Protect Yourself by Protecting The Privacy of Your Patients

By Mike Folio, J.D.

“I know what you’re doing,” said the management services organization administrator, stopping me in mid-sentence. “You’re just trying to generate fees. I don’t like attorneys padding their billable hours.” I was negotiating an MSO contract for a family practice physician, trying to explain the potential patient privacy problems of the MSO affiliation. And actually, I wasn’t too surprised by the administrator’s remark. Because patient privacy is not a cure for the balance-sheet blues, it can seem like seeing that distant aunt at Christmas: You give her the obligatory holiday smooch and ignore her the rest of the year.

But ignoring patient privacy could topple even the most profitable providers. With computerized medical records, medical information marketers and managed care alliances forever changing health care, patient privacy is becoming a hot topic. Ask the West Virginia doctor who disclosed the fraudulence of a patient’s alleged injury after meeting in the patient’s absence with his employer–and then was sued by the patient for breach of confidentiality.

Many states, spurred in part to shield the identity of persons with HIV and other communicable diseases, have enacted expansive privacy laws and patient “bills of rights” that, if violated, could result in civil liability, medical license revocation or even criminal conviction. So resist the temptation to dismiss patient privacy. It’s really a managed care reality check, a barometer of a performance-based delivery system, capable of crippling your practice and, yes, even giving you the balance-sheet blues.

Hidden behind the unexceptionable watchwords of patient privacy (“physician-patient privilege,” “fiduciary duty,” and so on) lies a conflicting combination of history, ethical canons, statutes, court decrees, accreditation standards and patient expectations sharpened over time by everyone from Hippocrates to your state senator. There’s no single physician’s guide to patient privacy, and the hodgepodge of privacy law makes its thorny requirements all the more elusive and a doctor’s risks all the more confusing. But there are some basic patient-privacy principles physicians should know.

What the law says

About 40 states and the District of Columbia formally recognize a physician-patient privilege. While the scope of the privilege varies, it generally prohibits a physician from testifying about any patient matter learned by the doctor in the course of the physician-patient relationship unless otherwise required by law. In some states the patient’s very identity is privileged. In other states a court order–not just a subpoena–is required for a physician to testify about or disclose a patient’s medical information, and a physician who testifies pursuant to a subpoena may be sued by the patient. Still other states treat physicians as fiduciaries, much like a trustee or an attorney, and permit patients to sue physicians for the unauthorized disclosure of their medical and business information. Finally, some states treat the physician-patient relationship as a contract, implying a duty of confidentiality. If a physician discloses a patient’s medical or business information without the patient’s consent, the physician may be sued for breach of contract.

Many states also have medical records confidentiality statutes and hospital records privacy laws, which typically tell physicians and hospitals how, and if, they may disclose patient medical and business records. These laws create a presumptive confidentiality interest in medical and business records and prohibit their disclosure except in specific situations. Statutes in Utah and Idaho, for example, can be interpreted as prohibiting the disclosure of medical billing information and may bar the sale of anonymous patient data to drug companies and insurers.

In other states, medical information may be released only upon a patient’s informed consent. This requirement creates a pesky problem: What are the risks of releasing medical information? The physician may need to know what the recipient will do with the records. For example, will the recipient sell the records or market the patient’s medical information to HMOs, pharmaceutical companies, or insurers? If so, the physician may need to disclose this to the patient, and without such disclosure the patient’s consent may not be deemed “informed.” Of course, some states require the recipient to treat the medical records as confidential, and in those states informed consent may not be a big burden.

Medical ethics and accreditation standards are also patient privacy components. For example, while the AMA’s Code of Medical Ethics is not law, some courts have applied it as a legal duty and permit patients to sue physicians who violate the code. Physician licensing regulations in many states also require physicians to keep confidential a patient’s medical and business information, and may give a patient a basis to sue a physician. Finally, the American Hospital Association’s “Patient’s Bill of Rights” and the accreditation standards of the Joint Commission on Accreditation of Healthcare Organizations contain confidentiality requirements that may create de facto legal duties to protect patient privacy.

There’s no simple resolution of patient privacy. Each state has its own privacy laws, and federal codes sometimes conflict with state statutes. But it’s always best to disclose to patients the known risks before releasing any medical information, and to obtain the patient’s signature on an appropriately crafted consent form.

A trove of data

Medical and business records are a treasure chest of demographic profiles, risk factors, lifestyle choices and dietary patterns that in the hands of slick copywriters can be marketed into millions. One health insurer, for example, has targeted persons at risk for heart disease by thumbing through HMO claims for diagnosis codes to identify persons with high cholesterol and hypertension. In states with HMO member privacy laws, this practice could cause the HMO’s physicians or the HMO itself to lose a license or be sued. Reportedly, some physicians and hospitals also have marketed patient data gathered at wellness fairs and medical screenings.

While these deeds create privacy and informed consent problems, a more perilous practice is the way medical records are funneled to the Medical Information Bureau. The MIB, a nonprofit organization run by about 700 life insurers, maintains medical records on about 15 million people. The MIB compiles coded reports on blood pressure, cholesterol and other health risk factors such as sexual practices, leisure activities and driving records, plucked from medical records. The reports are used by insurance companies to identify high-risk individuals and fraudulent insurance applications.

The MIB has far-reaching implications for physicians. Suppose a physician is feuding with the patient’s insurer, trying to obtain coverage for a proposed treatment under the patient’s health plan. The insurer’s utilization review committee demands the patient’s medical records. The patient signs the physician’s general consent form and the physician releases the medical records. The insurer’s UR committee then distributes the records to the MIB. Suppose the records are later used to charge higher premiums or to deny the patient future health insurance coverage. Even worse, suppose the patient’s MIB file is one of the 450,000 to 600,000 that reportedly contain errors, and the MIB falsely identifies the patient as having cancer or Alzheimer’s disease.

Could the physician be liable to the patient? You bet! Why? Three reasons. First, the physician failed to disclose the risk of the insurer circulating the medical records. Second, the consent form failed to prohibit the insurer from disclosing the records. Third, the medical records were released so the physician could be paid, and only a few states expressly excuse the physician’s duty of confidentiality when the physician is seeking payment from the patient’s insurer.

There’s another common practice. The insurer wants the patient’s medical records. The patient signs the physician’s general consent form and the physician releases the medical records. But the released records include illnesses and treatments unrelated to the disputed claim and identify other risks or pre-existing conditions. The insurer gives the records to the MIB. At the policy’s anniversary or the patient’s application for life or health insurance, the insurance is terminated or the application is rated or denied.

Is the physician on the hook? Absolutely! The physician released records unrelated to the disputed claim. That’s a breach of the physician-patient relationship, and perhaps of a state confidentiality law, too. The physician also failed to prohibit the insurer from circulating the records, and that violates informed consent.

So how can physicians overcome these menacing obstacles? Disclosure and consent! Tell patients how the disclosure is made and what records are released, and then obtain the patient’s consent on a form that prohibits the recipient from circulating the patient’s medical records.

What managed care has wrought

Not long ago, medical records were secure in filing cabinets, locked away in a doctor’s office. Today they’re increasingly likely to be on-line, owned by partnerships and provider networks, and accessible by computer hackers, alliance affiliates and persons not directly involved in medical treatment. Also, managed care’s new economics has rewritten the definition of a profitable practice. It no longer means treating as many patients as possible, but limiting patient visits efficiently under capitated contracts–and, often, having that efficiency checked by utilization tracking that puts patient records in new hands.

These changes mean that medical records are now hot commercial commodities, used for claims reviews, compliance surveys and credentialing decisions as well as assessing market penetration and gauging provider productivity. But these practices may skirt informed consent and patient privacy laws, perhaps exposing the physician to a lawsuit.

Managed care marriages create other problems for physicians. MSOs and computer networks that provide billing, management and claims processing services have access to private patient information. Many of these companies, presumably unknown to physicians, market that information to pharmaceutical companies, HMOs and insurers. This defies the physician-patient relationship, according to the AMA’s code, because it may violate principles of informed consent and patient confidentiality. And because the AMA’s code prescribes de facto legal duties, this practice may expose the physician to a lawsuit.

Managed care contracts may also blind-side physicians. Many of them require physicians to comply with the AMA’s Code of Medical Ethics. If the physician’s patient information is marketed without the patient’s consent, the physician could be in breach of the contract.

Though risky, managed care contracts pale in comparison to computerized information systems. These systems give network physicians quick and easy access to a patient’s latest medical history and allow greater utilization tracking to control costs, monitor referral patterns and streamline quality assurance. But computerized information systems also make clandestine copying easier, leaving little or no trace of a records robbery, especially if the files are on-line. Invisible alteration of patient records is also much simpler, and only when a patient clamors for a correction may the breach be detected.

The AMA has promulgated a laundry list of computerized medical record protection guidelines. Chief among them is informing the patient of the existence of the computerized data base, the persons or companies who have access to the patient’s computer files and the nature of the access. Security systems also should be installed. The AMA recommends “passwords, encryption (encoding) of information, and scannable badges or other user identification.” Finally, computer access should be limited to authorized persons and, while the AMA doesn’t suggest it, employees and persons with access to the data base should sign a confidentiality agreement.

As managed care continues to test and taunt the physician-patient relationship, patient privacy’s grip will doubtless tighten in response, creating greater burdens for physicians.

The anatomy of a patient’s consent

When it comes to the privacy of medical records, physicians have no perfect protection. But asking patients to sign a properly prepared consent form can help. Here’s what such a form should include:

  • Name of the provider releasing the information
  • Recipient’s name and address
  • Patient’s name, address, and date of birth
  • Purpose of the disclosure, e.g., insurance dispute, referral, life insurance application, etc.
  • Identification of exact records being released, with precise treatment dates or illness
  • Date or occasion when the consent will expire unless the patient revokes the consent earlier
  • Date the consent is signed
  • Patient’s or legal representative’s signature
  • Provision prohibiting the recipient’s disclosure of the information without the patient’s written permission

The person disclosing the records should sign and date the consent form. A copy of the form should be kept in the patient’s medical file, which should be stored in a secure place, with only authorized persons allowed access. If medical files are computerized, the system should contain appropriate security controls and access passwords should be changed frequently.
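The article’s two operational points, that a release should cover only the records the consent identifies (the “unrelated records” breach described earlier) and that a computerized system should limit access to authorized persons, can be enforced in code rather than left to whoever pulls the file. The following is an added example, not part of the article and not any vendor’s product: a small Python check that models the consent-form elements listed above, refuses to release on a consent that is expired, revoked, incomplete or missing the no-redisclosure clause, and otherwise releases only the entries whose treatment dates and illness fall inside the consent’s scope, writing an audit line either way. The record and consent fields, the practice and recipient names, and the sample patient file are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Added example (not from the article): a scoped-release check built from the
# consent-form elements the article lists. Field names, party names and the
# sample records below are assumptions constructed for illustration.


@dataclass(frozen=True)
class MedicalRecord:
    patient_id: str
    treatment_date: date
    condition: str  # illness the entry concerns
    summary: str


@dataclass(frozen=True)
class ReleaseConsent:
    provider: str             # provider releasing the information
    recipient: str            # recipient's name
    recipient_address: str
    patient_name: str
    patient_address: str
    patient_dob: date
    purpose: str              # e.g. insurance dispute, referral
    conditions: frozenset     # exact illnesses covered by the consent
    date_from: date           # treatment-date window covered
    date_to: date
    expires: date             # consent lapses after this date
    signed_on: date
    signed_by: str            # patient or legal representative
    bars_redisclosure: bool   # recipient may not circulate the records
    revoked_on: Optional[date] = None


def validate_consent(consent: ReleaseConsent, today: date) -> list:
    """Return the reasons a consent cannot support a release today (empty list = usable)."""
    problems = []
    for name in ("provider", "recipient", "recipient_address", "patient_name",
                 "patient_address", "purpose", "signed_by"):
        if not getattr(consent, name):
            problems.append(f"missing required field: {name}")
    if not consent.conditions:
        problems.append("consent does not identify the records being released")
    if consent.date_from > consent.date_to:
        problems.append("treatment-date window is inverted")
    if consent.signed_on > today:
        problems.append("signature is dated in the future")
    if today > consent.expires:
        problems.append(f"consent expired on {consent.expires.isoformat()}")
    if consent.revoked_on is not None and consent.revoked_on <= today:
        problems.append(f"consent revoked on {consent.revoked_on.isoformat()}")
    if not consent.bars_redisclosure:
        problems.append("no clause prohibiting the recipient from redisclosing the records")
    return problems


def release_records(records, consent, releaser, today):
    """Select only the records the consent covers; never release on a defective consent.

    Returns (released, problems, audit_line). `released` is empty whenever `problems` is not.
    """
    problems = validate_consent(consent, today)
    if problems:
        audit = (f"{today.isoformat()} DENIED release to {consent.recipient} by {releaser}: "
                 + "; ".join(problems))
        return [], problems, audit
    released = [r for r in records
                if consent.date_from <= r.treatment_date <= consent.date_to
                and r.condition in consent.conditions]
    withheld = len(records) - len(released)
    audit = (f"{today.isoformat()} RELEASED {len(released)} record(s) to {consent.recipient} "
             f"for '{consent.purpose}' by {releaser}; {withheld} out-of-scope record(s) withheld")
    return released, problems, audit


TODAY = date(2024, 4, 5)

# Constructed sample file for one patient: two entries about the disputed injury
# and two unrelated entries that a general consent form would sweep along.
SAMPLE_RECORDS = [
    MedicalRecord("P-001", date(2023, 11, 10), "hypertension", "BP check, medication adjusted"),
    MedicalRecord("P-001", date(2024, 3, 2), "ankle fracture", "X-ray, cast applied"),
    MedicalRecord("P-001", date(2024, 3, 15), "ankle fracture", "follow-up, healing normally"),
    MedicalRecord("P-001", date(2024, 3, 20), "depression", "counselling referral"),
]

SAMPLE_CONSENT = ReleaseConsent(
    provider="Example Family Practice",
    recipient="Example Health Plan, Utilization Review",
    recipient_address="1 Example Way, Anytown",
    patient_name="A. Patient",
    patient_address="2 Sample St, Anytown",
    patient_dob=date(1980, 6, 1),
    purpose="insurance dispute over ankle fracture treatment",
    conditions=frozenset({"ankle fracture"}),
    date_from=date(2024, 3, 1),
    date_to=date(2024, 3, 31),
    expires=date(2024, 6, 30),
    signed_on=date(2024, 4, 1),
    signed_by="A. Patient",
    bars_redisclosure=True,
)

# Two defective variants: one omits the no-redisclosure clause, one has lapsed.
CONSENT_NO_CLAUSE = replace(SAMPLE_CONSENT, bars_redisclosure=False)
CONSENT_EXPIRED = replace(SAMPLE_CONSENT, expires=date(2024, 3, 31))

if __name__ == "__main__":
    for label, consent in (("scoped", SAMPLE_CONSENT),
                           ("no clause", CONSENT_NO_CLAUSE),
                           ("expired", CONSENT_EXPIRED)):
        released, problems, audit = release_records(SAMPLE_RECORDS, consent, "Dr. Example", TODAY)
        print(label, "->", audit)
        for r in released:
            print("   ", r.treatment_date, r.condition, "-", r.summary)
```

With the scoped consent only the two March ankle-fracture entries leave the file; the hypertension and depression entries are withheld and counted in the audit line, which is the record a physician would want if the recipient later circulates what it received. The defective variants release nothing and log why, so a missing clause or a lapsed date is caught before the records move rather than discovered when the patient asks for a correction.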

Use these five contract clauses to safeguard patient privacy

Management services organizations, offsite billers and other entities can create legal troubles for you if they misuse your patients’ medical records. To protect yourself, advises attorney-author Mike Folio, make sure your contracts with such organizations include these five clauses:

  • The company must preserve patient privacy in medical and business records.
  • The company must indemnify the physician for the company’s unauthorized release of patient medical and business records.
  • The company’s duty to preserve patient privacy in medical and business records must survive the termination and/or expiration of the agreement.
  • Access to and use by company’s employees of patient medical and business records must be defined.
  • The means by which the physician will provide patient medical and business records to the company must be defined.

The author is a health care lawyer with the Charleston, W.Va., firm of Lewis, Friedberg, Glasser, Casey & Rollins.
