    • Patient Privacy

    • Answer to Question 1

      The correct answer to Question 1 is B (refer Mr Portland to his mother-in-law and her treating physician).

      Concerns surrounding the unauthorized access to medical records involve both legal and ethical considerations. From a legal perspective, the Health Insurance Portability and Accountability Act (HIPAA) mandates that physicians and hospitals take “reasonable measures” to prevent the disclosure of protected health information. In addition, physicians must access only the “minimum necessary” information to perform their job, without needlessly viewing records.

      Although Dr Houston might want to help her administrative assistant for professional and/or personal reasons, she has no medical reason or duty to view this patient’s records. Because Dr Houston is not currently involved in caring for her assistant’s mother-in-law, reviewing her medical records would exceed the “minimum necessary” information provision. Therefore, answer A is incorrect. The same is true for the radiology resident who read the previous body CT scan, but who is no longer interpreting imaging studies for this patient. Even if the resident or Dr Houston had accessed the records appropriately while interpreting a study on Mr Portland’s mother-in-law, it would be a breach of privacy to share this medical information with a family member. In addition, physicians have ethical and legal duties to maintain patient privacy and to obtain explicit consent from patients before sharing information with family members. Therefore, answer D is incorrect.

      Password security, firewalls, and encryption technology are some of the “reasonable measures” that have been instituted in hospitals across the nation to prevent unauthorized access to medical records. Standard usage practices mandate that individuals with password-protected accounts log out of sessions during idle periods to prevent others from accessing patient records. At some institutions, automated log-outs from computer workstations are used to prevent inadvertent and unauthorized access to patient information. Ultimately, an individual who provides a password to a colleague or leaves a session open and unmonitored is responsible for the actions of individuals who use it to review confidential files. Therefore, answer C is incorrect.

      Failure to protect the security of a patient’s medical records may lead to steep federal fines and sanctions against a hospital, while clinicians who ignore privacy standards may place their jobs and professional reputations at risk. However, beyond concrete financial penalties, breaching confidentiality can threaten the foundation of the patient-doctor relationship (1). If patients cannot trust their physicians to maintain their privacy, they may be reluctant to share information with their clinical team. If physicians are unable to preserve patient privacy, there is a risk that public trust will be fundamentally eroded. Ultimately, this may represent a much greater loss to a medical system than a financial penalty.