AMA Adopts New Guidelines on Responding to Breaches of Patient Records
On June 15, 2009, the American Medical Association (AMA) approved new guidelines for physicians on responding to breaches of patients' electronic medical records (EMR).
According to the AMA Council on Ethical and Judicial Affairs (CEJA) in its report, CEJA Report 3-A-09, these guidelines are intended to fill an important gap in the AMA's policy, which, until now, did not "address physicians' ethical responsibilities in the event the security of electronic records is breached and patient data are inappropriately accessed." The CEJA identified the need for the guidelines particularly in light of the newly enacted American Recovery and Reinvestment Act of 2009 (ARRA), which amended the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to mandate that patients be notified in the event of certain breaches of their medical records.
As adopted, the guidelines state:
"When there is reason to believe that patients’ confidentiality has been compromised by a breach of the electronic medical record, physicians should:
- Ensure that patients are promptly informed about the breach and potential for harm, either by disclosing directly (when the physician has administrative responsibility for the EMR), participating in efforts by the practice or health care institution to disclose, or ensuring that the practice or institution takes appropriate action to disclose.
- Follow ethically appropriate procedures for disclosure, which should at minimum include:
- carrying out the disclosure in a private setting and within a time frame that provides patients ample opportunity to take steps to minimize potential adverse consequences; and
- describing what information was breached; how the breach happened; what the consequences may be; what corrective actions have been taken by the physician, practice, or institution; and what steps patients themselves might take to minimize adverse consequences.
- Support responses to security breaches that place the interests of patients above those of the physician, medical practice, or institution.
- To the extent possible, provide information to patients to enable them to mitigate potential adverse consequences of inappropriate disclosure of their personal health information, such as credit monitoring services or identity theft hotline."
Now, physicians and other health care providers who intend to establish policies to address responses to breaches of their patients' EMR must not only take into account the above AMA guidelines and the recent amendments to HIPAA but they also must remember to consult the applicable laws of their own state.
