Association of American Physicians and Surgeons
The Confidentiality of Patient Records
Both Congress and the White House have expressed well-founded concerns about the privacy of medical records. However, proposed legislation, as well as the standards on "the privacy of individually identifiable health information" recently promulgated by the Department of Health and Human Services as mandated by the Health Insurance Portability and Accountability Act, would have an effect opposite to the stated intention of protecting patient confidentiality. Both the proposed regulations and various legislative proposals establish procedures permitting and facilitating the disclosure of information for which disclosure is now either prohibited or practically impossible.
The objective of writing standards for the electronic transmission of data has been subverted into a pretext for changing the fundamental ethics of the patient-physician relationship and the purpose of medical records.
In the tradition of Hippocrates, the physician serves the patient, who trusts him to abide by the precept that "All that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and never reveal." The traditional medical record consists of the physicians' notes and other data, such as laboratory reports, related to the specific, narrow purpose of providing optimal care to the individual patient. The actual information in the record belongs to the patient, who traditionally has had control over the dissemination of that information.
The proposed regulations overturn these basic principles. The patient's right to refuse consent to release his records is abrogated. All patients (or at least those who have any medical records in electronic format) are thus required to serve administratively determined societal objectives: "health services research" as well as medical research; the detection and prosecution of violations of any law, rule, or regulation; monitoring physician compliance with practice "guidelines"; and central allocation of resources. All of these are generally irrelevant to and may actually be contrary to the best interests of the patient. "National priorities," undefined or vaguely defined, are held, at the discretion of an administrative agency, to override the individual's right to liberty (as the liberty to seek care from a physician who guards patients' privacy). Individual Fourth Amendment rights are easily swept aside by assertion of a collective "need." Vastly expanded administrative powers trump the requirement for judicial procedure to obtain a search warrant.
While medical professionals will be placed in the dilemma of violating their professional ethics or committing a federal crime by not releasing data, they will also be held responsible, under pain of prison and enormous fines, for monitoring behavior of other entities with which they contract but over which they have little control. Additionally, they will be required to implement costly and onerous notification and other paperwork requirements that actually provide no meaningful patient protection.
In short, proposed rules and laws serve the interest of expanded use rather than real protections. The expanded use may serve some narrow special interests as well as regulators and prosecutors but will be of very questionable medical or scientific value, especially since accuracy will be compromised by the withholding of sensitive information.
We recommend the following:
1. A moratorium on the proposed regulations. (Comments submitted to HHS are appended.)
2. Legislation that embodies the following basic principles:
2. Electronic data storage or transmission should require the patient's explicit, fully informed consent, before the data are entered.
3. No medical professional may be required to perform any act that violates his conscience as a condition of being permitted to practice his profession or specialty.
4. Patients should have a cause of civil action against any individual, including an agent of the government, who causes them harm by the misuse of computerized data. To this end, any electronic data processing system established under this Act should include a mechanism for tracking all individuals who access identifiable records.
Jane M. Orient, M.D., Executive Director