The Consultant Pharmacist is published by the
American Society of Consultant Pharmacists.

Patient Confidentiality and Pharmacy Practice

Health care is being challenged to balance the need to share and use information with patients' rights to privacy and confidentiality.

Jack Justice

As the concept of pharmaceutical care gains ground, pharmacists are collecting far more sensitive information from patients than simply that related to the dispensing process. Dealing with this information is a serious concern for pharmacists, yet there are no clear laws or rules of law in pharmacy practice to guide the pharmacist, and very little formal training in just why it is important to prevent confidential information from being disseminated.

The necessity of clarifying this issue becomes apparent when one considers that even the well-known "doctor-patient privilege" (with respect to confidentiality) is actually a concession to common law. In other words, it is not mandated by legislation, but rather accepted as common and expected practice. This long-privileged relationship is being tested in the current health care environment, especially with the advent of electronic transmission of patient data, to the extent that its status may in fact be codified in the near future. We should certainly expect that the evolving pharmacist-patient relationship will undergo similar scrutiny.

First Things First

There are certain concepts that appeal to us because they contribute to what we consider a greater or ultimate good. We describe "good" in this case as an effect that is desirable for us personally, for those around us, or for society in general.

"Freedom," for instance, can be called a concept. The notion of freedom invites an assumption that there is some ideal state in which freedom would be complete or not require improvement, yet a description of the ideal would vary greatly among individuals. For instance, if 10 people are asked to describe "freedom," there will be 10 different descriptions, and virtually all would fall short of what would be ideal. The same is true for such concepts as autonomy, beauty, love, virtue, etc.

Beginning with the concept of autonomy, most people would indicate in some way that to be truly autonomous, one must be free to think or act without interference from others. How autonomy would be defined would be limited by the fact that we seem to know intuitively that absolute autonomy is abstract. We would concede, for instance, that we cannot freely act in ways harmful to others: no law should be necessary to tell us that we cannot simply set our apartment on fire because we are angry with the landlord.

With regard to privacy, most people understand that in order to be truly autonomous, we must be entitled to some degree of privacy. In the strongest possible terms we might describe our right to privacy as a sovereign right, irrevocably ours to enjoy and manage. For instance, it is hard to imagine anyone not condemning someone for reading another's diary without authorization. We should be able to keep private those things we wish to keep private. For instance, I can think of several reasons a person would not want people to know he or she was taking an anxiolytic. It would not be hard to imagine a situation in which this knowledge could be used to the detriment of the individual.

And Then to Confidentiality...

Confidentiality is rooted in the right to privacy as privacy is rooted in autonomy. On occasion, we will give private information to certain people with an understanding that the person will not, in turn, share the information with others.

The health information shared with the clinician in order to receive the anxiolytic is private, and it is reasonable to expect that the clinician will hold it in confidence. This is true because it is commonly understood that private information provided to health professionals or gleaned by the professional during treatment of an individual should be considered confidential in nature.

Until now, there was no need to establish laws governing these assumptions, even though the information is of a nature that the patient would not want it to be known by everyone. Rather, it is information the patient has yielded sovereignty over, a decision that has become relatively easy based on the physician-patient relationship that has taken centuries to evolve. No professional should ever forget that such a yield in sovereignty by a patient is an expression of uncommon trust.

Confidentiality

In the health care arena, individuals typically surrender some measure of privacy to professionals, yet feel that they ought to retain some control over information gathered by a health care professional during treatment.

In the past, when care was in some ways less complicated, a health care professional would not have thought of sharing information about a patient or her care, except perhaps with other professionals directly involved in the care of the patient, without first discussing it with the patient.

However, most patients would be astonished to learn how many people in a health care setting have legitimate access to what they would consider confidential information. One writer[1] presents a case of a patient who was concerned about the number of people who seemed to have access to his medical records while he was hospitalized. The patient was so concerned that he threatened to withdraw from treatment.

Upon inquiry, the writer found that many more people than even he would have thought indeed had legitimate needs and responsibilities that required them to examine the patient's chart. In fact, the hospital personnel with legitimate needs to view the patient's medical records numbered 75.

Threats to Confidentiality

Threats to confidentiality exist throughout the health care industry, especially since it has come to depend on the ability to store and disseminate information electronically, and it has become extremely difficult to limit access on a need-to-know basis.

Beauchamp and Childress[2] provide a good example of this evolving problem: "If a company routinely offers medical examinations by a corporate physician, records are computerized and merged with all claims filed by an employee's private physician for reimbursement under corporate insurance policies. Many employees are concerned that this extensive two-track set of records presenting a medical history will be used against them."

This may be a legitimate concern for the following reasons: the private physician is chosen by the patient as an advocate, while the corporate physician is hired by and often serves as an advocate for the corporation. It can be argued, for instance, that the corporate physician has a more compelling interest to provide otherwise "confidential" information about a patient to the corporation than to protect the right of the patient to confidentiality.

Say, for instance, the patient is an employee involved in critical work requiring unusual concentration and in which failure to perform well might lead to his harm or the harm of others, and the physician discovers the patient is taking an antidepressant that routinely affects cognitive function. If there is a possibility that the antidepressant may impair cognitive function of the patient, what should be the physician's priority: the right of the patient to confidentiality, or the right of the corporation to protect its interests or those of its customers?

Exceptions to Confidentiality

It should be understood that the right to confidentiality cannot be absolute. A good example of this involves a court decision concerning information provided to a psychotherapist by his patient.[3]

A mental patient told his psychotherapist that he intended to kill a former girlfriend. The psychotherapist had the name of the woman and would have been able to communicate the threat to her or the police, but he failed to do so. Tragically, the patient later carried out his threat and killed his former girlfriend.

The court held that the psychiatrist was liable for failing to initiate steps to warn the victim, reasoning that the public policy of favoring protection of patient-psychotherapist communication must yield to the extent to which disclosure is essential to avert danger to others. The privilege ends where public peril begins.

This is not all that unusual, and one could argue that the psychotherapist should have logically reasoned so. Many statutes reflect this thinking in requiring clinicians to report certain contagious diseases and suspected child abuse to authorities. These are long-standing laws that clearly focus on protection of others.

Likewise, it is a common practice that clinicians are required to report patients with gunshot and knife wounds. The argument here is different, but similar in that the requirement to report is based on the need to apprehend wrongdoers so that others may be protected from harm.

Breach of Confidentiality and/or Privacy

Practitioners should understand that there is a difference between breach of confidentiality and breach of privacy, at least in the sense in which we are discussing these issues. As stated earlier, confidential information is provided voluntarily or gleaned by the professional during treatment. If the patient agrees beforehand that such information may be shared with others (spouse, employer, insurer, etc.), no breach of confidentiality occurs if the information is shared.

A breach of confidentiality, in other words, occurs when information about the patient or his care is shared with those who do not have authorization to receive the information. In assigning possible blame if a breach of confidentiality is claimed, one must look at whether the person to whom the information was provided had authorization to receive it, and if not, whether there was a compelling reason that justified the breach.

Authorization, by the way, may be situationally necessary. A pharmacist must understand this in discussing patient information with others. Many of the 75 people who had authorization to view confidential patient information in the earlier example had what might be considered situationally necessary authorization, though not expressed or acknowledged, which may not have been in line with the patient's understanding of common practice.

For example: The physician's duties are well-defined as a primary care role. In other words, authorization is expressed and acknowledged in common practice, and it would be very hard to argue that the physician needs less than complete access to all components of the patient history to fulfill the primary care role.

This is perhaps not the case for others on the health care team, such as physical therapists, respiratory therapists, dietitians, and patient assistance personnel. One could argue that situational necessity provides for a physical therapist's need to see x-rays without formal authorization; it would be much more difficult, on the other hand, to justify her having access to information concerning the drug or psychological profile of the patient. The prudent primary care practitioner, physician, or pharmacist, should take care that this is understood and not casually discuss confidential issues of patient care with those who do not have a justifiable need to know.

A very serious problem arises when there is a breach of privacy, as discussed in this context. Remember that a breach of confidentiality involves information over which one has been granted authority. It is quite different if no such authority exists. To view information about a patient when you have no authority (situational or otherwise) to do so is a breach of privacy, and to disseminate that information is unforgivable. In the case of an employee at, for instance, a long-term care facility who breaches a patient's privacy, there is no need for discussion. The employee should be summarily discharged.

The Seriousness of Breaches of Confidentiality

It is understood in all ethical discussions that confidentiality is important and that the right to confidentiality must be protected. Since trust is an important requirement of civilized behavior, if confidentiality were not so viewed it would be difficult for any society to function well.

When an ethical obligation, individual or collective, is truly important, its expression is often seen in laws. Though specific laws in respect to confidentiality in the physician-patient relationship are lacking, the inviolable nature of the trust finds legal expression in at least two forms: (1) State evidence codes contain a testimonial privilege for confidential patient communication, and (2) outside the courtroom, tort law protects patient confidentiality by allowing litigation for harm caused by the unauthorized release of patient communication.[4]

Since tort law is apparently accepted as a means of clarifying contemporary problems involving confidentiality, and the issue of confidentiality is dynamic, professionals must routinely consider whether information they acquire can be freely disseminated or should reasonably be considered confidential and protected.

In pharmacy, for instance, there is a great deal of discussion on how and with whom patient information can be shared. If certain information is shared and this results in real or perceived harm to patients, it will be resolved in tort law. Say, for example, that a pharmacist provides information to a manufacturer concerning patients taking a particular drug. The manufacturer, in turn, provides educational information to the patient about the common usage of the drug. A patient, however, understands that he is taking the drug for reasons other than those stated in the educational material and subsequently refuses to continue the medication. If any harm comes to the patient, it is possible to claim the harm was initiated by a breach of confidentiality on the part of the pharmacist.

A common sense approach to avoiding this problem might have been, for instance, to mail a postcard to each patient telling them about the availability of the educational material and inviting them to request it if interested (by return mail or via a toll-free phone number). The desire for the information would, in this case, have been that of the patient. For pharmacists in all areas of practice, being informed of a patient's diagnosis allows them to provide only that information relevant to the patient's care.

Tort law may also clarify the issue of how electronic transmission of medical information should best be handled in order to protect patient confidentiality. Privacy and security of this type of confidential information are even being discussed in respect to information collected through the public health system.[5]

Many urge that patient-sensitive data must be shared among health agencies in order to provide continuity of care. Take, for instance, the potential treatment of patients with multiple drug-resistant TB. The patient may initially be seen and identified in one of a number of different facilities, including jails, emergency departments, homeless shelters, or clinics for treatment of HIV. Patients at greatest risk may be those who are least likely to return for assistance or seek out a more appropriate treatment facility. Continuity of care might be enhanced if these facilities could share patient-sensitive data.

Assuming that care would be enhanced with shared information, one proposal is that privacy and security assurances also have common standards. In other words, all users of the information (recipients) should be required to honor the same privacy and security assurances expected of the initiator of the information.

A state agency, for instance, may have an elaborate electronic system to protect and store patient-sensitive information but willingly share this information with other agencies in order to provide better care for patients. An agency receiving the information from the initiator should then have a legal obligation to protect and store the data in a manner equal to or exceeding that of the sender.

This policy, if it becomes public policy, is important to pharmacy. In practical terms it implies that the pharmacist should take care to ensure that entities with whom patient-sensitive information is shared provide the same level of protection the pharmacy provides. The whole issue of confidentiality in respect to medical records is being addressed in legislation. Congress has received a mandate to enact comprehensive medical records privacy legislation by August 1999, and is currently considering six separate privacy bills.[6]

The Team Approach and Confidentiality

The team approach in health care, especially in long-term or institutional care, is a valid way to manage limited resources or better manage their allocation in order to reduce health expenditures. By necessity, the team approach allows access to medical information to a greater extent than will other forms of care. Unless explained, this may run counter to the expectations of patients, who may well assume that the more traditional and strict physician-patient relationship is in place.[7]

There are several things that can be done to ensure that the patient does not feel threatened by the team approach. The first is patient education, which helps the patient understand and accept the value of the team approach. Acceptance will make it easier for the patient to allow broader access by team members to what the patient considers confidential information. Second, many team members will already have a professional obligation to confidentiality but others may not. A fundamental exercise is to ensure that all team members (in fact, all personnel in contact with the patient) understand the importance of patient confidentiality, what it entails, and their obligation to protect it in respect to individual patients.

Confidentiality and Competence

The principles or rules of liberty, privacy, and confidentiality are derived from the principle of respect for autonomy.[8] Adherence to this principle by others allows individuals to act as free moral agents, and the question arises as to whether this is bound to a patient's mental competence, an especially important question in long-term care. The answer is no, but it does place a burden on health care professionals. Care must be taken to continue to respect the principle of the right to autonomy, for mental incompetence is one situation in which the rights of the individual must, in many cases, be overridden by those charged with the patient's care. On the other hand, mental incompetence does not imply that an individual has become an object, or that his or her rights are permanently suspended in some way. Professionals should try to consider situations as best they can so that decisions will be in line with the wishes of the individual if competent. For example, one would not discuss confidential health information with others unless they filled the advocate role of making subsequent health decisions on behalf of the patient. In some ways a breach of privacy or confidentiality in the case of incompetence would seem less defensible, at least morally.

The ideals presented so far are expressed in most professional codes of ethics. A good example is the Code of Ethics for Pharmacists adopted by ASCP (1992).[9] In part, the pharmacist is asked to (1) respect the covenantal relationship between the patient and pharmacist, (2) promote the good of every patient in a caring, compassionate, confidential manner, and (3) respect the autonomy and dignity of each patient.

The Real World

Understanding the importance of the rights of autonomy, privacy, and confidentiality is one thing. Applying them in the work environment is quite another. Health care is dynamic. As such, the individual professional must view his or her own efforts to protect these rights of patients as dynamic.

For example, a pharmacist introduced to the care of patients with communicable diseases (e.g., HIV) faces situations in which these rights are treated differently than if one is caring for patients in other settings. For instance, there are legal requirements for disclosure of certain information involving contagious diseases that one does not normally see. The pharmacist has a duty to understand these obligations as they differ. The same is certainly true in long-term care and in dealing with patients less competent than those seen in most health care environments.

The pharmacist is in a position to influence the health care environment in which he or she practices. With a personal commitment to protect patients' rights to autonomy, privacy, and confidentiality, the pharmacist can set an example for other professional and non-professional associates responsible for the care of patients.

Even though the intent would rarely be to purposefully breach individual rights, they are breached nonetheless. It would, for instance, be unusual in today's practice environment to find a primary care professional hesitant to discuss a patient's care with family members (especially the spouse), even if he or she had not first informed the patient of the intent to do so.

This lack of hesitancy would probably exist, too, in sharing health information with other health care team members, irrespective of their need to know. Pharmacists should use these questionable practices to form their own approach to their obligations to protect patient confidentiality.

For example, in many clinical settings it can be observed that patient records are not handled with the care they deserve if the rights of patients are to be protected. Most consultant pharmacists can attest to the fact that patient records in institutional and long-term care facilities are too often easily accessible, occasionally even to the public. Such practices are intolerable, and calling attention to these inadequacies is just one example of how an attentive pharmacist can influence the environment in which he or she works so that the environment operates efficiently while the fundamental rights of patients are both respected and protected.


References

1. Siegler M. Confidentiality in medicine - a decrepit concept. N Engl J Med 1982;307:1516-21.

2. Beauchamp TL, Childress JF. Principles of Biomedical Ethics, 4th edition. New York, NY: Oxford University Press; 1994.

3. Tarasoff v. Regents of the University of California, 131 Cal. Rptr. 14 (1976).

4. Hall MA, Ellman IM. Health Care Law and Ethics. St. Paul, MN: West Publishing; 1990.

5. Gostin LO, Lazzarini A, Neslund VS, Osterholm NT. The public health information infrastructure, a national review of the laws on health information privacy. JAMA 1996;24:1921-27.

6. Cacciatore G. Issues in Pharmacy: Confidentiality of Records, January/February 1997, Tomorrow's Pharmacist. Old Saybrook, CT: Merritt Communications; 1997.

7. Waymack MH, Taler GA. Medical Ethics and the Elderly. Chicago, IL: Pluribus Press; 1988.

8. Childress JF. Practical Reasoning in Bioethics. Bloomington, IN: Indiana University Press; 1997.

9. Code of Ethics for Pharmacists, adopted by the membership of the American Society of Consultant Pharmacists in 1992.


Jack Justice, PharmD, MBA, FASCP, the former Director of Clinical Information Services for Revco, is currently president of Adherence, Inc., a healthcare consulting firm, and an adjunct faculty member with the College of Pharmacy, University of Cincinnati.

Copyright © 1997, American Society of Consultant Pharmacists, Inc. All rights reserved.
