Posted on June 19, 2009 by David Kopans

AMA Adopts New Guidelines on Responding to Breaches of Patient Records

On June 15, 2009, the American Medical Association (AMA) approved new guidelines for physicians on responding to breaches of patients' electronic medical records (EMR).

According to the AMA Council on Ethical and Judicial Affairs (CEJA) in its report, CEJA Report 3-A-09, these guidelines are intended to fill an important gap in the AMA's policy, which, until now, did not "address physicians' ethical responsibilities in the event the security of electronic records is breached and patient data are inappropriately accessed." The CEJA identified the need for the guidelines particularly in light of the newly enacted American Recovery and Reinvestment Act of 2009 (ARRA), which amended the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to mandate that patients be notified in the event of certain breaches of their medical records.

As adopted, the guidelines state:

"When there is reason to believe that patients’ confidentiality has been compromised by a breach of the electronic medical record, physicians should:

  1. Ensure that patients are promptly informed about the breach and potential for harm, either by disclosing directly (when the physician has administrative responsibility for the EMR), participating in efforts by the practice or health care institution to disclose, or ensuring that the practice or institution takes appropriate action to disclose.
  2. Follow ethically appropriate procedures for disclosure, which should at minimum include: 
    1. carrying out the disclosure in a private setting and within a time frame that provides patients ample opportunity to take steps to minimize potential adverse consequences; and
    2. describing what information was breached; how the breach happened; what the consequences may be; what corrective actions have been taken by the physician, practice, or institution; and what steps patients themselves might take to minimize adverse consequences.
  3. Support responses to security breaches that place the interests of patients above those of the physician, medical practice, or institution.
  4. To the extent possible, provide information to patients to enable them to mitigate potential adverse consequences of inappropriate disclosure of their personal health information, such as credit monitoring services or identity theft hotline."

Now, physicians and other health care providers who intend to establish policies to address responses to breaches of their patients' EMR must not only take into account the above AMA guidelines and the recent amendments to HIPAA but they also must remember to consult the applicable laws of their own state.

Tags: , , , , , , , , , ,
Posted on June 20, 2008 by Jarad Hunter

Ohio's Physician-Patient Privilege and Grand Jury Subpoenas

The Fourth District Court of Appeals in Ohio recently released an opinion indicating that the trial court erred by refusing to grant a motion to quash a grand jury subpoena requesting medical records from a physician.  The grand jury had issued a subpoena ordering the physician to produce the medical records of over 50 patients.

The case is instructive regarding application of the physician-patient privilege to grand jury subpoenas in Ohio.  Under Federal privacy regulations, a covered entity may disclose protected health information without a "HIPAA-compliant" authorization in compliance with and as limited by the relevant requirements of a grand jury subpoena.  See 45 C.F.R. 164.512(f)(1)(ii)(B).  However, an Ohio court has recognized that the state law physician-patient privilege is more stringent than the Federal privacy regulations.  See Grove v. Northeast Ohio Nephrology Assoc., 2005-Ohio-6914, Paragraphs 18-23.

The Ohio Supreme Court has stated that in the absence of a prior authorization, a physician or hospital is privileged to disclose confidential medical information in those special situations where disclosure is made in accordance with a statutory mandate or common law duty, or where disclosure is necessary to protect or further a countervailing interest that outweighs the patient's interest in confidentiality.  Biddle v. Warren Gen. Hosp., 1999-Ohio-115 (syllabus).

In this case, the Court found no statutory exception to the physician-patient privilege.  In addition, the Court refused to "judicially create a public policy exception to the privilege statute for grand jury subpoenas."  Physicians and hospitals should be aware of this opinion (and its analysis) when responding to grand jury subpoenas requesting medical records.

Tags: , , , , , ,