Health Information Confidentiality


February 1994
November 1997 (revised)
November 2004 (revised)
November 2009 (revised)
November 2012 (revised)
November 2016 (revised)

Statement of the Issue

Healthcare is among the most personal services rendered in our society; yet to deliver this care, scores of personnel must have access to intimate patient information. In order to receive appropriate care, patients must feel free to reveal personal information. In return, the healthcare provider must treat patient information confidentially and protect its security.

All that being said, healthcare requires immediate access to the information needed to deliver appropriate, safe and effective patient care. All providers must be ever-vigilant in balancing the need for privacy against this need for access.

Maintaining confidentiality is becoming more difficult. Information technology can improve the quality of care by enabling instant retrieval of and access to information through various means, including mobile devices, and by allowing more rapid exchange of medical information among the greater number of people who contribute to the care and treatment of a patient. At the same time, it can increase the risk of unauthorized use, access and disclosure of confidential patient information. Within healthcare organizations, personal information contained in medical records is now reviewed not only by physicians and nurses but also by professionals in many clinical and administrative support areas.

The obligation to protect the confidentiality of patient health information is imposed in every state by that state's own law, as well as by the minimum requirements established under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and expanded under the HIPAA Omnibus Rule (2013). It is imperative that all readers consult their own state patient privacy law to ensure compliance with that law, as ACHE does not intend to provide specific legal guidance involving any state legislation. When consulting their own state law, all providers should also confirm state licensing laws, Joint Commission rules, accreditation standards, and other authority attaching to patient records. All of these will be referred to collectively as "State Law" for the remainder of this Policy Statement.

Protected health information (PHI) can be used or disclosed by covered entities and their business associates (subject to the required Business Associate Agreements being in place) for treatment, payment or healthcare operations activities and other limited purposes, and as a "permissive disclosure," as long as the patient has received a copy of the provider's Notice of Privacy Practices, has signed an acknowledgment of that Notice, the release does not involve mental health records, and the disclosure is not otherwise prohibited under state law. All providers should be sure their Notice of Privacy Practices meets the multiple standards under HIPAA, as well as any pertinent state law.

Mental health records are included among the releases that require a patient's specific consent (their "Authorization") for disclosure, as are any disclosures that are not related to treatment, payment or operations, such as marketing materials. All providers should be sure their Authorization form meets the multiple standards under HIPAA, as well as any pertinent state law.

While media representatives also seek access to health information, particularly when a patient is a public figure or when treatment involves legal or public health issues, healthcare providers must protect the rights of individual patients and may only disclose limited directory information to the media. Society's need for information rarely outweighs the right of patients to confidentiality.

In order to disclose patient information, healthcare executives must determine that patients or their legal representatives have authorized the release of information, or that the use, access or disclosure sought falls within the permitted purposes that do not require the patient's prior authorization. Healthcare executives must implement procedures and keep records that enable them to "account" for disclosures that require authorization, as well as most disclosures that are for a purpose other than treatment, payment or healthcare operations activities. Patients have the right to request and receive an accounting of these accountable disclosures under HIPAA or relevant state law.


Policy Position

The American College of Healthcare Executives believes that in addition to following all applicable state laws and HIPAA, healthcare executives have a moral and professional obligation to respect confidentiality and protect the security of patients' medical records while also protecting the flow of information as required to provide safe, effective medical care to that patient. As patient advocates, executives must ensure their organizations obtain proper patient acknowledgement of the Notice of Privacy Practices to assist in the free flow of information between providers involved in a patient's care, while also being confident they are meeting the requirements for a higher level of protection under an "authorized" release as defined by HIPAA and any relevant state law.

While the healthcare organization possesses the health record, outside access to the information in that record must be in keeping with HIPAA and state law, recognizing which disclosures fall outside the permissive disclosures defined above and may therefore require further patient involvement and decision making. Organizations must determine the appropriateness of all requests for patient information under applicable federal and state law and act accordingly.

In fulfilling their responsibilities, healthcare executives should seek to:
  • Limit access to patient information to providers involved in the patient's care.
  • Determine disclosures beyond the treatment team on a case-by-case basis, as determined by their inclusion under the Notice of Privacy Practices or as an Authorized Disclosure under the law.
  • Ensure that institutional policies and practices with respect to confidentiality, security and release of information are consistent with regulations and laws.
  • Educate healthcare personnel on confidentiality and data security requirements, take steps to ensure all healthcare personnel are aware of and understand their responsibilities to keep patient information confidential and secure, and impose sanctions for violations.
  • Implement technical (which in most cases will include the use of encryption under the supervision of appropriately trained HIT personnel), administrative and physical safeguards to protect electronic medical records and other computerized data against unauthorized use, access and disclosure and reasonably anticipated threats or hazards to the confidentiality, integrity and availability of such data.
  • Conduct periodic data security audits and risk assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic data, at the frequency required under HIPAA and related federal legislation, state law, and HIT best practices.
  • Develop systems that enable organizations to track (and, if required, report) the use, access and disclosure of health records that are subject to accounting.
  • Provide for appropriate disaster recovery, business continuity and data backup.
  • Establish guidelines for "sanitizing records" (masking multiple patient identifiers as defined under HIPAA so the patient may not be identified) in committee minutes and other working documents in which the identity is not a permissible disclosure.
  • Establish policies and procedures to provide to the patient an accounting of uses and disclosures of the patient's health information for those disclosures falling under the category of "accountable."
  • Create guidelines for securing necessary permissions for the release of medical information for research, education, utilization review and other purposes.
  • Adopt a specialized process to further protect sensitive information such as psychiatric records, HIV status, genetic testing information, sexually transmitted disease information or substance abuse treatment records under "Authorization" as defined by HIPAA and state law.
  • Identify special situations that require consultation with the designated Privacy or Security Officer and/or senior management prior to use or release of information.
  • Obtain Business Associate Agreements with any third party that must have access to patient information to do its job and that is not an employee or already covered under the law, and further detail the obligations of confidentiality and security for individuals, third parties and agencies that receive medical records information, unless the circumstances warrant an exception.
  • Appropriately complete Business Associate Agreements, including due diligence on third parties who will receive medical records information and other personal information, including a review of policies and procedures appropriate to the type of information they will possess. Ensure where applicable that such third parties adhere to the same terms and restrictions regarding PHI and other personal information as are applicable to the organization. Update all Business Associate Agreements annually.
  • Follow all applicable policies and procedures regarding privacy of patient information even if information is in the public domain.
  • Adopt procedures to address patient rights to request amendment of medical records and other rights under the HIPAA Privacy Rule.
  • Adopt a notice of privacy practices as required by the HIPAA Privacy Rule and have it prominently posted as required under the law; provide all patients with a copy as they desire; include a digital copy in any electronic communication and on the provider's website [if any]; and regardless of how the distribution occurred, obtain sufficient documentation from the patient or their legal representative that the required notice procedure took place.
  • Review applicable state and federal law related to the specific requirements for breaches involving PHI or other types of personal information. Establish adequate policies and procedures to properly address these events, including notice to affected patients, HHS if the breach involves 500 patients or more, and state authorities as required under state law.
  • In the event of a security breach, conduct a timely and thorough investigation and notify patients promptly (and within the timeframes required under applicable state or federal law) if appropriate to mitigate harm, in accordance with applicable law.
  • Establish adequate policies and procedures to mitigate the harm caused by the unauthorized use, access or disclosure of health information to the extent required by state or federal law.
  • Participate in the public dialogue on confidentiality issues such as employer use of healthcare information, public health reporting, and appropriate uses and disclosures of information in health information exchanges.
  • Mandate, perform and document ongoing employee education on all policies and procedures specific to each employee's area of practice regarding legal issues pertaining to patient records, beginning at employment orientation and continuing at least annually throughout the length of their employment or affiliation with the hospital.
ACHE urges all healthcare executives to maintain an appropriate balance between the patient's right to privacy and the need to access data to improve public health, reduce costs and discover new therapy and treatment protocols through research and data analytics.

Approved by the Board of Governors of the American College of Healthcare Executives on November 14, 2016.