Psychiatrists are legally and professionally obligated
to ensure the physical security of patient records wherever those records
may be stored. This means that records must be reasonably protected
from natural disasters (e.g., flood or fire), unauthorized access (e.g.,
theft), or inadvertent disclosure (e.g., lost or mislaid files).
There are three major sources of the duty to keep patient information secure:
federal law, state law, and ethical obligations.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA has been in effect since 1996; thus, liability for maintaining
the security of patient information under HIPAA already exists, separate
and apart from any of the administrative regulations required by HIPAA
(i.e., the Privacy Rule or the Security Rule), which are currently being
promulgated by HHS. The law requires covered providers to "maintain
reasonable and appropriate administrative and physical safeguards to
ensure the integrity and confidentiality of the information and to protect
against any reasonably anticipated threats or hazards to the security
or integrity of the information and unauthorized uses or disclosures" (1).
The regulations promulgated by HHS under HIPAA are much more specific than
the general law. HIPAA says only that confidential information must
be secure, whereas the regulations indicate how the law is to be complied
with. For example, the upcoming Security Rule will give more detail
on exactly what providers must do to protect the security of health
information.
42 CFR Part 2
Another example of existing federal law relating to the security of
patient information is the federal regulation entitled "Confidentiality
of Alcohol and Drug Abuse Patient Treatment Records". This regulation
applies to those entities that are providing substance abuse treatment
and are receiving federal funds. In addition to protecting and limiting
the release of substance abuse information, it includes specific requirements
for written security procedures.
Psychiatrists must already comply with state laws regarding the
security of medical records. Florida, for example, requires healthcare
practitioners to "develop and implement policies, standards, and
procedures to protect the confidentiality and security of the medical
records. Employees of records owners shall be trained in these policies,
standards, and procedures" (2).
Ethically, psychiatrists have a duty to "safeguard patient
confidences within the constraints of the law" (3). Moreover, "psychiatric
records, including even the identification of a person as a patient,
must be protected with extreme care" (4). Meeting the obligation
to protect confidentiality necessitates maintaining the security of
patient records.
Endnotes:
(1) 42 USC §1320d-2
(2) FL Code §456.057(9)
(3) AMA Principles of Medical Ethics
(4) The Principles of Medical Ethics, with Annotations Especially Applicable to Psychiatrists