Confidentiality is the right of an individual to have personal, identifiable medical information kept private. Such information should be available only to the physician of record and other health care and insurance personnel as necessary. As of 2003, patient confidentiality was protected by federal statute.
The passage of federal regulations (the Health Insurance Portability and Accountability Act of 1996) was prompted by the need to ensure privacy and protection of personal records and data in an environment of electronic medical records and third-party insurance payers.
Patient confidentiality means that personal and medical information given to a health care provider will not be disclosed to others unless the individual has given specific permission for such release.
Because the disclosure of personal information could cause professional or personal problems, patients rely on physicians to keep their medical information private. It is rare for medical records to remain completely sealed, however. The most benign breach of confidentiality takes place when clinicians share medical information as case studies. When this data is published in professional journals the identity of the patient is never divulged, and all identifying data is either eliminated or changed. If this confidentiality is breached in any way, patients may have the right to sue.
The greatest threat to medical privacy, however, occurs because most medical bills are paid by some form of health insurance, either private or public. This makes it difficult, if not impossible, to keep information truly confidential. Health records are routinely viewed not only by physicians and their staffs, but by the employees of insurance companies, medical laboratories, public health departments, researchers, and many others. If an employer provides health insurance, the employer and designated employees may have access to employee files.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires all professionals and organizations to guard the privacy of their patients and customers. Individuals must provide written consent for any and all releases of medical or health-related information. Employees at all levels are required to maintain confidentiality. Similar policies have been in place for some time. This was a requirement of the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) to maintain accreditation. All confidentiality releases must identify the types of information that can be released, the people or groups that have been permitted access to the information, and limit the length of time for which the release is valid.
Before the enactment of HIPAA, despite having voluntary safeguards, patient confidentiality had eroded with the almost-complete dominance of health-maintenance organizations and other types of third-party payers. Confidentiality is essential for a good relationship between patient and practitioner, whose duty to keep information private stems from the Hippocratic Oath. If personal information is disseminated without the patient's permission, it can erode confidence in the medical profession and expose health care professionals to legal action.
Physicians are increasingly being sued by patients whose information has been released without their permission. Even though the plaintiffs do not always prevail, the costs of legal action are burdensome to both sides.
Each state and the federal government have enacted laws to protect the confidentiality of health care information generally, with particular attention paid to information about communicable diseases and mental health. For example, through the 1960s substance and alcohol abuse were treated as mental illnesses, with patient confidentiality determined by the laws in each state, since at the time the state was responsible for mental health care and treatment.
In the early 1970s, however, the rising numbers of those needing substance abuse treatment came to the attention of the federal government, because drug-related activity, including the treatment for substance abuse, could be the basis for criminal prosecution on a federal level. Congress concluded that this might stop individuals needing treatment from seeking it. HIPAA was enacted to provide a strict confidentiality law and limit disclosure of information that could reveal a patient's identity.
Confusion ensued when practitioners who were treating substance abusers were required to follow two practices for patient confidentiality. One set of requirements was mandated by the state. The federal government dictated the other. With the varying degrees of protection provided by state mental health laws, the confusion increased. While all states specify exceptions to confidentiality, few have spelled out the necessary elements of valid consent for disclosure of mental health information. Some states presently allow disclosure of the following types of mental health information without patient consent:
- to other treatment providers
- to health care services payers or other sources of financial assistance to the patient
- to third parties that the mental health professional feels might be endangered by the patient
- to researchers
- to agencies charged with oversight of the health care system or the system's practitioners
- to families under certain circumstances
- to law enforcement officials under certain circumstances
- to public health officials
Prior to 2003, providers had become increasingly concerned that these exceptions are not addressed uniformly, particularly when providers and payers conducted business across state lines. This resulted in open-ended disclosures that specify neither the parties to whom disclosure is to be made nor the specific information allowed to be revealed.
Both the ethical and the legal principles of confidentiality are rooted in a set of values regarding the relationship between caregiver and patient. It is essential that a patient trust a caregiver so that a warm and accepting relationship may develop. This is particularly true in a mental health treatment.
The Health Insurance Portability and Accountability Act of 1996 was enacted to address the issue of patient confidentiality. Full implementation of HIPAA regulations began in April 2003. If individuals and organizations having patient data adhere to the requirements of HIPAA, patient confidentiality will be enhanced.
HIPAA provides a uniform set of guidelines that apply to all providers and organizations. HIPAA requirements are not affected by state boundaries.
Carter P. I. HIPAA Compliance Handbook 2003. Gaithersburg, Maryland: Aspen, 2002.
Hubbard, M. W., K. E. Glover, and C. P. Hartley. HIPAA Policies and Procedures Desk Reference. Chicago: American Medical Association, 2003.
Pabrai, U. A. Getting Started with HIPAA Boston: Premier Press, 2003.
Radford, Roger. Informed Consent. Booklocker.com , 2002.
Cole A. and K. Oxtoby. "Patient power." Nursing Times 98 (2002: 22–25.
Landrum, S. E. "Patients' rights and responsibilities." Journal of the Arkansas Medical Society 99 (2003): 222–223.
Rosenbaum, S. "Managed care and patients' rights." Journal of the American Medical Association 289 (2003): 906–907.
Sugarman, J. "Missing the informed in consent." Anesthesia and Analgesia 96 (2003): 319–320.
American Academy of Family Physicians. 11400 Tomahawk Creek Parkway, Leawood, KS 66211-2672. (913) 906-6000. http://www.aafp.org . http://email@example.com.
American College of Physicians. 190 N Independence Mall West, Philadelphia, PA 19106-1572. (800) 523-1546, ext. 2600. (215) 351-2600. http://www.acponline.org .
American Medical Association. 515 N. State Street, Chicago, IL 60610. (312) 464-5000. http://www.ama-assn.org .
National Patient Advocate Foundation. 753 Thimble Shoals Blvd, Suite A, Newport News, VA 23606. (800) 532-5274. http://www.npaf.org . http://firstname.lastname@example.org.
American Psychological Association. [cited March 21, 2003] http://www.apa.org/practice/senate_compromises.html .
HIPAA website. [cited March 24, 2003]. http://www.hipaa.org .
National Academy of Sciences. [cited March 21, 2003]. http://www.nap.edu/readingroom/books/for/index.html
Persons United Limiting Substandards and Errors in Health Care (P.U.L.S.E.). [cited March 21, 2003]. http://www.pulseamerica.org .
Stanford University. [cited March 21, 2003]. <http://www.stanford.edu/class/siw198q/websites/HearingMar01/bill html> .
U.S. House or Representatives, Democratic Staff or the Energy and Commerce Committee. [cited March 21, 2003]. <http://www.house.gov/commerce_democrats/pbor/107pborsummary.htm& x003E; .
L. Fleming Fallon, Jr., MD, DrPH