Module 4: Confidential/HIPAA
Upon completion of this module, the resident should be able to:
- Describe the history and current status of the physician's duty to protect patient confidentiality.
- Describe and utilize the ethical rationales for the physician's duty to protect patient confidentiality.
- Identify the grounds for justifiable, ethically valid breaches of patient confidentiality.
- Describe the requirements imposed on physicians by the Health Insurance Portability and Accountability Act.
Module: 4 / Respecting Privacy and Maintaining Confidentiality
Mr. X is a 78-year old man who has been referred to you by his internist for a suspected diagnosis of prostate cancer. During the physical examination you notice suspicious bruises on his back and upper arms. You inquire about the bruises and Mr. X appears to be very uneasy and brushes them off as the result of a fall. Your intuitions tell you that he is not leveling with you.
Mr. B is 42-year old man who has been referred to you for work-up and treatment of sexually transmitted disease. In taking his history, particularly his sexual history, you elicit from his a candid admission of his numerous encounters with prostitutes; he also describes the often risky sexual behaviors he has engaged in with these individuals, despite the fact that he is married.
You enter an elevator on the ground floor of the teaching hospital where you are training; you press “11” for the eleventh floor where you will meet other members of your team to begin morning rounds. There are two other physicians in the elevator and they are clearly discussing the details of a patient’s case and in the process, one of them mentions the name of the patient.
Privacy and confidentiality are fundamental concepts in medical ethics. The concept of privacy is one that is deeply woven into Western thinking about individuals and communities. In legal as well as ethical contexts, appeals are made to the right to privacy – i.e., to one’s legal and/or moral right to limit access to one’s body and/or mind and, in deference to self-determination and personal integrity, to assert control over many aspects of one’s person. There are negative rights to privacy: these refer to rights to non-interference. There are, as well, positive rights to privacy: these have to do with the prerogative to control. To one degree or the other, the patient-physician relationship requires the patient to surrender privacy in return for guarantees of confidentiality: confidentiality is a critical means to the end of honoring the privacy, self-determination, and integrity of the patient.
Some of the most enduring ethical precepts in the history of medical ethics are those that enjoin physicians to safeguard the confidentiality of what they see and hear in their encounters with patients. As noted in module 1, the Hippocratic Oath includes the following provision: “What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself holding such things shameful to be spoken about.” The fourth principle in the American Medical Association’s Principles of Medical Ethics reads: “The physician … shall safeguard patient confidences within the constraints of the law.” And, the fourth element of the AMA’s Fundamental Elements of the Patient-Physician Relationship states that “(T)he patient has the right to confidentiality. The physician should not reveal confidential communications or information without the consent of the patient, unless provided for by law or by the need to protect the welfare of the individual or the public interest.” Finally, the fourth principle of the Code of Ethics of the American Urological Association states that “[P]hysician-patient confidences will be safeguarded within the constraints of the law.”
As previously noted, the relationship between a physician and a patient is a fiduciary relationship: it is grounded in, and dependent upon mutual trust. Patients have little choice but to trust their physicians: to trust that their physicians will use their knowledge and skill for patient benefit and that they will protect the often sensitive information that is exchanged in the relationship. Without a presumption favoring the maintenance of confidentiality, patients might withhold rather than convey information critical to effective diagnosis and treatment. Maintaining confidentiality is also a means to the end of respecting the patient’s autonomy in decision making – i.e., their exercise of rights to self-determination, including determining what, how, and when personal information may be disclosed to others. Finally, maintaining confidentiality can help patients avoid the potentially adverse consequences of unethical disclosure, including stigmatization and discrimination.
In developing ethical rationales for maintaining–and, in certain circumstances, for breaching–confidentiality, one could appeal to:
- The virtue of trustworthiness as a virtue integral to the fully virtuous physician: a lived, demonstrated commitment to maintaining confidentiality exemplifies this particular habitual disposition to seek and achieve the good of the patient
- To the consequences of maintaining confidentiality, that is, that patients are more likely to divulge sensitive information if they are assured that that information will be protected from unauthorized exposure
- To the concept of maintaining confidentiality as a duty – a duty that is responsive to the patient’s right to privacy
- To the principle of respect for autonomy, that is, to the argument that self-determination is intimately bound up with and dependent upon the ability to control information about oneself
If maintaining confidentiality is conceived as a duty, as such, it both prohibits and enjoins certain actions by the physician: it prohibits the physician from disclosing information about the patient and it enjoins the physician to take positive steps to protect this information to ensure only authorized access to the information.
Moreover, if maintaining confidentiality is conceived as a duty, then we may ask “Is this duty an absolute one that admits of no exceptions?” Does this duty hold at all times, in all places, and in all circumstances? The answer is “no” and one of the key milestones in the evolution of the ethics–and the law–of confidentiality occurred in 1974, in a decision handed down by the California Supreme Court in the case of Tarasoff vs. Regents of the University of California. Tatiana Tarasoff was the girlfriend of a young man who was under the care of a psychologist, to whom the young man confessed his desire to kill his girlfriend. The psychologist reported the threat to authorities who arrested the young man but released him after he promised to keep his distance from Tatiana. Two months later, however, he did, indeed, kill her. Tatiana’s parents brought suit against the psychologist. In its first decision on the case, the California Supreme Court stated that health professionals have a duty to warn an individual or individuals who are the targets of credible threats of harm by patients under the care of those professionals: “When a doctor of psychotherapist, in the exercise of his professional skill and knowledge, determines, or should determine, that a warning is essential to avert danger arising from the medical or psychological condition of his patient, he incurs a legal obligation to give that warning.” In the second decision on the case in 1976, the Court went one step further and stated that not only is there a duty to warn: there is also a duty to protect a threatened individual from harm.
There are five conditions that must be met in order to justify an ethical breach in confidentiality:
- The potential harm is serious
- The likelihood of the harm is high
- There is no alternative for warning or protecting the at-risk third party
- Breaching confidentiality will prevent the potential harm
- Harms to the patient are minimized and acceptable
Protecting Third Parties: Although there is variability from jurisdiction, state and local laws often require physicians to set aside their duty to maintain confidentiality and report patients to public authorities in such defined situations as:
- Infectious disease: in some jurisdictions physicians, laboratories, hospitals, and clinics are required to tell public health officials the names of patients with such infectious diseases as tuberculosis, gonorrhea, and syphilis.
- Human immunodeficiency virus (HIV): Early in the AIDS epidemic in the United States, public reporting of patients testing positive for HIV was highly controversial as a proposal and practice. Improvements in therapy and prognosis as well as in public understanding and acceptance have helped to ease the stigma attached to the disease and its sufferers such that public reporting practices for HIV are now more or less aligned with those of other infectious diseases.
- Impaired drivers: In many states, physicians must report to motor vehicle departments patients suffering from epilepsy, syncope, Alzheimer’s disease and other dementias, sleep apnea and other consciousness-impairing conditions.
- Injuries caused by crimes: Again, most states require physicians to report to public authorities the names of patients who have been injured through allegedly criminal acts.
You should acquaint yourself thoroughly with the laws of your local and state jurisdiction.
Protecting Patients: The laws of the 50 states and the District of Columbia also, in general, require physicians and other health care professionals to report the following suspected or documented harms to patients: domestic violence; child abuse; and elder abuse. Again, it is important to know the laws of your jurisdiction of practice.
The Health Insurance Portability and Accountability Act (1996): In 1996, the U.S. Congress passed – and then-President Clinton signed – the Health Insurance Portability and Accountability Act (HIPAA). The “basic philosophy” of the Act is straightforward: medical information pertaining to a patient is protected by the patient’s right to privacy and physicians, as well as other health professionals and the institutions in which they practice, have a corresponding duty to protect the privacy of this information. This guarantee of confidentiality is critical: it encourages patients to disclose to their physicians information that is necessary for effective treatment and care. Moreover, disclosure of medical information to third parties requires explicit patient consent. Finally, patients should have access to—as well as the ability to reproduce and make appropriate corrections to—their medical records. Critics of HIPAA argue that the Act seeks to promulgate this basic philosophy in excessively and needlessly complicated ways. Despite the ongoing controversy surrounding the implementation of the Act and its accompanying regulatory framework, it is important for practicing physicians to understand the fundamental requirements of the Act:
(1) Only the “minimum necessary” amount of health information about an identifiable individual patient should be released for a given purpose with the exception of disclosures (a) explicitly authorized by the patient, (b) to other health professionals involved in the treatment and care of the patient, or (c) required by law. Thus, it will rarely be the case that a patient’s entire medical record can be disclosed—outside the context of treatment—without the patient’s explicit authorization.
(2) At the very beginning of the delivery of health care services, every patient must be provided with a written notice of privacy practices—a notice that must also be posted in the site of service delivery. This notice must describe (a) who will see and use the patient’s medical information, (b) the uses of that information in need of explicit authorization by the patient, (c) the patient’s right to review, reproduce, and revise medical information (when incorrect) as well as to receive a detailed accounting of disclosures of that information. The notice must also inform the patient of the possible disclosure of his or her medical information for purposes related to treatment, payment, or “health care operations” without additional notification or authorization. In this context, “health care operations” refers to such activities as quality improvement, performance evaluation, training and education programs, business planning and management.
(3) The forms by which authorization to release health information is sought and obtained must describe (a) the information to be disclosed, (b) the person(s) authorized to disclose the information, (c) the person(s) to whom disclosure is to be made, (d) the purpose of the requested disclosure or use, and (e) the “end” or expiration date for use of the information.
(4) In general, a patient has the right to scrutinize and receive a copy of his entire medical record. There are exceptions to this general rule. For example, psychotherapy notes, kept separately from the medical record, and information maintained for use in a civil or criminal proceeding are exceptions. In addition, physicians may refuse to make the entire medical record available to a patient if (a) in the professional judgment of the health professional, access to the medical record is likely to harm the patient or another individual, (b) the record makes reference to another person and access to the record is likely to harm that person, or (c) the request for access is made by the patient’s personal representative and such access is likely to harm the patient or another person.
Some of the more challenging aspects of maintaining confidentiality lay beyond the immediate sphere of the patient-physician relationship: patient-related information is often recorded, stored, and utilized in multiple contexts of complex organizations (e.g., health maintenance organizations, hospitals, etc.), which are ultimately beyond the control of the treating clinicians. Multiple individuals – and organizations – have and need access to sensitive patient information, including members of the health care team, pharmacists, other allied health care workers, administrators, secretaries, and others. Often such information is in electronic format, which speeds its retrieval and transmission but can also make it more vulnerable to unauthorized access. Circumstances such as these led clinical ethicist Mark Siegler to declare that confidentiality in medicine is a “decrepit concept.” Passage of HIPAA was motivated, in part, by the aim of addressing this criticism.
In addition, there is the persistent problem of casual, often unintended indiscretions: for example, conversations about patients between clinicians in crowded elevators, or busy hallways. Although these frequent breaches of confidentiality may be “innocent” in terms of motivation, they act as a corrosive on the trust that is essential to effective physician-patient relationships.
One remaining challenge to the ethics of confidentiality deserves attention. In some circumstances, patients may request the omission or deletion of information from their medical records due to fears of disclosure. It is understandable that information about such conditions as sexually transmitted diseases, substance abuse, and psychiatric disorders may engender such concerns in patients, but the question is how should physicians respond to such requests? Among the pivotal considerations are these:
- The honesty, trustworthiness, and sensitivity of the physician: patients depend upon their physicians to be sensitive to their concerns about their conditions, including concerns about inappropriate disclosure of information. In addition to the patient, however, others—the physician’s colleagues, other patients, hospitals, insurance companies, etc.—rely upon these same qualities in the physician.
- The possible consequences of omitting clinically relevant information from a medical record, e.g., for subsequent treatment of the patient, possibly by other health care professionals (e.g., emergency room personnel). Ignorance can be a precondition to harm
You are caring for and treating a 36-year-old married male for infertility. Your patient’s wife has been seen, on occasion, by one of your colleagues in your practice. In taking his sexual history, you elicit from your patient the information that he has periodic encounters with prostitutes and that he has, in fact, been treated on several occasions in the past for sexually transmitted disease. He acknowledges all of this and then adds worriedly “I trust that my medical records are seen by your eyes and your eyes only.” You say nothing in response, but you do feel compelled to describe the possible relationship between his history of STDs and his current problems with fertility.
- When your patient said, worriedly, “I trust that my medical records are seen by your eyes and your eyes only,” was there anything by way of a response that you should have said in return?
- Is there anything that you are obligated to do with the information that your patient has divulged to you about his sexual history, particularly about his encounters with prostitutes and his past infections with and treatment for infectious disease?
- Assume that you are talking with your colleague who has treated your patient’s wife. Should you say anything to her about your patient, his behavior, and his wife?
- Is there a conflict of obligations in this case? If so, why? If not, why not?
A provocative article on the presentation of confidentiality issues on ER can be found at http://www.bioethics.net/articles.php?viewCat=7&articleId=133
The Electronic Privacy Information Center has a comprehensive biography on confidentiality in health care at http://www.epic.org/privacy/medical/gellman.html
A good, brief summary of the confidentiality and privacy issues in health care can be found at http://www.uky.edu/Classes/PHI/305.002/conf.htm
The issue of adolescents, privacy and confidentiality is explored at http://www.theage.com.au/news/general/mind-your-own-medicine/2004/06/12/1086749940114.html
The Park Ridge Center for Health, Faith and Ethics is a good source of information on a range of topics in medical ethics, including the role of physicians as stewards of health information. See http://www.parkridgecenter.org/ethics_june03.html
The “myth of confidentiality” is exposed and explored at http://www.academyprojects.org/lerobe1.htm
The federal Agency for Health Research and Quality offers a comprehensive bibliography of resources on confidentiality at http://www.ahrq.gov/news/ulp/hcbiblio.htm
The various ways in which confidentiality can be breached in health care are explored at http://www.leaonline.com/doi/pdf/10.1207/S15327027HC1602_6?cookieSet=1