Health Information Confidentiality

February 1994
November 1997 (revised)
November 2004 (revised)
November 2009 (revised)
November 2012 (revised)

Statement of the Issue

Healthcare is among the most personal services rendered in our society; yet to deliver this care, scores of personnel must have access to intimate patient information. In order to receive appropriate care, patients must feel free to reveal personal information. In return, the healthcare provider must treat patient information confidentially and protect its security.

Maintaining confidentiality is becoming more difficult. While information technology can improve the quality of care by enabling the instant retrieval and access of information through various means, including mobile devices, and the more rapid exchange of medical information by a greater number of people who can contribute to the care and treatment of a patient, it also can increase the risk of unauthorized use, access and disclosure of confidential patient information. Within healthcare organizations, personal information contained in medical records now is reviewed not only by physicians and nurses but also by professionals in many clinical and administrative support areas.

The obligation to protect the confidentiality of patient health information is imposed by a myriad of state laws and the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). Protected health information (PHI) can only be used or disclosed by covered entities and their business associates for purposes of treatment, payment or healthcare operations without the patient’s consent.

While media representatives also seek access to health information, particularly when a patient is a public figure or when treatment involves legal or public health issues, the rights of individual patients must be protected. Society’s need for information rarely outweighs the right of patients to confidentiality.

In order to disclose patient information, healthcare executives must determine that patients or their legal representatives have consented to the release of information or that the use, access or disclosure sought falls within the permitted purposes that do not require the patient’s prior consent. Healthcare executives must implement procedures to enable them to account for such disclosures. Once health information is released, healthcare executives must keep records and implement other procedures to ensure that they are able to account to the patient for such disclosures, upon the patient’s request.

Policy Position

The American College of Healthcare Executives believes that in addition to following all applicable state laws and HIPAA, healthcare executives have a moral and professional obligation to respect confidentiality and protect the security of patients’ medical records. As patient advocates, executives must ensure their organization obtains proper patient authorization to release information or follow carefully defined policies and applicable laws in those cases for which the release of information without consent is indicated.

While the healthcare organization possesses the health record, outside access to the information in that record can be controlled by patients unless indicated otherwise by applicable laws and regulations. Organizations therefore must determine the appropriateness of all requests for patient information under applicable federal and state law and act accordingly.

In fulfilling their responsibilities, healthcare executives should seek to:

  • Limit access to patient information to authorized individuals only.
  • Ensure that institutional policies and practices with respect to confidentiality, security and release of information are consistent with regulations and laws.
  • Educate healthcare personnel on confidentiality and data security requirements, take steps to ensure all healthcare personnel are aware of and understand their responsibilities to keep patient information confidential and secure, and impose sanctions for violations.
  • Implement technical (including, if appropriate, the use of encryption), administrative and physical safeguards to protect medical record files and computerized data against unauthorized use, access and disclosure and ensure data confidentiality, integrity and availability.
  • Conduct periodic data security audits and risk assessments.
  • Develop systems that enable organizations to track (and, if required, report) the use, access and disclosure of health records.
  • Provide for appropriate disaster recovery.
  • Establish guidelines for masking patient identifiers in committee minutes and other working documents in which the identity is not necessary.
  • Establish policies and procedures to provide to the patient an accounting of uses and disclosures of the patient’s health information.
  • Create guidelines for securing necessary permissions for the release of medical information for research, education, utilization review and other purposes.
  • Adopt a specialized process to further protect sensitive information such as psychiatric records, HIV status, genetic testing information, sexually transmitted disease information or substance abuse treatment records.
  • Identify special situations that require consultation with senior management prior to use or release of information.
  • Obtain written agreements that detail the obligations of confidentiality and security for individuals, third parties and agencies that receive medical records information, unless the circumstances warrant an exception.
  • Conduct due diligence on third parties who will receive medical records information, including a review of policies and procedures appropriate to the type of information they will possess. Ensure where applicable that such third parties adhere to the same terms and restrictions regarding PHI applicable to the organization.
  • Follow all applicable policies and procedures regarding privacy of patient information even if information is in the public domain.
  • Adopt procedures to address patient rights to request amendment of medical records and other rights under the HIPAA Privacy Rule.
  • Educate patients about organizational policies on confidentiality and use the notice of privacy practices as required by the HIPAA Privacy Rule.
  • Review applicable state and federal law related to the specific requirements for breaches involving PHI or computer systems containing PHI. Establish adequate policies and procedures to properly address these events.
  • In the event of a security breach, conduct a timely and thorough investigation and notify patients promptly (and within the timeframes required under applicable law) if appropriate to mitigate harm in accordance with applicable state or federal law.
  • Establish adequate policies and procedures to mitigate the harm caused by the unauthorized use, access or disclosure of health information to the extent required by state or federal law.
  • Participate in the public dialogue on confidentiality issues such as employer use of healthcare information, public health reporting, and appropriate uses and disclosures of information in health information exchanges.

The American College of Healthcare Executives urges all healthcare executives to maintain an appropriate balance between the patient’s right to confidentiality and the need to release information in the public’s interest in accordance with applicable state and federal law.

Approved by the Board of Governors of the American College of Healthcare Executives on November 12, 2012.