Further steps must be taken to shelter confidential medical information in electronic databases, Steven K. Hoge, M.D., chair of APA's Council on Psychiatry and Law, told officials at the Department of Health and Human Services (DHHS).

Hoge made his remarks February 18 to the DHHS National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality at a hearing in Washington, D.C. Hoge and others appeared before the subcommittee as part of an APA effort to shape confidentiality legislation related to the passage last year of the Kassebaum-Kennedy health care reform measure. That bill contained general references to confidentiality, but left the specifics to be determined either through subsequent legislation, or, if legislation was not enacted within three years of the original bill, by regulatory fiat from the Secretary of Health and Human Services.

The confidentiality provision mandated that within a year from the passage of the original Kassebaum-Kennedy health care legislation, the Secretary of Health and Human Services was to submit recommendations related to privacy to the Senate Labor and Finance Committee, the House Commerce Committee, and the House Ways and Means Committee. That deadline falls this August, and the February hearings were designed to elicit expert input that could be used to shape legislation.

APA successfully fought an earlier confidentiality bill on grounds that it provided too many loopholes for managed care companies and insurers seeking access to confidential patient information.

Despite the recent flurry of activity, there is no firm timetable for consideration of new confidentiality legislation, according to Cathleen Brady, J.D., an assistant director in APA's Division of Government Relations.

Donald Palmisano, M.D., an AMA trustee, and John Nielsen, J.D., of the American Hospital Association, joined Hoge in testimony. Nielsen is senior counsel and director of government affairs at Intermountain Health Care of Utah.

Hoge reiterated APA's long-standing position that patients should ultimately have the right to determine what is or is not done with their medical records. The physician, said Hoge, has a special role as "guardian of the medical record." This "has been recognized in professional standards, impressed upon physicians in their training, and acknowledged as legitimate by the courts," he added.

But in the emerging world of managed care, medical records have increasingly become a commodity subject to commercial use. Most disturbing, said Hoge, is the use of medical-record data banks to determine risk ratings. Such data may be used to deny disability or life insurance to the patient or family members deemed genetically at risk.

As third-party demands for access to medical records have increased, privacy has become more and more jeopardized, said Hoge. This trend has been accelerated by electronic storage of medical records, which "opens the potential for access to the universe of people with the ability to gain entry to the data bank," said Hoge. Various information technologies now "make it possible for more people to know more about the private lives of others."

Hoge reiterated APA's basic principles on management of patient records in electronic form.

First, said Hoge, it should be clear that medical data exist to enhance patient care and should be used to serve patients. Psychiatrists must play an active role in protecting patients' confidential medical records. Nonmedical use of medical records should occur only with proper authorization.

Second, patients, or their parents or guardians, have the right to remain informed about how their medical data will be recorded, stored, and used.

Third, existing legal and ethical sanctions for violating patient privacy should not be undermined by new technology. "Appropriate legal sanctions need to be developed to cover insurers, managed care entities, and medical-record data banks that handle and store sensitive information."

Hoge urged the panel to remember that "patient privacy is fragile; once lost, it cannot be regained, and its loss cannot be truly compensated."

AMA's Palmisano noted that "the patient-physician relationship is based first on trust." Unless patients believe that they can disclose to their physician "personal facts and information that they would not want others to know," they will not want to provide information critical to proper diagnosis and treatment.

Outside demands for information have eroded the confidential relationship between patient and physician, said Palmisano. The "need to know" argument of parties outside the doctor-patient relationship contends that confidential information must be accessible to protect public health and safety. But AMA policy "clearly states that 'conflicts between a patient's right to privacy and a third party's need to know should be resolved in favor of the patient, except where that would result in serious health hazard or harm to the patient or others,' " he added.

The essence of the AMA position, according to Palmisano, is that first, there exists "a basic right of patients to privacy of their medical information and records, and that this right should be explicitly acknowledged; that patients' privacy should be honored unless waived by the patient in a meaningful way (i.e., informed, noncoercive) or in rare instances of strongly countervailing public interest; and that information disclosed should be limited to that information, portion of the medical record, or abstract necessary to fulfill the immediate and specific purpose (i.e., no fishing expeditions)."

When assessing confidentiality legislation, policymakers should recognize the main purpose of medical records is to serve as a reliable tool for clinical diagnosis and treatment. Further, he added, there need to be "firewalls" to "preclude a patient's first consent from applying to all subsequent disclosures" unless the patient specifically agrees to waive his rights to protection from future disclosure without consent.

While there may be cases where exceptions to patient consent to disclosure are needed--as in law enforcement--"they should be minimal and narrowly drawn," he continued. The burden should be on the party asking for the exception to prove why that party's need should override patient confidentiality. This burden would apply whether the request comes in the context, for example, of research or law enforcement. As regards research, the AMA recommends that medical information used for research should have all identifying information removed unless the patient consents otherwise.

Federal law should set minimal confidentiality standards, but should not preempt stricter standards at the state level.

Serious penalties should apply to deliberate disclosure in violation of confidentiality and lesser penalties to accidental disclosure, the AMA believes.

(Psychiatric News, April 4, 1997)