February 1994
November 1997 (revised)
November 2004 (revised)
November 2009 (revised)
Statement of the Issue
Healthcare is among the most personal services rendered in our society; yet to deliver this care, scores of personnel must have access to intimate patient information. In order to receive appropriate care, patients must feel free to reveal personal information. In return, the healthcare provider must treat patient information confidentially and protect its security.
Maintaining confidentiality is becoming more difficult. While information technology can improve the quality of care through the instant retrieval and exchange of medical information by a greater number of people who can contribute to the care and treatment of a patient, it also can increase the risk of unauthorized use, access and disclosure of confidential patient information. Within healthcare organizations, personal information contained in medical records now is reviewed not only by physicians and nurses but also by professionals in many clinical and administrative support areas.
The need to protect patient confidentiality is evident in legal restrictions imposed by state laws and the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and as recently amended under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). Health information cannot be used or disclosed without proper authorization by patients or legal representatives except under very limited circumstances, such as to promote public health, protect children and spouses from abuse, or otherwise comply with certain laws.
While media representatives also seek access to health information, particularly when a patient is a public figure or when treatment involves legal or public health issues, the rights of individual patients must be protected. Society’s need for information rarely outweighs the right of patients to confidentiality.
In order to release patient information, healthcare executives must determine that patients or their legal representatives have consented to the release of information or that the use, access or disclosure sought falls within the exceptions that do not require the patient’s prior consent. Once health information is released, healthcare executives must keep records of most disclosures for review upon patient request.
Policy
Position
The American College of Healthcare Executives believes that in addition to following all applicable state laws and HIPAA, healthcare executives have a moral and professional obligation to respect confidentiality and protect the security of patients’ medical records. As patient advocates, executives must ensure their organization obtains proper patient authorization to release information or follow carefully defined policies and applicable laws in those cases for which the release of information without consent is indicated.
While the healthcare organization possesses the health record, outside access to the information in that record can be controlled by patients unless indicated otherwise by applicable laws and regulations. Organizations therefore must determine the appropriateness of all requests for patient information under applicable federal and state law and act accordingly.
In fulfilling their responsibilities, healthcare executives should seek to:
- Limit access to patient information to authorized individuals only.
- Ensure that institutional policies on confidentiality, security and release of information are consistent with regulations and laws.
- Educate healthcare personnel on confidentiality and data security requirements, take steps to ensure all healthcare personnel are aware of and understand their responsibilities to keep patient information confidential and secure, and impose sanctions for violations.
- Safeguard medical record files and computerized data with security and storage systems (including, if appropriate, the use of encryption) that protect against unauthorized use, access and disclosure and ensure data integrity and availability.
- Develop systems that enable organizations to track (and, if required, report) the use, access and disclosure of health records.
- Provide for appropriate disaster recovery.
- Establish guidelines for masking patient identifiers in committee minutes and other working documents in which the identity is not necessary.
- Establish policies and procedures to provide to the patient an accounting of uses and disclosures of the patient’s health information.
- Create guidelines for securing necessary permissions for the release of medical information for research, education, utilization review and other purposes.
- Adopt a specialized process to further protect sensitive information such as psychiatric records, HIV status, genetic testing information, sexually transmitted disease information or substance abuse treatment records.
- Identify special situations that require consultation with senior management prior to use or release of information.
- Obtain written agreements that detail the obligations of confidentiality and security for individuals, third parties and agencies that receive medical records information, unless the circumstances warrant an exception.
- Conduct due diligence on third parties who will receive medical records information, including a review of policies and procedures appropriate to the type of information they will possess. Ensure where applicable that such third parties adhere to the same terms and restrictions regarding protected health information applicable to the organization.
- Follow all applicable policies and procedures regarding privacy of patient information even if information is in the public domain.
- Adopt procedures to address patient rights to request amendment of medical records and other rights under the HIPAA Privacy Rule.
- Educate patients about organizational policies on confidentiality and use the notice of privacy practices as required by the HIPAA Privacy Rule.
- Establish adequate policies and procedures to ensure notification of the affected patient or organization without unreasonable delay, in the event of an occurrence of unauthorized use, access or disclosure of health information or of a security breach incident.
- In the event of a security breach, conduct a timely and thorough investigation and notify patients promptly if appropriate to mitigate harm in accordance with applicable state or federal law.
- Establish adequate policies and procedures to mitigate the harm caused by the unauthorized use, access or disclosure of health information to the extent required by state or federal law.
- Participate in the public dialogue on confidentiality issues such as employer use of healthcare information, public health reporting and appropriate uses and disclosures of information in health information exchanges.
The American College of Healthcare Executives urges all healthcare executives to maintain an appropriate balance between the patient’s right to confidentiality and the need to release information in the public’s interest in accordance with applicable state and federal law.
Approved by the Board of Governors of the American College of Healthcare Executives on November 16, 2009.