Confidentiality of Medical Records
A Situation Analysis and AHIMA's Position
[Chart: Flow of Patient Health Information Inside and Outside the Healthcare Industry (updated 2003)]
Every American, from the beginning of life to its end, enjoys a fundamental,
but not absolute, right to privacy that is deeply rooted in both tradition
and law. In no area is this right more cherished, or more unsettled, than
in protecting the confidentiality of identifiable personal health information,
as lawmakers, judges, and healthcare professionals struggle to balance
individual privacy interests against other strong societal interests.
The Hippocratic Oath, dating to the fourth or fifth century B.C., requires
physicians to keep secret all knowledge of individual patients "which
ought not to be spread abroad."1 In the modern world, however, the reality
is that health information is maintained by more than just the patient and physician.
Personal health information is maintained not only by physicians but
also in the records and/or databases of hospitals and clinics that provide
treatment or diagnostic services, laboratories that perform tests, pharmacies,
and insurance companies and managed care organizations to which claims
are submitted or coverage is made. In addition, personal health data frequently
is shared with universities and pharmaceutical companies for medical and
health-services research purposes.
Certain medical information, by law, also must be reported to state and
local governments, where it is maintained in databases. For instance,
U.S. jurisdictions typically require the reporting of venereal disease
to public health agencies, of child abuse to child welfare agencies, and
of injuries caused by firearms to law enforcement agencies.2
The flow of medical information carries numerous personal and societal
benefits. The ability to access medical records has saved the lives of
unconscious patients brought into hospital emergency rooms. Pharmacists
have detected dangerous, sometimes potentially lethal, drug combinations.
In the public health arena, computerized records have made possible the
prompt detection of infectious disease epidemics and enabled health authorities
to take emergency action. Researchers have used databases to analyze the
causes of illnesses, a process that, for instance, established the connection
between smoking and lung cancer.
On the other hand, the vast accumulations of personal medical data give
rise to serious privacy concerns as a result of the potential for misuse.
As a national magazine recently noted:
[I]t's hard to keep a secret if more than a couple of people are in
on it; in a typical five-day stay at a teaching hospital, as many as
150 people -- from nursing staff to X-ray technicians to billing clerks
-- have legitimate access to a single patient's records.3
Breaches of confidentiality, in fact, have been widespread, if not ubiquitous.
In some instances, breaches occur within the parameters of present law:
Pharmacies in some states legally sell individual prescription records
to pharmaceutical companies for use in marketing campaigns.4 A San Francisco
mailing list broker, in fact, sells the names of some 75,000 women who
suffer yeast infections and another 65,000 who suffer incontinence or
bladder-control problems for $130 per thousand names.5
Other breaches have been illegal: The medical records of a candidate
for Congress, indicating that she once had attempted suicide, were sent
to the New York Post on the eve of her primary election.6
A Colorado medical student sold patient records to lawyers soliciting
malpractice plaintiffs.7 A public health
worker in Florida carelessly leaked the names of 4,000 HIV-positive patients
to two newspapers.8
The collateral social consequences of improper or illegal dissemination
of personal health information are far more devastating than solicitations
from drug companies and malpractice lawyers. They include the denial of
such basic social rights as employment, insurance, healthcare, housing,
and education. The consequences of HIV/AIDS stigmatization have been particularly
As genetic testing becomes more common and as the potential dangers lurking
in DNA become better understood, the danger of illegal discrimination
against persons at risk of developing serious conditions is likely to
increase. A recent article in the Journal of the American Medical Association
Participants in genetic testing should be informed that the genetic
testing for cancer susceptibility may limit their ability to obtain
health, life, or disability insurance; may lead to limitations in health
insurance coverage; or may result in higher premiums for insurance products.
Participants also should be informed that genetic testing may pose a
risk to their present or future employment.9
The confidentiality of personal health information, thus, is an issue
that profoundly affects every American, and the fundamental question,
to quote U.S. Department of Health and Human Services Secretary Donna
E. Shalala, PhD, is: "Will our health records be used to heal us or reveal
In the months ahead, Congress will endeavor to meet a self-imposed deadline
of August 21, 1999, to enact comprehensive standards protecting the privacy
of individually identifiable health information. If Congress misses the
deadline, which was established by legislation popularly known as the
Kennedy-Kassebaum law,11 the Secretary
of Health and Human Services is required to promulgate standards by regulation.
On September 11, 1997, Secretary Shalala presented recommendations for
federal legislation to the Senate Committee on Labor and Human Resources
and observed, in accompanying testimony:
The computer revolution means that our deepest and darkest secrets
no longer exist in one place and can no longer be protected by simply
locking up the office doors each night.
And, revolutions in biology mean that a whole new world of genetic
tests have the potential to help either prevent disease or reveal our
families' most personal secrets. Because without safeguards that assure
citizens that getting tested won't endanger their families' privacy
or health insurance or jobs, we could, in turn, endanger one of the
most promising areas of research our nation has ever seen.
We are at a decision point. Depending on what we do over the next months,
these revolutions in healthcare, communications, and biology could bring
us great promise or even greater peril. The choice is ours. For example,
will healthcare information flow safely to improve care, cut fraud,
ensure quality, and reach citizens in under-served areas? Or will it
flow recklessly into the wrong hands?13
Current legal protections of the privacy of health information are fragmented
All 50 states provide statutory protection for personal health data maintained
by public agencies, but also permit disclosure for one or more purposes,
the most common of which are statistical evaluation, contact tracing of
persons diagnosed to have sexually transmitted and infectious diseases,
epidemiological investigations, and use in court pursuant to subpoena
or court order. However, only 42 states provide either criminal or civil
penalties for improper disclosure.14
On the federal level, the Privacy Act of 197415
provides limited protection against the disclosure by the government of
individual health records maintained by government agencies, such as the
Veterans Administration and the Department of Defense. But the act contains
a "routine use" exception that privacy advocates complain guts the protection.16
The Americans with Disabilities Act
of 1990 prohibits discrimination on the basis of a disability, including
HIV or AIDS, but does not directly protect privacy; rather it only provides
a remedy for discrimination based on breaches of confidentiality.17
The U.S. Supreme Court, in 1977 in its only major encounter with the
constitutional risks arising from the storage of health information in
government data banks, unanimously recognized a qualified constitutional
right to privacy of personal information that could reflect unfavorably
on an individual.18 However, at the
same time, the unanimous court upheld the constitutionality of a New York
statute requiring physicians to forward to the State Health Department
the name, age, and address of every patient obtaining certain dangerous,
yet legitimate, drugs.19
Of course, the constitutional protection of private information, such
as it is, applies only to violations by the government -- not by private
parties, who sometimes are responsible for the most intrusive invasions
The majority of states protects privately held medical information to
at least some extent. Thirty-six states impose a general duty upon physicians
to maintain patient confidentiality, and 26 of those extend that duty
to other healthcare providers. However, only four states have legislation
specifically extending the duty to insurers, and only nine impose restrictions
on employers.20 This patchwork of state
and federal laws obviously falls far short of providing consistent, comprehensive
protection of the privacy of health information nationwide.
Aside from legal shortcomings, first, in regulating what information
is available to whom and for what purposes and, second, in protecting
the security of databases containing personal health information, there
also is no standard legal mechanism allowing consumers to verify the accuracy
of their personal health information.
Accuracy is a huge issue. The Massachusetts-based Medical Information
Bureau, for example, a clearinghouse for some 750 insurers, has acknowledged
that as many as 3.5 percent of its approximately 15 million individual
files contain inaccurate information. Because the information relates
to life expectancy -- blood pressure, weight, and cholesterol level --
and is used by the insurers for underwriting purposes, inaccuracies may
result in a decision to deny coverage or charge higher rates.21
Yet, until the insurance industry reached a voluntary agreement with
the Federal Trade Commission in 1995 to inform applicants when a report
plays a role in the denial or rating of insurance, few consumers knew
that such reports existed. Those who might have known could not find out
what their reports said. Under the agreement, applicants receive notices
that they are entitled to a free copy of their reports and have 30 days
to request and verify that the information is correct.22
Employers, however, have no obligation to inform present or prospective
employees when medical information is used in making employment decisions.
Because most Fortune 500 companies are self-insured and, therefore, have
access to employees' prescription and other health records, unreliable
data may have serious consequences, but there presently is no mechanism
to allow employees or job applicants to review or correct the information.
To address the various health privacy issues, the Department of Health
and Human Services has developed proposed standards for the consideration
of Congress as it endeavors to meet the 1999 deadline set by the Kennedy-Kassebaum
law -- proposals designed, in the words of Secretary Shalala, to "strike
a balance between the privacy needs of our citizens and the critical needs
of our healthcare system."23
The proposed standards embody five principles that the American Health
Information Management Association (AHIMA), a professional association
representing 38,000 health information management professionals, believes
"comprise the exact formula necessary to protect the privacy of Americans
[and] place the needs of individuals ahead of powerful commercial interests
that use health information for purposes well outside the boundaries of
The first principle set forth by Secretary Shalala is that "With very
few exceptions, healthcare information about a consumer should be disclosed
for health purposes and health purposes only. It should be easy to use
it for those purposes, and very difficult to use it for other purposes."
In this regard, Secretary Shalala said, the legislation must include
requirements that persons who legally receive individual health information
take "real and reasonable steps" to safeguard it, ensuring that it is
not used improperly by those who have access to it and is not obtained
by "hackers or others on the outside." The steps, she added, should include
administrative and management techniques, education of employees, and
disciplinary sanctions against those who use individual health information
The second principle is that the legislation must contain technical security
safeguards for computerized data. These would include audit trails showing
who accessed data, facilitating the identification of, and thereby the
prosecution or other appropriate action against, anyone who may have used
health records for illegal or improper purposes.
The third principle is consumer access, an area in which state laws also
are inconsistent. All patients should be able to access their medical
records. They also should be able to find out who has access to them,
and how to inspect, copy, and, if necessary, correct them. Patients also
should have access to information about the laws, regulations, or policies
that protect their information. In her testimony before the Senate Committee
on Labor and Human Resources, Secretary Shalala cited the example of a
California woman who was denied disability and life insurance. The woman
discovered that the Medical Information Bureau had provided her prospective
insurers with information falsely indicating she suffered heart problems
and Alzheimer's disease. "What if she hadn't requested her records?" the
Secretary asked rhetorically.
The fourth principle is accountability, which is closely linked with
security and consumer control. Secretary Shalala called for criminal penalties
(fines and imprisonment) against those who breach security of personal
health information, and civil remedies (actual and punitive monetary damage
recoveries) for injured parties. The penalties, said the Secretary, should
be higher when violations are committed for monetary gain.
The fifth and final principle is public responsibility. In other words,
the legislation must balance personal privacy interests against the national
priorities of public health, research, and law enforcement. The free flow
of information, without patient authorization, is essential to the prompt
discovery, investigation, and intervention in public health crises, such
as the recent outbreak of E. coli in ground beef that resulted in the
largest recall of meat products in history.25 Patient consent should not
be required for the dissemination of personal health information for research
purposes, provided that the disclosures will not adversely affect the
rights or welfare of the patients and that the research would not be practical
if consent were required.
The principles outlined by Health and Human Services, of course, are
but a broad outline of a sensible public policy that, if codified, would
reasonably balance personal privacy interests and other important societal
Why All Types of Healthcare Should Be Treated the Same
Because the misuse of any individually identifiable medical information
is potentially destructive to the health and well-being of patients
-- sometimes leading to discrimination in employment, insurance,
and healthcare -- the American Health Information Management Association
(AHIMA) strongly believes that federal legislation must protect
all types of information equally.
As destructive as the unauthorized dissemination of genetic, psychiatric,
or HIV/AIDS information may be, for instance, the danger is no greater
than that relating to many other chronic conditions, such as heart
disease or cancer. Restricting the legitimate use of any type of
individual health data, however, could thwart one of the principal
purposes for which it is gathered -- research in pursuit of more
Thus, AHIMA believes that creating special categories of healthcare
information ultimately would be more dangerous than beneficial.
The remaining task for Congress, or for the Department of Health and
Human Services, should Congress fail to act before the Kennedy-Kassebaum
deadline, is to resolve such issues as whether national privacy standards
should preempt existing state legislation and whether genetic information
should be treated differently than other personal health information for
AHIMA is on record in support of federal preemptive health information
confidentiality legislation that protects all types of health information
State laws, as previously noted, are far from uniform. Protections regarding
the redisclosure of health information vary, depending on the type of
information and who holds it. Several years ago, the National Conference
of Commissioners on Uniform State Laws developed, with the cooperation
of AHIMA, a model state law designed to stimulate uniformity among the
states on healthcare information management issues. However, to date,
only two states, Montana and Washington, have enacted the model legislation.27
Modern realities, including the movement of patients and their healthcare
information across state lines, the exchange of such information through
automated databases, and the emergence of multi-state providers, simply
render anything less than federal standards impractical. The resolution
of these issues and others, in the context of the five principles advocated
by the Department of Health and Human Services, will result in a comprehensive
national standard that will at once enhance individual privacy, foster
research, and protect the public health.
AHIMA's Interest in Healthcare Privacy
Since its founding in 1928, the American Health Information Management
Association (AHIMA) has worked to protect the confidentiality of
individually identifiable health information.
AHIMA's 38,000 members are specialists who manage patient records
throughout the United States, handling millions of requests annually
for individual healthcare records from, among others, insurance
companies, employers, researchers, lawyers, and federal, state,
and local agencies.
Guided by the principle that confidentiality is essential in fostering
trust between patients and healthcare providers, AHIMA members are
committed to ensuring that patient records are disclosed only pursuant
to informed consent or pursuant to law -- a task that is complicated
by the lack of uniform national guidelines governing healthcare
In view of the facts that healthcare providers and payers operate
across state lines, that healthcare information is maintained in
databases accessible from any location, and that patients routinely
move from state to state, AHIMA believes there is a critical need
for federal legislation preempting current state laws, which are
inconsistent and sometimes conflicting.
AHIMA is committed to fair and reasonable healthcare information
practices embodying these principles:
Patient's right to know -- Each patient, directly or through
a representative, must have the right to know by whom and for what
purpose his or her healthcare information is maintained.
Restrictions on collection -- Individual healthcare information
must be collected only for legitimate purposes, such as medical
research, enhancing public health, and combating fraud.
Use of information -- Healthcare information must be used
only for necessary and lawful purposes.
Notification -- Any entity maintaining healthcare information
must prepare and make available to patients upon request a written
statement outlining its information practices.
Restriction -- Healthcare information must not be used for
purposes other than those for which it is collected, except as provided
Patient access -- Each patient, directly or through a representative,
must have access to his or her healthcare information and the right
to amend or correct it.
Safeguards -- Any entity maintaining individually identifiable
healthcare information must be required to implement reasonable
Penalties -- Both criminal and civil penalties must be provided
for persons who violate privacy laws and regulations.
Computer Records Are as Safe as Paper Records
Based on the day-to-day experience of its 38,000 members -- professionals
who handle millions of individual healthcare records each year --
the American Health Information Management Association (AHIMA) believes
that computer-based medical records need not compromise patients'
Because computerized records hold tremendous promise for improving
healthcare both for individuals and the general population, it would
be folly to unnecessarily limit their potential for facilitating
the development of new cures for chronic diseases and the prompt
identification of dangers to the public health.
However, in AHIMA's view, it is essential that standards be established
by federal law to guard against both the accidental and intentional
misuse of personal health data, whether maintained by the government
or the private sector. These must include data-security measures
limiting access to only persons and entities with clearly defined
and legitimate purposes for receiving it, mandatory education for
all who gather or use individual healthcare information, stringent
criminal and civil penalties for anyone who violates the standards,
and reasonable patient access to their own records.
Notes
1. Stedman's Medical Dictionary, 24th ed., Baltimore: Williams & Wilkins, 1982.
2. See Whalen v. Roe, 429 U.S. 589.
3. "Who's Looking at Your Files," Gorman, Time, May 6, 1996, p. 60, et seq.
4. "Gore to Announce 'Electronic Bill of Rights' Aimed at Privacy," Broder, The New York Times, May 14, 1998.
5. "They're Selling Your Secrets," Jay Greene, Orange County Register, Apr. 21, 1996, p. 1 et seq.
6. Goldman and Mulligan, Privacy and Health Information Systems: A Guide to Protecting Patient Confidentiality, Fairfax, VA: Center for Democracy & Technology, 1996, p. 3.
7. "Private Medical Records Make Public Rounds," Davis, USA Today, Apr. 27, 1998, p. 4D et seq.
8. "Medical Privacy Parameters for the Information Age," testimony of Sen. Patrick Leahy, Committee on Labor and Human Resources, Oct. 28, 1997.
9. "Genetic Testing for Cancer," Geller, et al., Journal of the American Medical Association, May 14, 1997.
10. Speech before the National Press Club, Washington, D.C., July 31, 1997. Text available at http://aspe.os.dhhs.gov/admnsimp/pvcmiles.htm.
11. The Health Insurance Portability and Accountability Act, Public Law 104-191, signed by the President, Aug. 21, 1996.
12. Id., Sect. 264.
13. Full text available at http://aspe.os.dhhs.gov/admnsimp/pvcmiles.htm.
14. Report to U.S. Centers for Disease Control, Gosin, Lazzarini, and Flaherty, "Legislative Survey of State Confidentiality Laws," June 1996.
15. 5 U.S.C.S. 552(a).
16. See Alderman and Kennedy, The Right to Privacy, New York: Alfred A. Knopf, 1995, p. 330.
17. 42 U.S.C.S. 121101 et seq. See also, supra note 15 at 143.
18. Whalen v. Roe, 429 U.S. 589 (1977).
19. Id. at 600.
20. Supra, note 14.
21. "Your Medical Records, Perhaps Your Most Personal Information, Also are the Most Vulnerable to Public Scrutiny," Jay Greene, Orange County Register, Apr. 24, 1996.
22. "Nation's Largest Insurance Reporting Agency Agrees to Expand Consumer Rights," Federal Trade Commission Bureau of Consumer Protection press release, June 21, 1995.
23. Supra, note 13.
24. "AHIMA Thanks HHS Secretary for Confidentiality Recommendations," press release reporting letter to Donna E. Shalala, PhD, from Linda L. Kloss, executive vice president and chief executive officer, American Health Information Management Assn., Aug. 7, 1997.
25. See "Company Agrees to Huge Recall of its Beef," Nancy Millman, Chicago Tribune, Aug. 22, 1997.
26. See statement of Kathleen A. Frawley, JD, MS, RRA, vice president, Legislative and Public Policy Services, American Health Information Management Assn., to task force on Health Records and Genetic Privacy, July 22, 1997.
27. See testimony of Merida L. Johns, PhD, RRA, president, American Health Information Management Assn., Subcommittee on Government Management, Information and Technology, Government Reform, and Oversight Committee, June 5, 1997.