Confidentiality and Privilege
I. CASE EXAMPLES
A. CASE EXAMPLE 1
A 27-year-old man appears at a psychiatric hospital’s emergency room looking dirty and disheveled. His communications are impaired by marked loosening of associations. He is judged by the examining resident to require hospitalization, but because he has already included the doctor in his fluid paranoid system and has made a number of threatening remarks toward him, the resident requests that a security guard stand by in the room as the patient is processed for admission. During the course of eliciting the basic demographic data, the resident is stunned to hear the patient blurt out a confession to a murder. Expressing great remorse and desire for punishment, the patient recounts that he bludgeoned an elderly woman to death the previous night on the water-front and then dumped the body into the harbor. The resident completes the admission but is then uncertain how to proceed.
B. CASE EXAMPLE 2
For 2 years, a 34-year-old woman with schizophrenia and persistent paranoid delusions has been seen intermittently for medication and supportive therapy by the same psychiatrist. Several hospitalizations have taken place during this period. The patient has given birth to two children, but because one was given up for adoption several years before and the other is living with a foster family under the supervision of the state’s child welfare agency, they play little role in her life and are rarely mentioned. To the psychiatrist’s surprise, she receives a subpoena to testify at a hearing concerning the younger child. Discussion with the patient reveals that the agency is now seeking permanent custody of the child. A call to the agency reveals that it is hoped the psychiatrist’s testimony will complete the case by depicting the patient as an unfit mother. The psychiatrist’s protestations that she knows nothing of the patient’s capacity to raise children, because they have never discussed it, are dismissed. The patient firmly requests that the doctor not testify. In light of this, the doctor fears that any information she gives will be perceived as a hostile act and will impair the fragile therapeutic alliance. She would like to avoid that outcome but does not know how.
C. CASE EXAMPLE 3
A 28-year-old, newly married man is referred to a community mental health center from a nearby hospital. The social worker making the referral mysteriously refuses to say why it is being made. When the patient arrives, he is clearly distraught. After considerable discussion, he reveals that he has just received the results of a human immunodeficiency virus (HIV) antibody test, which was positive. He denies any history of same-sex sexual activity or intravenous drug use, although he has been sexually active and comes from a neighborhood in which experimentation with drugs is common among young men. The patient is uncertain whether he wants psychotherapy but agrees to a short-term contract to allow him to explore the issues surrounding his HIV status. During the second session, the patient mentions casually his intention to have a child with his new wife. When confronted, he says clearly that he does not intend to tell her about his HIV-positive status, because despite his physician’s reassurance, he fears that would mean they could never have a child and he would not be a “real” husband. Over the next two sessions, the therapist discusses the risks posed to the patient’s wife and to a child who may be conceived. However, the patient still refuses to discuss the issue with his wife or to permit her to be notified. Motivated by concern about his responsibility to the patient’s wife on the one hand and about maintaining the patient’s confidentiality on the other, the therapist ponders what to do.
D. CASE EXAMPLE 4
A certain amount of atypical behavior is not unexpected in the waiting room of a small group psychiatric practice, and the receptionist and file clerk are neither particularly surprised nor distressed by the curious actions of the man sitting in the corner. He is a tall, well-dressed man in his 30s who has acknowledged that he is 2 hours early for his appointment, but that he does not mind waiting. While waiting, however, he is seen to scribble occasionally on a pad; stare off into space with his head cocked, as if responding to internal stimuli; and turn his head sideways at intervals, apparently listening to his cupped hand. After some wary glances reassure them he is not a threat, the receptionist continues to answer calls, handle faxes, and chat with the file clerk, while the latter attends to multiple clerical duties, responding to requests via her intercom and her portable telephone headset to bring specified files back to the doctors’ offices.
At the appointed hour, Dr. Bell’s voice on the intercom intones, “Please tell the risk manager to come on in.” Having stiffened momentarily at the words “risk manager,” the receptionist calls out, “Dr. Bell will see you now; he is the second door on your right.” Gripping his notepad, the man thanks her and strides into the doctor’s office, fixes the doctor with a piercing eye, and—before sitting down—states emphatically: “Dr. Bell, you have a serious HIPAA problem here!” An anxious look crosses Dr. Bell’s face, but old clinical reflexes reassert themselves, and he indicates the “patient’s chair,” saying, “Why don’t you sit down and tell me about it?”
II. LEGAL ISSUES
A. CONFIDENTIALITY
Confidentiality refers to the right of an individual not to have communications that were imparted in confidence revealed to third parties. It is derivative of the broader right to privacy, which guards against a variety of intrusions on an individual’s freedom from unwanted attention.
Privilege, often more accurately called testimonial privilege, can be viewed as a narrow off-shoot of the right to confidentiality. An individual with testimonial privilege has the right to bar another person from testifying based on information that person has gained from communications with him or her. Privilege applies only in judicial or parajudicial settings, and its extent is strictly limited by case law or statute.
1. Historical Evolution of a Right to Privacy
In English common law, the corpus of court decisions reaching back to the Middle Ages that is the foundation of Anglo-American jurisprudence, no explicit formulation of a right to privacy exists.
In the United States, it was not until 1890 that Warren and Brandeis’ landmark article, “The Right to Privacy,” offered the first theoretical construction of a general right to privacy, although before then a variety of doctrines had protected narrow interests in freedom from intrusion and in the confidentiality of particular communications (e.g., mail or telegraph messages). Individuals, however, had no remedies for invasions of privacy except in unusual cases in which a criminal statute was violated by the disclosure of personal communications, or the information revealed was untrue and thus constituted grounds for libel. The innovative idea in Warren and Brandeis’ formulation was that all citizens shared a general right to privacy, which could be enforced by bringing suit for damages against those who violated it.
In the United States, it was not until 1890 that Warren and Brandeis’ landmark article, “The Right to Privacy,” offered the first theoretical construction of a general right to privacy, although before then a variety of doctrines had protected narrow interests in freedom from intrusion and in the confidentiality of particular communications (e.g., mail or telegraph messages). Individuals, however, had no remedies for invasions of privacy except in unusual cases in which a criminal statute was violated by the disclosure of personal communications, or the information revealed was untrue and thus constituted grounds for libel. The innovative idea in Warren and Brandeis’ formulation was that all citizens shared a general right to privacy, which could be enforced by bringing suit for damages against those who violated it.
A right to privacy caught on slowly but ultimately became firmly ensconced in American common law. This right consists of four separate components: guaranteeing freedom from intrusion on seclusion, appropriation of one’s name or likeness for commercial purposes, publicity given to one’s personal life, and publicity that places one in a false light. The area covered by the right to privacy has grown tremendously in recent decades, as it has been declared by the US Supreme Court to be inherent in the other rights granted by the US Constitution; it has served as the basis for decisions at all levels of the judiciary, in such disparate areas as the right to use contraception, access to abortions, and the right to refuse psychopharmacologic agents.
The rights of patients in treatment to protection of their confidences received little attention in the development of the law of privacy. None of the four subcategories of a right to privacy is easily applied to physicians’ or therapists’ breaches of patient confidentiality. The one that comes closest—publicity given to one’s personal life—has generally been held to require actual publication of the disclosure to a general audience. In contrast, those situations most disturbing to medical and psychiatric patients usually involve disclosures to a single person (e.g., a spouse or an employer) or a small number of persons (e.g., law enforcement authorities). Although the law was paying little attention to protecting patients’ confidences, the helping professions themselves had not neglected the area.
2. Ethical Bases for Protecting Confidentiality
Long before the development of a legally recognized right to privacy, medicine had embraced an ethical proscription against the needless divulgence of patients’ confidences. The Hippocratic Oath, as well as later codes, enjoined physicians from disclosing information they acquired from their patients: “[W]hatsoever I shall see or hear in the course of my profession… if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets.”
The ethical foundations of confidentiality in medicine and the other helping professions are twofold. First, confidentiality is based on the belief that revelation of patients’ confidences—communicated in the course of diagnosis and treatment—would discourage patients from seeking medical and mental health care. The resulting harm to society would exceed the benefits of disclosure. Thus, the greater good lies in shielding patients’ communications. This argument is based on the utilitarian principle that we should follow the rule that yields the greatest good for the greatest number of people. Note that it depends on empirically testable propositions, such as the assumption that incursions on confidentiality affect patients’ motivations to seek treatment.
Does such empirical support exist? Numerous surveys of therapists, patients, and nonpatients support the importance of confidentiality in treatment settings. Adolescents seem particularly sensitive to the possibility that their medical care, including treatment for substance abuse and other psychiatric conditions, might not be confidential (see Suggested Readings, Berlan and Brovender). It is harder to demonstrate that patients would be deterred from seeking treatment if confidentiality were not protected, although anecdotal evidence and patients’ beliefs appear to support this. Most patients surveyed, however, are ignorant of legal protections of their confidentiality (or the lack thereof), instead trusting their clinicians to protect their disclosures. Does this mean that legal protection is unimportant or only that patients believe they can take it for granted? The answer is unclear.
In contrast to the utilitarian approach, the second argument in favor of confidentiality does not rely on the consequences of the rule chosen for its justification. Advocates of this approach argue that medical and mental health professionals induce their patients to reveal personal information
by creating situations in which confidentiality is implicitly or explicitly promised. Having made such a promise, the clinician is obligated to keep it. An ethical argument of this sort falls into the category of a “deontologic” justification, dependent on an analysis of moral duties rather than on the consequences of the act. Even when considered through this approach, though, confidentiality is not an absolute principle. In the face of countervailing duties (as seen in Sec. II-A-5), it may have to give way.
by creating situations in which confidentiality is implicitly or explicitly promised. Having made such a promise, the clinician is obligated to keep it. An ethical argument of this sort falls into the category of a “deontologic” justification, dependent on an analysis of moral duties rather than on the consequences of the act. Even when considered through this approach, though, confidentiality is not an absolute principle. In the face of countervailing duties (as seen in Sec. II-A-5), it may have to give way.
Most mental health professionals would probably offer both utilitarian and deontologic reasons for protecting patients’ confidentiality, although it is the former that are most frequently discussed in the literature. Regardless of the ethical underpinning, every mental health discipline endorses the importance of confidentiality in its code of ethics.
3. Current Legal Bases for Confidentiality
The lack of clear-cut common-law doctrines for protecting confidentiality has not prevented the development of substantial legal protections for patients. Three mechanisms have been used to achieve this end: judicial, statutory, and regulatory. Courts have used traditional privacy doctrines to impose liability on physicians and psychotherapists who have disclosed information communicated to them in confidence by their patients. Courts have also begun crafting a new doctrine explicitly recognizing the right of persons in certain professional settings—including psychotherapy—to protection from disclosure. This new theory has generally gone under the term breach of confidence. One limit to this approach, of course, is that it provides a monetary remedy only after the damage has been done.
Simultaneous with this activity in the courts, state legislatures have passed statutes attempting to prevent breaches of confidentiality in the first place. Prohibitions against disclosure may be found in physician or psychotherapist licensure statutes (in some states), physician-patient or psychotherapist-patient privilege statutes (see Sec. II-B), and in laws creating a “patient’s bill of rights.” All these sources of the doctrine of confidentiality prescribe a common standard governing the release of information: With rare exceptions, identifiable data can be transmitted to third parties only with patients’ explicit consent.
Perhaps the most important development in the last several decades has occurred on the regulatory front. Authorized by the 1996 Health Insurance Portability and Accountability Act (HIPAA), the federal Department of Health and Human Services (DHHS) issued a detailed set of regulations governing medical confidentiality (referred to in the regulations as “medical privacy”), which went into effect in 2003. The promulgation of the regulations was motivated by the desire to facilitate the development of what has been called a “health information infrastructure.” Advocates envisioned electronic health record (EHR) systems covering all patients that could be linked for clinical, administrative, and research purposes into a system capable of providing both access to individual records and comprehensive aggregate medical and care utilization data. The promoters of this interlinked medical information network—who foresaw benefits from improved clinician access to patients’ records and from the ability to identify anomalous patterns of use—recognized that some minimum level of confidentiality protections would be essential for the public to support their proposal. Hence, the requirement for the confidentiality regulations was built into the HIPAA legislation, along with such provisions as the development of unique identifiers for every patient and every provider, and standardization of formats for electronic transmission of health information.
Many of the specifics of the voluminous HIPAA regulations are discussed in the following sections. However, several aspects of the regulations deserve emphasis here. First, only clinicians or health care entities that engage in specified electronic transmission of health information—for purposes such as verification of insurance eligibility and billing—are covered by the regulations. Although it seems probable that the reach of the regulations will be extended more broadly in the future, for now clinicians who avoid the specified electronic activities are exempt from HIPAA-based obligations. Second, the regulations are intended to set a floor for privacy protections, in the absence of more stringent legal rules. Thus, state laws or other federal laws that are more deferential to privacy concerns than the HIPAA regulations take precedence and must be obeyed. Finally, although the HIPAA rules permit disclosure of health information to third parties in a variety of circumstances, they do not mandate disclosure in any situation (other than to patients themselves—see Sec. II-A-4-b-iii). Clinicians and facilities always retain the discretion to be more
protective of patients’ interests in confidentiality by adhering to stricter standards for disclosure. Several helpful reviews of the HIPAA regulations aimed at mental health professionals have appeared and can be consulted for further details (see Suggested Readings, Appelbaum 2002; Brendel and Bryan).
protective of patients’ interests in confidentiality by adhering to stricter standards for disclosure. Several helpful reviews of the HIPAA regulations aimed at mental health professionals have appeared and can be consulted for further details (see Suggested Readings, Appelbaum 2002; Brendel and Bryan).
4. Release of Information to Third Parties
a. General principles. Although the principles of confidentiality embodied in professional ethics and most state laws on medical privacy generally require patients’ consent before disclosure, the HIPAA regulations take a more permissive approach. For functions related to treatment, payment, or health care operations, the HIPAA rules allow disclosure without patient consent. Among the persons or entities to whom identifiable health information can be released under these categories are other treaters involved in the patient’s care, insurers, utilization reviewers, accrediting agencies, and a host of others. For other purposes, release of information requires what the federal regulations refer to as “authorization”—which resembles traditional written consent, with certain aspects of the form specified by the HIPAA rules. Thus, forms must indicate the information to be disclosed, the purposes to which it will be put, the recipients of the information, and the expiration date of the authorization. There are, in addition, 12 uses of information that are exempt from the authorization requirement, including release “to avert a serious threat to health or safety” or to report child abuse or neglect. Several kinds of disclosures to law enforcement authorities and for purposes of litigation are also included.
Surveys of patients’ views on confidentiality have consistently reported that patients believe that they should determine who has access to their medication information, even when it comes to physicians and other professionals who may be involved in their care. Although the HIPAA rules reject that approach, they do not prevent clinicians and facilities from adopting more traditional approaches to disclosure based on patients’ consent. We encourage mental health professionals to seek patients’ consent before information disclosures except in emergencies, when disclosure is required by law, and in other exigent circumstances. When possible, consent should be written and time-limited. This approach has been endorsed by the Ethics Committee of the American Psychiatric Association as most in keeping with psychiatrists’ responsibilities to their patients. Of course, where state statutory or case law requires consent before disclosure, clinicians must obtain consent regardless of the more permissive approach of the HIPAA regulations. Within this general framework, we turn to specific situations in which disclosure may occur.
b. Specific instances of disclosure
i. Other physicians and therapists. The exchange of information among medical and mental health professionals has long been a hallmark of relations among caregivers. These informal relationships, however, are often no longer dependent on patient consent. Integrated health care systems have electronic medical record systems that permit any clinician caring for a patient to access information from the patient’s record. Because psychiatric records are particularly sensitive (although psychiatric data are by no means the only sensitive information contained in medical records), we would argue that patient control of access to these records should be maintained by partitioning them from the general medical record. Access should require a special password and be limited only to those caregivers directly involved in patients’ treatment, for whom patients have given consent to view their records. Model electronic record systems of this sort have been developed, although most commercially available systems do not allow this degree of patient control. At a minimum, if this is not the case in any facility or system, patients should be informed at the outset of the way in which records are kept and who has access to them.
Even outside of integrated health care systems, HIPAA’s permissive approach to exchange of information among clinicians has accelerated the sharing of clinical data. Insurers routinely require primary care physicians who are referring patients to specialists, including psychiatrists, to send detailed consultation requests and, in turn, require specialists to send information concerning patients’ evaluations and treatment back to the referring physicians. Hospitals, eager to hold on to the goodwill of referring practitioners in the community, require their physicians to maintain contact with patients’ community-based physicians during hospitalization and to rapidly send patients’ operative notes and discharge summaries to those physicians after patients leave the hospital. This increased communication is, in most cases, beneficial to patients’ care, which can more easily be coordinated.
Nonetheless, patients may have good reasons for wanting their confidential treatment information not to be transmitted from one caregiver to another. This is especially true for psychiatric data, which may be embarrassing or otherwise compromising. If patients are willing to pay the cost in reduced coordination of their care, they should have this right. Thus, before sending out information to other caregivers, clinicians should always obtain patients’ consent. If patients refuse consent, and insurers inquire why their policies regarding communication with referring physicians were not adhered to, it is perfectly acceptable from a legal and ethical standpoint to indicate that the information was withheld because the patient did not consent to its disclosure.
Two additional points regarding disclosure of information to other physicians and therapists should be noted. First, the useful practice in many academic centers and group practices of obtaining informal consultations from colleagues and peers can, of course, continue, so long as the patient’s privacy is protected by omission of his or her name and other identifying data. Continuing case conferences and presentations in rounds and seminars should be governed by similar rules. Second, it is often particularly difficult to resist sharing information with clinicians who have previously had contact with the patient, but who are no longer actively involved. Having left the circle of those caring for the patient, however, these clinicians are no longer entitled to receive confidential information. Although this may require a good deal of tact to accomplish in practice, responding to such requests with a sincere apology, but a firm refusal, best protects the interests of the patient. Follow-up, to be sure, is an important element in the clinical growth of the therapist, but this is one occasion in which it must be sacrificed for a more important end.
ii. Insurers and managed mental health care companies. Disclosure of information to third-party payers and the entities with which they contract to manage mental health benefits has become among the most problematic issues of confidentiality. Patients usually are required to sign blanket consents for release of all medical and psychiatric records as a condition of insurance coverage; occasionally these blanket consents do not constitute informed consent, identifying to whom the material is released and what consequences may follow. Insurers and managed care organizations (MCOs) have an unquestioned need to assess, in general terms, the basis for, and progress of, treatment. Pressures to contain health costs, though, have led insurers and MCOs to demand increasing amounts of data before, during, and after treatment. No longer satisfied with summaries of patients’ care, perhaps because mental health professionals have been less than frank in the past about patients’ diagnoses, insurers demand actual records (sometimes in their entirety) in many cases.
Professional organizations have attempted to work with insurers and MCOs to change these practices, but they are widespread. It is difficult for clinicians to protect patients’ confidentiality when insurers can compel patients to consent to release all data or bear the cost of the treatment. Although some outpatients choose to pay the full cost of therapy to avoid passing records to their insurers, this is often not a practical option, especially for hospitalized patients. Threats to confidentiality are even greater when insurance forms are processed in-house by patients’ employers in an effort to hold down health care costs. Insurers’ dedication to confidentiality is suspect in the absence of state or federal laws prohibiting redisclosure. The requirement in the HIPAA regulations that only the “minimum necessary information” be released (except to other treaters) may ultimately be helpful here, but it has not yet been tested with regard to insurers. In the mean-time, the only reasonable approach is for clinicians to exercise great care in the information they include in patients’ records in the first place, eliminating compromising information not essential to patients’ care. Of course, this does not deal with the entire problem because even the fact of psychiatric diagnosis and treatment may be highly stigmatizing.
The federally and state-funded Medicare and Medicaid programs have given rise to numerous controversies over confidentiality of records. Aggressive fraud control units have demanded access to full patient records to determine if services billed for were actually provided. Therapists have argued, in opposition to such broad requests, that access should be restricted to billing records and appointment books, or that records should be redacted to eliminate personal information before inspection. The courts have split in their response to these cases, but at least several opinions have supported the importance of confidentiality and denied prosecutors blanket access. Legislative options to restrain overbroad prosecutorial initiatives have not been pursued but would seem to be a promising approach in this area.
iii. Families. Family members are not usually viewed as third parties by therapists. In fact, those who take a family or systems approach to therapy consider the family to be as much a focus of the therapeutic effort as the identified patient. Families of persons with severe mental illnesses, who are starting to play an active role in formulating mental health policy, often complain most bitterly of the failure of clinicians to discuss their relatives’ conditions with them, even when they are the primary caretakers. Although efforts in Congress to relax restrictions on disclosure to families of people with serious mental illnesses have failed, the Office of Civil Rights (OCR), which enforces the HIPAA regulations, has responded to these concerns with guidance regarding the circumstances under which clinicians can release information without patients’ consent (see Suggested Readings, Office of Civil Rights). If patients are present and do not object to the disclosure of information to family members and other caregivers, information relevant to their care can be communicated. In addition, “where a patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others involved in the patient’s care or payment for care, as long as the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient.”
Even when competent patients object to the release of information to their family members, it may be possible for mental health professionals to be more helpful than they have been. Greater efforts can be made to obtain patients’ consent for discussions; nonconfidential items can be revealed; and information relating generally to persons with mental illness (e.g., the side effects of medication and how they can be treated) can be discussed without referring specifically to the situation of a patient who refuses to grant permission for disclosure. It may be the attitude of mental health professionals, which has often communicated the absence of an interest in collaboration, more than what is or is not disclosed, that has most upset family members.
iv. Patients themselves. Although patients themselves are technically not third parties, the question of patients’ access to their own records is generally considered along with other confidentiality issues. The HIPAA regulations grant patients the right to view and obtain a copy of their own records, although the records themselves belong to the facility or clinician. Only a small number of exceptions exist to this fairly sweeping right of access, the most important being when “the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.” If patients believe their records are factually inaccurate, they can request an amendment. These regulations set the first national standards for patient access to medical records.
A growing number of studies have been performed in inpatient and outpatient settings to assess the effects of allowing psychiatric patients to see their records. Almost all studies suggest a positive effect from greater patient access, particularly when efforts are made to prepare patients for the session and someone is on hand to explain material that may be unclear or confusing. In contrast, most studies of clinicians’ perspectives on this process demonstrate their concern about the emotional impact on patients of reading progress notes and other materials. Clinicians are also troubled by the possibility that their charting practices may be distorted by the knowledge that patients will have access to records in the future. Some detrimental impact on the quality of charts that are made available to patients has been found.
An issue of special concern when patients receive information from their own charts is the possibility that the records contain comments solicited from relatives or friends of the patient, based on assurances that patients would not learn of their role. Although ethical considerations similar to those involving patients apply to these other sources of information, the legal situation is not as clear-cut. In principle, data obtained from sources who have requested anonymity should be excised from records before they are released. The HIPAA regulations, however, do not recognize the importance of this step, instead granting total access to patients. This is one area in which recording practices might need to change, with greater care taken to protect sources of information, or informants may need to be told frankly about patients’ right of access to records. In fact, many clinicians who are reluctant to keep secrets from their patients already routinely tell informants that they disclose any such information to patients. This practice obviously precludes later problems.
c. Psychotherapy notes. The HIPAA regulations define a category of records referred to as “psychotherapy notes,” similar to what used to be referred to among clinicians as “process notes” (see Sec. III-G-2). To be included in this category, the records in question must consist of
the contents of the patient’s disclosures or reflections on them; not include general information such as medications, diagnosis, and treatment plans; and be kept separately from the rest of the patient’s records. Records that meet these restrictive qualifications can usually not be released for any purpose without the patient’s specific authorization, although they still may be subject to a subpoena in jurisdictions without a testimonial privilege or where an exception applies (see Sec. II-B). Unfortunately, only a small part of the information generated in the course of treatment is eligible for the added protections afforded by psychotherapy notes, and with the growing use of electronic medical record systems, which generally make no provision for two categories of entries, the proportion of notes covered by this provision continues to decline.
the contents of the patient’s disclosures or reflections on them; not include general information such as medications, diagnosis, and treatment plans; and be kept separately from the rest of the patient’s records. Records that meet these restrictive qualifications can usually not be released for any purpose without the patient’s specific authorization, although they still may be subject to a subpoena in jurisdictions without a testimonial privilege or where an exception applies (see Sec. II-B). Unfortunately, only a small part of the information generated in the course of treatment is eligible for the added protections afforded by psychotherapy notes, and with the growing use of electronic medical record systems, which generally make no provision for two categories of entries, the proportion of notes covered by this provision continues to decline.
d. Release of information for research purposes
i. Protecting patient confidentiality in research procedures. Gathering information for research purposes often creates risk that identifiable information about patients will become available to third parties. Federal regulations governing the conduct of research, which apply to most medical research in this country, require patients’ consent for research participation in most cases and hence have served to insure that medical information will not be disclosed to researchers without patients’ knowledge and agreement. Exceptions are limited to situations in which the risks of the research—including those related to confidentiality of medical information—are minimal and it would be infeasible to obtain consent. Projects involving larger-scale medical record reviews constitute the most frequent category of projects conducted without patients’ consent.
The HIPAA regulations have added another layer of complexity to the process of review and approval of research projects, which is conducted by institutional review boards (IRBs). HIPAA rules require patient authorization (now usually incorporated into research consent forms) for access to protected medical information by researchers but allow IRBs or specially designed privacy boards to waive these requirements according to criteria similar to the usual federal research standards. The major impact of HIPAA in the research realm has come not from the terms of the regulations themselves, which impose few new requirements, but from their interpretation by IRBs. Despite permissive interpretations from the federal agency that administers the HIPAA regulations, many IRBs incorrectly believe that HIPAA does not allow them to grant researchers access to patient information for screening and recruitment purposes. This has significantly complicated the work of research personnel, with little gain for patients’ privacy.
Beyond any explicit legal requirements, there are many things that researchers themselves can do to limit threats to confidentiality. Two useful means of protecting confidentiality in research are to limit the number of people with access to identifiable data and to separate patient identifiers and confidential information. Data forms should contain codes, rather than patient names. If it is necessary to retain a record that links codes and names (e.g., to conduct a follow-up some months or years later), these forms can be kept separate from the data. Most IRBs require that research data files be securely locked and that identifiers be destroyed as soon as it is feasible to do so. The advantage to confidentiality in the last requirement is balanced by the loss of opportunity to use the same sample in subsequent studies not yet conceived. The possibility of future investigations must be considered carefully when confidentiality protections are being designed.
In an effort to bolster protections for research subjects, the National Institutes of Health (NIH) recently announced that all NIH-funded projects would automatically receive a Certificate of Confidentiality. These certificates prevent compelled disclosure of identifiable information about research subjects by a subpoena or court order. Such certificates have existed for many years, but they previously required researchers to make explicit requests for them. Although they have not been tested frequently in the courts, there is good reason to believe that the protection they provide will generally be upheld. Investigators conducting research not funded by NIH can also receive a Certificate of Confidentiality, but they need to make a formal request to the agency.
ii. Publication of identifiable information. Not all research in psychiatry originates in formal protocols. Many important contributions have been made by clinicians who have reviewed and reported their clinical experiences with one or more patients.
Patients’ privacy can be infringed by publication of data that are not sufficiently disguised to render them anonymous. The most famous case to reach the courts dealt with a psychoanalyst who published detailed transcripts of analytic sessions in a book (Doe v. Roe). The courts held that even though the work was intended as a scientific demonstration for a professional audience, the
patient’s right to privacy had suffered. Obtaining the patient’s consent to publication would have obviated the problem; however, a casual mention that the therapist was working on a book that might use case material of the patient, as occurred in the case noted here, was not sufficient. As the Group for the Advancement of Psychiatry noted, “Sometimes material may be so impossible to camouflage that it should not be published at all, in spite of its scientific value. Such ethical requirements take priority over research objectives.” Of course, the same principles hold for videotapes and audiotapes of sessions or interviews with patients (see also Chap. 4, Sec. II-D-2).
patient’s right to privacy had suffered. Obtaining the patient’s consent to publication would have obviated the problem; however, a casual mention that the therapist was working on a book that might use case material of the patient, as occurred in the case noted here, was not sufficient. As the Group for the Advancement of Psychiatry noted, “Sometimes material may be so impossible to camouflage that it should not be published at all, in spite of its scientific value. Such ethical requirements take priority over research objectives.” Of course, the same principles hold for videotapes and audiotapes of sessions or interviews with patients (see also Chap. 4, Sec. II-D-2).
An international group of editors of medical journals has noted that “complete anonymity is difficult to achieve” when case reports are presented and suggested that “informed consent should be obtained if there is any doubt” that patients’ anonymity will be protected (see Suggested Readings, ICJME). Journal editors and publishers seem clearly to be moving in this direction, as are organizers of grand rounds and other professional presentations.
e. Liability resulting from release of information to third parties. Patients whose confidential disclosures have been released without their consent can seek compensation from those responsible for harms they may have suffered, including emotional harms consequent on others knowing of their affairs. Courts have developed a variety of theories under which such claims are adjudicated, including actions in tort (the law of civil wrongs) for invasion of privacy, breach of confidentiality, and malpractice; and actions in contract for breach of an implied warranty that confidentiality will be maintained (see Chap. 4, Sec. II-D-2). Several cases have indicated that those persons who induce a therapist to reveal confidential information (e.g., the patient’s employer) may also be held liable for resulting harms.
Under the HIPAA regulations, fines can be imposed on violators, an approach that may deter breaches of confidentiality but offers no compensation to patients who may have been harmed. At the time this edition was written, the OCR had received more than 165,000 HIPAA-related complaints, the largest number of which alleged unauthorized disclosure of medical information. These have included both intentional and accidental disclosure of information (e.g., theft of an unencrypted laptop from a parked car), as well as failures to take sufficient precautions to protect confidential information (e.g., Web portals that allow unauthorized access to patient records). Although the majority of complaints have been found to be unwarranted, the OCR has exacted financial penalties for HIPAA noncompliance from 52 covered entities, with fines that often reached many millions of dollars. Clearly, compliance with the HIPAA regulations is something that needs to be taken seriously by every health care provider.
Other options for the aggrieved patient include seeking punitive action against the clinician from the state’s professional board of licensure. A complaint alleging breach of professional ethics can also be brought before the therapist’s professional association. If a “patients’ bill of rights” exists in the jurisdiction, penalties for violation may also apply.
5. Exceptions
As important as confidentiality is to patients, from both utilitarian and deontologic perspectives, few people question that there are times when other interests must take priority. Disclosure of information without patients’ consent may be legally justified, or even required in circumstances such as those outlined in the following sections. However, in most instances such disclosures are covered by HIPAA’s “minimum necessary” rule, which limits communication of confidential medical information to the minimum amount necessary to accomplish the desired end. (Note that the minimum necessary rule does not apply to disclosure made for treatment purposes, and for a small number of other reasons.)
a. During an emergency. Physicians and other clinicians retain the obligations of a fiduciary relationship—to act in the best interests of the patient. When, in an emergency situation, a patient refuses to give consent or cannot be located for consent, a clinician may sometimes disclose appropriate data in the patient’s interest. The situations in which this might be thought to be the case are so numerous—almost any refusal to grant consent can be construed as not in the patient’s interest—that if the exception is not to exceed the rule, such action should be limited to situations in which the patient’s immediate welfare is clearly at stake. Such release is permitted by the HIPAA regulations for treatment purposes.
Some examples are fairly clear-cut. When the therapist is contacted by a hospital emergency room where the patient, thought to be psychotic and unwilling to answer questions, is being evaluated, information concerning the patient’s diagnosis, medications prescribed, pattern of illicit drug use, and the like may be essential to proper evaluation and treatment. Such information should be revealed, in the patient’s interests, even without explicit consent, and if the patient’s physical well-being is at stake, probably even over his or her explicit objections, with the justification for such action carefully documented.
When the patient’s physical integrity is not at stake, the extent of an emergency exception becomes harder to define, especially under the HIPAA regulations, which narrowly define the exceptions as limited to serious threats to health or safety. A social service agency, for example, may contact a therapist asking for information that would establish the patient’s continuing eligibility for subsidized housing. The patient has not been seen for some weeks, and consent for a disclosure of this sort was not previously obtained. Without the therapist’s evidence, though, the patient will lose her apartment. Is this enough of an emergency to warrant a response in the absence of consent? Pre-HIPAA, we would have urged clinicians to rely on the assumption that a reasonable person would want a disclosure to be made and to act accordingly. Now, however, unless the social service agency can obtain the patient’s authorization, the likely impact on the patient’s health or safety must be considered prior to disclosure.
b. When the patient is incompetent. If the treating clinician believes that the patient is not legally competent to give or to withhold consent (e.g., for release of information for disability benefits), he or she should attempt to obtain a substitute consent. If the patient has a guardian, that person is legally entitled to act on the patient’s behalf. Many patients who are functionally incompetent, however, have never had a formal adjudication and lack guardians. In such cases, the consent of a close relative may be adequate. HIPAA allows everyone who is authorized to make health care decisions for another person to make decisions about his or her medical records as well. In situations in which a substitute for the patient’s consent cannot be obtained (e.g., he or she has neither a guardian nor relatives available), the legal situation is ambiguous, but we believe that the clinician should be able to release information that is necessary to serve the patient’s best interest. This position is supported by the HIPAA guidance from the OCR cited previously (see Sec. II-A-4-b).
c. Acting to hospitalize or commit the patient. When disclosure of information is required to effect the involuntary commitment (as by giving evidence of a patient’s inability to care for himself or herself) or voluntary hospitalization of a patient, such release is permitted in most states and under HIPAA. Some jurisdictions, however, restrict patients’ treating clinicians from releasing confidential information in commitment proceedings over patients’ objections. In those states, special examiners conduct commitment evaluations without input from their clinicians.
d. Acting to protect third parties. Before the mid-1970s, psychiatrists’ legal obligations to protect third parties from their patients’ violent acts were limited to situations in which psychiatrists took physical control of a potentially dangerous person (i.e., hospitalized that person). Their duties extended only to ensuring that these patients did not escape or were not prematurely released because of the psychiatrist’s or facility’s negligence. Confidentiality did not need to be breached to fulfill this duty.
Tarasoff v. Regents of the University of California, a case ultimately decided by the California Supreme Court in 1976, changed that. Tarasoff recognized the duty of all mental health professionals, not just psychiatrists, to protect their patients’ potential victims, even if the patient had never been hospitalized. Although the court required mental health professionals to take “whatever steps are reasonably necessary” to discharge their duty, it especially emphasized the possibility that warnings may have to be issued to the victim or the police, or both. Most states have similar judicial decisions or have adopted statutes defining some sort of obligation analogous to the one fashioned in Tarasoff, and the HIPAA regulations permit disclosure for this purpose. Most experts advise clinicians in states without current law relating to a duty to protect to act as if some version of the obligation exists in their jurisdiction. (For a more complete discussion of potential liability resulting from a failure to fulfill the duty to protect, see Chap. 4, Sec. II-A-3-e.)
As noted, the duty to protect is not synonymous with a duty to warn. Other measures can be taken without breaching confidentiality and should ordinarily be considered first, including changing the nature of therapy to focus on the feared violence, adding or changing medications, expanding therapy to include a threatened intimate of the patient, and hospitalizing the patient. Circumstances exist, however, in which disclosure is necessary to protect potential victims. If harm results from the therapist’s failure to disclose information, liability may be imposed. Conversely, disclosure made in a good-faith belief that a third party is endangered does not result in liability for breach of confidence. Many states have adopted statutes providing explicit immunity from suit in such circumstances.
The duty to protect was developed in the context of violent behavior by patients, but it has been extended by some courts to include property damage and harm caused by dangerous driving. Among the most discussed areas to which a duty to protect may apply is the protection of sexual partners of persons infected with HIV. Laws in some states forbid disclosure of patients’ HIV status to sexual partners, whereas others allow it. Suits against physicians for failure to inform a sexual partner have been rare, and there are substantial problems of proof (e.g., was the partner infected before or after the therapist learned of the patient’s condition?). It is generally agreed that efforts should be made to get the HIV-infected patient to discuss the issue with his or her partner and to bring that person in for counseling. Failing that, however, the American Medical Association and the American Psychiatric Association have issued statements indicating their support for disclosure when necessary to protect a sexual partner. The salience of this issue has faded somewhat with the development of combinations of medications that effectively suppress viral load and reduce (though not eliminate) the risk of transmission.
e. Acting in conformance with reporting requirements. States are imposing an ever-growing number of obligations on physicians, other mental health professionals, and other caregivers to report specified conditions and behavior. The HIPAA regulations permit required reports to be made. Although each reporting obligation adopted by the legislature represents a decision that public knowledge of the condition or behavior in question is more important than the maintenance of confidentiality, one must question the cumulative impact of these requirements.
Historically, all states have required the reporting of cases of specified communicable diseases to allow public health measures to be implemented. The range of conditions, symptomatic and asymptomatic, associated with infection with HIV is a controversial addition to this group. Similarly, all jurisdictions require professionals to notify authorities about cases of suspected child abuse, although the statutes vary considerably in their requirements. Some impose an obligation only if the professional has seen the child or if the abuse is recent and likely to continue; others require reporting even of abuse that occurred in the distant past, regardless of whether the child has been seen in person.
More recent legislation has been enacted analogous to child abuse reporting statutes to cover other groups at risk of abuse. These include the elderly and the mentally and physically disabled. Some states are attempting to enforce older requirements for reporting of persons who may be unsafe drivers, including but not limited to, the mentally ill, epileptic patients, and drug and alcohol abusers. Impaired health care professionals, especially physicians, who come to the attention of other providers, must be reported in some jurisdictions. Furthermore, in some jurisdictions mental health professionals are required to report instances of sexual contact between therapists and patients when these are revealed by their patients.
Most recently, with the goal of reducing gun violence, New York State has required mental health professionals to report patients who are “likely to engage in conduct that would result in serious harm to self or others”—potentially a very large proportion of patients seen in the state. These reports are checked against a gun license database to ascertain persons whose handgun licenses may be revoked and whose guns may be confiscated. Because the state has resisted releasing data on the outcome of these cases, it is impossible to know how effective it has been. However, it is yet one more illustration of the temptation that many lawmakers experience to gather data that arguably advance important ends by requiring disclosure by health and mental health professionals.
Clinicians who do not to live up to their mandatory reporting obligations may be subject to civil and criminal penalties that are part of many statutes. In addition, should harm later occur that would have been prevented had they reported the situation, potential civil liability may exist as well.
It should be noted that in almost every jurisdiction, and under federal law, previous crimes of a patient that come to the therapist’s attention do not have to be reported. The common-law doctrine of misprision, which required all citizens to report felonies of which they became aware, has been rejected repeatedly by courts in this country, although a few states retain misprision statutes. Some state mental health systems and the Veterans Affairs system may have administrative rules requiring reporting of past crimes. When evidence of a past crime raises the strong possibility of future crimes, as in the case of a repetitive sex offender, a clinician’s duty to protect potential victims may require that some action (not necessarily reporting) be taken.
f. Supervisors and collaborators. Disclosure of information to those who are assisting the primary caregiver’s efforts is not considered a breach of confidentiality and is included under the “treatment” exception to HIPAA’s requirement for patient authorization. This includes supervisors, members of the treatment team on a hospital inpatient unit, and colleagues who are involved directly in the patient’s treatment. These individuals, once in possession of the data, are likewise under the same obligation to maintain confidentiality as the primary clinician. In-house quality assurance proceedings are undertaken under similar presumptions, as are reviews by accrediting agencies.
g. Administrative requirements. Under HIPAA, along with learning new rules for disclosure of medical information, clinicians and facilities have to meet a number of administrative requirements. Formal privacy policies and procedures need to be developed, and a staff person must be designated as a “privacy official” to receive complaints and provide information to patients. All staff members must be trained in these policies, and as noted below, new patients must be provided with a notice of the relevant privacy practices. Patients have the right to receive an accounting of all disclosures from their medical records in the past 6 years, except for those made for treatment, payment, or health care operations; those that they themselves have authorized; and a small number of other categories. Every clinician, practice, or facility needs to create and sign contracts with all business associates who are given access to identifiable information about patients (e.g., billing, transcription, and accounting services), binding them to observe the terms of the regulations—to which, under the terms of HIPAA itself, they would not otherwise be subject. Many professionals and specialty societies, including the American Psychiatric Association, have developed model forms and procedures to help members fulfill these requirements.
B. PRIVILEGE
1. Historical Evolution
Related posts:
Stay updated, free articles. Join our Telegram channel
Full access? Get Clinical Tree
