if respected, are felt to lead to freer, more candid, communications between patients and physicians. ACEP also properly recognized that patient confidentiality is not absolute and there are, in certain situations, sufficiently compelling reasons to overcome the ethical principle of confidentiality. It is important that this policy not be read in isolation but rather read and interpreted with pertinent state and federal law in mind.
Caution is advised when reading policies such as this as they do not have the effect of law and, in some cases, may actually conflict with the statutes. As the ACEP policy suggests, whether a patient’s sexually transmitted disease should be disclosed to his or her partners may not be a circumstance "in which societal consensus exists." However, the law in some states (e.g., Michigan) is quite clear; the penalty for unauthorized disclosure may be quite severe. For example, in Michigan, a person who violates the state confidentiality statute regarding HIV (incidentally not an easy collection of statutes to understand) is "guilty of a misdemeanor, punishable by imprisonment for not more than one year or a fine of not more than $5,000, or both, and is liable in a civil action for actual damages or $1,000, whichever is greater . . . "4
Legal Mandates
The Federal Medicare Conditions of Participation include a rule that all "hospital(s) must have a procedure for ensuring the confidentiality of patient records . . . [and] must ensure that unauthorized individuals cannot gain access to or alter patient records."5 The Joint Commission on Accreditation of Healthcare Organizations has a standard that requires that medical records must be kept "confidential" and "secure."6 While this is not a "legal" mandate per se, it has quasi-legal properties in that it is accepted by the Health Care Financing Administration as satisfying the Medicare Conditions of Participation (so-called "deemed status").7
States may have statutes mandating that physicians keep patient medical information confidential. Michigan law, for example, provides that "[e]xcept as otherwise provided by law (e.g., suspected child abuse reporting), a person duly authorized to practice medicine or surgery shall not disclose any information that the person has acquired in attending a patient in a professional character, if the information was necessary to enable the person to prescribe for the patient as a physician, or to do any act for the patient as a surgeon."8 In addition, the hospital is required by the state licensing statute to keep patient information confidential. The Michigan statute provides that "[a] patient or resident is entitled to confidential treatment of personal and medical records . . . except as required because of a transfer to another health care facility or as required by law or third-party payment contract."9 Some states, while they might not have a general statute covering the confidentiality of medical information, may have statutes addressing the confidentiality of certain types of medical information (e.g., HIV seropositivity). More often, a state will have both a general statute and a specific statute covering certain conditions.
There are also contract and quasi-contract obligations of physicians to maintain patient confidentiality. Medical staff bylaws normally contain a section requiring medical staff members to maintain patient confidentiality within the constraints of the law. Violation of such a confidentiality provision could subject the physician to medical staff discipline up to and including dismissal from the medical staff.10 Employment contracts and independent contractor agreements are generally drafted with sections requiring the physician to maintain patient confidentiality.
Exceptions to Confidentiality
Medical records and confidential patient information are routinely shared among the various members of the health care team. Consent for this release of medical information, if not expressly given, is implied by the patient’s initial consent to treatment, so long as information is released only to those specific individuals who require the information in order to properly treat the patient. All releases in this regard should be limited to only the information that is required for treating the patient (i.e., not all health care personnel involved in the care of the patient necessarily need all the information in the patient’s medical record).
Medical records are required by third-party payers for reimbursement purposes as well as for quality and utilization audits, and they are routinely provided pursuant to a consent that patients give prior to receiving medical services.11 The individual’s contract with his or her insurance company will also provide for release of medical information to the insurance company. In addition to documentation for billing, government agencies and third-party payers routinely use the records for utilization review activities and quality assurance reviews.
Medical records are routinely reviewed by peer-review and quality assurance committees in the hospital or by outside inspection teams (e.g., JCAHO accreditation inspection teams). Consent for this disclosure, if not covered by federal or state statute and/or regulation, is held to be implied from the patient’s agreement to treatment.12 It is expected that these reviewers will keep the information in the records confidential.
Always make sure that all patient-related materials used at teaching conferences have the patient’s name and any data that would potentially identify the patient removed, unless the patient consents to disclosure of his or her identity. All records used by researchers should be handled in a fashion that will preserve patient confidentiality. Particular attention should be paid to researchers from outside the institution who are given access to patient-specific information.13 Their compliance with the institution’s confidentiality policies must be assured at all times.
Patients generally waive their right to confidentiality of their medical records in personal injury claims where the individual has placed his or her medical condition at issue in the case. This includes cases where the patient has brought suit against the physician for alleged medical malpractice. In this circumstance, the patient also waives any right to confidentiality of his or her treatment records held by other physicians who provided treatment for the injury or condition.
Most states require that physicians and other health care workers (and other individuals owing a duty to a child) report suspected child abuse or neglect to the proper authorities. The law in Michigan requires that a physician (as well as other specific professionals) "who has reasonable cause to suspect child abuse or neglect" immediately make a report to the proper authorities.14 The statute goes on to specify exactly what information must be reported. The law also provides immunity to any person who acts in "good faith" in making such a report or who cooperates in an investigation as required by the Michigan Child Protection Law.15 Interestingly, some states (e.g., Connecticut) have interpreted the immunity provision of their suspected child abuse and neglect statute, despite a requirement of "good faith" on the part of the person making the report, as granting essentially absolute immunity in the reporting of suspected child abuse.16
Many states have a statute requiring hospitals and/or physicians to report violent injuries to the police.17 This occurs often in the ED, particularly on evening and night shifts. Each department should have a policy in place for these reports and educate the department staff in this regard. Many physicians and hospital staff assume, often incorrectly, that only gun and knife injuries are reportable and this is not, at least in Michigan, the case. Michigan law requires the reporting of any injury "inflicted by means of a knife, gun, pistol, or other deadly weapon, or by other means of violence."18 The particular state statute should be reviewed by hospital counsel when the ED disclosure policy is written to determine the extent of the required report; only that information that is statutorily required to be disclosed should be revealed. The Michigan statute, for example, requires reporting of the name and residence of the victim, the victim’s whereabouts, and the character and extent of the injury.19 It does not require the reporting of any other patient communication and, therefore, absent patient consent, all other information should be kept confidential.
Some states have established statutes requiring the reporting of various communicable diseases.20 Any duty owed to third parties (e.g., contacts or potential contacts of the infected person) is generally discharged by notification of the public health department, who then takes responsibility for contacting the patient and determining those third parties that must be contacted. Remember, however, that HIV is treated differently than other communicable diseases by most states, and specific and strict requirements of confidentiality often apply (see section below on HIV).
All emergency physicians should already be well aware of the provision of the Emergency Medical Treatment and Active Labor Act (EMTALA), which requires that any hospital transferring a patient covered by EMTALA (i.e., a hospital with an ED) must, when transferring a patient, send to the receiving hospital "all medical records (or copies thereof) related to the emergency condition for which the individual has presented available at the time of the transfer, including records related to the individual’s emergency medical condition, observations of signs or symptoms, preliminary diagnosis, treatment provided, results of any tests . . . "21 This, of course, would supersede any contrary state law, statutory or common (i.e., court-created law).
Privilege vs. Confidentiality
The principle of confidentiality of medical information and the rules governing physician-patient "privilege" are often referred to interchangeably and confused but are actually two quite different concepts. Confidentiality is, as described above, an obligation based on ethical principles, traditions, common law, statutes, and regulations, which requires physicians to keep essentially all information pertaining to patients confidential. Privilege, on the other hand, is a principle of evidence law, where certain, otherwise credible information, is excluded from admission into evidence in a legal proceeding. The physician-patient privilege is only a testimonial privilege (a rule to exclude testimony/evidence in a legal proceeding), not a general obligation of confidentiality.
Traditionally, the courts did not allow a physician-patient privilege.22 Most states, however, now provide for a physician-patient privilege in their state evidence code.23 The physician-patient privilege, like all evidentiary privileges, requires that otherwise relevant testimony be excluded from evidence because of some overriding public interest, here the facilitation of communication between patients and their physicians. The theory is that by protecting the privacy of this communication, individuals are more likely to be candid with their physicians, and this candor enhances the public health and welfare. Numerous exceptions to the physician-patient privilege vary among the states, and it must be remembered that the physician-patient privilege covers only physicians, not other members of the health care team.
Physician-patient privilege can be waived either expressly or implicitly. An individual may waive physician-patient privilege by signing an express consent to disclosure of medical information (an express waiver). An individual may also waive physician-patient privilege by conduct. The best example of implied waiver is when the individual puts his or her physical condition at issue in a proceeding (e.g., a personal injury action, including medical malpractice).24
Special Situations
HIV
HIV and AIDS have been treated differently than other communicable diseases by the public as well as the medical profession. This presents particularly difficult ethical dilemmas for physicians in balancing the ethical and legal duty of confidentiality with the duty to protect innocent third parties who may be at risk of contracting a fatal communicable disease.25 The difficult balance between maintenance of strict confidentiality, which theoretically encourages possibly infected individuals to seek treatment and then to modify their behavior on advice of their physician vs. disclosure of risk to possible contacts, is highlighted in this context. Which strategy best promotes the general public welfare is a matter of question and debate. State laws governing confidentiality and disclosure of HIV-related medical information vary widely and are often not only quite complex but confusingly drafted and organized. This is an area where clear policies regarding confidentiality and disclosure must be in place, and these policies must be reviewed by counsel prior to their implementation. Potential penalties for violation of the confidentiality provision may be, as discussed above, quite severe. The AMA has taken a position on disclosure of HIV-positive status to contacts when the patient refuses to do so.26 Always remember, though, that any guideline such as this would be superseded by statute and most, if not all states, have specific statutes dealing with HIV confidentiality and disclosure.
Mental Health
There is a duty to warn third parties of risks posed by patients, psychiatric patients in particular, in some states and under certain specific circumstances, despite the general duty of confidentiality owed to the patient. The leading case in this area is Tarasoff v. Regents of the University of California.27 In Tarasoff, a man, after confiding to his psychologist his intent to kill a woman, did in fact kill her. The psychologist, an employee of the University of California at Berkeley, had alerted the campus police who had briefly detained the man, but nobody ever warned the victim of the potential danger. After his release, the man made good on his threat and murdered the woman. The California Supreme Court ruled that the psychologist had a duty to warn the victim who, in this case, was readily identifiable. Generally speaking, a duty would be owed only to identifiable potential victims where a danger is reasonably foreseeable. This is a difficult area of the law, with considerable variation among the states as to who, if anyone, should be warned and how that warning should be accomplished, and each practitioner should consult with competent counsel as to the specific requirements in his or her state.
The Michigan law in this situation, for example, provides that, "if a patient communicates to a mental health professional who is treating the patient a threat of physical violence against a reasonably identifiable third person and the recipient has the apparent intent and ability to carry out that threat in the foreseeable future, the mental health professional has a duty to take action."28 That duty may be discharged, however, not only by notifying the threatened third person and the local police department or county sheriff, but by hospitalizing the patient under civil commitment procedures (voluntary admission would not be adequate), an option that would obviously be somewhat more protective of the patient’s confidential communication.29 The statute also goes on to state that a report made under this circumstance does not result in a violation of physician-patient privilege as established under Michigan law.30 Interestingly, psychiatrists are the only physicians covered by this section.31
Minors
The confidentiality of the medical records of minors raises special issues. A minor is generally incapable of giving consent and consent must be obtained from the minor’s parent or guardian, barring an exception to usual informed consent law (e.g., emergency, state statute). In order for the parent or guardian to give informed consent, logically, that person must be informed of all the pertinent medical information required for a reasonable person to make an informed decision. Therefore, parents will generally be privy to the information in the minor’s medical record. The fact that a parent is not the custodial parent does not generally deny them access to their child’s medical record.32 If, however, a guardian has been appointed for the child, even the parents may be denied access to the child’s medical record (in Michigan).33
There are, naturally, exceptions to this general rule. Many states provide for minors to give consent by statute for treatment in specific situations (e.g., pregnancy, sexually transmitted diseases, or substance abuse treatment). For example, in Michigan a minor may give consent to treatment for substance abuse and, if the minor gives consent for treatment, then only the minor may give consent to release of those treatment records (i.e., the parents have no right to access the record without the consent of the minor).34
Substance Abuse Treatment Records
Federal laws and, in many cases, state laws grant special attention to substance abuse treatment records. Under 42 U.S.C.A. § 290dd-2 and its accompanying regulations, records of the identity, diagnosis, prognosis, or treatment of any patient in a federally-assisted substance abuse treatment program, absent exception, must be kept strictly confidential. It is a violation to even acknowledge the presence of an individual if the facility is publicly identified as a place where only substance abuse diagnosis, treatment, or referral is provided.35 Any consent to disclosure must be express; a general medical records release is not adequate. There is also a regulation requiring that the records must be maintained in a "secure room, locked file cabinet, safe, or other similar container when not in use."36 Since emergency physicians are often involved in the admission of patients to substance abuse treatment facilities, "medical clearance" exams if nothing else, it would be prudent to have a policy in place that can be referred to so as to avoid violation of this very strict non-disclosure law.
Destruction of Medical Records
Multiple copies of medical records, particularly ED records, are routinely generated. The various copies of these records are eventually destroyed at various times (e.g., the department copy may be destroyed after two months and the medical records department copy may be destroyed when the record is transferred to microfilm). Whenever a medical record is destroyed, it is essential that it be done in a manner that ensures confidentiality. This may be a matter of specific state statute. Even if it is not, common law would require reasonable efforts on the part of the physician and hospital to assure the confidentiality of the discarded medical record. Methods such as shredding or incineration are preferable; simply putting the record into the regular trash is ill-advised. Hospitals or physicians that allow a commercial enterprise to destroy their records should do so pursuant to a written agreement that sets forth proper safeguards against breaches of confidentiality.37 Hospital policies regarding the destruction of records should be developed and uniformly adhered to.
Telephone Requests for Patient Information
Emergency physicians are frequently on one side or the other of a telephone request for confidential patient information. We often require confidential patient information on an urgent or emergent basis, and any significant delay in receiving that information that is caused by a rigid compliance to medical records confidentiality policies can have disastrous consequences for a patient. Consider, for example, a case in which the question is whether or not to give thrombolytics, and an old ECG will decide the issue. Time counts; time is muscle. We all know that we have a much better chance of getting the information quickly if we get the emergency physician at the other hospital to have the chart pulled and give us the information "informally" over the phone vs. having the information "formally" released by the medical records department. Emergency physicians, on the other hand, are also frequently called upon to give patient information over the phone: perhaps it is the headache patient you discharged earlier in your shift who is now at another hospital and unconscious or the chest pain patient whose treatment depends on the old ECG. Unless the urgency of the situation requires release of information without patient consent, the prudent policy is to release information only after receiving proper authorization.
Computerized Records
The computerization of medical records has resulted in many new issues related to their confidentiality. Obviously, this is an area of rapidly advancing technology, and the law is struggling to keep pace with the technological developments. We are, as a result, often left applying "old" law to "new" situations. Whenever medical records are stored by computer, security of the information becomes more difficult. While it is fairly easy to provide reasonable security for written medical records (a single copy kept in a locked medical records department with a strict policy regarding the sign-out of the record), security for electronically stored information is much more problematic.
Many people both within and outside the hospital potentially have access to the computerized medical record. There are numerous computer terminals in a typical hospital that could be used to access medical records. The computer system might be shared with another hospital, and access to the information might therefore be possible from an entirely different hospital. Anyone who has access to your computer, or a terminal connected to your computer, will potentially have access to your patients’ medical records. There will undoubtedly be computer vendors and support personnel, often from outside the hospital, who will have access to the information in the system in their technical support role. Many hospital computer systems have call-in capability that substantially increases the difficulty of maintaining adequate medical record security.
It is essential that at least "reasonable" security measures be employed to safeguard medical information stored in the computer. How many ED computer systems use such "unique" passwords as "doc," "er," "erdoc," etc? How many EDs, because of the use of multiple physicians, some of whom are part-time, post the password directly above the computer terminal? Despite the common use of such poor security measures, it is quite possible that a jury or court could find such practices to not have been "reasonable." Would you? Remember, usual and customary practice is just evidence of the standard of care, and a court could find a practice to fall below the standard of care, despite its nearly universal use.38
The recently passed Kennedy-Kassebaum Bill provides for the establishment of standards and requirements for electronic transfers of certain health information by August 1999. If Congress fails to act, the Secretary of Health and Human Services is authorized to set standards administratively. All providers should, despite the current lack of standards, maintain safeguards to ensure the confidentiality of health care information. Threats to the security of medical information must be anticipated, and reasonable measures must be taken to protect against breaches of confidentiality. The Department of Health and Human Services is mandated to adopt security provisions for electronic data transmissions. The National Research Council has addressed the issue of the confidentiality of electronic patient records and advises that: 1) every person with a legitimate need to view the information should have a unique identifier; 2) computers should be programmed to exit applications automatically if records are left open at unattended computers; 3) information sent over public networks should be encrypted; and 4) patient information in e-mail should be avoided.39
Facsimile (fax) machine use has become common and increasingly popular in the ED. Use of these machines, however, provides another potential for a breach in confidentiality. Policies and procedures should be in place to assure "reasonable" security measures for records that are transmitted by fax. In general, the fax should be used only when time is of the essence and a more secure method of delivering the information is not adequate. Fax machines should be used for medical necessity, not simply for convenience. Never transmit highly sensitive medical record information by fax unless it is absolutely necessary, and then, if possible, send it on a nonpublic channel (e.g., a local area network within a facility).40
Liability for Breaches of Confidentiality
There are both common law and statutory grounds for liability when medical information is disclosed without proper authorization and the resulting liability may be civil, criminal, or both. Tennessee law, for example (as does Michigan law discussed above in the Ethical Mandates Section), addresses both civil and criminal liability:
"A willful violation of the provisions of the [Medical Records Act] is a Class C misdemeanor . . . No hospital . . . shall be civilly liable for violation of the [Medical Records Act] except to the extent of liability for actual damages in a civil action for willful or reckless or wanton acts or commissions constituting such violation."41
The common law theories of liability include: breach of contract, invasion of privacy, defamation, negligence, and breach of fiduciary duty. While there is ordinarily not an express contract between a physician and his or her patient providing that medical information will be kept confidential, some courts are willing to imply a contract that includes terms of confidentiality.42