key: cord-0723830-8fwa2c24
authors: Moskop, John C.; Marco, Catherine A.; Larkin, Gregory Luke; Geiderman, Joel M.; Derse, Arthur R.
title: From Hippocrates to HIPAA: Privacy and confidentiality in Emergency Medicine—Part I: Conceptual, moral, and legal foundations
date: 2004-12-01
journal: Ann Emerg Med
DOI: 10.1016/j.annemergmed.2004.08.008
sha: 77943f83d13697f86b9d1eb3cfa86581ed9965e6
doc_id: 723830
cord_uid: 8fwa2c24

Respect for patient privacy and confidentiality is an ancient and a contemporary professional responsibility of physicians. Carrying out this responsibility may be more challenging and more important in the emergency department than in many other clinical settings. Part I of this 2-part article outlines the basic concepts of privacy and confidentiality, reviews the moral and legal foundations and limits of these concepts, and highlights the new federal privacy regulations implemented under the Health Insurance Portability and Accountability Act of 1996. Part II of the article examines specific privacy and confidentiality issues commonly encountered in the ED.

Respect for patient privacy and confidentiality has been affirmed as a professional responsibility of physicians since antiquity. In the famous oath attributed to Hippocrates, ancient Greek physicians pledged to respect confidentiality in these words: "What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about." [1] Privacy and confidentiality are no less significant in Western medicine today, and contemporary medical oaths echo the Hippocratic principle of respect for confidentiality. The World Medical Association's Declaration of Geneva, for example, contains the statement "I will respect the secrets which are confided in me, even after the patient has died." [2] In the United States, a variety of state and federal statutes and common law rules establish legal obligations of physicians to protect patient confidentiality. [3] Potential threats to patient confidentiality from electronic health care transactions were the impetus for US federal regulations recently implemented under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These regulations require physicians and health care institutions to adopt a variety of new procedures to protect patient information. [4,5] Privacy and confidentiality also figure prominently in the "Principles of Ethics for Emergency Physicians," part of the Code of Ethics of the American College of Emergency Physicians. Principle 5 states: "Emergency physicians shall respect patient privacy and disclose confidential information only with consent of the patient or when required by an overriding duty such as the duty to protect others or to obey the law." [6]

Because respect for privacy and confidentiality is a basic professional responsibility, it is essential that emergency physicians understand how to protect patient interests in the distinctively open setting of the emergency department (ED). For a variety of reasons, protecting privacy and confidentiality may prove more difficult and more important in the ED than in most other practice settings. It is particularly difficult to ensure privacy and confidentiality in the ED because the ED is typically a public, crowded environment in which many people are present, including multiple patients, physicians (attending physicians, consultants, and residents), nurses, emergency medical technicians, students, family, friends, law enforcement officers, and others. Until recently, many EDs recorded patient information on a "status board" in plain view of passersby and other patients. [7] Endemic crowding in today's EDs also interferes with protection of privacy and confidentiality. [8,9] Semiopen wards, congested hallways, and a fishbowl atmosphere provide little or no physical privacy and limited opportunities to communicate personal information confidentially.

These physical challenges to privacy and confidentiality are paradoxical, because ED patients frequently need treatment for conditions most people find embarrassing and strongly desire to keep confidential. Such sensitive conditions include sexual assault, family violence, sexually transmitted diseases, unwanted pregnancy, suicide attempts, acute psychoses, drug overdoses, and disfiguring trauma, to name but a few. Despite risks to their privacy and confidentiality, however, severely ill or injured patients often have little choice but to accept care in the ED, because they depend on others for transportation and only the ED offers round-the-clock care to all in need. Thus, acutely ill or injured ED patients are highly vulnerable to harmful disclosures and remain at the mercy of their caregivers to protect their confidential information.

To carry out the difficult and important responsibility of guarding patient privacy and confidentiality in the ED, emergency physicians must have a clear understanding of the nature, scope, and limits of that responsibility. This 2-part article is intended to help emergency physicians achieve such an understanding. Part I of the article will outline the concepts of privacy and confidentiality and examine moral and legal foundations and limits of respect for privacy and confidentiality, including federal privacy regulations recently implemented under HIPAA. Part II of the article will examine specific privacy and confidentiality issues frequently encountered in the ED.

To show appropriate respect for patient privacy and confidentiality, physicians must first understand clearly what is meant by these terms. Although they have overlapping meanings and are sometimes used synonymously, privacy and confidentiality are distinct concepts. Both terms can be used to refer to matters of fact, social values, and moral or legal rights.

Defined simply in an early and influential law review article by Warren and Brandeis [10] as "the right to be let alone," privacy is often characterized as freedom from exposure to or intrusion by others. Allen [11] distinguishes 3 major usages of the term "privacy": physical privacy, informational privacy, and decisional privacy. Physical privacy refers to freedom from contact with others or exposure of one's body to others. In contemporary health care, physical privacy is unavoidably limited. Patients grant their caregivers access to their bodies for medical examination and treatment, but expect caregivers to protect them from any unnecessary or embarrassing bodily contact or exposure. Informational privacy refers to prevention of disclosure of personal information. Informational privacy is also limited in health care by the need to communicate information about one's condition and medical history to one's caregivers. In disclosing this information, however, patients expect that access to it will be carefully restricted. This use of the term "privacy" is most closely related to the concept of confidentiality. Decisional privacy refers to an ability to make and act on one's personal choices without interference from others or the state. The US Supreme Court has relied on a constitutional right to privacy to protect freedom of choice about contraception [12] and abortion, [13] and state courts have used it as the basis for termination of life-sustaining medical treatment. [14] Because decisional privacy is closely linked to the principle of respect for autonomy and the doctrine of informed consent to treatment, and because these latter topics have already been widely discussed in the medical and bioethics literature, [15] the remainder of this article will focus on the physical and informational aspects of privacy.

As noted above, confidentiality is closely related in meaning to one of the major uses of the term "privacy," namely, informational privacy. In health care interactions, patients communicate sensitive personal information to their caregivers so that the caregivers can understand patients' medical problems and treat them appropriately. By calling such information confidential, we indicate that those who receive the information have a duty to protect it from disclosure to others who have no right to the information. Caregivers can breach confidentiality intentionally by directly disclosing patient information to an unauthorized person or inadvertently by discussing patient information in such a way that an unauthorized person can overhear it. In discussions of limiting access to patient information, most authors prefer the term "confidentiality" to "privacy." A notable exception, however, is the HIPAA privacy rule, because that document consistently refers to the privacy of health care information and only infrequently uses the term "confidentiality." Unless otherwise noted, the rest of this article will use the term "privacy" to refer to protection from the physical presence of or exposure of one's body to unauthorized persons and "confidentiality" to refer to protection of patient information from disclosure to unauthorized persons.

As noted above, pledges to protect patient privacy and confidentiality have been standard features of medical oaths and codes of ethics since antiquity. The centrality and persistence in medical ethics of the commitment to privacy and confidentiality is no historical accident. Rather, these values are grounded in fundamental moral principles of human dignity, autonomy, and beneficence. Respect for privacy and confidentiality recognizes the unique moral worth, or dignity, of patients as persons. Human beings are accorded special status as persons based, in part, on their ability to make moral choices and act on them. To make effective life plans and choices, persons require significant control over their physical environment and private information about themselves. Without such control, each of us would be powerless to avoid the physical intrusions of others or prevent the unwelcome disclosure to others of our most intimate personal information. Privacy and confidentiality are, therefore, necessary preconditions for personal autonomy. In addition to protecting personal autonomy, respect for privacy and confidentiality is also essential for securing the benefits of a strong therapeutic alliance between physician and patient. If patients are confident that their physicians will protect their privacy and confidentiality, they are more likely to seek medical care and to communicate personal information fully and accurately, thereby enabling caregivers to diagnose and treat them more effectively.

Despite their importance in health care, privacy and confidentiality are not absolute values, that is, values that must always be maximized. Instead, privacy or confidentiality may sometimes be limited or overridden by still more important moral considerations. Privacy and confidentiality are, therefore, best understood as prima facie duties, duties that must be honored unless there exists a stronger conflicting duty. [16] Professional duties that may conflict with respecting privacy or confidentiality include duties to protect the patient, duties to protect others, and duties to obey the law. When morally complex situations arise in medicine, physicians typically confront a variety of interests and moral or legal duties that appear to conflict.
In response, physicians must engage in careful clinical and moral reasoning. Such reasoning should generally include a clear statement of the problem, collection of relevant information, identification of options for action, comparative evaluation of the options, a decision, action, and assessment of the consequences. In evaluating options for action, physicians must weigh the various reasons (rights, duties, values, interests) for and against different options and choose the option that, all things considered, has the strongest reasons in its favor. Emergency care often requires rapid decisions. Emergency physicians should, therefore, examine potential moral conflicts involving privacy and confidentiality in advance of actual emergency situations and settle on appropriate courses of action for particular circumstances. Using this critical reasoning process, emergency physicians will decide in some situations to protect confidentiality and in others to override it to secure another important value or carry out another important duty.

Legal obligations to protect patient privacy and confidentiality are grounded in state and federal statutes and the common law. The privacy rule implemented in 2003 under HIPAA establishes significant new confidentiality protections, and that federal rule will be described below. This section will outline common law rules and statutes designed to protect privacy and confidentiality.

As noted above, Warren and Brandeis [10] described privacy in an 1890 law review article as "the right to be let alone." The first US legal case based on this right addressed a health care setting. [11] In De May v. Roberts (1881), a Michigan court upheld a couple's interest in physical privacy after a physician allowed an "unprofessional young, unmarried man" to enter their home and help deliver their baby. [17] As the right of privacy has evolved in US common law, courts have recognized 4 distinct kinds of invasion of privacy, including "unreasonable and highly offensive intrusion upon the seclusion of another" (physical privacy) and "public disclosure of private facts" (confidentiality). [18] To succeed in an action for intrusion on a person's "seclusion," the intrusion must be into a private place or matter and must be "offensive or objectionable to a reasonable person." [18]

In addition to invasion of privacy, US courts have found physicians liable for unauthorized release of medical information through the concept of a fiduciary duty of confidentiality in the physician-patient relationship. [3] Physicians who reveal a patient's personal information to third parties without appropriate justification may be liable for damages if the patient experiences harm as a result of the disclosure. Breach of confidentiality has also been recognized as a malpractice offense because it violates a professional standard of care. [3] (Other court rulings have established physician duties to disclose medical information in specific circumstances; these exceptions to the legal duty to keep confidentiality will be addressed below.)

A variety of state statutes create general and specific obligations to protect patient confidentiality. Many medical licensing statutes include clauses that identify disclosure of medical information as a type of unprofessional conduct. Statutes in a majority of states also grant testamentary privilege to the physician-patient relationship; this privilege allows defendants to constrain physicians from disclosing patient information in a trial or other legal proceeding. In addition to these more general statutory protections, other statutes create special confidentiality protections for specific conditions. Among the conditions granted such protection are alcohol and drug abuse and HIV-AIDS. [3] Federal statutes also provide protection for health information, including information held by federal agencies, by health care institutions operated by the federal government, and by health care institutions participating in Medicare, Medicaid, and other federal health care programs. [19]

In addition to the longstanding legal protections for confidential medical information described above, federal regulations that went into effect in 2003 impose new standards for health care confidentiality across the United States. [4,5] These new regulations, implemented under HIPAA, require providers to protect the confidentiality, integrity, and availability to patients of "individually identifiable personal health information" in any form, whether electronic, written, or oral. Personal health information includes information that relates to a person's physical or mental health, the provision of health care, or the payment for health care. The regulations apply to all health care organizations, including hospitals, physicians' offices, health care plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems, and "any ... person or organization who furnishes, bills or is paid for health care in the normal course of business."

HIPAA regulations require provision of a written "notice of privacy practices" to patients on contact in the ED. This notice must be written in plain language; it must explain who will have access to personal health information and describe patient rights about access, inspection, retrieval, and correction of their health information. The notice must also explain provider duties, grievance procedures, and any anticipated uses or disclosures of patient information. Patients are required to acknowledge receipt of this privacy notice in writing.

Under the HIPAA regulations, emergency physicians may use and disclose personal health information without the patient's written authorization only in the following circumstances.
(1) Personal health information may be given to the patient himself or herself.
(2) Caregivers may use and disclose personal health information for their own treatment, payment, and health care operations activities. ("Health care operations" includes a variety of activities, such as quality assessment, education of health care professionals, insurance underwriting, and business management.)
(3) With the patient's "informal permission," caregivers may disclose personal health information to family members or in facility directories.
(4) Caregivers may use and disclose personal health information for 12 "national priority purposes" listed in Figure 1.

The original version of the HIPAA privacy rule required that patients give explicit consent for all uses or disclosures of personal health information for treatment, payment, and health care operations. [20] Before the compliance deadline of April 14, 2003, however, the rule was revised to omit this consent requirement on the grounds that it was unnecessary and too burdensome. [21] Some privacy advocates objected that this change severely compromised patients' abilities to protect their health information. [22]

Under the privacy rule, EDs must implement policies and procedures for ensuring that disclosures of personal health information are limited to the "minimum necessary" to accomplish the purpose of disclosure and nothing more. "Minimum necessary" standards do not, however, apply to disclosures to a health care provider for treatment purposes, disclosures to the patient, and disclosures required by law. For disclosures made in error, the HIPAA regulations assess civil penalties of US$100 per violation up to a maximum of US$25,000 per year. Although patients cannot sue privately for a HIPAA privacy violation, the Office of Civil Rights of the Department of Health and Human Services is responsible for overseeing and enforcing the privacy regulations. Maximum criminal penalties for egregious violations include US$5,000 and 1 year's imprisonment for wrongful disclosure, US$100,000 and 5 years' imprisonment for disclosure under false pretenses, and US$250,000 and 10 years' imprisonment for disclosure for profit or malice. In the first year of implementation of the HIPAA privacy rule, the Office of Civil Rights received more than 5,000 complaints of infractions and referred several dozen cases to the Department of Justice for prosecution. [23]

Emergency medical researchers are permitted to use personal health information if they have specific patient authorization. In the absence of such authorization, researchers may use personal health information only if they have obtained a waiver of authorization from an institutional review board or privacy board and if it is clear that the research may not be conducted without access to the personal health information. The HIPAA Privacy Rule waiver requires that personal identifiers be protected from improper use. Researchers must provide written assurances that personal health information will not be reused or disclosed, and they must provide a written plan to destroy any identifiers at the conclusion of the research, absent a legal justification to retain them. Health care institutions may also enter into agreements with researchers to disclose "limited data sets" of health care information for research purposes. Such limited data sets must exclude the 16 specific identifiers listed in Figure 2. [24] State laws relating to deidentification of health information may impose additional burdens and limit areas where HIPAA-compliant deidentified information may be used.
In law, as in ethics, obligations to respect the privacy and confidentiality of patients are not absolute. Several exceptions to these obligations are widely recognized in the law, including duties to warn third parties of harm, duties to report various medical conditions, and duties to inform legal guardians and other surrogates about the care of minors and other incompetent patients.

In particular circumstances, physicians have a legal obligation to breach the confidentiality of a patient to warn another individual not under the care of the physician, a so-called third party, of a risk of danger posed by the patient. Early in the past century, in cases of infectious disease, a legal duty was ascribed to physicians to warn third parties of dangers of transmission of the disease to them, despite the fact that this disclosure would breach the confidentiality of the patient. [25-28] A sentinel case, Tarasoff v. the Regents of the University of California, involved the failure of a psychologist and supervising psychiatrist to warn of the danger posed by their patient to a woman whom the patient identified and threatened, who was not the psychiatrist's patient, and who was later murdered by the patient. [29] The holding of this case asserted that the physician has a duty to warn a third party of danger posed by the patient. Other state courts have varied about whether that duty is a duty to warn or a duty to protect and whether the duty owed is to an identified victim or to any "foreseeable" victim. The level of risk of harm that engenders the duty to warn has also varied from decision to decision. Nonetheless, the duty to breach confidentiality to warn a potential victim has been established in US common law during the past 30 years.

As noted above, statutes in a number of states require special measures to protect the confidentiality of persons infected with HIV. These measures are counterbalanced by common law duties to protect third parties from harm and by reporting requirements described below. A federal law, the Ryan White Comprehensive AIDS Resources Emergency Act, also requires that, in response to requests for information by emergency response employees, medical facilities must notify emergency care providers of any HIV exposure. [30]

Statutory law requires the reporting of confidential information about a variety of health conditions. Some of these involve a duty closely related to the duty to warn, namely, the duty to protect the public health. Thus, physicians have for centuries had a legal duty to report to the authorities certain infectious diseases, such as tuberculosis and sexually transmitted diseases, despite the patient's wish to keep the information confidential. [31,32] Lists of reportable diseases are established and updated by state public health authorities; current lists include bioterrorism agents (eg, anthrax, smallpox, plague, botulism, tularemia, viral hemorrhagic fevers) and new epidemic diseases such as severe acute respiratory syndrome. In addition to infectious diseases, physicians in most states are by law permitted or required to report conditions that affect a patient's ability to operate a motor vehicle safely. Such reporting is obviously intended to protect travelers from dangers posed by medically impaired operators of public or private modes of transportation.

Legislation in all states mandates reporting of injuries that are suspected to be caused by child abuse, and protects from liability physicians who report in good faith, but in error, a condition that later does not prove to be abuse. [33] Although many emergency physicians have been unaware of family violence reporting statutes involving adults, [34] most states also have mandated the reporting of suspected abuse of elders or dependent adults, [35] and several have mandated reporting of domestic violence against intimate partners. [36] Most states require reporting of any injury, including injuries inflicted by an intimate partner, if the injury was caused by a gun, knife, or other deadly weapon. [37] Requirements vary greatly from state to state about who must report (physician, any health provider, any citizen) and to whom to report (hospital administrator, police, social services agency). A current American Medical Association Code of Ethics opinion opposes mandatory reporting for intimate partner violence on the grounds that the adult victims of domestic violence should retain control over whether and when to report these actions. [38] Similarly, the American College of Emergency Physicians has a policy opposing mandatory reporting of domestic violence to the criminal justice system. [39] Mandatory reporting for conditions such as gunshot wounds may be defended on public health grounds (because society wishes to prevent another injury inflicted by the person who caused the original injury), but is more clearly related to law enforcement goals of capturing and punishing perpetrators of violent crimes. Generally, mandatory reporting laws do not require reporting of "victimless crimes" (eg, drug abuse or prostitution) or crimes that are less deadly (eg, battery).

Parents, as the natural guardians of their minor children, legal guardians, and other legally recognized representatives for incompetent patients are authorized to make health care decisions on behalf of those patients. To make informed health care choices, these individuals must be informed about the medical condition and care of the patients. In the case of minors, the law recognizes several exceptions to the duty to provide medical information about minor patients to parents or guardians. Although state laws vary, most states have established a status of emancipation for certain minors; criteria for emancipation often include being married and being financially independent. [40,41] Emancipated minors may make health care decisions without parental involvement and are entitled to the same confidentiality protections as adult patients. Additionally, many states recognize the concept of the "mature minor" and grant some decisionmaking and confidentiality protections to minors who have reached a certain age and are intellectually and emotionally capable of making certain health care decisions. Many states also have laws permitting or requiring confidential treatment for minors for such issues as pregnancy, contraception, substance abuse, and sexually transmitted disease. [42]

Legal guidelines about disclosure of patient information may exist in other specific situations. Deceased patients, for example, are incapable of protecting their own interests, but federal law requires the reporting of their vital statistics. Disclosures to family and others must be made discreetly to preserve the decedent's reputation and dignity where possible. [43]

The Joint Commission on Accreditation of Healthcare Organizations (JCAHO), the recognized accreditation agency for US hospitals, has adopted explicit standards requiring respect for patient confidentiality and privacy. Although not legally required, JCAHO accreditation is a practical necessity for most hospitals. Failure to meet established JCAHO standards may jeopardize a hospital's accreditation. The 2003 JCAHO standards on Patient Rights and Organization Ethics include this statement: "The hospital demonstrates respect for the following patient needs: confidentiality; privacy; ..." [44] The accreditation manual goes on to describe the following as "examples of implementation" of these standards: "Policies and procedures, based on applicable law and regulations, address confidentiality of patient information. The patient is informed of the hospital's policy on confidentiality at the time of admission"; "cubicle curtains in the emergency area give visual privacy"; and "spacing of stretchers and examination areas in the emergency area give auditory privacy." As these examples illustrate, accreditation requirements provide additional safeguards for protection of privacy and confidentiality in hospitals and EDs.

In summary, respect for patient privacy and confidentiality is a professional responsibility with both ancient origins and contemporary significance. After a brief review of the concepts of privacy and confidentiality, this first part of the article has outlined the moral and legal foundations and limits of privacy and confidentiality. Part II of the article will examine the claims of privacy and confidentiality in specific ED contexts.

References
Medical information, records, and confidentiality
Standards for privacy of individually identifiable health information; security standards for the protection of electronic protected health information; general administrative requirements including civil monetary penalties: procedures for investigations, imposition of penalties, and hearings. Regulation text. 45 CFR Parts 160 and 164
Office for Civil Rights. Summary of the HIPAA privacy rule
American College of Emergency Physicians. Code of Ethics for Emergency Physicians
The ED status board as a threat to patient confidentiality
Emergency department crowding as a health policy issue: past development, future directions
Emergency department overcrowding in Florida
The right to privacy
Privacy in health care
Superior Court, 179 Cal
A History and Theory of Informed Consent
Principles of Biomedical Ethics
Prosser and Keeton on the Law of Torts
Medical Records and the Law
HIPAA standards for privacy of individually identifiable health information: an introduction to the debate
DHHS wisely proposed to remove the "consent" requirement from the HIPAA privacy standards
The proposed changes to the final privacy rule suggest a disturbing reduction in an individual's ability to exercise a right to healthcare privacy
One year later, mixed reviews for privacy rule [American Medical News Web site
Regents of the Univ of Cal., 17 Cal.3d 425, 131 Cal
Confidentiality, the law in England, and sexually transmitted diseases
Tuberculosis, noncompliance and detention for the public health
Diagnostic and Treatment Guidelines on Child Sexual Abuse
Abuse and neglect of the elderly: are emergency department personnel aware of mandatory reporting laws?
House Select Committee on Aging. Elder Abuse: What Can Be Done? Washington, DC: Government Printing Office
Violence-inflicted injuries: reporting laws in the fifty states
Laws mandating reporting of domestic violence
Abuse of spouses, children, elderly persons, and others at risk. CEJA opinion E-2.02
American College of Emergency Physicians. Mandatory reporting of domestic violence to law enforcement and criminal justice agencies. ACEP policy, reaffirmed
Evaluation and treatment of minors: reference on consent
Emergency department treatment of minors
Legal Issues in Pediatrics and Adolescent Medicine
On harming the dead
Joint Commission on Accreditation of Healthcare Organizations