
AAOS Now

Published 5/1/2013 | Thomas B. Fleeter, MD

Patient Confidentiality in the Age of Instant Communications

Safeguards to protect patient information

As physicians, we have both a legal and an ethical responsibility to protect the privacy of patient information. This covenant of confidentiality is necessary for our patients to feel comfortable in sharing the full range of their medical information. If we, as physicians, do not have access to the full range of our patients’ medical information, our ability to diagnose and treat would be compromised.

Federal law prohibits unauthorized access to confidential medical data. However, the increasing prevalence of electronic health records (EHRs) is a new threat to patient privacy. As integrated networks of physicians expand, physicians and staff across the network have unprecedented access to confidential data, and the chances that someone may gain unauthorized access to confidential patient information increase.

Two recent high-profile cases provide examples of unauthorized access to patient information and breach of confidentiality. In the first, a duty nurse released confidential information about the pregnancy of the Duchess of Cambridge to two callers without verifying the callers’ identities. The nurse later committed suicide. In the second, several Kaiser employees were found to have disclosed confidential information about the hospitalization of the “Octomom.” The hospital was fined $250,000.

These cases highlight the importance of protecting patient medical data from unscrupulous parties and media sources. The prevalence of the internet and instant communications, combined with widespread EHR implementation, makes privacy breaches increasingly common.

Inadvertent breaches can also occur. Recently, the Hospice of Northern Idaho reported to the Department of Health and Human Services (HHS) that an unencrypted laptop had been stolen. Despite the fact that fewer than 500 individuals were potentially affected, this was a violation of the Health Insurance Portability and Accountability Act (HIPAA) and HHS fined the hospice $50,000. Under HHS guidance, properly encrypted data is not considered unsecured protected health information, so encrypting the laptop would have kept the theft outside the scope of breach notification.

What constitutes a breach?
A breach of confidentiality is any unauthorized disclosure of medical information to a third party. The breach can be written, oral, or electronic. However, the greatest concern today is abuse of access to EHRs. Increasingly, unauthorized persons gain access to insurance data and use that data for financial gain. (See “Tips to Secure Patient Data.”)
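Abuse of legitimate EHR access is best caught in the system's own audit trail. The following is an added example, not code from the article or from any EHR vendor: a small Python audit script that scans a constructed, comma-separated access log (the format, the user and patient identifiers, and the care-team mapping are all assumptions for illustration) and flags two patterns that the cases above describe: a restricted chart opened by someone outside the patient's care team, and one user opening an unusual number of distinct charts in a short window, which is the pattern of someone harvesting insurance identifiers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real EHR). Columns:
# timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2013-04-02T08:05:11,dr_lee,physician,P1001,view_chart
2013-04-02T08:07:40,rn_kim,nurse,P1001,view_chart
2013-04-02T08:09:02,clerk_ray,billing,P1001,view_chart
2013-04-02T08:30:00,dr_lee,physician,P3001,view_chart
2013-04-02T09:00:00,tech_sam,it,P2001,view_demographics
2013-04-02T09:02:10,tech_sam,it,P2002,view_demographics
2013-04-02T09:04:30,tech_sam,it,P2003,view_demographics
2013-04-02T09:06:00,tech_sam,it,P2004,view_demographics
2013-04-02T09:08:45,tech_sam,it,P2005,view_demographics
2013-04-02T09:11:20,tech_sam,it,P2006,view_demographics
2013-04-02T14:00:00,rn_kim,nurse,P1001,update_vitals
"""

# Patients whose charts are restricted to a named care team. Assumed data;
# a real deployment would take this from the EHR's treatment relationships
# or its flagged-patient (VIP/employee/sensitive) list.
CARE_TEAM = {"P1001": {"dr_lee", "rn_kim"}}

MAX_DISTINCT_PATIENTS = 5   # more than this many charts in one window is flagged
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse the CSV-style audit lines into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, patient, action = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role,
            "patient": patient, "action": action,
        })
    return records


def flag_care_team_violations(records, care_team=CARE_TEAM):
    """Rule 1: a restricted chart opened by someone outside its care team."""
    return [
        ("care_team", r["user"], r["patient"])
        for r in records
        if r["patient"] in care_team and r["user"] not in care_team[r["patient"]]
    ]


def flag_bulk_lookups(records, limit=MAX_DISTINCT_PATIENTS, window=WINDOW):
    """Rule 2: one user touching more than `limit` distinct charts within `window`."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((r["ts"], r["patient"]))
    findings = []
    for user, events in by_user.items():
        events.sort()  # chronological, so every later event is >= the window start
        for i, (start, _) in enumerate(events):
            seen = {p for ts, p in events[i:] if ts - start <= window}
            if len(seen) > limit:
                findings.append(("bulk_lookup", user,
                                 f"{len(seen)} charts from {start.isoformat()}"))
                break  # one finding per user is enough for triage
    return findings


def audit(text):
    """Run both rules over a log and return (rule, user, detail) findings."""
    records = parse_log(text)
    return flag_care_team_violations(records) + flag_bulk_lookups(records)


if __name__ == "__main__":
    for rule, user, detail in audit(SAMPLE_LOG):
        print(f"{rule:12} {user:10} {detail}")
```

On the sample log the script reports clerk_ray's view of P1001 (a billing clerk outside the care team) and tech_sam's six charts in eleven minutes; dr_lee and rn_kim produce no findings. The thresholds and the care-team list are the parts a practice would tune to its own staffing, and the findings are a starting point for a human review, not proof of wrongdoing.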

Medical identity theft or misuse of insurance identifiers has become more commonplace. The Centers for Medicare and Medicaid Services is aware of more than 300,000 compromised Medicare subscriber numbers. Abuse of insurance identifiers and other forms of healthcare fraud make up nearly 10 percent of claims, resulting in higher premiums. The Coalition Against Insurance Fraud estimates that more than $80 billion per year is lost secondary to healthcare fraud.

Identity fraud can also affect the quality of health care. Incorrect diagnoses can be added to the record when another person fraudulently uses the insurance identifier.

It is clear that unauthorized use of or access to private healthcare data can have deleterious effects. In many instances, however, release of private information is appropriate. Apart from disclosures for treatment, payment, and healthcare operations, which HIPAA permits without authorization, the patient’s express authorization is required before releasing information. Most insurance companies require enrollees to sign a release prior to enrollment in the plan. A patient, legal guardian, or parent can legally authorize release of medical information. To comply with HIPAA regulations, a release must include the following information:

  1. Patient’s name
  2. Address of the healthcare institution directed to release the information
  3. Description of the information to be released
  4. Name of the recipient of the information
  5. Purpose of the disclosure (a statement that it is at the patient’s request is sufficient)
  6. Signature of the authorizing person and the date signed
  7. Time period during which the release is valid

Failure to obtain the appropriate release can have significant consequences. As physicians, we have a responsibility to protect patient confidentiality and to keep up with the applicable regulations.

For more information on steps to protect and secure information, particularly electronic information, visit healthIT.gov/mobiledevices.

Thomas B. Fleeter, MD, chairs the AAOS Medical Liability Committee. He can be reached at bonedock@comcast.net

Tips to Secure Patient Data
Whether you use a personally owned mobile device or one provided to you by another entity, the following tips from HealthIT.gov will help you secure your patients’ private information:

  1. Install and enable encryption to protect health information data.
  2. Use a password or other user authentication.
  3. Install and activate wiping and/or remote disabling to erase data on a lost or stolen device.
  4. Disable and do not install or use file-sharing applications.
  5. Install and enable a firewall to block unauthorized access.
  6. Install, enable, and keep up-to-date security software.
  7. Research mobile applications (apps) before downloading.
  8. Maintain physical control of your mobile device and know where it is at all times to limit unauthorized use.
  9. Use adequate security (for example, a VPN or an encrypted connection) to send or receive health information over public Wi-Fi networks.
  10. Delete all stored health information on your mobile device before discarding it.