Welcome to my blog, a place to explore and learn about the experience of running a psychiatric practice. I post about things that I find useful to know or think about. So, enjoy, and let me know what you think.

Wednesday, July 6, 2016

Keeping Mum


This post was prompted by an article written by Ben Goldacre in The Guardian, Care.Data is in Chaos. It Breaks My Heart. The article is about the Health and Social Care Information Centre (HSCIC, in the UK), which, "admitted giving the insurance industry the coded hospital records of millions of patients." These records, according to Goldacre, were line for line, and could be decoded by anyone with an inclination to do so. The purpose of this "gift", by the way, was for the insurance companies' actuaries to figure out premiums, based on likelihood of death (or illness, I assume).

Useless Fun Fact: Years ago, in another professional trajectory, I passed the first of the however many actuarial exams.

Anyway, then the HSCIC said it couldn't share documentation on this release of information, presumably because it's more important to protect insurance company privacy than patient privacy.

Summarily, in Goldacre's words, "...a government body handed over parts of my medical records to people I've never met, outside the NHS and medical research community, but it is refusing to tell me what it handed over, or who it gave it to, and the minister is now incorrectly claiming that it never happened anyway."

So I started to think about patient privacy, including a long-ago post, What, Exactly, Is HIPAA?, where I wrote that I would follow up with more information about privacy, and I never did. Incidentally, I've looked, and I still haven't found any contradictory information about what constitutes a HIPAA covered entity, and I'm still convinced that I'm not one, because I don't bill patients electronically.

So I was wondering, what is the difference between privacy and confidentiality, as they relate to patients? And I found this article (Prater), which was helpful.

Basically, confidentiality is the, "...obligation of professionals who have access to patient records or communication to hold that information in confidence," while privacy is the, "...right of the individual client or patient to be let alone and to make decisions about how personal information is shared."

In other words, confidentiality is my professional, or at least ethical obligation to my patients, while privacy is a patient right I need to respect. From this I infer that technically, my patients do not have a right to confidentiality, and I don't have an obligation to protect patient privacy.

Here are some more details.


Confidentiality goes back, at least, to the Hippocratic Oath:

And whatsoever I shall see or hear in the course of my profession, as well as outside my profession in my intercourse with men, if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets.

It is a cornerstone of professional association codes of ethics. The AMA's Code of Ethics, Opinion 5.05, states:

The information disclosed to a physician by a patient should be held in confidence. The patient should feel free to make a full disclosure of information to the physician in order that the physician may most effectively provide needed services. The patient should be able to make this disclosure with the knowledge that the physician will respect the confidential nature of the communication. The physician should not reveal confidential information without the express consent of the patient, subject to certain exceptions which are ethically justified because of overriding considerations.

And don't forget about postmortem confidentiality:

All medically related confidences disclosed by a patient to a physician and information contained within a deceased patient’s medical record, including information entered postmortem, should be kept confidential to the greatest possible degree...At their strongest, confidentiality protections after death would be equal to those in force during a patient’s life. Thus, if information about a patient may be ethically disclosed during life, it likewise may be disclosed after the patient has died.

In reading this stuff, I also found that the AMA has a slightly different slant on the definitions of privacy and confidentiality:

In the context of health care, emphasis has been given to confidentiality, which is defined as information told in confidence or imparted in secret. However, physicians also should be mindful of patient privacy, which encompasses information that is concealed from others outside of the patient-physician relationship.

An example of support for the legal status of confidentiality, as the privileged communication between patient and doctor, can be found in Jaffee v. Redmond, where the, "...U.S. Supreme Court upheld a therapist’s refusal to disclose sensitive client information during trial." (Prater)

Effective psychotherapy...depends upon an atmosphere of confidence and trust in which the patient is willing to make a frank and complete disclosure of facts, emotions, memories, and fears. Because of the sensitive nature of the problems for which individuals consult psychotherapists, disclosure of confidential communications made during counseling sessions may cause embarrassment or disgrace. For this reason, the mere possibility of disclosure may impede development of the confidential relationship necessary for successful treatment. (p.10, Jaffee v. Redmond)


There is no constitutional right to medical privacy. Rather, healthcare privacy rights, "...have been outlined in court decisions, in federal and state statutes, accrediting organization guidelines and professional codes of ethics." (Prater)

The big example is HIPAA. Subject to HIPAA, "Individuals are provided some elements of control, such as the right to access their own health information in most cases and the right to request amendment of inaccurate health information...However, in [the] attempt to strike a balance, the Rule provides numerous exceptions to use and disclosure of protected health information without patient authorization, including for treatment, payment, health organization operations and for certain public health activities..."(Prater)

I've been trying to read through the relevant parts of this ponderous document about HIPAA, and on pages 757 and following, in part § 164.512, Uses or Disclosures for which an Authorization or Opportunity to Agree or Object is not Required, I found what appear to be a number of these exceptions to the "privacy" provided by HIPAA. I think. I'm not a lawyer. Such as:

a) required by law
b) public health activities
c) victims of abuse, neglect, or domestic violence
d) health oversight activities
e) judicial and administrative proceedings
f) law enforcement purposes
g) about decedents, i.e., coroners, MEs, funeral directors
h) cadaveric organ, eye, or tissue donation purposes
i) research purposes
j) averting a serious threat to health or safety
k) specialized government functions
l) workers' compensation

There are many specifics, including disclosing information to a patient's employer, but I'll leave those as an exercise for the reader.

Point being, HIPAA does little to protect patient privacy. I think the value of HIPAA is that it attempts to delineate what patient privacy rights are, and that it has succeeded in making people aware that the privacy of their medical information is vulnerable. It does not solve this difficulty, which becomes hugely magnified by the use of electronic health records. This leads to consideration of one more important term, security, or the means by which patient information is protected, such as a locked filing cabinet, or encrypted data.

What I glean from all this is that there is at least a notion of a patient's right to privacy, which I should try to respect, but that my standards for protecting patient information are much higher than anything HIPAA has to say.


  1. Numerous scholars have written about derivative privacy rights based on existing law as well as primary privacy rights not based on other rights clusters. The critical associated concepts that are not attended to very well by the average person on the street and medical professionals are how these rights have been co-opted by business and politics.

    The best example for the layperson is the erosion of privacy rights surrounding financial data. The erosion of those rights began when Congress allowed (against their previous mandate) the use of Social Security Numbers so that the credit reporting industry could be more or less invented. As a result millions of Americans are losing money to identity theft and business scams every year that would not be possible if all of their financial information was not made available without their consent to the credit reporting bureaus. There is no option to opt out of this system – even if you have been the victim of identity theft.

    On the medical side, politicians have even less to stand on. I have been writing about HIPAA for years. It was basically a way to share information among business entities rather than provide any added level of privacy/confidentiality for patients. The implementation was poor, probably due to the fact that it was poorly written. Clinics, hospitals, and doctors were confused for years about what information could be released in emergencies. The penalty language was intimidating. If anyone was perfectly honest, this was just another political ruse to grease the skids of business at the expense of physicians and other healthcare professionals. After all, who is more likely to leak information – a physician whose very mouse click is monitored on an EHR or a contractor who gets tens of thousands of patient names stolen from their laptop? Time and time again it is the business contractors who leak the data, and as far as I can tell there are no consequences. On the other hand, I have known professionals who have been warned or fired for looking up their own lab data on the EHR.

    Goldacre sounds fairly clueless about the healthcare industry and their access to personal data. I can walk into any clinic in Minnesota and be asked to sign a release to be seen there. If I don’t sign it – I can’t get treated. If I do sign it, the receptionist hands me a pamphlet with about 20 exceptions to my healthcare privacy/confidentiality. That includes the ability of any number of government agencies and businesses to mine that data and come up with any kind of absurd science that they want. It also allows private companies to market directly to me based on any chronic medical conditions that they glean from my records, all courtesy of HIPAA.

    Besides being an erosion of privacy that existed prior to the 1970s, this is also an unrecognized attack on physicians. Lawyers continue to have absolute confidentiality with their clients. That may be due to the fact that a large number of politicians are lawyers. From a risk-benefit perspective, the risk of allowing a number of career criminals and sociopaths this level of protection must be the price we have to pay to protect the innocent. There is no such risk-benefit analysis applied to physicians. In the case of Tarasoff, we are mandated to act like the police in the case where our patient might be dangerous. Would that ever happen to an attorney? The tens of exceptions to medical privacy and confidentiality give politicians and businesses additional leverage against physicians to get whatever information they want while never considering the professional mandate and reasons for confidentiality with patients.

    It is just another reason that the medical profession finds itself in such dire straits these days – while businesses and politicians are celebrating Big Data as the next big thing. Big Data, or trolling for a hypothesis, only happens because governments and businesses want it. You could never sneak that past a Human Subjects Committee.

    1. I didn't get into the details because there was just too much, but it was absolutely scary reading about all the "exceptions". And the confusion about HIPAA is gargantuan. Hospitals won't confirm whether a family member is a patient, but your employer can learn all about your medical history.

    2. And I don't know if you've noticed the irony, but the ads on this page are about downloading a free HIPAA checklist.