Electronic Medical Records: Privacy, Confidentiality, Liability


By John W.

Although the majority of physicians still rely on telephone or paper correspondence to communicate with patients, physicians are becoming more comfortable with the use of e-mail in the practice of medicine.

Those physicians who have integrated e-mail into their practices are employing it to perform a variety of functions, from enhancing patient education to improving adherence to treatment plans.

Although e-mail gives patients a direct and expedited means of communicating with their physicians, it presents pitfalls for physicians because it presently offers less security and confidentiality than other forms of communication.

The ability to transmit and forward messages to thousands of users, the ease with which a message can be mistakenly sent to an unintended recipient, and the risk of unauthorized disclosure are features of electronic messaging systems that can expose a physician to liability.

Some of the legal and ethical issues presented by electronic medical communications include patient confidentiality, security and privacy, informed consent, standard of care and malpractice, medical records and licensing.

Unique issues also arise out of physician-maintained web sites.

Patient Confidentiality

Physicians have long had an ethical and legal duty to protect the confidentiality of patient communications and information.

In Pennsylvania, for example, it constitutes unprofessional and immoral conduct for a physician to reveal personally identifiable facts of a patient obtained as a result of the physician-patient relationship, unless the patient has consented to the disclosure or the disclosure is otherwise authorized or required by statute.

This confidentiality standard applies irrespective of the form in which the confidential information is transmitted. Therefore, a physician who communicates with her patients through e-mail containing personally identifiable facts about a patient has a duty to protect those communications from disclosure absent patient consent or some statutory authority or mandate.

Security and Privacy

E-mail communication between physicians and patients presents significant security and privacy concerns. If a physician is going to maintain an e-mail account, the physician must ensure that any individually identifiable patient information transmitted electronically is protected from third-party interception.

This is especially important where the physician uses an Internet e-mail account, which can be monitored and accessed by the Internet service provider. Inadequate protections can lead to unauthorized use and disclosure, which can expose the physician to liability for, among other things, invasion of privacy and breach of confidentiality.

Although the federal Electronic Communications Privacy Act of 1986 (ECPA) imposes civil and criminal penalties for the unlawful interception of electronic communications such as e-mail, it offers physicians little, if any, comfort: its remedies apply after the fact, and ECPA cannot prevent the dissemination of information once an interception has occurred.

Additionally, once an e-mail communication becomes part of the medical record, it arguably loses the protections afforded by ECPA and is instead governed by state privacy and confidentiality statutes.


Accordingly, physicians should take steps to secure electronically transmitted patient information from unauthorized disclosure and interception, including establishing policies and safeguards governing the gathering, storing, use and disclosure of identifiable patient information.

Physicians should also consider technical controls such as encryption, which keeps the contents of a message unreadable to anyone but the intended recipient until it is received by the patient, combined with digital signatures or message authentication codes, which establish the authenticity and integrity of the message. Encryption by itself provides only confidentiality; it does not by itself guarantee that a message has not been altered in transit or forged by a third party.
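The distinction between scrambling a message and guaranteeing its authenticity and integrity is easy to see in code. The following is an added example written for this page, not code from the article or from any product it mentions. It uses only the Python standard library: a counter-mode stream cipher whose keystream is HMAC-SHA256 of a nonce and counter (a teaching construction; a real deployment would use a vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a maintained library) and a separate HMAC-SHA256 tag over the ciphertext. The key, nonce and message are constructed sample data.

```python
"""Encrypt-then-MAC for a physician-to-patient message (added example).

Shows that encryption alone hides content but lets an attacker alter it
undetected, while a separate authentication tag causes the altered message
to be rejected before it is ever decrypted.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

TAG_LEN = 32     # HMAC-SHA256 output length
NONCE_LEN = 16   # per-message nonce length (constructed choice)


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one master key.

    Distinct HMAC labels keep the two keys separate, so the encryption key is
    never reused as the authentication key.
    """
    enc_key = hmac.new(master_key, b"ehr-mail/encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"ehr-mail/authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with keystream blocks HMAC-SHA256(enc_key, nonce || counter).

    Encryption and decryption are the same operation. Like any stream cipher
    this is malleable: flipping a ciphertext bit flips the same plaintext bit,
    and nothing in this function can detect that it happened.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(enc_key, nonce + counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(master_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(master_key: bytes, sealed: bytes) -> Optional[bytes]:
    """Verify the tag in constant time before decrypting; None means reject."""
    if len(sealed) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(master_key)
    nonce, ciphertext, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return keystream_xor(enc_key, nonce, ciphertext)


def flip_bit(data: bytes, index: int, bit: int = 0) -> bytes:
    """Return a copy of data with one bit flipped (a simulated in-transit edit)."""
    edited = bytearray(data)
    edited[index] ^= 1 << bit
    return bytes(edited)


def demo() -> Dict[str, object]:
    """Constructed scenario: encryption alone versus encrypt-then-MAC."""
    master_key = b"\x11" * 32         # constructed sample key, not a real secret
    nonce = b"\x22" * NONCE_LEN       # fixed here only so the run is reproducible
    message = b"Dose: 10 mg daily"    # constructed sample message
    enc_key, _ = derive_keys(master_key)

    # Encryption only: an attacker who knows the message layout can change
    # "10 mg" to "70 mg" by XORing one ciphertext byte; decryption is silent.
    ct_only = keystream_xor(enc_key, nonce, message)
    idx = message.index(b"1")
    forged = bytearray(ct_only)
    forged[idx] ^= ord("1") ^ ord("7")
    tampered_plaintext = keystream_xor(enc_key, nonce, bytes(forged))

    # Encrypt-then-MAC: the same kind of edit fails tag verification.
    sealed = seal(master_key, message, nonce)
    rejected = open_sealed(master_key, flip_bit(sealed, NONCE_LEN + idx))

    return {
        "roundtrip": open_sealed(master_key, sealed),
        "tampered_plaintext": tampered_plaintext,
        "tampered_rejected": rejected is None,
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows the encrypted-only message decrypting to a changed dosage with no error, while the sealed message with the same edit is rejected; that is the gap between "scrambling" a message and guaranteeing its integrity.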

Further, physicians should determine when and under what circumstances their practices may be governed by the medical records privacy and security standards proposed by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The proposed regulations would preempt less stringent state medical privacy laws and impose significant civil monetary and criminal penalties on certain health care providers, including physicians, who fail, under certain circumstances, to protect individually identifiable electronic health information.

Informed Consent

Informed consent for surgical and certain other procedures is a well-established legal doctrine. Under Pennsylvania law, a physician is required to obtain full, knowing and voluntary informed consent from a patient for certain nonemergency procedures, including surgery.

The purpose of informed consent is to permit patients to participate fully in the medical decision-making process. Informed consent results where the physician gives the patient a description of the procedure and the risks, benefits and alternatives that a reasonably prudent patient would need to consider in making an informed decision as to whether or not to undergo the procedure.

Although no Pennsylvania law has been proposed requiring consent for e-mail communication, given the potential liability exposure of physicians for unauthorized disclosure, invasion of privacy, breach of confidentiality and the like, physicians should engage patients in a similar dialogue about the risks and benefits inherent in the use of electronic medical communications and the available alternatives.


Specifically, physicians should discuss with their patients the scope of foreseeable uses of e-mail and the potential privacy implications. Once the physician has advised the patient of the risks and benefits inherent in the use of e-mail and available alternatives, then the patient can make an informed decision as to whether or not to use it as a mode of communication with the physician.

Standard of Care and Malpractice

Although patient consent will likely deter some litigation over electronic medical communications, malpractice actions are sure to arise out of questions of the standard of care. Generally, a physician owes a duty of care to a patient by virtue of the physician-patient relationship.


Given that some jurisdictions have recently found the existence of a physician-patient relationship where a physician communicates with a patient solely by telephone, it is not difficult to foresee courts concluding that such a relationship is formed by e-mail as well.

Courts will then be left to grapple with which community standard applies if the physician and patient are not located in the same geographic area, or whether a national standard should be adopted if the physician is practicing nationwide.

Jurisdictional issues, such as where a suit may be filed and which state's law applies when the e-mail communication crosses state boundaries, will need to be addressed as well.

A key issue in electronic health systems is the underlying security and privacy risk.

For example, confidential patient information or medical records may end up in the hands of a person not privy to them. Unless confidentiality and privacy concerns regarding electronic medical records are addressed, the full benefits of electronic technology in the health care industry will not be obtained.

The federal government has not done enough since the enactment of HIPAA and its implementing regulations to safeguard personal medical information.

Ethical issues in electronic health records: A general overview

Keywords: Confidentiality, electronic health record, paper record, security breaches

PRIVACY AND CONFIDENTIALITY

Samuel D. Warren and Louis D. Brandeis, in their 1890 article "The Right to Privacy," defined privacy as the right "to be let alone."

In Section I, this commentary addresses the importance of patient medical records to our health care system, as well as the background of the regulations that protect patient privacy.

Section II discusses potential benefits and current controversies concerning the electronic storage of medical records.

INTRODUCTION

An electronic health record (EHR) is a record of a patient's medical details (including history, physical examination, investigations and treatment) in digital format.
