January 26, 2004
Recently enacted federal privacy regulations require faculty to exercise increased vigilance in protecting the confidentiality of all our patients and research participants at Johns Hopkins Medicine. This is extremely important when employees are also patients. Unfortunately, there have been several recent instances where School of Medicine and Health System personnel have inappropriately accessed the private medical information of other Hopkins’ personnel. In these instances, the patients have been very angry and upset. As a result, it is likely that these patients will complain to federal authorities and bring legal actions against Johns Hopkins University and the person at Johns Hopkins who inappropriately accessed their medical records. Hopkins insurance will not provide coverage for faculty in instances where a faculty member has acted intentionally outside his or her authorized employment relationship and has inappropriately accessed a patient’s medical record. In addition, access of medical information by faculty for a non-professional reason constitutes professional misconduct, and, as explained in this letter, likely will result in termination.
Faculty must provide the leadership in ensuring the confidentiality of patient information. This letter explains the background for JHM confidentiality policies, the possible consequences for faculty non-observance and steps that faculty must take to assure, to the extent possible, that patient confidentiality is respected.
Both Maryland and federal law and regulations protect the identifiable health information of individuals.
- Providers must keep medical information confidential and may disclose it only upon the authorization of the individual or for specific operational, clinical or educational purposes.
- Federal law allows the imposition of monetary fines and criminal penalties against covered entities and the individuals working at those entities for violations of these privacy provisions.
- State law also allows for the recovery of damages for breaches of patient confidentiality.
Applying these principles at Hopkins is a challenge in light of the open architecture of the electronic patient record (EPR). These records may be accessed for legitimate reasons such as: the physician/patient relationship; consultations; research approved by an IRB; quality assurance; billing; malpractice inquiries; peer review; accreditation, etc. However, these records may not be accessed for any non-professional reason, such as: checking on a famous person’s medical condition; investigating whether a resident or intern has medical problems; "surfing" the EPR to see who among staff may have a particular disease or condition (unless part of an approved IRB study); checking on the health of a friend, ex-boyfriend or girlfriend or staff member, etc.
The University and Health System have established a process for investigating suspected breaches of patient confidentiality, i.e., intentionally accessing an individual’s patient or research record for no legitimate professional reason. If a breach is suspected:
- The University/Health System HIPAA Privacy Officer will investigate the matter, involving other personnel as needed.
- In the case of faculty, the Privacy Officer’s investigation report will be submitted to the Vice Dean for Faculty and the appropriate Department Director.
- The Department Director will consider the reported situation and base his/her recommended action on all the circumstances involved. However, except in extraordinary circumstances (e.g., confusion as to whether a consulting relationship existed or a mistake as to which records were to be included for research, etc.), the recommended action for a breach will likely be termination.
- As set forth in the Policies and Guidelines Governing Appointments, Promotions, and Professional Activities of the Full-Time Faculty, if the matter involves a recommendation of termination, the matter would be referred to the Advisory Board of the Medical Faculty.
It is essential that all faculty, including residents and interns under their supervision, understand the Maryland law and HIPAA requirements.
- Training Courses are available at https://secure.lwservers.net. Everyone should have taken or should take General Patient Privacy. In addition, anyone involved in research should have taken or should take Privacy Issues Relating to Research.
- If you are credentialed or re-credentialed at one of the Hopkins’ hospitals, you will be asked to complete Tracking and Accounting Disclosures of Health Information and Release of Patient Information courses as well.
- All faculty will be asked to sign an agreement to respect the confidentiality of medical information throughout JHM.
We expect the faculty of Johns Hopkins Medicine to maintain the highest standard of professionalism in assuring patient confidentiality personally as well as by anyone under their supervision. Faculty must support a culture of compliance that includes protecting the rights of patients to the confidentiality of their medical information. Serious institutional, governmental and personal sanctions will follow if violations occur.
With your help and attention to Hopkins’ high standards, we expect to be a leader in the area of patient confidentiality.
Edward D. Miller, M.D.
Janice E. Clements, M.D.