Robert L McCarthy

DOI: https://doi.org/10.1331/JAPhA.2008.07144

Abstract:Objective: To provide a brief introduction to the ethical and, to some extent, the legal issues surrounding patient privacy and confidentiality. Data synthesis: The privacy of patient medical records and patient confidentiality has moved to the forefront of ethical and legal issues in health care. Technological advances, the growth and expansion of managed care, the emergence of consumerism, and the dramatic increase in the number of individuals and organizations with access to or a need to access patient medical information have all contributed to patient concerns about who has access to their records and for what purposes. Conclusion: Questions of patient privacy and confidentiality are likely to remain at the forefront of health care ethics and law in the coming years. Health professionals, including pharmacists, have a greater responsibility than ever before to ensure that safeguards exist to prevent inappropriate access to patient information.

Lawrence Gostin

DOI: https://doi.org/10.7326/0003-4819-127-8_part_2-199710151-00050

IF: 39.2

1997-10-15

Annals of Internal Medicine

Abstract:During the early 1990s, the U.S. government addressed the issue of providing universal health care to all its citizens. Although this issue has not been completely resolved, centralization of electronic data and sharing of health care information among insurers and providers have been pursued. The emergence of electronic data banks in health care has raised another issue: each citizen's right to privacy compared with the collective benefit to society when critical data on quality assurance and scientific research are shared by an array of network users. The choices we face are difficult, and the solution may necessarily reflect a compromise that alters traditional beliefs in the right to personal privacy. However, Congress can take the initiative by enacting statutes to ensure that sensitive information contained in electronic patient records is not divulged without a patient's consent and is protected against fraudulent access and abuse.

medicine, general & internal

Julie Myers,Thomas R Frieden,Kamal M Bherwani,Kelly J Henning

DOI: https://doi.org/10.2105/AJPH.2006.107706

Abstract:Public health agencies increasingly use electronic means to acquire, use, maintain, and store personal health information. Electronic data formats can improve performance of core public health functions, but potentially threaten privacy because they can be easily duplicated and transmitted to unauthorized people. Although such security breaches do occur, electronic data can be better secured than paper records, because authentication, authorization, auditing, and accountability can be facilitated. Public health professionals should collaborate with law and information technology colleagues to assess possible threats, implement updated policies, train staff, and develop preventive engineering measures to protect information. Tightened physical and electronic controls can prevent misuse of data, minimize the risk of security breaches, and help maintain the reputation and integrity of public health agencies.

Ingrid Ann Whiteman

DOI: https://doi.org/10.1177/1477750915591293

2015-06-17

Clinical Ethics

Abstract:It is reasonable to consider and trust that information taken from us about our medical health and history will be protected by rules on confidentiality and consent. Apart from very rare cases, perhaps of major public interest or for public health reasons, this information will not be shared with others without our consent. However, both a number of reforms in National Health Service patient data management policy (now enshrined in legislation) and developments in the general law on privacy challenge this traditional view of our control and choice over our medical information, as this article will show. In doing so, it analyses the question as to whether in spite of the rhetoric do any of us now really have choice over the access to and use of our medical data? In reality, our choices are limited and in any relationship of trust and shared decision making this ought to be transparent.

Andrew D Feld

DOI: https://doi.org/10.1111/j.1572-0241.2005.50621.x

Abstract:The Health Insurance Portability and Accountability Act (HIPAA), and its final rule, raised fears among practitioners of new and complex regulations that might interfere with medical practice, lead to inadvertent liability and unwanted expense. It generated a dizzying set of health-care administrative activities and a new work for legal consultants. It has extensive scope, and includes most health plans and practitioners. It has regulated both privacy and security, including electronic, paper, and oral communications. However, after a HIPAA compliant office structure is established, and the privacy notice is reviewed and signed by the patient, disclosure of medical information for treatment, payment or "health-care operations" is permitted without recurrent consent forms, thus allowing substantially familiar patterns of doctor-to-doctor communication about treatment. Further, the initial approach to enforcement appears to some legal observers to be more likely corrective rather than punitive, although providers remain uneasy over the mere possibility of criminal penalties. As regards medical research, uncertainties about the application of HIPAA seem less resolved and more variably interpreted by different institutions, with ongoing fear in the research community that important public health and epidemiologic research activity may be compromised by well meaning IRBs using inconsistent, overly strict or erroneous interpretation of the intent of HIPAA regulations.

Jennifer Skarda-McCann

2006-06-22

Abstract:I. INTRODUCTION Using personal medical and financial information to blackmail unsuspecting individuals may sound like the plotline to a conspiracy theory movie. In reality, it may also be a consequence of the practice of outsourcing electronic data to foreign countries for business processing. Since the fall of 2003, major newspapers have reported at least two instances of threats by foreign medical record transcriptionists to release patients' medical information via the Internet. (1) On October 7, 2003, a medical transcriptionist in Karachi, Pakistan, sent an email message to the University of California San Francisco Medical Center ("UCSF"), demanding payment for her work, with patient files attached. (2) In a similar incident only a few weeks later, Heartland Information Services ("Heartland"), an Ohio-based company, received an email message from its own employees in Bangalore, India, who attempted to extort money by threatening to reveal confidential material. (3) The average patient would not normally know if her medical information was transmitted abroad following a hospital visit. Transcription of medical records generally is classified as one of the operations for which health care providers can disclose individuals' information without meeting the statutory requirement of obtaining consent. (4) Sometimes medical records awaiting transcription are forwarded, without the knowledge of the health care provider, to several different individuals through subcontracted relationships. For example, in the UCSF incident, the medical center had outsourced its medical record transcription to a California-based company, which in turn had subcontracted with an individual in Florida. (5) Against the terms of her original contract with the California-based firm, the subcontractor in Florida had subcontracted work to an individual in Texas, who, unbeknownst to her, had solicited work from the freelance transcriptionist in Karachi. (6) On the other hand, some health care providers knowingly outsource their records transcription to companies that use overseas employees to complete the work. (7) Heartland's extortion threat is perhaps more alarming than the UCSF incident because, while its clients knew their work was being sent overseas, the company never informed them of this incident. (8) Moreover, the company's representative failed to mention the incident during his appearance at a hearing before state legislators in California on the subject of industry safeguards to protect outsourced information. (9) Although the Supreme Court has implied that it might recognize a right to privacy of personal information, (10) the current legal environment provides limited remedies to those whose privacy rights are transgressed. (11) In the face of a technological world advancing at a rapid rate, legislative action is the only way to guarantee individuals protection of their private information. However, legislators fear that adequate privacy protections will only be implemented as a result of some future scandal. (12) Privacy rights experts warn that just such a scandal is on the horizon. (13) This article addresses the threat of disclosure to consumers' private, personal information due to the increasing practice of outsourcing business processes to foreign companies. By way of introduction, it examines the trend of outsourcing: what jobs are commonly outsourced, in which industries, and the reasons why the practice has become increasingly common in the global economy. The article continues by describing the kinds of personal information that are commonly shared in outsourcing practices and examines two industries in depth: Internet-based loan processing and medical record transcription. To analyze consumer rights and remedies in this context, the article considers the notion of a right to privacy in one's personal information, and then discusses federal statutes and case law which may enable such a right, in particular, the Health Insurance Portability and Accountability Act of 1996 (14) and the Gramm Leach-Bliley Act. …

Engineering,Law

Christine M O'Keefe,Donald B Rubin,Christine M. O'Keefe,Donald B. Rubin

DOI: https://doi.org/10.1002/sim.6543

2015-06-05

Statistics in Medicine

Abstract:Health and medical data are increasingly being generated, collected, and stored in electronic form in healthcare facilities and administrative agencies. Such data hold a wealth of information vital to effective health policy development and evaluation, as well as to enhanced clinical care through evidence-based practice and safety and quality monitoring. These initiatives are aimed at improving individuals' health and well-being. Nevertheless, analyses of health data archives must be conducted in such a way that individuals' privacy is not compromised. One important aspect of protecting individuals' privacy is protecting the confidentiality of their data. It is the purpose of this paper to provide a review of a number of approaches to reducing disclosure risk when making data available for research, and to present a taxonomy for such approaches. Some of these methods are widely used, whereas others are still in development. It is important to have a range of methods available because there is also a range of data-use scenarios, and it is important to be able to choose between methods suited to differing scenarios. In practice, it is necessary to find a balance between allowing the use of health and medical data for research and protecting confidentiality. This balance is often presented as a trade-off between disclosure risk and data utility, because methods that reduce disclosure risk, in general, also reduce data utility.

public, environmental & occupational health,medicine, research & experimental,medical informatics,mathematical & computational biology,statistics & probability

D Y Dodek,A Dodek

1997-03-15

CMAJ

Abstract:Although patient confidentiality has been a fundamental ethical principle since the Hippocratic Oath, it is under increasing threat. The main area of confidentiality is patient records. Physicians must be able to store and dispose of medical records securely. Patients should be asked whether some information should be kept out of the record or withheld if information is released. Patient identity should be kept secret during peer review of medical records. Provincial legislation outlines circumstances in which confidential information must be divulged. Because of the "team approach" to care, hospital records may be seen by many health care and administrative personnel. All hospital workers must respect confidentiality, especially when giving out information about patients by telephone or to the media. Research based on medical-record review also creates challenges for confidentiality. Electronic technology and communications are potential major sources of breaches of confidentiality. Computer records must be carefully protected from casual browsing or from unauthorized access. Fax machines and cordless and cellular telephones can allow unauthorized people to see or overhear confidential information. Confidentiality is also a concern in clinical settings, including physicians' offices and hospitals. Conversations among hospital personnel in elevators or public cafeterias can result in breaches of confidentiality. Patient confidentiality is a right that must be safeguarded by all health care personnel.

Robin Fretwell Wilson

Abstract:Medical ethics evolved over the past half-century. This brought close reexamination and scrutiny of medical education and the "hands-on training" of future medical practitioners. Likewise societal opinions have intensified regarding the rights of patients, especially those deemed less likely to express their humiliation if they should discover themselves in compromising positions during treatment. Informed consent is modern medico-legal terminology; if the public felt that all patients were treated with the self-determination and dignity required by current HIPAA regulations, then there would be no reason to legislate such requirements. Law professor Robin Fretwell Wilson, Esq., and obstetrics and gynecology professor Nancy G. Chescheir, MD, present evidence and opinions from the legal and medical perspectives regarding conducting pelvic exams on anesthetized women without or with vague consent.

Yawen Guo,Rachael Zehrung,Katie Genuario,Xuan Lu,Qiaozhu Mei,Yunan Chen,Kai Zheng

2023-11-20

Abstract:Abortion is a controversial topic that has long been debated in the US. With the recent Supreme Court decision to overturn Roe v. Wade, access to safe and legal reproductive care is once again in the national spotlight. A key issue central to this debate is patient privacy, as in the post-HITECH Act era it has become easier for medical records to be electronically accessed and shared. This study analyzed a large Twitter dataset from May to December 2022 to examine the public's reactions to Roe v. Wade's overruling and its implications for privacy. Using a mixed-methods approach consisting of computational and qualitative content analysis, we found a wide range of concerns voiced from the confidentiality of patient-physician information exchange to medical records being shared without patient consent. These findings may inform policy making and healthcare industry practices concerning medical privacy related to reproductive rights and women's health.

Human-Computer Interaction

Peter Angelos

DOI: https://doi.org/10.1016/j.thorsurg.2005.06.006

Abstract:HIPAA regulations have been seen by many physicians as providing innumerable administrative hoops that require jumping through with no clear benefit for individual patients. Although this article has not comprehensively explored the requirements of HIPAA regulations, it has focused on the issues of "incidental disclosures" that are so important to the daily interactions of physicians and patients. Through the use of illustrative cases, it has been shown that HIPAA regulations frequently are based on well-accepted ethical principles. Although one should never conclude that changing something from an ethical responsibility to a legal responsibility makes it more important, there is no question that HIPAA regulations have forced physicians to consider more carefully how confidential information may be transmitted to others. As such, physicians should look on HIPAA regulations as largely supporting the use of professional judgment in providing good quality medical care. Although not all aspects of HIPAA are grounded in ethical practices, the overall thrust of the HIPAA regulations is consistent with the ethical practice of medicine and surgery. As a result of this general alignment of the legal and ethical requirements, more attention should be directed by physicians at using good judgment in deciding how to disclose private information, rather than adopting an unreasonable approach that confidentiality may never be breached. As Lo and colleagues have very appropriately pointed out: In the context of inadvertent disclosure, the legal risks of good practice are very low. Physicians should work with risk managers and practice administrators to develop policies that promote good communication in patient care, while taking appropriate steps to protect patient privacy. By adopting such an approach to HIPAA, physicians can abide by the regulations while maintaining high ethical standards and minimizing the impact of the new requirements on physician-patient relationships.

Judith A Wiener,Anne T Gilliland

DOI: https://doi.org/10.3163/1536-5050.99.1.005

Abstract:Objective: The investigation provides recommendations for establishing institutional collection guidelines and policies that protect the integrity of the historical record, while upholding the privacy and confidentiality of those who are protected by Health Insurance Portability and Accountability Act (HIPAA) or professional ethical standards. Methods: The authors completed a systematic historical investigation of the concepts of collection integrity, privacy, and confidentiality in the formal and informal legal and professional ethics literature and applied these standards to create best practices for institutional policies in these areas. Results: Through an in-depth examination of the historical concepts of privacy and confidentiality in the legal and professional ethics literature, the authors were able to create recommendations that would allow institutions to provide access to important, yet sensitive, materials, while complying with the standards set by HIPAA regulations and professional ethical expectations. Conclusion: With thoughtful planning, it is possible to balance the integrity of and access to the historical record of sensitive documents, while supporting the privacy protections of HIPAA and professional ethical standards. Although it is theorized that collection development policies of institutions have changed due to HIPAA legislation, additional research is suggested to see how various legal interpretations have affected the integrity of the historical record in actuality.

Sharona Hoffman,Andy Podgurski

DOI: https://doi.org/10.1111/jlme.12040

2013-01-01

Journal of Law, Medicine and Ethics

Abstract:The accelerating adoption of electronic health record (EHR) systems will have profound impacts on clinical care. It will also have far-reaching implications for public health research and surveillance, which in turn could lead to changes in public policy, statutes, and regulations. The public health benefits of EHR use can be significant. However, researchers and analysts who rely on EHR data must proceed with caution and understand the potential limitations of EHRs. Much has been written about the risk of EHR privacy breaches. This paper focuses on a different set of concerns, those relating to data quality. Unlike clinical trial data, EHR data is not recorded primarily to meet the needs of researchers. Because of clinicians’ workloads, poor user-interface design, and other factors, EHR data is surprisingly likely to be erroneous, miscoded, fragmented, and incomplete. Although EHRs eliminate the problem of cryptic handwriting, other kinds of errors are more common with EHRs than with paper records.

Brian R Jackson,Bonnie Kaplan,Richard Schreiber,Paul R DeMuro,Victoria Nichols-Johnson,Larry Ozeran,Anthony Solomonides,Ross Koppel

DOI: https://doi.org/10.1055/a-2432-0329

2024-10-03

Abstract:Objectives: Empirically investigate current practices and analyze ethical dimensions of clinical data sharing by healthcare organizations for uses other than treatment, payment, and operations. Make recommendations to inform research and policy for healthcare organizations to protect patients' privacy and autonomy when sharing data with unrelated third parties. Methods: Semi-structured interviews and surveys involving 24 informatics leaders from 22 US healthcare organizations, accompanied by thematic and ethical analyses. Results: We found considerable heterogeneity across organizations in policies and practices. Respondents understood "data sharing" and "research" in very different ways. Their interpretations of these terms ranged from making data available for academic and public health uses, and to HIEs; to selling data for corporate research, to contracting with aggregators for future resale or use. The nine interview themes were that healthcare organizations: (1) share clinical data with many types of organizations, (2) have a variety of motivations for sharing data, (3) do not make data sharing policies readily available, (4) have widely varying data sharing approval processes, (5) most commonly rely on HIPAA de-identification to protect privacy, (6) were concerned about clinical data use by electronic health record vendors, (7) lacked data sharing transparency to the general public, (8) allowed individual patients little control over sharing of their data, and (9) had not yet changed data sharing practices within the year following the US Supreme Court 2022 decision denying rights to abortion. Conclusions: Our analysis identified gaps between ethical principles and healthcare organizations' data sharing policies and practices. To better align clinical data sharing practices with patient expectations and biomedical ethical principles, we recommend: updating HIPAA, including re-identification and upstream sharing restrictions in data sharing contracts, better coordination across data sharing approval processes, fuller transparency and opt-out options for patients, and accountability for data sharing and consequent harms.

Nicolas Terry

DOI: https://doi.org/10.1378/chest.13-2909

IF: 9.6

Chest

Abstract:In the 13 years since their promulgation, the Health Insurance Portability and Accountability Act (HIPAA) rules and their enforcement have shown considerable evolution, as has the context within which they operate. Increasingly, it is the health information circulating outside the HIPAA-protected zone that is concerning: big data based on HIPAA data that have been acquired by public health agencies and then sold; medically inflected data collected from transactions or social media interactions; and the health data curated by patients, such as personal health records or data stored on smartphones. HIPAA does little here, suggesting that the future of health privacy may well be at the state level unless technology or federal legislation can catch up with state-of-the-art privacy regimes, such as the latest proposals from the European Commission.

Rebecca R. Lee,Janet E. McDonagh,Albert Farre,Sarah Peters,Lis Cordingley,Tim Rapley

DOI: https://doi.org/10.1111/1467-9566.13408

2021-11-23

Abstract:With the most recent developments to the European General Data Protection Regulations (GDPR) introduced in May 2018, the resulting legislation meant a new set of considerations for study approvers and health-care researchers. Compared with previous legislation in the UK (The Data Protection Act, 1998), it introduced more extensive and directive principles, requiring anybody 'processing' personal data to specifically define how this data will be obtained, stored, used and destroyed. Importantly, it also emphasised the principle of accountability, which meant that data controllers and processors could no longer just state that they planned to adhere to lawful data protection principles, they also had to demonstrate compliance. New questions and concerns around accountability now appear to have increased levels of scrutiny in all areas of information governance (IG), especially with regards to processing confidential patient information. This article explores our experiences of gaining required ethical and regulatory approvals for an ethnographic study in a UK health-care setting, the implications that the common law duty of confidentiality had for this research, and the ways in which IG challenges were overcome. The purpose of this article was to equip researchers embarking on similar projects to be able to navigate the potentially problematic and complex journey to approval.

public, environmental & occupational health,social sciences, biomedical,sociology

Mark A. Rothstein

DOI: https://doi.org/10.1111/jlme.12178

2014-01-01

Journal of Law, Medicine and Ethics

Abstract:In the United States the delivery of health care traditionally has been hierarchical and strictly controlled by physicians. Physicians typically provided patients with little information about their diagnosis, prognosis, and treatment plan; patients were expected to follow their physicians’ orders and ask no questions. Beginning in the 1970s, with the widespread adoption of the doctrine of informed consent to treatment, the physician-patient relationship began to be more collaborative, although the extent of the change has been subject to debate. At a minimum, physicians began to give patients more information and asked them to consent to recommended treatment, the therapeutic privilege to withhold information from patients lost support and eventually was repudiated, and physicians embraced — at least in theory — a more patient-centered conception of health care. More recently, health care and health promotion activities have moved beyond clinical encounters and the strict confines of physician-patient interactions.

Bridget C Calhoun,Joan M Kiel,Allison A Morgan

DOI: https://doi.org/10.1097/JPA.0000000000000215

Abstract:Students enrolled in medical schools, nursing schools, and physician assistant (PA) programs are required to have instruction on patient privacy and protection of health-related information. The medical literature has several examples of breaches of patient privacy by clinicians, which likely represents only a fraction of the violations that occur. Patient privacy and the protection of health-related information constitute both an ethical issue and a legal issue and are associated with significant consequences. Medical, PA, and allied health students are required to comply with the same federal laws related to patient privacy and confidentiality as licensed professionals. Universities must work diligently to create a culture in which students are taught about the legal requirements of the federal Health Insurance Portability and Accountability Act (HIPAA) and are held accountable for compliance with such requirements. The Health Insurance Portability and Accountability Act must be considered part of standard classroom instruction and be embedded and upheld at all clinical training sites. We present a series of 7 HIPAA violations by PA students, along with a brief description of the HIPAA provisions associated with each case. These real-life examples provide a comprehensive overview of important HIPAA components and illustrate how easily violations can occur in clinical settings.

A W Shuren,K Livsey

Abstract:The Privacy Rule: Limits the use and disclosure of PHI to purposes of treatment, payment, or routine health care operations. Requires covered entities to provide advance notice to the public of its policy governing disclosure of PHI. Requires entities covered by the Standard to secure general client consent to use and to disclose PHI for treatment, payment, or routine health care operations and to obtain specific client authorization to use or to disclose PHI for all other purposes unless the disclosure is specifically permitted without consent or authorization (e.g., a covered entity may disclose PHI to a health care oversight agency such as the Office of the Inspector General without first obtaining client authorization). In certain situations, a covered entity need only obtain client agreement to disclose PHI which may be oral or inferred from the circumstances surrounding the disclosure. For example, a covered entity could disclose PHI to a relative caring for the individual who is the subject of the health information. Expects covered entities to take measures to protect PHI from both inadvertent and deliberate misuse and disclosure. Requires, except in certain circumstances, the amount of PHI disclosed on any occasion to be limited to the minimum necessary to achieve the purpose of the disclosure. Gives individuals more control of their health information by permitting them to review and amend health information pertaining to themselves and to demand an accounting of persons to whom their health information has been disclosed. Establishes terms under which a covered entity may disclose PHI to a business associate. Permits states to maintain state laws that are more stringent than the Privacy Rule. The statute provides for significant civil and criminal penalties for failure to comply with the Standards. Violations are punishable by fines as much as $250,000 and 10 years imprisonment. The HHS, Office of Civil Rights is charged with enforcing the Standards. The HHS is expected to issue a single Enforcement Rule applicable to all three of the HIPAA Administrative Simplification Standards. Many worksite records will not be protected under the HIPAA Privacy Rule because employers are not covered entities and few occupational health professionals meet the criteria of being considered a covered entity. Nevertheless, occupational health professionals need to be knowledgeable about the application of HIPAA in the occupational health care setting. Furthermore, given that the Rule does not preempt state privacy laws that are more stringent than the Standards, occupational health professionals should monitor legislative activity related to privacy in the states in which they practice. To date, Oregon, Texas, and New Jersey have broadened HIPAA's definitions to create more covered entities and services.

Jean V McHale,June Jones

DOI: https://doi.org/10.1136/jme.2010.041186

2011-06-27

Journal of Medical Ethics

Abstract:The precise nature and scope of healthcare confidentiality has long been the subject of debate. While the obligation of confidentiality is integral to professional ethical codes and is also safeguarded under English law through the equitable remedy of breach of confidence, underpinned by the right to privacy enshrined in Article 8 of the Human Rights Act 1998, it has never been regarded as absolute. But when can and should personal information be made available for statistical and research purposes and what if the information in question is highly sensitive information, such as that relating to the termination of pregnancy after 24 weeks? This article explores the case of In the Matter of an Appeal to the Information Tribunal under section 57 of the Freedom of Information Act 2000, concerning the decision of the Department of Health to withhold some statistical data from the publication of its annual abortion statistics. The specific data being withheld concerned the termination for serious fetal handicap under section 1(1)d of the Abortion Act 1967. The paper explores the implications of this case, which relate both to the nature and scope of personal privacy. It suggests that lessons can be drawn from this case about public interest and use of statistical information and also about general policy issues concerning the legal regulation of confidentiality and privacy in the future.

ethics,medical ethics,social issues,social sciences, biomedical