A confidential relationship between physician and patient is essential for the free flow of information necessary for sound medical care. Only in a setting of trust can a patient share the private feelings and personal history that enable the physician to comprehend fully, to diagnose logically, and to treat properly. The American Academy of Family Physicians (AAFP) supports full access by physicians to all electronic health information within the context of the medical home.
The AAFP believes that patient confidentiality must be protected. Historically, the privileged nature of communications between physician and patient has been a safeguard for the patient’s personal privacy and constitutional rights. Though not absolute, the privilege is protected by legislative action and case law.
Data sharing is difficult, particularly across state lines, given differing state patient privacy/confidentiality requirements. The AAFP believes that state and federal legislators should seek a greater degree of standardization by recognizing the following principles regarding the privacy of medical information:
A. The right to privacy is personal and fundamental.
B. Medical information maintained by physicians is privileged and should remain confidential.
C. The patient should have a right of access to his/her medical records and be allowed to provide identifiable additional comments or corrections. The right of access is not absolute. For example, in rare cases where full and direct disclosure to the patient might harm the patient's mental and/or physical well-being, access may be extended to his/her designated representative, preferably a physician.
D. Medical information may have legitimate purposes outside of the physician/patient relationship, such as billing, quality improvement, quality assurance, population-based care, patient safety, etc. However, patients and physicians must authorize release of any personally identifiable information to other parties. Third-party payer and self-insured employer policies and contracts should explicitly describe the patient information that may be released, the purpose of the information release, the party who will receive the information, and the time period limit for release. Policies and contracts should further prohibit secondary information release without specific patient and physician authorization.
E. Any disclosure of medical record information should be limited to information necessary to accomplish the purpose for which disclosure is made. Physicians should be particularly careful to release only necessary and pertinent information when potentially inappropriate requests (e.g., "send photocopies of last five years of records") are received. Sensitive or privileged information may be excluded at the option of the physician unless the patient provides specific authorization for release. Duplication of the medical record by mechanical, digital, or other methods should not be allowed without the specific approval of the physician, taking into consideration applicable law.
F. Disclosure may be made for use in conducting legal medical records audits provided that stringent safeguards to prevent release of individually identifiable information are maintained.
(1979) (September 2022 COD)