Jessica Wilen Berg is Professor of Law and Bioethics at Case Western Reserve University's School of Law and at the Department of Bioethics, Case Western Reserve School of Medicine, Cleveland, OH.

What is Confidentiality and When is It Not Protected?

Many people are familiar with the idea of confidentiality as an integral part of the professional code of ethics in the legal, medical, and mental health fields. What you tell your doctor, lawyer, or psychologist is supposedly protected information that cannot be shared with others, no matter how intimate, gory, or revealing it may be.

In the medical field, confidentiality even dates back to the Hippocratic Oath, but there are many updated versions of confidentiality, defined by various medical associations around the world. Recent years have muddied our understanding of medical confidentiality. Developments in technology have challenged our traditional understanding of "personal" information and privacy. As a result, officials have tried to develop privacy protections that apply to different settings and circumstances.

Why Confidentiality May Be Waived
As important as patient confidentiality is, there are certain times that most people would agree that medical (doctor-patient) confidentiality needs to be waived. For instance, parents need to have access to their kids’ medical information, which makes sense to most people, since children don’t have the capacity to manage their own medical situations themselves. If a patient wishes (and signs a waiver), his or her doctor can share medical information with the patient’s family or friends. And if a patient is declared legally "incompetent," then his or her caretaker can be legally authorized to have access to medical information that would otherwise be confidential.

Other situations, however, are not so clear-cut. For example, when, if at all, should the state have access to people’s medical information? If divulging personal health information to the state protects or serves public health, is it ok? Is sharing information with other doctors or researchers acceptable if it is for research purposes that ultimately advance public health?

Whether or not to disclose personal medical information is often said to be a balancing act between the benefits of keeping confidentiality and the benefits of waiving it. The U.S. Supreme Court has stated that "disclosures of private medical information to doctors, to hospital personnel, to insurance companies, and to public health agencies are often an essential part of modern medical practice." It’s just a matter of figuring out under what circumstances disclosures should occur.

So there are a couple of questions that are up for debate. The first is how to define confidentiality, since there are many different types, with different objectives at heart. The second issue, which stems from the first, is under what circumstances confidentiality should be broken. How do we weigh the pros and cons of sharing personal health information with others in the medical community and with the government? This article will explore how confidentiality should be conceived and if and when it should be broken.

Many Definitions of Patient Confidentiality

Codes and Theories of Ethics
The physician’s duty to keep patient information confidential dates back at least to the earliest codes of medical ethics. The Hippocratic Oath, for example, requires the physician to promise that "What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself holding such things shameful to be spoken about."

More modern ethical codes also include statements on confidentiality. The World Medical Organization’s Declaration of Geneva and the International Code of Medical Ethics both instruct the physician to maintain confidentiality, even after the patient’s death. The American Medical Association’s Code of Medical Ethics states that "[t]he information disclosed to the physician during the course of the relationship between the physician and patient is confidential to the greatest possible degree."

On the other hand, in contrast to other definitions, the AMA immediately recognizes a number of exceptions to confidentiality, which include reporting of threats to inflict serious bodily harm on others, certain communicable diseases, and gunshot wounds or knife wounds.

Ethical theories provide many different ways to view confidentiality laws. For example, according to the medical ethics scholars Tom Beauchamp and James Childress, confidentiality protections can be justified using three types of arguments:

  • Consequentialist theory suggests that without assurances of confidentiality, patients are less likely to disclose important medical information to their doctors.
  • Rights-based theory states that patients have a right to control how their medical information is used.
  • Fidelity-based confidentiality suggests that physicians have an obligation not to disclose information shared with them in their medical role.

Interestingly, none of these philosophical arguments suggests that confidentiality should not be breached under certain circumstances. Again, it is a matter of weighing the pros and cons between keeping and breaching confidentiality.

Legal Definitions
Although confidentiality is certainly related to professional ethics and norms, it is also based in law. But just as ethical theories do not suggest that confidentiality can’t be waived, neither do legal ones.

An Implied Contractual Relationship?
The law defines confidentiality in a number of ways. One definition of confidentiality is based on contract law: the idea that there exists an implied promise in all physician-patient treatment relationships not to reveal information gained as part of that relationship. But because implied contract has to be proven in each case, there’s no guarantee for the patient that he or she will have it.

Protecting the Vulnerable
Another legal definition is based on fiduciary theory, which arose out of contractual relationships where one party was particularly vulnerable and unable to protect itself against a breach. In some ways, the fiduciary model makes sense in the medical setting — the patient is clearly a vulnerable party. But in reality, physicians do not fit into the fiduciary model so well, as they often have responsibilities to promote the health of the broader population in addition to the specific patient, and fiduciary theory is not so easily applied when determining how and when confidentiality should be waived. Fiduciary theory would state that it should be to benefit the vulnerable party. But which benefit? Should the focus be on prolonging life? Minimizing suffering? Curing disease?

For example, if the physician’s primary role is to prolong life, confidentiality should be breached when the disclosure would serve to prolong life, or the failure to disclose would shorten life. But what if a patient threatens suicide? Disclosing this information would prolong his or her life, but it might also prolong suffering. These are the kinds of questions that are important to consider, and difficult to answer using legal theories of confidentiality.

Privacy
Since neither contract nor fiduciary theory provides clear guidance in defining the scope of confidentiality protections, perhaps we should think about general privacy protections, like those found in the federal or state constitutions, or in common law, in order to address confidentiality. Privacy is usually thought of as a "fundamental" right, and there are a variety of legal protections that may fall into this category, like protections of one’s home, body, and personal information.

The problem is that personal information (which is what’s at stake with medical confidentiality) is not protected at law in the same way one’s home or bodily integrity is protected. In fact, quite a lot of personal information is not protected at all. For example, it is much easier to obtain a person’s credit history (even legally) than it is to gain access to his/her medical history, even though both may be considered highly personal and private information.

The bottom line is that not all information, even medical information, is automatically granted legal protection from disclosure: only information that is particularly sensitive is protected (and even sensitive information may be disclosed under certain circumstances). Legal protections for confidentiality are the result of our society’s interest in privacy, but they can still be outweighed by other societal values (such as public health and safety).

State Confidentiality Laws

State confidentiality protections vary widely. Only a few states have comprehensive confidentiality laws, and many states control disclosure of health information through a combination of statutes addressing everything from particular disease information to autopsy records.

One of the biggest problems in confidentiality protections is the lack of clarity about when patient confidentiality can be breached. Another problem, however, is what to do regarding the patient who has discovered a breach of confidentiality. The obvious solution is to go to court, but this means making public the information they did not want anyone to know in the first place! Therefore, it is important to develop "front-end" safeguards that prevent unauthorized breaches from occurring. But these safeguards must be designed to achieve a balance between protecting confidentiality and the need to share information in order to treat patients, assure quality health care, and conduct research that will lead to health advances.

State laws typically either address the type of information (usually based on disease or illness) or the entity holding the information (such as government agencies), or both. Thirty-seven states require physicians to maintain confidentiality of medical records — almost all states have placed some restrictions on the use of information contained in medical records that are held by state agencies. In the next section, we will look at the circumstances under which confidentiality may be broken.

When You Cannot Expect Medical Information to Remain Confidential

All of the different ways of conceptualizing confidentiality include exceptions, allowing disclosure under certain circumstances or to particular agencies. All states allow disclosure to third party payers (insurance companies), although in most cases the patient will provide consent to this practice at the time of treatment (generally in a section of most hospital or physician office intake forms) or when one signs the initial coverage contract.

This section outlines the mandatory reporting situations (those that require disclosure to specific authorities) as well as the permissive exceptions (those that allow a physician to use his or her own discretion in deciding whether to disclose a patient’s information). In the latter situation, the laws usually provide protections against liability for disclosure. In the former situation, liability may be imposed for failing to disclose.

The statutes and case law governing exceptions can be separated into a number of different areas, including public health, public safety, protection of vulnerable persons, and research. The first three categories are circumstances in which physicians’ obligations to maintain health (usually of the public, or sometimes of a particular individual) outweigh the need to maintain patient confidentiality. The final category, waiving confidentiality for research purposes, is a little bit different, but even here the goal is linked to health — specifically advancing general knowledge so as to achieve future health benefits.

Public Health and Safety
Physicians have an ethical responsibility to society as well as to individual patients. This is usually taken to mean that physicians have a duty to protect the public health, though the extent of this duty is not completely clear. There are some definite restrictions: for example, a physician cannot experiment on a patient in the hopes of benefiting society without the patient’s consent. In this case, of course, the obligation to the patient outweighs the obligation to society. But this example highlights the limits of the physician’s duty to promote public health. It is less clear how to deal with the physician’s responsibility to prevent harm to the public. In particular, should a physician be able to breach confidentiality when public health or safety is threatened?

Public Health
The most obvious examples of public health concerns outweighing individual rights are from contagious disease cases. A number of states have legislation requiring disclosure of specific diseases, such as sexually transmitted diseases (STDs), HIV/AIDS, or general communicable diseases like tuberculosis and syphilis. Reporting laws usually require disclosure of these diseases to the appropriate public health agencies. But these statutes may also include provisions allowing for disclosure to specific at-risk individuals. As a result, disclosure may be not only to public health authorities and other medical care providers, but also to partners, family or even needle sharers.

Disclosing genetic information is another issue in public health. Although many genetic traits may be passed on to one’s children, they clearly are not transmissible in the same way as contagious diseases and thus do not exactly fit under a discussion of public health concerns. But genetic information does have implications for the health of blood relatives. Should a doctor disclose to a patient’s family members the fact that the patient carries a gene for cancer or Alzheimer’s disease? Given the health concerns, at least one court has held that a physician may have a duty to disclose genetic information about a patient to immediate family members. Similar issues apply to postmortem disclosure. Genetic information is likely to be regarded as extremely useful to family members for predicting their own health care needs (possibly even more so than other types of medical information), and thus there may be a strong argument in favor of disclosure after a patient has died.

Public Safety
In addition to concerns about public health, there are also a number of situations in which physicians must disclose information in order to protect public safety. However, it is less clear whether doctors have the same ethical responsibility to protect public safety as they do public health, and as a result, mandatory reporting laws for public safety reasons are less well-defined. Many states have reporting statutes for injuries from criminal behavior, injuries from alcohol, motor vehicle impairments, and burns. Ohio, for example, has a statute mandating the reporting of drug abuse when the individual in question is a public transportation employee, and New Jersey requires physicians to report cases of epilepsy to the Division of Motor Vehicles.

A Doctor’s Duty to Warn
Disclosure in these cases is usually to law enforcement authorities. In some situations, however, a doctor might be obligated to disclose information to a particular individual or group of individuals. The classic example is the psychotherapist’s duty to warn. This concept originated in a California case, Tarasoff v. Regents of California. In Tarasoff, a patient informed his therapist of his intention to kill a young woman. After her murder, the family sued, claiming that the physician should have warned the victim. The court held that a therapist might be required to reveal information gathered during counseling if the patient’s statements indicate that he is likely to seriously injure an identifiable third party.

A number of states have adopted this principle, and some have extended it to all physicians or mental health professionals. Duty to warn cases focus on (1) the seriousness of the threat of harm and (2) the identifiability of the victim (whether there is a specific individual at risk). Therefore, a doctor is not under any obligation to reveal threats of minor harm, threats that the doctor does not believe are serious, or general threats where there is no identifiable individual at risk. Given these parameters, duty to warn cases are not without controversy, and some people believe that they place the physician in the undesirable role of law enforcer, rather than healer. It is unclear how this issue affects confidentiality, and many states have been hesitant to extend such a duty to health professionals.

Protecting the Vulnerable
Cases involving the protection of "vulnerable" persons, such as children, are slightly more clear-cut. Although doctors (along with other professionals) have at least some responsibility to protect vulnerable persons, it is not clear whether this should extend to the general public, or whether it should outweigh individual confidentiality protections.

With respect to children under 18, however, these protections are generally thought to be appropriate, particularly in cases when a physician may suspect that a child's injury he or she has been called upon to treat may be the result of child abuse.

Almost all states have child abuse reporting statutes. Missouri specifically requires physicians to report drug dependent minors to the health department, and New Jersey expands the requirement to all drug dependent patients. In addition, some states have statutes that require reporting of abuse of hospital patients or long-term care patients, elder abuse, spousal abuse, and domestic abuse.

Research and State Registries
Besides reporting for health and safety, there are also laws that address reporting for informational or research purposes. Informational disclosure is usually the least controversial since the information is provided to state or federal agencies and not the public. The data gathered is incorporated into registries that allow officials to keep track of various health care statistics like HIV/AIDS and cancer rates. In addition, Indiana keeps track of children with developmental disabilities, and Montana requires reporting of occupational diseases.

These registries are usually kept confidential, and in many cases the information is kept separately from any individually identifying information. Recently, however, there have been some concerns raised about such databases, especially when the information can be linked to individuals (in other words, it is not completely anonymous) or it is stored electronically without adequate security.

Sharing medical information for research purposes is more controversial. In some research protocols, identifiers remain so that data can still be traced to particular individuals. While it is generally accepted that patients must consent before being entered into a research study, some state laws explicitly carve out an exception to confidentiality restrictions, allowing access to medical records for research purposes.

Because research allows better treatments to be developed and in this way serves the general public, it seems reasonable that disclosure should be permissible under certain circumstances, provided that individuals have the option of remaining anonymous.

Conclusion

We are a society strangely obsessed both with privacy and obtaining information. There are many aspects of our lives that are available for anyone to access, and yet most people are either unaware of these possibilities, or unconcerned with this loss of confidentiality.

The sharing of medical information is one of the most complicated areas, and most patients are not even aware of the extent to which information about their care is shared within a hospital setting. Still, they are horrified by the potential that their insurance company may need access for reimbursement purposes.

There are many ways to define confidentiality, and how we conceptualize it affects how it functions in our everyday lives. Confidentiality laws regarding medical information are currently undergoing changes at both the state and federal levels. Although much attention is currently focused on the federal privacy rule (HIPAA), there are a number of state confidentiality protections. It is important not only for health professionals to be aware of the many considerations of confidentiality laws, but it is also important for the individual.

Knowing what confidentiality laws in your area cover can help you make informed decisions about how your information is shared. As citizens become more aware of the many issues involved in medical confidentiality, they can help shape the discussion and make their voices heard as lawmakers address the issues.