Statement of the Issue
Many people consider information about their health to be highly sensitive, deserving of the strongest protection under the law. Doctor-patient privilege has been the mainstay of privacy protection for
It is vital that healthcare providers treat patient information confidentially and protect its security.
Maintaining confidentiality is becoming more difficult. Scores of personnel must have access to intimate patient information, and patients must feel free to reveal personal information. Personal information contained in medical records is reviewed by scores of personnel who have a need to access the information therein.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted to protect the confidentiality of patient health information. Under HIPAA, covered entities and their business associates may use or disclose protected health information (PHI) without the patient's consent only for purposes of treatment, payment or healthcare operations.
While media representatives also seek access to health information, particularly when a patient is a public figure or when treatment involves legal or public health issues, the rights of individual patients must be protected. Society's need for information rarely outweighs the right of patients to
The American College of Healthcare Executives believes that in addition to following all applicable state laws and HIPAA, healthcare executives have a moral and professional obligation to respect confidentiality and protect the security of patients' medical records. We, as patient advocates, must follow carefully defined policies and applicable laws in those cases for which the release of information without consent is indicated.
In fulfilling their responsibilities, healthcare executives should seek to:
1. Limit access to patient information to authorized individuals only.
2. Educate healthcare personnel on confidentiality and data security requirements.
3. Take necessary steps to ensure all healthcare personnel are aware of and understand their responsibilities to keep patient information confidential and secure.
4. Implement physical safeguards to protect medical record files against unauthorized access.
5. Conduct periodic data security audits and risk assessments.
6. Develop systems that enable organizations to track who accessed health records.
7. Establish policies and procedures to provide to the patient an accounting of uses and disclosures of the patient's health information.
8. Create guidelines for securing necessary permissions for the release of medical information for research, education, utilization review and other purposes.
9. Follow all applicable policies and procedures regarding privacy of patient information even if the information is in the public domain.
10. Educate patients about organizational policies on confidentiality and use the notice of privacy practices as required by the HIPAA Privacy Rule.