AMA Resolutions

Subject:  Assuring Access to Health Data for Optimizing Patient and Population Health

Whereas, Physicians and other public health practitioners need access to reliable and valid health data to: (1) understand the magnitude and distribution of disease, disability, and other health conditions among their patient and local populations; (2) understand the risk factors for and causes of disease, injury, and medical errors; (3) learn about effective courses of treatment; (4) implement prevention measures; and (5) evaluate the outcomes and quality of the care they provide.

Whereas, The technologic revolution in the electronic generation, storage, and transmittal of health-related data, while presenting unparalleled opportunities to strengthen health data, also presents the potential for the unscrupulous and self-interested exploitation of health data; and

Whereas, Individuals have a right to expect that their personal health and medical information will be protected from unauthorized use; and

Whereas, Medical privacy has become a major policy and political issue at both federal and state levels, triggering a variety of regulatory and legislative proposals appropriately aimed at protecting patient’s privacy; and

Whereas, Many of these proposals call for a cumbersome process of informed consent for each use of personal health information that would create restrictions inhibiting the use of data that could otherwise benefit the health of patients and populations; and

Whereas, Such restrictions could hinder efforts to collect complete and reliable data needed to conduct effective disease surveillance, epidemiologic investigations, and outcomes research, posing a risk to patients and populations; and

Whereas, The public benefits of the use of personally-identifiable health data by authorized individuals (e.g., physicians and other public health practitioners) are sufficiently compelling that any new legislation or regulation must assure the continued availability of these data; therefore be it

RESOLVED, That our AMA work with the American College of Preventive Medicine and other national public health organizations as appropriate to develop recommendations as to who shall have access to medical data with personal identifiers, without specific informed consent, under what circumstances, and for what purposes, and to develop guidelines to assure that such access is limited to the purposes specified and compatible with proper institutional human subjects protections; and be it further

RESOLVED, That our AMA support legislative approaches consistent with these criteria and guidelines; and be it further

RESOLVED, That our AMA work with the American College of Preventive Medicine and other national public health organizations to explore the potential effects of privacy policy on the collection and uses of health data.

Strategy 1.2: Provide physicians, patients and communities with timely, credible, and relevant information on improving health status and making informed choices about their medical care.

RELEVANT AMA POLICY

H-315.978 Privacy and Confidentiality

Our AMA policy is that where possible, informed consent should be obtained before personally identifiable health information is used for any purpose. However, in those situations where specific informed consent is not practical or possible, either (1) the information should have identifying information stripped from it or (2) an objective, publicly accountable entity must determine that patient consent is not required after weighing the risks and benefits of the proposed use. Re-identification of personal health information should only occur with patient consent or with the approval of an objective, publicly accountable entity. (BOT Rep. 36, A-99)

(1) Our AMA affirms the following key principles that should be consistently implemented to evaluate any proposal regarding patient privacy and the confidentiality of medical information: (a) That there exists a basic right of patients to privacy of their medical information and records, and that this right should be explicitly acknowledged; (b) That patients' privacy should be honored unless waived by the patient in a meaningful way or in rare instances when strong countervailing interests in public health or safety justify invasions of patient privacy or breaches of confidentiality, and then only when such invasions or breaches are subject to stringent safeguards enforced by appropriate standards of accountability; (c) That patients' privacy should be honored in the context of gathering and disclosing information for clinical research and quality improvement activities, and that any necessary departures from the preferred practices of obtaining patients' informed consent and of de-identifying all data be strictly controlled; and (d) That any information disclosed should be limited to that information, portion of the medical record, or abstract necessary to fulfill the immediate and specific purpose of disclosure.

(2) Our AMA affirms: (a) that physicians who are patients are entitled to the same right to privacy and confidentiality of personal medical information and medical records as other patients, (b) that when patients exercise their right to keep their personal medical histories confidential, such action should not be regarded as fraudulent or inappropriate concealment, and (c) that physicians should not be required to report any aspects of their patients’ medical history to governmental agencies or other entities, beyond that which would be required by law.

(3) Employers and insurers should be barred from unconsented access to identifiable medical information lest knowledge of sensitive facts form the basis of adverse decisions against individuals. (a) Release forms that authorize access should be explicit about to whom access is being granted and for what purpose, and should be as narrowly tailored as possible. (b) Patients and physicians should be educated about the consequences of signing overly-broad consent forms. (c) Employers and insurers should adopt explicit and public policies to assure the security and confidentiality of patients' medical information. (d) A patient's ability to join or a physician's participation in an insurance plan should not be contingent on signing a broad and indefinite consent for release and disclosure.

(4) Whenever possible, medical records should be de-identified for purposes of use in connection with utilization review, panel credentialing, quality assurance, and peer review.

(5) The fundamental values and duties that guide the safekeeping of medical information should remain constant in this era of computerization. Whether they are in computerized or paper form, it is critical that medical information be accurate, secure, and free from unauthorized access and improper use.

(6) Genetic information should be kept confidential and should not be disclosed to third parties without the explicit informed consent of the tested individual.

(7) When breaches of confidentiality are compelled by concerns for public health and safety, those breaches must be as narrow in scope and content as possible, must contain the least identifiable and sensitive information possible, and must be disclosed to the fewest possible to achieve the necessary end.

(8) Law enforcement agencies requesting private medical information should be given access to such information only through a court order. This court order for disclosure should be granted only if the law enforcement entity has shown, by clear and convincing evidence, that the information sought is necessary to a legitimate law enforcement inquiry; that the needs of the law enforcement authority cannot be satisfied by non-identifiable health information or by any other information; and that the law enforcement need for the information outweighs the privacy interest of the individual to whom the information pertains. These records should be subject to stringent security measures.

(9) The AMA must guard against the imposition of unduly restrictive barriers to patient records that would impede or prevent access to data needed for medical or public health research or quality improvement and accreditation activities. Whenever possible, de-identified data should be used for these purposes. In those contexts where personal identification is essential for the collation of data, review of identifiable data should not take place without an institutional review board (IRB) approved justification for the retention of identifiers and the consent of the patient. In those cases where obtaining patient consent for disclosure is impracticable, the AMA endorses the oversight and accountability provided by an IRB.

(10) Marketing and commercial uses of identifiable patients’ medical information may violate principles of informed consent and patient confidentiality. Patients divulge information to their physicians only for purposes of diagnosis and treatment. If other uses are to be made of the information, patients must first give their uncoerced permission after being fully informed about the purpose of such disclosures

(11) The AMA, in collaboration with other professional organizations, patient advocacy groups and the public health community, should continue its advocacy for privacy and confidentiality regulations, including: (a) The establishment of rules allocating liability for disclosure of identifiable patient medical information between physicians and the health plans of which they are a part, and securing appropriate physicians' control over the disposition of information from their patients' medical records. (b) The establishment of rules to prevent disclosure of identifiable patient medical information for commercial and marketing purposes; and (c) The establishment of penalties for negligent or deliberate breach of confidentiality or violation of patient privacy rights.

(12) The AMA will pursue an aggressive agenda to educate patients, the public, physicians and policymakers at all levels of government about concerns and complexities of patient privacy and confidentiality in the variety of contexts mentioned.

(13) Disclosure of personally identifiable patient information to public health physicians and departments is appropriate for the purpose of addressing public health emergencies or to comply with laws regarding public health reporting for the purpose of disease surveillance.

(14) In the event of the sale or discontinuation of a medical practice, patients should be notified whenever possible and asked for authorization to transfer the medical record to a new physician or care provider. Only de-identified and/or aggregate data should be used for "business decisions," including sales, mergers, and similar business transactions when ownership or control of medical records changes hands.

(15) The most appropriate jurisdiction for considering physician breaches of patient confidentiality is the relevant state medical practice act. Knowing and intentional breaches of patient confidentiality, particularly under false pretenses, for malicious harm, or for monetary gain, represents a violation of the professional practice of medicine. (BOT Rep. 9, A-98; Reaffirmation I-98; Appended: Res. 4, and Reaffirmed: BOT Rep. 36, A-99; Appended: BOT Rep. 16 and Reaffirmed: CSA Rep. 13, I-99)

H-315.984 Data Needs of Medical Research and Privacy of Medical Records

The AMA will work to assure that any forthcoming state or federal standards or legislation concerning the protection of privacy of medical records, including electronic transmissions thereof, include sufficient safeguards to prevent breaches of patient confidentiality without imposing unduly restrictive barriers that would impede or prevent access to data needed for medical or public health research. (Res. 812, A-97; Reaffirmation I-99)

H-315.998 Medical Record Privacy

Our AMA supports continued efforts to ensure the confidentiality of information on medical records by encouraging reconsideration of the AMA model state legislation on this subject and by other appropriate means. (Sub. Res. 111, A-79; Reaffirmed: CLRPD Rep. B, I-89; Reaffirmation I-98; Reaffirmation I-99)

The AMA believes that: (1) there has been an erosion of the confidential relationships between the patient and health professional, which has resulted from growing outside demands for the information shared in this relationship for the purpose of patient care;

(2) there is a need to sensitize the public to the intrusions into confidential medical information which can result from increased demands for accountability - in substantiating health insurance claims, in litigation, and in medical care evaluation;

(3) much of the erosion has emanated from the public, and properly so; however, an over-emphasis on society's right to know, at the expense of the individual's right to privacy and confidentiality, has resulted and a better balance is needed;

(4) one important contribution to restoring such balance would be greater education of patients and the public as to the full range of purposes for which confidential information is used, the policies governing the release of such information, and the individual's rights with respect thereto. (Joint BOT/CMS Rep., I-81; Reaffirmed: CLRPD Rep. F, I-91; Reaffirmation I-98; Reaffirmation I-99)

H-460.919 Privacy and Confidentiality

Our AMA policy is that research projects that fall outside the purview of an Institutional Review Board (IRB) process, as well as operational uses of personally identifiable health information, should be subject to review by local Confidentiality Assurance Boards (CABs) and should be held to the same standards that apply to Institutional Review Boards. (BOT Rep. 36, A-99)