The Confidentiality of Personal Health Information in the Information Age


With today's technological advances in computerized communications, personal health information and medical records are made available to a large number of health care providers, insurance companies and other third party payors through legitimate channels. These records may contain highly sensitive and personal information pertaining to communicable diseases, sexual orientation, substance abuse, and psychiatric treatment. If inadvertently disclosed to the wrong parties, such information could result in loss of employment or insurance, embarrassment or other unfavorable treatment.

Health Records and Privacy

Now, more than ever, with the wealth of information available electronically, health care providers are subject to greater potential liability for inadvertent disclosure or misuse of confidential medical and health records. It is imperative that the confidentiality of this information be maintained to ensure that persons pursue and receive proper medical treatment and that public health care objectives, such as the control of infectious diseases, are achieved.

The basis for protection of an individual's personal health records is largely unattributed, but it is generally characterized in terms of an expectation of privacy. The United States Constitution does not explicitly provide a right of privacy. The United States Supreme Court has recognized a right of privacy pertaining to family related decisions, but it has narrowly applied the right of privacy in the context of the disclosure of personal information. While a number of federal statutes and regulations protect the disclosure of personal health records by federal agencies and others that receive federal funds, disclosure by states, insurance companies, employers and other third party payors is not prohibited by federal law.

An Example: Health Records in Florida

Unlike the United States Constitution, the Florida Constitution specifically enumerates a right of privacy with respect to personal matters, but it only prohibits interference in such matters by the state, and not by private parties. In addition, Florida has a privacy statute, but the statute protects only the appropriation of a person's name, photograph or likeness for a commercial purpose without the person's consent. If there is no commercial use, statutory relief is unavailable. However, the Florida Supreme Court has recognized a common law right of privacy prohibiting, among other things, disclosure of private facts. An invasion of privacy would result from the unauthorized disclosure of medical information and unlike in the case of libel, the truth of the disclosed information is not a defense. It is unclear to what degree a cause of action exists for an invasion of privacy absent widespread publicity of confidential information.

In addition, a Florida statute recognizes the physician-patient privilege of confidentiality with respect to patient records. According to the statute, patient records cannot be furnished to or discussed with anyone other than the patient or the patient's legal representative or other health care provider, other than in one of three situations:

  1. where the patient provides written authorization for disclosure;
  2. in the context of a medical negligence action, where the health care provider is or reasonably expects to named as a defendant; or
  3. where disclosure is compelled by subpoena at a deposition, evidentiary hearing or trial and proper notice has been given.

Another Florida statute deals specifically with the disclosure of HIV information. By statute, a provider regulated through the Division of Medical Quality Assurance may disclose positive HIV results to a sexual partner or a needle-sharing partner of an HIV-positive patient in limited circumstances, such as:

  1. where the patient who has tested positive for HIV discloses to the provider the identity of a sexual partner or a needle-sharing partner; or
  2. where the provider recommends that the patient notify the sexual partner or the needle-sharing partner of the positive test and refrain from engaging in sexual or drug activity in a manner likely to transmit the virus, the patient refuses, and the provider informs the patient of his or her intent to inform the sexual partner or needle-sharing partner.

Further Considerations

In short, while the right of privacy with respect to personal health information is an unsettled and evolving area of law, with the rapid increase in the electronic transmission of such information, this is certainly an area ripe for litigation and resulting liability.

Health care providers should consider establishing and following written policies pertaining to maintaining the confidentiality of their patients' personal health information. In addition, providers should closely analyze their contracts with third party payors, since many of these contracts disclaim liability for damages resulting from improper disclosure of personal health information. These contracts should require payors to maintain the confidentiality of health care information. Providers should also seek indemnification for losses attributable to breaches of the confidentiality provisions.