This post was prompted by an article written by Ben Goldacre in The Guardian, Care.Data is in Chaos. It Breaks My Heart. The article is about the Health and Social Care Information Centre (HSCIC, in the UK), which, "admitted giving the insurance industry the coded hospital records of millions of patients." These records, according to Goldacre, were line for line, and could be decoded by anyone with an inclination to do so. The purpose of this "gift", by the way, was for the insurance companies' actuaries to figure out premiums, based on likelihood of death (or illness, I assume).
Useless Fun Fact: Years ago, in another professional trajectory, I passed the first of the however many actuarial exams.
Anyway, then the HSCIC said it couldn't share documentation on this release of information, presumably because it's more important to protect insurance company privacy than patient privacy.
Summarily, in Goldacre's words, "...a government body handed over parts of my medical records to people I've never met, outside the NHS and medical research community, but it is refusing to tell me what it handed over, or who it gave it to, and the minister is now incorrectly claiming that it never happened anyway."
So I started to think about patient privacy, including a long-ago post, What, Exactly, Is HIPAA?, where I wrote that I would follow-up with more information about privacy, and I never did. Incidentally, I've looked, and I still haven't found any contradictory information about what constitutes a HIPAA covered entity, and I'm still convinced that I'm not one, because I don't bill patients electronically.
So I was wondering, what is the difference between privacy and confidentiality, as they relate to patients? And I found this article (Prater), which was helpful.
Basically, confidentiality is the, "...obligation of professionals who have access to patient records or communication to hold that information in confidence," while privacy is the, "...right of the individual client or patient to be let alone and to make decisions about how personal information is shared."
In other words, confidentiality is my professional, or at least ethical obligation to my patients, while privacy is a patient right I need to respect. From this I infer that technically, my patients do not have a right to confidentiality, and I don't have an obligation to protect patient privacy.
Here are some more details.
Confidentiality goes back, at least, to the Hippocratic Oath:
And whatsoever I shall see or hear in the course of my profession, as well as outside my profession in my intercourse with men, if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets.
It is a cornerstone of professional association codes of ethics. The AMA's code of Ethics, Opinion 5.05, states:
The information disclosed to a physician by a patient should be held in confidence. The patient should feel free to make a full disclosure of information to the physician in order that the physician may most effectively provide needed services. The patient should be able to make this disclosure with the knowledge that the physician will respect the confidential nature of the communication. The physician should not reveal confidential information without the express consent of the patient, subject to certain exceptions which are ethically justified because of overriding considerations.
And don't forget about postmortem confidentiality:
All medically related confidences disclosed by a patient to a physician and information contained within a deceased patient’s medical record, including information entered postmortem, should be kept confidential to the greatest possible degree...At their strongest, confidentiality protections after death would be equal to those in force during a patient’s life. Thus, if information about a patient may be ethically disclosed during life, it likewise may be disclosed after the patient has died.
In reading this stuff, I also found that the AMA has a slightly different slant on the definitions of privacy and confidentiality:
In the context of health care, emphasis has been given to confidentiality, which is defined as information told in confidence or imparted in secret. However, physicians also should be mindful of patient privacy, which encompasses information that is concealed from others outside of the patient-physician relationship.
An example of support for the legal status of confidentiality, as the privileged communication between patient and doctor, can be found in Jaffee v. Redmond, where the, "...U.S. Supreme Court upheld a therapist’s refusal to disclose sensitive client information during trial." (Prater)
Effective psychotherapy...depends upon an atmosphere of confidence and trust in which the patient is willing to make a frank and complete disclosure of facts, emotions, memories, and fears. Because of the sensitive nature of the problems for which individuals consult psychotherapists, disclosure of confidential communications made during counseling sessions may cause embarrassment or disgrace. For this reason, the mere possibility of disclosure may impede development of the confidential relationship necessary for successful treatment. (p.10, Jaffee v. Redmond)
There is no constitutional right to medical privacy. Rather, healthcare privacy rights, "...have been outlined in court decisions, in federal and state statutes, accrediting organization guidelines and professional codes of ethics." (Prater)
The big example is HIPAA. Subject to HIPAA, "Individuals are provided some elements of control, such as the right to access their own health information in most cases and the right to request amendment of inaccurate health information...However, in [the] attempt to strike a balance, the Rule provides numerous exceptions to use and disclosure of protected health information without patient authorization, including for treatment, payment, health organization operations and for certain public health activities..."(Prater)
I've been trying to read through the relevant parts of this ponderous document about HIPAA, and on pages 757 and following, in part Squiggle164.512, Uses or Disclosures for which an Authorization or Opportunity to Agree or Object is not Required, I found what appear to be a number of these exceptions to the "privacy" provided by HIPAA. I think. I'm not a lawyer. Such as:
a) required by law
b) public health activities
c) victims of abuse, neglect, or domestic violence
d) health oversight activities
e) judicial and administrative proceedings
f) law enforcement purposes
g) about decedents, i.e. coroners, ME's, funeral directors
h) cadaveric organ, eye, or tissue donation purposes
i) research purposes
j) aversion to serious threat to health or safety
k) specialized government functions
j) worker's compensation
There are many specifics, including disclosing information to a patient's employer, but I'll leave those as an exercise for the reader.
Point being, HIPAA does little to protect patient privacy. I think the value of HIPAA is that it attempts to delineate what patient privacy rights are, and that it has succeeded in making people aware that the privacy of their medical information is vulnerable. It does not solve this difficulty, which becomes hugely magnified by the use of electronic health records. This leads to consideration of one more important term, security, or the means by which patient information is protected, such as a locked filing cabinet, or encrypted data.
What I glean from all this is that there is at least a notion of a patient's right to privacy, which I should try to respect. But that my standards for protecting patient information are much higher than anything HIPAA has to say.