  Policy Statements
Health Information Confidentiality

February 1994
November 1997 (revised)

November 2004 (revised)

Statement of the Issue

Healthcare is among the most personal services rendered in our society; yet to deliver this care, scores of personnel must have access to intimate patient information. In order to receive appropriate care, patients must feel free to reveal personal information. In return, the healthcare provider must treat patient information confidentially.

However, maintaining confidentiality is becoming more difficult. Information systems technology allows instant retrieval of medical information, widening access to a greater number of people. Within healthcare organizations, personal information contained in medical records is reviewed not only by physicians and nurses, but also by professionals in many clinical and administrative support areas.

Healthcare executives must follow the laws governing use and release of information. Releases cannot be made without proper authorization except under limited circumstances. Healthcare executives must determine that patients or their legal representatives consented to the release of information and keep records of most disclosures for review upon patient request.

Some exceptions to patient confidentiality are necessary to promote public health, to protect children and spouses from abuse, and to comply with certain laws. Media representatives also seek access to health information, particularly when a patient is a public figure or when treatment involves legal or public health issues. Nevertheless, the rights of individual patients must be protected. Society's need for information rarely outweighs the right of patients to confidentiality.

Policy Position

The American College of Healthcare Executives believes all healthcare executives have a moral and professional obligation to protect the confidentiality of patients' medical records. Additional legal restrictions imposed by the HIPAA Privacy and Security Rules must also be satisfied. As patient advocates, executives must obtain proper patient authorization to release information or follow carefully defined policies on the release of information without consent.

While the healthcare organization owns the health record, the information in that record remains the patient's personal property. Organizations must determine the appropriateness of all requests for patient information under applicable federal and state law and act accordingly.

In fulfilling their responsibilities, healthcare executives should seek to:

  • Limit access to patient information to authorized individuals only. Non-treatment access should be limited to the minimum amount of information necessary.

  • Ensure that institutional policies on confidentiality and release of information are consistent with regulations and laws.

  • Educate healthcare personnel on confidentiality requirements and take steps to ensure all healthcare personnel are aware of and understand their responsibilities to keep patient information confidential, and impose sanctions for violations.

  • Safeguard medical record files and computerized data with security and storage systems that protect against unauthorized access and ensure data integrity and availability.

  • Provide for appropriate disaster recovery.

  • Establish guidelines for masking patient identifiers in committee minutes and other working documents where the identity is not necessary.

  • Ensure that policies concerning the right of patients to have access to their own medical records and an accounting of disclosures are clearly established and understood by appropriate staff.

  • Create guidelines for securing necessary permissions for the release of medical information for research, education, utilization review and other purposes.

  • Adopt a specialized process to further protect sensitive information such as psychiatric, HIV status or substance abuse treatment records.

  • Identify special situations that require consultation with senior management prior to use or release of information.

  • When appropriate, seek written agreements that detail the obligations of confidentiality and security for individuals and agencies who receive medical records information, including business associates (service providers).


  • Follow all applicable policies and procedures regarding privacy of patient information even if information is in the public domain.


  • Adopt procedures to address patient rights to request amendment of medical records and other rights under the HIPAA Privacy Rule.

  • Educate patients about organizational policies on confidentiality, and use the notice of privacy practices as required by the HIPAA Privacy Rule.

  • Participate in the public dialogue on confidentiality issues such as employer use of healthcare information and public health reporting.

The American College of Healthcare Executives urges all healthcare executives to maintain an appropriate balance between the patient's right to confidentiality and the need to release information in the public's interest in accordance with applicable state and federal law.

Approved by the Board of Governors of the American College of Healthcare Executives on November 8, 2004.

   
 
