Principles for Protection of Medical Record Privacy: In developing privacy legislation, Texas Medical Association adheres to the following principles for protection of medical record privacy:
(1) Medical information privacy protections should follow the information. Any requirements for the handling, including transmission, of medical information should apply to any entity in possession of or with access to such information regardless of the form in which the information exists or is transmitted (paper, electronic, etc.) Any penalties for the misuse of such information also shall apply to any entity violating privacy laws or regulations.
(2) Employers should not have access to individually identifiable medical information regarding employees. While it is reasonable for employers to receive aggregate information regarding their employee health care utilization and expenditures, they should not have access to individually identifiable information regarding the health care conditions or treatments of their employees, except for legitimate employee health and safety purposes with appropriate privacy safeguards.
(3) Medical information should not be used for nonmedical purposes without the informed and non-coerced consent of the individual involved. The increasing horizontal and vertical integration of the financial services sector of the economy may provide nonmedical entities with access to individuals’ medical records. These organizations, such as financial institutions and credit reporting entities, should not use individuals’ medical records without their informed written consent. Treatment through or membership in a particular health plan should not be contingent upon release of such information against a patient’s will.
(4) Medical information should be carefully defined and should include prescription drug information. Records made through the purchase of prescription medications can reveal the medical condition of an individual. For this reason legislation should clarify that prescription drug records are considered protected medical information.
(5) Consideration should be given to special protections for “sensitive health information.” Certain conditions, such as HIV, sexually transmitted diseases, psychiatric conditions and domestic violence, are particularly sensitive and may require special protections. Such protections may include complete prohibition of disclosure outside certain circumstances or additional consent for disclosure.
(6) Consent for the use or release of medical information should meet specific standards. Individuals, and in some cases treating health care professionals, should be required to provide informed consent regarding the use or transfer of medical information. Standards should be established to ensure such consent is understandable and clearly communicated. Individuals should be required to give consent in order to purchase insurance coverage or receive medical treatment or payment for that treatment.
(7) Research activities should be protected, but not at the expense of individual privacy. Information should be required to be de-identified in an acceptable manner to support legitimate clinical research without unnecessary risk to the patient’s privacy.
(8) Penalties should be severe and readily enforceable. Databases are extremely valuable in today’s marketplace. Given the potential financial gains from selling medical information, penalties must be severe to deter these lucrative activities. There should be clear enforcement directives and the ability of an individual to seek redress in the courts should enforcement measures prove inadequate.
(9) Patients should have the right to their medical records. Patients should have the right to inspect and obtain copies of their medical records except for that information which, in the opinion of the health care professional, would cause harm to the patient or to others (TF Rep. 1-A-01; reaffirmed CSE Rep. 8-A-11).