AMA Adopts Principles on EMR Breach

Posted on June 22, 2009 by Colin J. Zick

In what it describes as an effort "[t]o protect the privacy and security of patients," the American Medical Association (AMA) last week adopted a lengthy report and related principles for physicians to follow in the event a patient's electronic medical record were to be breached.  The new AMA guidelines ask physicians to:

  1. ensure patients are properly informed of the breach and the potential for harm;
  2. follow ethically appropriate procedures for disclosure, including:
    a) confidential disclosure of the breach in a timely manner; and
    b) describing what information was subject to the breach, how the breach happened, corrective actions that have been taken, and steps the patient can take to further minimize adverse consequences;
  3. support responses to security breaches that place the interests of patients above those of physician, medical practice or institution; and 
  4. to the extent possible, provide information to patients to enable them to diminish potential adverse consequences of the breach of personal health information.

The report itself states that the "suggestions are not intended to be comprehensive" and its right -- these general rules raise more questions than they answer: 

i) do these suggestions conflict with federal or state law?
ii) might disclosure to a mentally fragile patient not be in the patient's best interest?
iii) how is a physician to know the "potential for harm"?

In particular, that third element -- placing the interests of patients above those of physicians, their practice or hospital -- is going to make this difficult for physicians in the real world to adopt.  What about when the interests are not clear, or the interests of patients conflict?  No answers to these questions are provided by the AMA.

It's not clear why the AMA felt compelled to jump into the EMR fray, given that there's no lack of state or federal regulation or attention at this point.  It's even less clear whether physicians will pay any attention or be able to make sense out of these suggestions.

Tags: , , ,

$150,000 Penalty for Disclosure of Physician Information

Posted on March 1, 2009 by Colin J. Zick

This settlement is particularly interesting, given that it appears to stem from a voluntary disclosure, without any prejudice to any of the physicians whose information was disclosed.  Despite those mitigating factors, the disclosure still resulted in a six-figure penalty. As such, this is another suggestion that the days of soft enforcement of health-related information confidentiality are over.

The Queen's Medical Center ("QMC") of Hawaii recently agreed to pay $150,500 in civil money penalties for allegedly violating the confidentiality requirements applicable to National Practitioner Data Bank ("NPDB") information. OIG alleged that QMC improperly disclosed confidential information.

<>According to the settlement documents, QMC obtained the NPDB information and disclosed it to QMC’s captive insurance carrier, which in turn disclosed to its insurance broker.

 

Tags: , ,