1. Right to Privacy — An individual has a right to privacy with respect to individually identifiable health information. The individual should have the right to decide to whom, and under what circumstances, their individually identifiable health information will be disclosed.
2. Informed Consent and Notice — Health information that identifies a specific individual should not be disclosed without that individual’s explicit consent, unless authorized by law. Individuals should be notified about how their medical records are used and when their individually identifiable health information is disclosed to third parties.
- Informed consent is a process, which ensures that patients understand a proposed treatment or procedure, and can intelligently share in responsible decision making. Implicit in this principle is the right of a patient to decline the proposed treatment or procedure. Included among the basic elements of informed consent must be a statement describing the extent to which the confidentiality of the patient’s medical records will be maintained. Use or disclosures without informed consent should be permitted only under exceptional circumstances; for example, if a person’s life is endangered, if there is a threat to the public health, or if there is a compelling law- enforcement need. Disclosure of individually identifiable health information to someone other than the patient or the caregiver solely for marketing or commercial purposes should never be permitted without informed consent.
- Individuals should be given written, easy-to-understand notice of how information will be used, so that they can make informed, meaningful decisions about uses and disclosures of their health information.
3. Security Safeguards and Penalties — Safeguards, including computerized “walls” and electronic audits, should be utilized to prevent the unauthorized release and possession of computerized medical information.
- The increased use of electronic health record data storage creates opportunities for greater protection of health information through a number of computer security methods, many of which already are utilized by other industries. Providers, health plans, and other users of health information should seek to incorporate electronic security measures, such as passwords, electronic audits, and encryption, to avoid unnecessary access and possible misuse of health information. There should be penalties for violation and private right of action for individuals harmed by a breech in the security of their health information. States should adopt common operating standards for data security and patient privacy protection, including clearly established penalties for violations not covered by HIPAA (such as identity theft), and an accountable means for monitoring, enforcement, and prosecution of violations.
4. Individual Right to Access–Health care consumers should have access to their medical record and the ability to propose corrections or amendments to the record.
-
- In order to be an active participant in health care, consumers should be able to obtain, inspect, and, if necessary, offer corrections or amendments to their medical record. Erroneous information contained in the medical record can result in discrimination with respect to insurance and employment.
- No personal health information should be available to a provider or health professional that is not also available to the patient (with exception for cases of danger to the patient).
- Unreasonable or unaffordable fees should not impair the ability of each person to access, review or supplement their personal health information.
- People must be able to receive complete paper copies of any of their information.
5. Right to Private Action — For violations of the right to privacy and security of health information, consumers should have a right to private action.
6. Research Access — Certain needs for health information, such as research and public health interests, should be recognized and met to the extent possible through access to unidentifiable data. Access to identifiable health data for properly constituted institutional review board (IRB)-approved studies should be available, when necessary.
- Research that will improve the health and reduce health risks of all Americans should be supported. In certain research settings, medical information should be made available to researchers without prior written authorization, under certain conditions. Such conditions should include a determination by a properly constituted IRB that the research involves minimal risks to participants, the absence of consent would not adversely affect the rights or welfare of participants, the research could not practicably be carried out if consent were required.
- Researchers should be responsible for removing the personal identifiers and for providing the IRB with assurances that the information will be protected from improper use and unauthorized additional disclosures. In a GAO report published in February 1999 (GAO/HEHS-99-55, Medical Records Privacy), it was stated “IRB review does not ensure the confidentiality of medical information used in research because the provisions of the Common Rule related to confidentiality have limitations.” It is suggested in the report that organizational policies be in place, which restrict access to personally identifiable information to authorized individuals, and that organizations impose data security safeguards and encryption policies to ensure confidentiality.
7. Education–The public and users of health information should be educated about the need to maintain the confidentiality of medical record information (See NCL Consumer Education policy).
- As overwhelming opportunities exist for the public, health professionals, clinicians, insurers, employers, and other users of health information to access private medical records, it is important that there be a national, systemic approach to educating these users about the importance of protecting medical records.
8. Consumer Information Programs–NCL supports pharmaceutical care and pharmacy programs, which provide useful information to consumers about their prescription drugs; however, health information privacy must be protected (See NCL Consumer Education policy). Inappropriate or suboptimal uses of prescription medicines result in needless deaths and suffering, as well as billions of dollars of added hospitalization costs and loss of productivity. Armed with greater and better knowledge about the medicines they take, consumers will be empowered to make more informed decisions about their health and health care. NCL strongly supports programs to provide consumers with truthful and accurate information on prescription drugs. NCL participated in developing and supports HHS’s “MedGuide Action Plan,” which calls for uniformly structured, “consumer friendly” information about the risks and uses of a prescription drug, to be provided to the patient by the pharmacist, at the time a drug is dispensed.
- NCL has also actively supported the concept of pharmaceutical care and pharmacy programs which provide information about appropriate medication regimes, self-monitoring and self-reporting, refill reminders, disease state information programs, and drug therapy education, including information about alternative therapies to help the consumer understand treatment and to assure better health.
- Any consumer information programs should provide the consumer, at the outset, with a complete description of the program, its potential benefits, and an explanation of how the program works. If possible, this information should be provided by the physician or other health care provider. At a minimum, this information should be provided by the pharmacist before the patient becomes involved in the program. Pharmacies, to the best of their knowledge, should fully inform consumers about the intended use of any confidential health care information in pharmacy records at the time they receive their prescription. Participation in these programs should be entirely voluntary, and consumers should have easy-to-exercise options to withdraw from any information program at any time.
––Adopted December 9, 2005