At a lecture some years ago, a psychiatrist described one of his patients whose problems were felt to be instructive to the group. To draw a complete picture for the audience, certain physical characteristics were included in the overall description. By the time the lecturer had completed the physical description and even before he started to mention the problems faced by this individual, I realized that I knew the individual and had been using him as an expert in some of my cases. As I sat there listening I learned some of the most intimate and embarrassing aspects of this individual’s life, details he had shared in the mistaken belief that they were going to be kept confidential. I wondered how he would have felt knowing that an audience of 100 of his peers knew his problems and at the same time I wondered how many times my expert psychiatrist, while lecturing, had also breached patient confidences.
Of course, had this lecturer’s practices been called into question, he probably would have argued that the presentation did not identify the particular individual and that it was necessary to discuss relevant cases for the furtherance of medical education and training. The lecturer would not have argued that the patient had given his consent for disclosure. In this case, it would have been highly unlikely that the patient ever would have agreed to open discussion of his emotionally charged problems.
This individual assumed that the information being given to his psychiatrist was going to be held confidential. In so doing, he was no different from any other patient who visits psychiatrists, psychologists, physicians, and every other health practitioner. As a patient he did not consider how, as a physician, he had used medical information and how medical information is routinely disseminated to many unknown individuals with and without the patient’s consent. This fact is quite outside of those areas in which release of medical information is permitted or required by the statutes and in those situations in which the patient has given their written consent.
When a client sees a lawyer — to draw up an estate plan or to file a negligence — he or she often has no idea that participating in a legal process could expose his or her medical records to scrutiny by some unlikely people. Lawyers should explain the limits of the so-called physician-patient privilege so that their clients know exactly what they are getting into.
Two Patient Groups
There are two basic groups of patients, and their records will be handled somewhat differently. The first group consists of those individuals who have no insurance, including Medicare or Medicaid coverage. These individuals could be those wealthy enough that they are willing to pay for all of their care with cash or those individuals such as the homeless who will pay for none of the care they receive. The second group includes the majority of individuals who have some form of insurance. The coverage would include that provided by a managed care company, Medicare, Medicaid or any other insurance plan.
When individuals in the first group enter a hospital or a practitioner’s office, they are not concerned about having any involvement with an insurance company. They are not required to sign forms automatically releasing their records to an insurance carrier. Therefore, the patient may be under the assumption that whatever care received will be held confidential. In the setting of the private office they will be sharing that information with the practitioner and the practitioner in turn will share that information with the staff. While one would not expect the shared information to become the subject of dinner or cocktail party conversation, one also does not expect that the information will become part of discussions between professionals not involved in the care and treatment.
Yet that is just what occurred with my expert when he visited his psychiatrist. Health practitioners routinely use patient information for the purposes of teaching and when accumulated data becomes the subject of professional articles including case studies and epidemiological research. As an example, it is not unusual to pick up a learned journal and read an article which is the case study of 600 cases of laparoscopic gall bladder surgery. The reader never considers the fact, but in all probability none of the 600 patients ever consented to their data being used in any study.
The mechanism of the research is relatively simple. Taking the one fact of laparoscopic gall bladder surgery the researcher would have a computer search done for all such cases done in the office or in a particular hospital for a given number of years. The researcher would then review the patient charts and elicit information on morbidity and mortality. It is this method of research that led to the information that asbestos exposure caused pulmonary damage and certain cancers.
The self same individual entering the hospital exposes personal medical information to an even greater audience. The records are normally available to every individual involved in the care of the patient. An open chart sitting in the nurses station is also available to every other person visiting that station. In one actual case, a depressed dermatologist wrote in her final note that she had observed colleagues not involved in her treatment and, before visiting her in her room, review her chart in the nursing station. She then threw herself out of a 17-story window.
Any individual’s chart may become a subject for review by the Committee for Medical Records, Quality Assurance, Morbidity and Mortality Conferences, and Clinical Conferences all without the patient’s knowledge and consent. Indeed in some institutions where there is a question as to whether there had been malpractice committed, the chart is sent to Risk Management and may well be shared with counsel in anticipation of a suit. While that suit may never arise, the record and its contents have had wide distribution.
If an individual is insured, then the likelihood of information being disseminated is even greater, and he or she has no choice in the matter. If you want to have the care you receive paid for by the insurance carrier or covered by the HMO, you must sign the release forms when they are presented to you. It is absolutely immaterial how sensitive the information is or how disturbed you maybe about having anyone other than the treating practitioner know the information. When you enter the hospital, the patient is required to sign an authorization form releasing the records to the insurance company. The physician must release records and information to the insurance company.
If you are a member of the HMO, before you can receive care, your medical information will be reviewed by your physician and by some clerks within the company. These clerks have the authority to share that information with anyone within the company and approve or disapprove your request for care. In the traditional insurance plan as well as in the HMO, the patient’s treatment will be reviewed after it is completed. The patient has no control over who within the carrier sees the records or what is done with those records thereafter.
Patients receiving psychiatric or psychological care are even more vulnerable. These practitioners must submit an Outpatient Treatment Request form to get prior approval for patient visits. These forms are long and require detailed information about the patient’s case. The greater the detail and the greater the problem delineated, the greater the likelihood that visits will be authorized.
The ultimate exposure of patient information may now occur with the computer age. Hospital systems are computerizing their medical records and coordinating the systems with practitioners’ offices outside of the hospital’s physical plant. Using the phone lines to transmit information allows for computer hackers to access the private information of all patients within the system.
However, with the exception of the authorized release of the records to the insurance carriers, or that information whose release is mandated by law, all other use of the patients information in the above situations is either illegal or unethical.
Ethical Canons and Statutes
According to the Report of the Council on Ethical and Judicial Affairs of the American Medical Association (Updated June 1994) and as published in the Directory of the Medical Society of the State of New Jersey, there is the following statement:
The patient has the right to confidentiality. The physician should not reveal confidential communications or information without the consent of the patient, unless provided for by law or by the need to protect the welfare of the individual or the public interest.
As defined in New Jersey state law, a confidential communication between a patient and a physician means:
Such information transmitted between physician and patient, including information obtained by an examination of the patient, as is transmitted in confidence and by a means which, so far as the patient is aware, discloses the information to no third persons other than those reasonably necessary for the transmission of the information or the accomplishment of the purpose for which it is transmitted
Any patient can waive the privilege. The problem is that most patients do not realize that they automatically waive the privilege when they are insured or under the care of a health practitioner.
The state of Minnesota has become acutely aware of the problem. In a 1996 statute which went into effect in January of 1997, there are clear limitations on how a patient’s medical records may be put to use.
Confidentiality of records. Patients and residents shall be assured confidential treatment of their personal and medical records, and may approve or refuse their release to any individual outside the facility.
This provision and accompanying provisions essentially prohibit the epidemiological research that would be included in a paper collecting the 600 cases of laparoscopic gall bladder surgery. The statue will also preclude the epidemiological research done by institutions within Minnesota such as the Mayo Clinic. The statue would make it a practical impossibility to retrospectively review and do case studies. Such studies would include patients who had long since left the institution or those who may have become incompetent or died. If the authorization was not obtained before treatment the authorization would not be available or producible and the research could not be carried out.
Patients should have a complete understanding of the fact that when information is given to a health practitioner that information may not be kept confidential. If there is any question concerning a particular issue, patients should be counseled that if that information is given to a practitioner and is recorded in a chart, that in spite of their wishes, their expectations, ethical and legal protections, there is no confidentiality.
Copyright 1997 New Jersey Law Journal. Reprinted with permission.