Information about confidentiality of health care information
Health Information Confidentiality
February 1994
November 1997 (revised)
November 2004 (revised)
November 2009 (revised)

Statement of the Issue
Healthcare is among the most personal services rendered in our society; yet to deliver this care, scores of personnel must have access to intimate patient information. In order to receive appropriate care, patients must feel free to reveal personal information. In return, the healthcare provider must treat patient information confidentially and protect its security.
Maintaining confidentiality is becoming more difficult. While information technology can improve the quality of care through the instant retrieval and exchange of medical information by a greater number of people who can contribute to the care and treatment of a patient, it also can increase the risk of unauthorized use, access and disclosure of confidential patient information. Within healthcare organizations, personal information contained in medical records now is reviewed not only by physicians and nurses but also by professionals in many clinical and administrative support areas. The need to protect patient confidentiality is evident in legal restrictions imposed by state laws and the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and as recently amended under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). Health information cannot be used or disclosed without proper authorization by patients or legal representatives except under very limited circumstances, such as to promote public health, protect children and spouses from abuse, or otherwise comply with certain laws.
While media representatives also seek access to health information, particularly when a patient is a public figure or when treatment involves legal or public health issues, the rights of individual patients must be protected. Society’s need for information rarely outweighs the right of patients to confidentiality. In order to release patient information, healthcare executives must determine that patients or their legal representatives have consented to the release of information or that the use, access or disclosure sought falls within the exceptions that do not require the patient’s prior consent. Once health information is released, healthcare executives must keep records of most disclosures for review upon patient request.
Policy Position
The American College of Healthcare Executives believes that in addition to following all applicable state laws and HIPAA, healthcare executives have a moral and professional obligation to respect confidentiality and protect the security of patients’ medical records. As patient advocates, executives must ensure their organization obtains proper patient authorization to release information or follows carefully defined policies and applicable laws in those cases for which the release of information without consent is indicated.
While the healthcare organization possesses the health record, outside access to the information in that record can be controlled by patients unless indicated otherwise by applicable laws and regulations. Organizations therefore must determine the appropriateness of all requests for patient information under applicable federal and state law and act accordingly. In fulfilling their responsibilities, healthcare executives should seek to:
- Limit access to patient information to authorized individuals only.
- Ensure that institutional policies on confidentiality, security and release of information are consistent with regulations and laws.
- Educate healthcare personnel on confidentiality and data security requirements, take steps to ensure all healthcare personnel are aware of and understand their responsibilities to keep patient information confidential and secure, and impose sanctions for violations.
- Safeguard medical record files and computerized data with security and storage systems (including, if appropriate, the use of encryption) that protect against unauthorized use, access and disclosure and ensure data integrity and availability.
- Develop systems that enable organizations to track (and, if required, report) the use, access and disclosure of health records.
- Provide for appropriate disaster recovery.
- Establish guidelines for masking patient identifiers in committee minutes and other working documents in which the identity is not necessary.
- Establish policies and procedures to provide to the patient an accounting of uses and disclosures of the patient’s health information.
- Create guidelines for securing necessary permissions for the release of medical information for research, education, utilization review and other purposes.
- Adopt a specialized process to further protect sensitive information such as psychiatric records, HIV status, genetic testing information, sexually transmitted disease information or substance abuse treatment records.
- Identify special situations that require consultation with senior management prior to use or release of information.
- Obtain written agreements that detail the obligations of confidentiality and security for individuals, third parties and agencies that receive medical records information, unless the circumstances warrant an exception.
- Conduct due diligence on third parties who will receive medical records information, including a review of policies and procedures appropriate to the type of information they will possess. Ensure where applicable that such third parties adhere to the same terms and restrictions regarding protected health information applicable to the organization.
- Follow all applicable policies and procedures regarding privacy of patient information even if information is in the public domain.
- Adopt procedures to address patient rights to request amendment of medical records and other rights under the HIPAA Privacy Rule.
- Educate patients about organizational policies on confidentiality and use the notice of privacy practices as required by the HIPAA Privacy Rule.
- Establish adequate policies and procedures to ensure notification of the affected patient or organization without unreasonable delay, in the event of an occurrence of unauthorized use, access or disclosure of health information or of a security breach incident.
- In the event of a security breach, conduct a timely and thorough investigation and notify patients promptly if appropriate to mitigate harm in accordance with applicable state or federal law.
- Establish adequate policies and procedures to mitigate the harm caused by the unauthorized use, access or disclosure of health information to the extent required by state or federal law.
- Participate in the public dialogue on confidentiality issues such as employer use of healthcare information, public health reporting and appropriate uses and disclosures of information in health information exchanges.
The American College of Healthcare Executives urges all healthcare executives to maintain an appropriate balance between the patient’s right to confidentiality and the need to release information in the public’s interest in accordance with applicable state and federal law.

Approved by the Board of Governors of the American College of Healthcare Executives on November 16, 2009.
