Imagine sitting with your friends, enjoying dinner. Your friend Jane tells you that she is taking medication for depression after having an abortion. Jane then turns to another friend and announces that her husband has herpes. She leans across the table to inform another companion that her daughter is being treated for bulimia. She openly tells your hosts that her son is being counseled for substance abuse.
Few of us would discuss our medical problems so candidly. You would not want such information to be readily available to others, and there are laws and regulations that safeguard this information, though your specific rights may depend on the state in which you live and the circumstances of your situation.
Remember signing all those forms at the doctor’s office—the ones that allowed your doctor to share your medical information with the insurance company? Ever wonder who else gets to see that information? As patients, we often have to bare our souls, among other things, in order for doctors to properly diagnose us and to prescribe the correct treatment. Although a thorough medical examination is certainly needed to properly diagnose and treat us, the information it reveals is often very personal, sometimes embarrassing.
The fact is that dozens of doctors, nurses, secretaries, and other professionals in the health care field have legitimate access to this medical information. But what about that accountant at the insurance company? Your spouse? Your children? Your employer? You may be surprised to learn that many of those people have access to an amazing amount of information about you.
There are laws that protect your privacy, especially on the state level, but they vary considerably.
Your medical file contains
The wrong person can do a lot of damage with this information. In one instance, a Maryland banker sat on the state health commission. He got his hands on a list of cancer patients and compared that list with the loan records at his bank. He then called due any loans to individuals whose names were on the list of cancer patients.
According to one survey, one-third of human resources employees admitted to using medical or insurance records in deciding whom to hire, promote, or fire.
In another case, a company executive found out which employees were taking certain medications and realized that one employee in particular was taking a drug to fight AIDS. The executive then told co-workers. The employee sued the company, but the company won the case. Would you want your employer to know that you are taking birth control pills? Heart medication? Drugs for a sexually transmitted disease? Probably not, but it’s all in your file.
There is no outright guarantee of privacy under the Constitution. There is, though, an implied right to privacy under the Constitution that has been consistently expanded throughout the past thirty years. This is the right under which the United States Supreme Court placed a woman’s right to obtain an abortion. This privacy right was extended by the Court to individually identifiable medical data. This is any medical data by which someone could find out your name, address, or Social Security number.
A New York law required doctors to report to the state any person taking certain prescription drugs that could be sold by the patient for illegal use by others (such as morphine). The Court ruled that this did not violate the patient’s right to privacy because the state took sufficient security measures to protect the data. When deciding whether the state can get access to your medical data, a court will look at
TALKING TO A LAWYER
Access to Your Own File
Q. I asked my doctor for a hard copy of my medical file. My doctor told me that he is not required to provide me with a hard copy. What legal right do I have to a copy of my own file?
A. Medical records of your care and treatment are technically the property of the physician or health facility providing the care. Your right to access to your medical records is generally governed by your state’s laws. Most states have laws granting access to your own records. However, access is limited to the official record and does not include personal notes of the provider. Moreover, if the provider, to a reasonable degree of medical certainty, believes that access to such information will cause substantial harm to the patient, the provider may deny the request in whole or in part. You generally will have a right to appeal this denial to an outside agency; therefore, you should put your request in writing and further request that a written response be given if the provider does not honor your request.
In most cases providers will comply with your request. They may also require a reasonable fee for reproduction of such records.
Answer by Salvatore J. Russo, Executive Senior Counsel, New York City Health & Hospitals Corporation, New York, New York
There is no federal law at this point that comprehensively and specifically applies your right of privacy to individually identifiable medical information. (However, at present, each state has its own laws governing this information. Moreover, state lawmakers around the country are busily considering an array of proposed new laws, discussed later, to strengthen such protections.) There are also standards that all Medicare and Medicaid facilities must meet. And some federal privacy laws provide some protection of medical data, such as HIV status or psychiatric treatment. These are discussed in later chapters.
The Privacy Act of 1974 requires that government agencies act fairly when collecting, using, and releasing any information that identifies you. The agency collecting the data is required to notify you that information is being collected and why. You have the right to see this data and to correct any errors within it. The information may not be released to another person without your consent except in certain situations. Your consent is not required if the information is released for a reason that is compatible with the reason for which the information is collected in the first place. Any hospital or health care facility that is operated by the federal government or that maintains records under a government contract must follow the Privacy Act.
The Privacy Act does not protect data that is required to be released under the Freedom of Information Act. The Freedom of Information Act, though, grants an exception to some personal medical information. This information will not be released by the government agency if to do so would clearly violate your privacy.
Patient privacy is a major political issue right now, and legislators are in the process of trying to come up with a law that finds the right balance between your privacy rights and the rights of insurance companies, hospitals, and health care providers. These proposed laws typically grant you a clear right of privacy when it comes to your medical information. Some allow you to separate certain portions of your medical records, such as mental health information, from the rest of your record. Many of these proposed laws seek to give you the right to sue in civil court anyone who abuses your personal health information. Other proposals include criminal sanctions for breaches of patient confidentiality or misuse of personal medical information.
Proposed laws such as these will be on the agenda for federal and state legislators to consider for the next few years. The trend is to give you greater rights to privacy, although the penalties for violating your rights are uncertain.
Hospitals that participate in the Medicare program must comply with the Medicare Conditions of Participation for Hospitals. These conditions require that hospitals take certain steps to keep your information confidential. The hospital may release copies of your records only to authorized individuals, such as your doctor. The hospital must also take steps to make sure that unauthorized individuals cannot access your records. Furthermore, your original medical records cannot be released by the hospital except by court order, subpoena, or a state or federal law. In most cases where your records are released, the hospital will provide a certified copy of the record, which is accepted in lieu of the original.
For the most part, health care issues are deferred to each state, including the protection of medical data. The Tenth Amendment to the Constitution gives this power to the states. The result is that your right to privacy regarding your medical information depends in large part on where you live. State law protects your medical data through laws against invasion of privacy and the special duty your doctor has to keep your information confidential.
In short, the law recognizes that a special relationship exists between you and your doctor. Your doctor, as a medical professional, must protect that special relationship by acting in a way that is appropriate for the profession. This includes keeping your information confidential. Breach of patient confidentiality constitutes professional misconduct for licensed health care professionals. National and state medical associations have many guidelines as to what constitutes breach of confidentiality.
The patient-doctor relationship is also regulated by state statutes concerning professional misconduct. Laws against invasion of privacy protect you from a doctor who takes your personal information and gives it to the public. Some state laws provide criminal sanctions for breaches of patient confidentiality. Civil lawsuits for money damages may also be possible.
Some states consider the relationship between you and your doctor to be a contract. These states assume that any time you are treated by a doctor, that doctor enters into an unwritten contract with you and agrees to keep your information confidential unless you grant your permission to do otherwise. Patients are having more success with this contract theory than with invasion of privacy because rarely is medical data released openly to the public. Not all states recognize that a contract exists between you and your doctor, though.
Nearly every state already has laws dealing with privacy of medical records. Many are considering new legislation dealing with medical records, especially when it comes to keeping pace with developments on the information superhighway. The proposed legislation usually contains a common thread—hospitals and health care providers may not disclose your medical information to any unauthorized person. If your information is released, the punishment could be monetary fines or even imprisonment. Approximately ten states already have laws on the books that protect your personal data that is stored in the state’s databanks, including medical information. New York requires that insurance companies keep private any medical information received in order to make payments on claims.
Professional associations are not legal bodies that can make laws. However, they can come up with standards and require their members to adhere to those standards. Those standards are not laws but guidelines for you to use to determine whether your information is as secure as it could be. If a doctor or a hospital violates these standards, they may be subject to professional disciplinary procedures. State and federal laws are still needed to back those standards and to give you an opportunity to seek damages when your privacy is violated.
Many hospital administrators put their own procedures into place to ensure that your information stays private. One lawyer who worked as general counsel to a small Chicago hospital reports that both clinical and administrative hospital staff went to extraordinary lengths to ensure patient confidentiality. On more than one occasion, clinical staff members contacted her to inform her of possible breaches of patient confidentiality—in some instances reporting the behavior of persons who were senior to them.
In addition, a great number of hospitals belong to professional organizations or associations that obligate member hospitals to use caution when dealing with patient records. Additionally, the hospital may face tort liability (discussed in Chapter 17) for breaching patient confidentiality.
JCAHO furnishes standards to its member hospitals regarding patient confidentiality. The standards require that confidentiality and security of patient information are maintained. The hospital is supposed to design its computer system to allow for easy access to information by doctors and nurses while not compromising the confidentiality of your records. These standards are meant to ensure that your records are accessible when needed but that people who do not need to see your information are denied access. (This is where precautions such as passwords come into play.)
The AMA released a statement on medical information confidentiality. The statement recommends that only authorized personnel be allowed to enter medical information into a patient’s computerized medical record. The AMA also recommends that no information be released from the patient’s record without the patient’s permission. In addition, the AMA’s Code of Medical Ethics requires that doctors treat your information with the most confidentiality possible. The American Nurses Association follows a similar code of confidentiality.
Any time you enter a hospital or other medical facility, you automatically agree—whether you know it or not—to let anyone directly involved with your care see your medical record. This includes secretaries, nurses, interns, residents, doctors, nutritionists, pharmacists, and technicians. Obviously, it makes sense that anyone involved with your care have access to your medical information. (Medical researchers generally must obtain permission before getting access to your medical records.)
While providing access is necessary to provide you with the best treatment possible, it can be a bit unsettling to realize just how many people get to see your records.
There are three terms to keep in mind when it comes to medical information:
In everyday language these terms might seem interchangeable, but from a legal standpoint, they have distinct definitions.
Confidentiality means that a doctor should not reveal your personal information to anyone except those people who are caring for you. This duty is rooted in the Hippocratic Oath, which states in part: “Whatever, in connection with my professional practice, or not in connection with it, I see or hear in the life of men, which ought not to be spoken abroad, I will not divulge, as reckoning that all such should be kept secret.”
LEARNING THE LINGO
Confidentiality: Doctors should not reveal personal information of patients to anyone except those people involved in the care of the patients.
Confidentiality refers to your expectation that what you tell your doctor will not be repeated to anyone not involved in your treatment. It is your decision as to what other uses may be made of the information. It should be up to you whether your information is released to pharmaceutical companies, other patients, or anyone else not involved in your care.
The doctor-patient privilege means the doctor cannot disclose the patient’s personal information during a legal proceeding without the patient’s consent. This privilege is a right held by the patient, but not every state grants patients this right. Privilege can stop a doctor from giving the patient’s medical information to the court, but it does not prohibit a doctor from providing the information to the patient’s employer, insurance company, or other doctors. That ban comes from privacy and confidentiality rights. Privilege is not absolute. It may be overridden by a court order.
The right to privacy allows you
Unlike the doctor-patient relationship, in most locations there is no duty on the part of the insurance company to keep your personal information private. One employee of a large insurance company would reportedly look up the names of prospective dates on his computer, although he didn’t need access to that information to perform his job. He had access to millions of files. If he saw that a woman asked about or sought coverage for an abortion or for medications used to treat sexually transmitted diseases or substance abuse, he would refrain from asking her on a date. As insurance companies and health maintenance organizations (HMOs) merge and become linked, such renegade employees will have access to more information about more people.
TALKING TO A LAWYER
Law Enforcement
Q. My health plan is being investigated by the state attorney general’s office. Will they notify me before they look at my medical records?
A. In general, federal law at this time does not allow law enforcement officials to gain access to your medical records without your consent. (There is an exception for the Secret Service.) Law enforcement may, however, get a search warrant, court order, or subpoena in order to get access; but in that case you would be notified of their need to see your medical records. In cases of Medicare or Medicaid fraud, your medical records may be given to the investigating agency without notifying you. This is because the government is paying for the medical care on your behalf.
Answer by Cindy J. Moy, attorney and author, Golden Valley, Minnesota
In theory, you have the right to dictate which people can and cannot see your medical information. In the real world, doctors, nurses, and other health care workers have considerable discretion in releasing your personal information. For example, your doctor can decide to share your personal information with your spouse and close relatives, but only if the doctor believes in good faith that it is in your best interest.
When is such disclosure in your interest? The therapeutic privilege requires that a physician make a reasonable medical judgment that disclosure of the patient’s medical condition and obtaining an informed consent would cause an adverse and substantial effect on the patient’s medical condition. This is a rigorous standard rarely relied on by physicians.
If you are unconscious or unable to make decisions regarding your care, the doctor has the right to provide your family members with all the information necessary to make an informed decision on your behalf. Otherwise, doctors should use only very general terms, such as “stable,” when describing your condition.
Many people have anticipated that at some point in the future they might not be able to make decisions and have written and signed a living will, health care advance directive, or health care proxy. Through any of these devices, you can appoint a health care agent (sometimes called a health care power of attorney) to make decisions for you. If you have such a document, then that person alone is entitled to information regarding your medical condition. This subject is discussed further in Chapter 26.
Just as the law requires some information to be kept under wraps, it also requires doctors, nurses, and other health professionals to release information in certain circumstances. For instance, most states have laws requiring doctors to file birth and death certificates. Doctors are also usually required to report injuries caused by guns or sharp instruments, such as knives.
There is a duty to protect that is spelled out by law in many states. For instance, when child abuse is suspected, doctors, nurses, and other health professionals must report the abuse. The same is true for situations when a doctor or a therapist decides that the patient is a danger to others or to himself. If the doctor or therapist feels that disclosing the patient’s statements is necessary to protect the patient or a third person, the doctor or therapist must do so.
As an example of what can happen when this information is not shared, a patient told his therapist that he intended to kill his former girlfriend. The therapist believed the patient meant to kill the young woman but did not warn her or confine the boy to a mental institution. After the patient killed the girl, her parents sued the therapist. The therapist claimed the patient’s statements were confidential. Although that case was eventually settled out of court, cases such as this and statutes in many states now generally require doctors to warn those who are at risk of the patient’s violence or to take other reasonable steps, such as involuntary commitment of the patient or the notification of the police.
Many states require doctors to report cases of communicable diseases, including (but not limited to) smallpox, tuberculosis, pneumonia, measles, chicken pox, mumps, syphilis, gonorrhea, AIDS, and HIV. AIDS and HIV present a special challenge to patient privacy and confidentiality. This topic is covered more thoroughly in the section on AIDS and disabilities.
In general, confidentiality is needed so that people will be comfortable being tested for AIDS or HIV. That need for confidentiality must be balanced with the desire to protect others from contracting the disease. Although doctors in all states are required to report AIDS cases to state public health departments, states differ in how this information is used.
Medical information is commonly used in legal proceedings, even when a privilege exists between the doctor and the patient. Any time you make your health or physical condition the focus of a lawsuit, such as in a suit for worker’s compensation or for injuries from a car accident or medical malpractice and in some child custody cases, your doctor can be brought into court to testify about your medical condition.
A doctor is allowed to discuss a patient with health care professionals that are not involved in the patient’s care, but only if the patient consents or if the doctor doesn’t reveal the patient’s identity. In other circumstances, you have a right to maintain your privacy. For example, imagine that a doctor shows up to examine you—and is trailed by a group of medical students. You have the right to refuse to let the medical students watch your examination.
To a certain extent, you control what goes into your child’s medical record, particularly when your child is very young. If you do not tell the pediatrician that your child received medical treatment from an ophthalmologist or a chiropractor, the pediatrician will not be aware of that treatment.
The situation is very different for older children, who might be able to keep information from you. What happens when your child becomes a teenager? Do you still get to see your child’s medical information?
Once again, the law differs from state to state. Overall, states recognize that parents need to be able to give doctors medical information about their children before those children take medication or undergo surgery. In many states, though, such as Illinois, if your child becomes pregnant and asks for an abortion, you may no longer be given access to her medical records. In Montana, however, parents retain the right of access to a child’s medical records because her parents are considered to have the right to protect her from decisions she makes as a minor. Some states resolve the issue by letting the doctor decide whether it would be in the child’s best interest to let parents see the information.
Tell your doctor that you are concerned about who has access to your medical information. Ask her what steps are taken to keep that information confidential. Don’t let your concerns be brushed aside.
Take your time and read every form you are asked to sign at the doctor’s office or hospital. If you want insurance to pay your claim, you will have to sign the release form allowing the doctor to send your information to the insurance company. On the other hand, you can also specify that the doctor release only the specific information necessary to pay the claim—no more.
For particularly private or embarrassing medical issues, if possible, pay for the visit, medication, or therapy yourself so that the information will not be sent to the insurance company for reimbursement. This may seem unfair after paying insurance premiums, but it is the best way to keep the information out of your insurance company’s database.
Ask your doctor for the clinic’s or the hospital’s policy on discussing patients among the medical staff. Notice whether the staff discusses personal information of patients while at the nurses’ station, in the elevator, or in the cafeteria. In one situation, while sitting in a hospital visiting room with her young daughter, an attorney listened as four medical residents discussed in very unflattering terms the personal hygiene of a patient in the maternity ward. Report such breaches to your doctor and ask that the situation be corrected.
Do not discuss your medical concerns while talking on a cellular or cordless phone. A simple baby monitor will allow your neighbors to hear your conversation. Think twice before e-mailing an Internet discussion group and providing information about your medical history. This information can be traced back to you, compiled by the discussion group “host,” and sold to marketing companies.
If you believe your medical information is not being treated confidentially by medical staff members, discuss your concerns with your doctor. If you feel your doctor is violating your confidentiality or privacy, report the situation to a managing partner in the clinic or to the chief of staff—even doctors have bosses. You can also report the problem to your state’s medical licensing board and the local medical professional association. Both numbers are in your phone book.
The general rule is that you must consent before your medical information is released to another party, such as your insurance company. Some states have laws that allow your information to be released to any requesting party once you have signed a general release form. In other states your information may only be released to certain parties, such as your HMO or the department of health. Your consent will be required if you plan to submit claims to your insurance company. There are also special authorization forms for HIV and drug-treatment program information, which have further requirements.
Typically a release form will include:
Almost half of the states will take disciplinary action against a doctor if it is discovered that a doctor released confidential information without the patient’s consent. This may include revoking the doctor’s medical license, though reprimand is the more likely remedy. Remember, though, that the doctor may legally give your information to other health care professionals who are taking part in your medical care or to the state department of health if you suffer a knife or gunshot wound or have a communicable disease.
As part of an ongoing effort to reform managed health care, Congress continues to debate a federal Patient’s Bill of Rights. Both Republicans and Democrats agree that a bill of rights is needed, but they cannot seem to agree on what should be included. At a minimum, these proposed bills tend to include
In 1997, President Bill Clinton appointed the Advisory Commission on Consumer Protection and Quality in the Health Care Industry to research the question of how to provide quality health care for all Americans. To read the advisory commission’s report, visit the commission’s website at http://www.hcqualitycommission.gov/. A summary of the commission’s proposed patient’s bill of rights is available at http://www.hcqualitycommission.gov/press/cbor.html#head1. This summary goes into greater detail regarding the preceding list of rights.