Improper Disclosure of Confidential Information

CHAPTER 13 Improper Disclosure of Confidential Information

David R. Donnersberger, Jr. , M.D., J.D., M.A., F.C.L.M.

GOLDEN RULES

1. Physicians who transmit health information in electronic form for billing or transferring funds for payment are subject to all of the rules and penalties of HIPAA.
2. Disclosure of Personal Health Information (PHI) is appropriate if:
(a) given to the patient;
(b) given to anyone specifically authorized by the patient;
(c) required by law; or
(d) used for purposes of treatment, payment, or in usual business operations.
3. Physician disclosures of PHI to hospital quality assurance, risk management, institutional research, and ethics review committees are appropriate.
4. Beware of disclosure of PHI to patients’ family members and “representatives”:
(a) Know the recipient of the PHI.
(b) Ask the patient to specifically authorize who can receive PHI.
(c) If the patient cannot make decisions, consult advance directives or ask the family to appoint a spokesperson.
(d) Document the process in the chart.
5. Use caution when sharing PHI with health care entities not in the usual course of your business operations, treatment, or billing.
6. Never “lend” your EHR password to anyone else, especially your family members, secretary, or nurse.
7. Close all EHR accounts before leaving a terminal or PDA!

The physician–patient relationship creates an obligation on the part of the physician to protect certain confidential patient information. Cultural assumptions about the relationship between the physician and the patient create a duty on the part of the physician to keep information private. Improper disclosure of that information, or breach of that duty, should necessitate some punishment of the physician and some compensation to the patient. The concept seems self-evident. This chapter will differentiate between commonly cited assumptions, advisory guidelines, and binding laws that populate the landscape of physician disclosure of confidential information.

CASE PRESENTATIONS

Case A.

On busy medical rounds in the Intensive Care Unit (ICU) an attending physician stops in to see her patient with advanced dementia and aspiration pneumonia on a mechanical ventilator. The physician knows that the patient’s dedicated daughter is the power of attorney for health care decision making and assumes that there is a happy family situation. While in the ICU, the physician is notified of a phone call from the patient’s son in a distant state. The physician explains the patient’s dire situation. The son asks the physician to explain the medical details to the “family” attorney on speakerphone so that the son can begin to “tidy up” his dad’s affairs. The physician also faxes the lawyer some medical records. Later that day, the patient’s daughter calls the physician in an irate state. She explains that her estranged brother filed papers alleging that she has committed elder abuse. He is seeking the appointment of a guardian to strip her of her status as power of attorney and that she may no longer be able to access her father’s sizable estate to pay for his ongoing care at home. She states that her brother is manipulative and has a long history of attempts to access their father’s estate for his own use.

Case B.

A busy private, multi-specialty medical group has been recruited by a local hospital system to have its paper medical records merged into the hospital’s comprehensive electronic health record (EHR) system. The relationship is mutually beneficial to the hospital and the group. The hospital and its many specialty centers gain increased accessibility, uniformity, and continuity of records for thousands of patients from a new referral source. The private multi-specialty group is able to free up space and reduce document expenses by going “paperless,” and in doing so convert a chart storage room into a new lab. The cost of computerizing the medical records is paid by the hospital system. Three months after the merger of medical records, a patient of the multi-specialty group learns that her private records (formerly kept in paper form in the group’s locked offices) were accessed electronically by a medical student rotating at the hospital. The medical student had no legitimate, professional reason to access the confidential information, but has spread sensitive psychiatric and obstetric information in the community. The patient is outraged and wonders why her confidential medical information was converted into electronic records without her permission and then shared with a hospital system, thousands of hospital employees, and hundreds of caregivers with whom she has no professional relationship. She asserts that her records were shared without her permission and done so for the financial benefit of her former medical group and the hospital system.

ISSUES

Introduction

Physician stewardship of patient confidential information is not as clearly articulated in the law as many think.

First, new federal regulation known as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)1 creates federal civil monetary and criminal penalties for improper disclosure of confidential patient information, but does so without giving patients rights to personally sue a doctor for misuse of confidential information. Under HIPAA, patients make complaints of improper disclosure of confidential information to the Office of Civil Rights of the Department of Health and Human Services and proceedings are brought in administrative hearing.

Second, prior to HIPAA, physician responsibilities for protecting confidential patient information were explicitly codified only in the ethical and professional standards of the profession and the language of state licensing acts. A cause of action in court to recover financially for losses caused by an improper disclosure must be grounded on less specific state common law theories of breach of confidence or invasion of privacy. Of course, myriad mandatory reporting laws make it obligatory for physicians to disclose certain confidential patient information to protect public health or prevent crimes. In those cases, there is no violation of professional standards or a breach of confidentiality cause of action.

Third, the legal concept of doctor–patient privilege needs to be differentiated from the topic discussed in this chapter. Legal actions are governed by rules of evidence that determine the admissibility or discoverability of certain information. Privilege refers to a class of information that is exempted from use in court. The right to exert privilege to prevent certain information from being used belongs in some instances to the person in possession of the information (physician) and in some instances to the person who is the subject of the information (patient). Specifically, the doctor–patient privilege never historically existed in English and American law. The privilege was created only later by state statutes. Today, however, there are many exceptions to statutory doctor–patient privilege stemming from mandatory reporting of public health information, in all matters pertaining to criminal cases, and in malpractice and workers compensation cases where the patient puts his medical condition into issue. Despite popular cultural assertions to the contrary, the concept of doctor–patient privilege is largely without legal viability.

Foundations of Physician Confidentiality

Thousands of years ago the original version of the Hippocratic Oath enunciated the physician’s duty to honor patient confidences, describing a breach of that duty as something shameful. Modern versions of the Hippocratic Oath, recited at medical school commencements everywhere, do not diminish the original oath’s emphasis on the duty of the physician to keep private the confidences of patients.2 If anything, the modern version elevates the importance of patient privacy by situating it in the paragraph that reminds physicians to save life, to be humble witnesses to death, and never “to play at God.”

The ancient Greeks no doubt understood that medical care was a societal good. Healing loved ones, prolonging life, and promoting a healthy community serve basic human desires and put to good use the technological and scientific advancements created by society. Both in ancient and modern times, medical care functions most successfully when the patient is assured of complete confidence on the part of the physician.

The inevitable vulnerability one feels when sharing both nakedness and illness is surely the most fundamental source of the need for physician confidence. Within the family relationship the sharing of nakedness and illness is accepted because there exists an automatic assumption of protection, selflessness, and love. Expert medical care, however, is provided to an enormous degree outside of the protections of the family structure. Only if one is guaranteed that their vulnerabilities are protected—body, behavior, and illness—can patients feel secure in divulging their most human conditions. Medical care and the benefits it imparts on society are optimized when patients are honest with their physicians. The guarantee that society holds the physician responsible for confidential stewardship of that private information is an absolute requisite for medicine to function and yield benefits to the community.

Related posts:

  1. Professional Liability Insurance
  2. Medical Malpractice Stress Syndrome
  3. Miscellaneous Torts
  4. Neonatology and Pediatrics

Stay updated, free articles. Join our Telegram channel
Tags:
Mar 25, 2017 | Posted by in GENERAL & FAMILY MEDICINE | Comments Off on Improper Disclosure of Confidential Information

Full access? Get Clinical Tree
Get Clinical Tree app for offline access