In what it describes as an effort "[t]o protect the privacy and security of patients," the American Medical Association (AMA) last week adopted a lengthy report and related principles for physicians to follow in the event a patient’s electronic medical record were to be breached. The new AMA guidelines ask physicians to:
- ensure patients are properly informed of the breach and the potential for harm;
- follow ethically appropriate procedures for disclosure, including:
a) confidential disclosure of the breach in a timely manner; and
b) describing what information was subject to the breach, how the breach happened, corrective actions that have been taken, and steps the patient can take to further minimize adverse consequences;
- support responses to security breaches that place the interests of patients above those of physician, medical practice or institution; and
- to the extent possible, provide information to patients to enable them to diminish potential adverse consequences of the breach of personal health information.
The report itself states that the "suggestions are not intended to be comprehensive" and its right — these general rules raise more questions than they answer:
i) do these suggestions conflict with federal or state law?
ii) might disclosure to a mentally fragile patient not be in the patient’s best interest?
iii) how is a physician to know the "potential for harm"?
In particular, that third element — placing the interests of patients above those of physicians, their practice or hospital — is going to make this difficult for physicians in the real world to adopt. What about when the interests are not clear, or the interests of patients conflict? No answers to these questions are provided by the AMA.
It’s not clear why the AMA felt compelled to jump into the EMR fray, given that there’s no lack of state or federal regulation or attention at this point. It’s even less clear whether physicians will pay any attention or be able to make sense out of these suggestions.