The AAFP believes that patient confidentiality must be protected. Historically, the privileged nature of communications between physician and patient has been a safeguard for the patient’s personal privacy and constitutional rights. Though not absolute, the privilege is protected by legislative action and case law.
However, data sharing across state lines is difficult given differing state patient privacy/confidentiality requirements. This Academy believes that state and federal legislators and jurists should seek a greater degree of standardization by recognizing the following principles regarding the privacy of medical information:
- The right to privacy is personal and fundamental.
- Medical information maintained by physicians is privileged and should remain confidential.
- The patient should have a right of access to his/her medical records and be allowed to provide identifiable additional comments or corrections. The right of access is not absolute. For example, in rare cases where full and direct disclosure to the patient might harm the patient's mental and/or physical well-being, access may be extended to his/her designated representative, preferably a physician.
- The privacy of adolescent minors should be respected. Parents should not, in some circumstances, have unrestricted access to the adolescent’s medical records. Confidentiality must be maintained particularly in areas where the adolescent has the legal right to give consent.
- Medical information may have legitimate purposes outside of the physician/patient relationship, such as billing, quality improvement, quality assurance, population-based care, patient safety, etc. However, patients and physicians must authorize release of any personally identifiable information to other parties. Third-party payer and self-insured employer policies and contracts should explicitly describe the patient information that may be released, the purpose of the information release, the party who will receive the information, and the time period limit for release. Policies and contracts should further prohibit secondary information release without specific patient and physician authorization.
- Any disclosure of medical record information should be limited to information necessary to accomplish the purpose for which disclosure is made. Physicians should be particularly careful to release only necessary and pertinent information when potentially inappropriate requests (e.g., "send photocopies of last five years of records") are received. Sensitive or privileged information may be excluded at the option of the physician unless the patient provides specific authorization for release. Duplication of the medical record by mechanical, digital, or other methods should not be allowed without the specific approval of the physician, taking into consideration applicable law.
- Disclosure may be made for use in conducting legal medical records audits provided that stringent safeguards to prevent release of individually identifiable information are maintained.
- Policy exceptions which permit medical records release:
  - To another physician who is being consulted in connection with the treatment of the individual by the medical-care provider;
  - In compelling circumstances affecting the health and safety of an individual;
  - Pursuant to a court order or statute that requires the physician to report specific diagnoses to a public health authority; and
  - Pursuant to a court order or statute that requires the release of the medical record to a law enforcement agency or other legal authority.
- Electronic health information communication systems must be equipped with appropriate safeguards (e.g., encryption, message authentication, user verification, etc.) to protect physician and patient privacy and confidentiality. Individuals with access to electronic systems should be subject to clear, explicit, mandatory policies and procedures regarding the entry, management, storage, transmission and distribution of patient and physician information.
- The Academy supports the use of patient record information for primary care research, biomedical and pharmaceutical research and other health research, provided there is appropriate protection for research subjects, i.e., Institutional Review Board approval.