RM Services
Frequently Asked Questions
Office Practice Risk Evaluations
Arbitration
Self-Evaluation Toolkit
RM Articles
CAPsules Editions
CME Program/Schedule
RM Questions
RM Materials / Forms
RM Alerts
Case Of The Month - Past Issues

Patient Privacy:
Practical Tips to Avoid
Being Caught in a
Legal Crossfire
By Dan Groszkruger,
JD, MPH, Editor

As Congress debates various proposals to protect patient privacy, one thing is clear: physicians now are required to furnish more personal health information to more and more non-treating entities. At the same time, patients have more reasons to be concerned about safeguarding their privacy than ever before. Unless physicians take reasonable precautions to protect both patients and themselves, they risk being caught in the middle.

Keeping faith with their Hippocratic Oath, physicians must safeguard the information disclosed to them "in confidence" by their patients. At one time, protecting patient privacy meant avoiding gossip and securing medical records in a locked file cabinet. But, in our electronic Information Age, circumstances now have clearly changed. Confidential details about individual patients are routinely disclosed to a host of non-treating entities, including payers, employers, utilization reviewers, governmental agencies, and medical researchers. Access to timely, accurate and reliable health information is critical to improving the quality of medical care, controlling costs, improving access and protecting the public's health.

The patient's right to privacy, however, is in direct conflict with all these legitimate purposes. But, protecting patient privacy is critically important, both to respect the patient's rights and to preserve the integrity of the system. Unless patients know that confidential information will be safeguarded in the first place, they may fail to report altogether, or may provide incomplete, inaccurate or misleading information. In other words, patient privacy is just as necessary and important to quality healthcare as accurate reporting of health data.

Reasonable Precautions
1. Use Proper Forms:
State law requires that a "written authorization" for the release of records include: (1) the nature of information to be disclosed, (2) who is authorized to disclose, (3) to whom the information may be disclosed, (4) limitations on the use of such information, and (5) for how long the authorization will remain in effect. Do not treat every signed release form as a blanket authorization. Review the authorization forms used in your own office and determine if they are up to date. Older forms may lack specificity, or fail to include limitations on uses or duration of effect. Most important, examine release forms received from outside sources and insist that the minimum standards are met.

2. Avoid Giving Assurances of Privacy:
Sometimes patients are hesitant to sign medical record release forms and skeptical that their privacy will be respected. Sensitive information, including results of genetic tests, HIV status, mental health, and alcohol or substance abuse treatment, should be handled with care. Practically speaking, physicians cannot safeguard such information after it leaves their immediate control. Electronic storage and transfer of patient information has complicated the task of protecting privacy.

3. Secure Medical Records:
Some state laws, and most legislative proposals for future federal standards, require adequate security measures to safeguard privacy. Reasonable precautions include limiting access to medical records; instructing staff regarding the proper handling, duplication, distribution and destruction of confidential information; and taking care to avoid theft or unauthorized copying of medical information. Adopt your own office policy on the security of patient information and enforce it.