The duty of confidentiality is the ethical and legal obligation to protect patients' personal and medical information. Historically, confidentiality was primarily an ethical obligation, but it has become more formalized through legal frameworks like HIPAA. A study published in the BMJ notes, “Breaches of confidentiality are common, albeit usually accidental… Around a third of the calls received by the Medical Protection Society from doctors are related to confidentiality, particularly in general practice.” The principles that protect confidentiality are expanded upon in guidelines and codes issued by organizations like the American Medical Association (AMA) and the American Psychological Association (APA).
Confidentiality in healthcare is defined as the ethical obligation to preserve authorized restrictions on access to, and disclosure of, patients' personal and health information. It is about maintaining the secrecy of information given by or about an individual in the course of a professional relationship, which is a right of every patient, even after death.
The BMJ study mentioned above provides an apt definition: “The principle of keeping secure and secret from others, information given by or about an individual in the course of a professional relationship.”
The ethical definition of confidentiality encompasses all sensitive personal information, not just protected health information (PHI) covered by HIPAA, and applies to healthcare providers regardless of whether they are covered entities under HIPAA.
The duty of confidentiality is outlined within the principles of the Hippocratic Oath. The oath includes a pledge to keep secret any information learned in the course of professional practice, stating, “Whatever, in connection with my professional practice or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.” The duty establishes trust between patients and healthcare professionals, ensuring that patients feel secure in sharing the information necessary for effective diagnosis and treatment.
HIPAA's role in confidentiality is to ensure that healthcare providers, health plans, and clearinghouses safeguard patient data against unauthorized access or disclosure. Specific HIPAA requirements, such as the minimum necessary standard and breach notification, are discussed later in this article.
The American Medical Association (AMA) helps in shaping a confidentiality framework through its Code of Medical Ethics, which discusses restricting disclosures of PHI to the bare minimum necessary. The AMA also provides clear guidance on when disclosure is allowed without consent, like for healthcare operations or when required by law.
Similarly, the American Nurses Association (ANA) reinforces confidentiality as an ethical obligation, actively supporting legislation and policies that protect privacy rights and ensure the confidentiality of health information. Organizations like the American College of Healthcare Executives (ACHE) further highlight the need to maintain confidentiality while ensuring the flow of information necessary for patient care, advocating for institutional policies that align with HIPAA and state laws.
Secure communication channels cover a wide range of interactions, from provider-to-provider discussions to patient communications and internal hospital communications. Tools like HIPAA compliant email, secure messaging apps, and electronic health records (EHR) systems help protect patient data in each of these settings.
In complex situations where confidentiality must be balanced with other obligations, such as sharing information necessary for treatment or reporting serious health risks, secure communication channels are invaluable. They allow healthcare providers to share sensitive information only with its intended recipients, ensuring that only authorized individuals have access to patient data. This aligns with both ethical guidelines and legal requirements, reinforcing the duty of confidentiality.
From 2016 to 2019, the ePHI of over 1.5 million individuals was exposed online due to inadequate system monitoring and risk analysis. The breach included names, Social Security numbers, and health information. Inmediata settled with the Office for Civil Rights (OCR) for $250,000 and faced a $1.4 million multi-state penalty.
Phishing attacks in 2017 and 2020 led to unauthorized access to the ePHI of 10,840 patients. The hospital failed to provide HIPAA Privacy Rule training and delayed conducting a risk analysis. OCR imposed a $548,265 penalty for these violations.
A former contractor accessed the medical records of over 34,000 patients without authorization after their employment ended. Failures in access controls and system monitoring resulted in a $1.19 million fine from OCR.
A Pennsylvania healthcare provider disclosed a patient’s full medical records to a prospective employer without consent, violating the HIPAA Privacy Rule. The case was settled for $35,581.
A Maryland dental practice denied a patient access to her medical records based on an inappropriate administrative fee and unfounded concerns about insurance fraud. OCR imposed a $70,000 penalty for violating HIPAA’s Right of Access.
HIPAA requires that only the minimum necessary PHI be disclosed to achieve a specific purpose.
If a breach of unsecured PHI occurs, HIPAA mandates that the covered entity notify affected individuals, the Department of Health and Human Services, and in some cases, the media.
Telehealth must adhere to the same stringent confidentiality standards as traditional in-person care.
HIPAA provides guidance on maintaining confidentiality for minors, balancing the rights of the minor with parental rights. For treatments like reproductive or mental health care, providers may have discretion (guided by both HIPAA and state laws) to ensure the minor's privacy is protected when legally appropriate.