A confidential relationship between physician and patient is essential for the free flow of information necessary for sound medical care. Only in a setting of trust can a patient share the private feelings and personal history that enable the physician to comprehend fully, to diagnose logically, and to treat properly. The American Academy of Family Physicians (AAFP) supports full access by physicians to all electronic health information within the context of the medical home.
The AAFP believes that patient confidentiality must be protected. Historically, the privileged nature of communications between physician and patient has been a safeguard for the patient’s personal privacy and constitutional rights. Though not absolute, the privilege is protected by legislative action and case law. NOTE: Nothing herein or below shall be construed as contravening the standards for health information contained in the Health Insurance Portability and Accountability Act (HIPAA) relating to privacy, confidentiality, or security of personal health information.
Data sharing is difficult, particularly across state lines given differing state patient privacy/confidentiality requirements. The AAFP believes that state and federal legislators and jurists should seek a greater degree of standardization by recognizing the following principles regarding the privacy of medical information:
A. The right to privacy is personal and fundamental.
B. Medical information maintained by physicians is privileged and should remain confidential.
C. The patient should have a right of access to his/her medical records and be allowed to provide identifiable additional comments or corrections. The right of access is not absolute. For example, in rare cases where full and direct disclosure to the patient might harm the patient's mental and/or physical well-being, access may be extended to his/her designated representative, preferably a physician.
D. The privacy of adolescent minors should be respected. Parents should not, in some circumstances, have unrestricted access to the adolescent’s medical records. Confidentiality must be maintained particularly in areas where the adolescent has the legal right to give consent.
E. Medical information may have legitimate purposes outside of the physician/patient relationship, such as billing, quality improvement, quality assurance, population-based care, patient safety, etc. However, patients and physicians must authorize release of any personally identifiable information to other parties. Third-party payer and self-insured employer policies and contracts should explicitly describe the patient information that may be released, the purpose of the information release, the party who will receive the information, and the time period limit for release. Policies and contracts should further prohibit secondary information release without specific patient and physician authorization.
F. Any disclosure of medical record information should be limited to information necessary to accomplish the purpose for which disclosure is made. Physicians should be particularly careful to release only necessary and pertinent information when potentially inappropriate requests (e.g., "send photocopies of last five years of records") are received. Sensitive or privileged information may be excluded at the option of the physician unless the patient provides specific authorization for release. Duplication of the medical record by mechanical, digital, or other methods should not be allowed without the specific approval of the physician, taking into consideration applicable law.
G. Disclosure may be made for use in conducting legal medical records audits provided that stringent safeguards to prevent release of individually identifiable information are maintained.
H. Policy exceptions which permit medical records release within applicable law:
- To another physician who is being consulted in connection with the treatment of the individual by the medical-care provider;
- In compelling circumstances affecting the health and safety of an individual;
- Pursuant to a court order or statute that requires the physician to report specific diagnoses to a public health authority; and
- Pursuant to a court order or statute that requires the release of the medical record to a law enforcement agency or other legal authority.
I. Electronic health information communication systems must be equipped with appropriate safeguards (e.g., encryption, message authentication, user verification, etc.) to protect physician and patient privacy and confidentiality. Individuals with access to electronic systems should be subject to clear, explicit, mandatory policies and procedures regarding the entry, management, storage, transmission and distribution of patient and physician information.
The AAFP supports the use of patient record information for primary care research, biomedical and pharmaceutical research and other health research, provided there is appropriate protection for research subjects, i.e., Institutional Review Board approval.
(1979) (December 2017 BOD)