PRIVACY AND CONFIDENTIALITY OF PATIENT RECORDS




10.1 Summary

The information contained in medical records and confidential reporting is highly protected under federal and District of Columbia (District) law, as well as by the United States Constitution. Moreover, health care providers must provide patients with access to their medical records within a reasonable time after a written request is made.

However, both federal and District law provide exceptions that allow disclosure to public health officials without an individual’s consent. Generally speaking, these exceptions are limited to disclosures for statistical or public health purposes or when essential to safeguard the health and safety of others. Indeed, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) specifically allows disclosure of protected health information (PHI), without the patient’s written authorization, to public officials and organizations for reasons related to a public health emergency (e.g., disease reporting, public health surveillance).

The District of Columbia Mental Health Information Act of 1978, D.C. Official Code § 7-1201.01 et seq., which regulates the privacy of mental health information, is a complex law that is beyond the scope of this Manual.

10.2 Constitutional Right to Privacy

There is no express right to privacy in the United States Constitution. The courts, however, have recognized a constitutional right to privacy, which includes an “individual interest in avoiding disclosure of personal matters.” Whalen v. Roe, 429 U.S. 589, 599-600 (1977). See, e.g., United States v. D.C., 44 F. Supp. 2d 53, 60–61 (D.C. 1999). When such a protected individual interest exists, a court will balance the individual’s privacy right against the governmental interest in disclosure. Whalen, 429 U.S., at 602-604.

When courts are required to opine on issues related to patient privacy and apply the constitutional balancing test to disclosures of information related to public health emergencies, as a general matter, the community’s interest in containing the public health emergency is likely to outweigh the individual’s privacy interest.

10.3 District of Columbia Law

10.3.1 Access to Patient Records Maintained by Health Care Providers

  1. Obligation to Provide Access to Medical Records – Health care providers are required to provide access, upon written request, to patient medical records within a reasonable time. The request may be made by the patient or a person authorized to have access to the patient’s record under a health care power of attorney. D.C. Official Code § 3-1210.11(a).
     
  2. Time Within Which Medical Records Must be Provided – Physicians must provide, to a patient or the patient’s representative, a copy of the patient’s medical record within 30 days of the request from the patient or the patient’s representative for the records. 17 DCMR § 4612.2.
     
  3. Access to Medical Records in HIV/AIDS Cases – Any entity providing health or medical services must make medical records and histories available to the Director of the Department of Health (DC Health Director) to facilitate an investigation into a report regarding an HIV infection, potential AIDS case, or pregnancy in an HIV-infected woman. 22B DCMR § 206.4.

10.3.2 Use and Disclosure of Communicable Disease Reporting Information

  1. Use of Communicable Disease Reporting Information – The DC Health Director may use the records generated in relation to a case of a disease or medical condition reported under D.C. Official Code §§ 7-131 to -144 for statistical or public health purposes only. D.C. Official Code § 7-131(b)(1). See section 7.0 of the Manual for more information regarding communicable disease reporting.
     
  2. Disclosure of Identifying Information – Identifying information contained in the records generated in relation to a disease or medical condition reported under D.C. Official Code §§ 7-131 to -144 may be disclosed only when essential to safeguard the physical health of others. No person may disclose information from those records unless:
    • The person reported gives written permission prior to disclosure; or,
    • A court finds, using a clear and convincing evidence standard and after providing the person reported with an opportunity to contest the disclosure, that disclosure:
      • Is essential to safeguard the physical health of others; or,
      • Would provide evidence that relates to the guilt or innocence of an individual in a criminal prosecution.

D.C. Official Code § 7-131(b)(1).

  3. Exceptions – The restrictions set forth above do not apply to the use and disclosure of identifying information pursuant to D.C. Official Code §§ 4-1301.01 to -1371.14 (child abuse and neglect, Family Division proceedings) or D.C. Official Code §§ 16-2301 to -2399 (delinquency, neglect, or need of supervision, Family Division proceedings). D.C. Official Code § 7-131(b)(2).
     
  4. Penalties for Violation – Willfully disclosing, receiving, using, or permitting the use of information in violation of D.C. Official Code § 7-131(b) is a misdemeanor, punishable by a fine up to $5,000, imprisonment up to 90 days, or both. D.C. Official Code § 7-140.

It is important to note that many additional laws and regulations govern privacy of health information related to specific diseases and persons, including but not limited to, venereal diseases and HIV. See 22B DCMR §§ 205.8, 206.5; see also D.C. Official Code § 7-1605 (Hepatitis B), 22B DCMR §§ 207.9, 209.5 (student health information).

10.3.3 Use and Disclosure of Health and Human Services Information

  1. Definitions –  
    1. “Health and human services information” means any information that relates to:
      • The past, present, or future physical or mental health of an individual or family;
      • The provision of health care or human services, including benefits or supports, to an individual or family; or
      • The past, present, or future payment for the provision of health care or human services to an individual or family.
    2. “Service provider” means an entity that provides health or human services to District of Columbia (District) residents pursuant to a contract, grant, or other similar agreement with an agency.
    3. “Use” means the sharing, employment, application, utilization, examination, or analysis of health and human services information.
    4. “Human services” means programs, assistance, supports or benefits of any kind to improve quality of life or to meet the social, physical health, housing, and mental health needs of an individual.
    5. “Individually identifiable information” has the same meaning as it does under the Health Insurance Portability and Accountability Act of 1996.

D.C. Official Code § 7-241.

  2. Use and Disclosure of Health and Human Services Information – Without prior consent from the identified individual to whom the information pertains, an agency or service provider may use and shall disclose to another agency or service provider health and human services information referencing or relating to the identified individual for certain purposes, such as establishing eligibility for benefits, coordinating treatment, and performing examinations and inspections. D.C. Official Code § 7-242(a).
     
  3. Accordance with the Health Insurance Portability and Accountability Act – Any uses or disclosures by an agency or service provider of individually identifiable health information must be in accordance with HIPAA. D.C. Official Code § 7-242(c). See section 10.4 for more information regarding HIPAA.
     
  4. Minimum Necessary – The agency or service provider using or disclosing health and human services information must follow the “minimum necessary” principle described in HIPAA and disclose the minimum amount of information necessary to achieve the purpose of the use or disclosure. D.C. Official Code § 7-242(d).
     
  5. Written Request – A service provider wishing to receive health and human services information must make a written request to an agency or service provider that describes the information sought and the purpose for the information. D.C. Official Code § 7-244(a).
     
  6. Civil Penalties – If a person negligently uses or discloses health and human services information in violation of D.C. Official Code §§ 7-241 to -248, the person may be fined $500 per violation. D.C. Official Code § 7-245(a). If a person willfully uses or discloses health and human services information in violation of D.C. Official Code §§ 7-241 to -248, the person may be fined $1000 per violation. D.C. Official Code § 7-245(b).
     
  7. Criminal Penalties – If a person knowingly obtains, uses, or discloses health and human services information in violation of D.C. Official Code §§ 7-241 to -248 or any other District law, the person is guilty of a misdemeanor and may be fined up to $2,500, imprisoned up to 60 days, or both. However, if the offense was committed through deception or theft, the fine is increased to up to $5,000, imprisonment up to 180 days, or both. D.C. Official Code § 7-246.

10.3.4 Freedom of Information Act

  1. Right of Access to Public Records – Under the District’s Freedom of Information Act, D.C. Official Code §§ 2-531 to -540 (D.C. FOIA), it is the policy of the District that all persons are entitled to full and complete information about government affairs and the official acts of public officials and employees of the District. Thus, any person has the right to inspect and copy any public record of a public body unless an exception exists that exempts certain information from disclosure.
     
  2. Personal Information – Information of a personal nature where public disclosure of such information would constitute a clear and unwarranted invasion of personal privacy is exempted from disclosure under D.C. FOIA. D.C. Official Code § 2-534(a)(2).
     
  3. Information Exempted from Disclosure by Another Statute – Certain types of information are protected from disclosure under District law. Such information will be exempt from disclosure under D.C. FOIA, provided the District law either:
  • Requires that the information be withheld from the public with no discretion regarding disclosure;
  • Establishes criteria for withholding; or
  • Refers to particular types of matters to be withheld.

D.C. Official Code § 2-534(a)(6).

  4. Response Plans – District response plans, including public emergency response plans, and specific vulnerability assessments that are intended to prevent or mitigate acts of terrorism, are exempt from disclosure under D.C. FOIA. D.C. Official Code § 2-534(a)(10).

During a communicable disease outbreak or other public health emergency, public agencies may receive requests for information related to the outbreak or emergency. Whether or not such information must be disclosed under D.C. FOIA depends on the type of information to be disclosed. Information may be exempt from disclosure because such disclosure would be an invasion of privacy. Communicable disease reporting information that identifies individuals is protected under D.C. Official Code § 7-131 and may not be disclosed under D.C. FOIA. However, non-identifying information is not protected and must be disclosed. See section 7.3 of the Manual for more details regarding use and disclosure of communicable disease reporting information.

10.4 Federal Law

10.4.1 Health Insurance Portability and Accountability Act of 1996

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Pub. L. No. 104-191, 110 Stat. 1938 (1996) protects the privacy and security of protected health information (PHI) unless otherwise provided for in the implementing regulations.

10.4.2 Health Information Technology for Economic and Clinical Health Act

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) Pub. L. No. 111-5, 123 Stat. 115 (2009) was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health information technology. The HITECH Act also increased the scope of privacy and security protections available under HIPAA, broadened the potential legal liability for non-compliance, and provided for more enforcement for violations under HIPAA.

10.4.3 Health Insurance Portability and Accountability Act Privacy Rule

The Federal Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) was adopted in 2002 to implement HIPAA. The Privacy Rule, contained in 45 C.F.R. §§ 160.101-552, 164.102-106, and 164.500-534, provides that a covered entity and its business associates may not use or disclose PHI except as permitted or required by the Privacy Rule.

  1. Covered Entities – The Privacy Rule applies to three types of entities: health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with certain transactions. These entities are referred to as “covered entities.” 45 C.F.R. §160.103.
     
  2. Business Associates – A business associate is defined as a person or entity that creates, receives, maintains, or transmits PHI to perform certain functions or activities on behalf of a covered entity. Under the Privacy Rule, covered entities are allowed to disclose PHI to business associates to create and receive PHI on behalf of the covered entity, subject to the terms of a business associate agreement between the parties. The HITECH Act makes business associates directly liable for violations of the Privacy Rule. 45 C.F.R. § 160.103.
     
  3. Protected Health Information – PHI is defined as “individually identifiable health information” that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media. 45 C.F.R. §160.103.

    Individually identifiable health information means health information that identifies the individual, or could reasonably be used to identify the individual. Id.

Genetic information is considered to be “health information” under HIPAA and will be protected if it fits the definition of PHI.

10.4.4 Disclosures Permitted by the Health Insurance Portability and Accountability Act

  1. Disclosures Required By Law – A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law. In addition, the use or disclosure must comply with and be limited to the relevant requirements of the law. 45 C.F.R. §164.512(a).
     
  2. Disclosures for Public Health Activities – A covered entity may disclose PHI for public health activities and purposes to:
    • A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including:
      • The reporting of disease, injury, and death; and,
      • The conduct of public health surveillance, public health investigations, and public health interventions.
    • An official of a foreign government agency that is acting in collaboration with a public health authority, at the direction of a public health authority;
    • A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;
    • A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity;
    • A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; and
    • An employer, about an individual who is a member of the workforce of the employer, under specific circumstances.

45 C.F.R. §164.512(b)(1).

  3. Disclosures to Avert a Threat to Health and Safety – A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose PHI, if the covered entity, in good faith, believes the use or disclosure is:
    • Necessary to prevent or lessen a serious or imminent threat to the health or safety of a person or the public; and,
    • To a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

45 C.F.R. §164.512(j)(1)(i)(A)-(B).

The HIPAA Privacy Rule specifically allows disclosure of PHI, without the patient’s written authorization, to public officials and organizations for reasons related to a public health emergency (e.g., disease reporting, public health surveillance).

  4. Disclosures for Judicial and Administrative Proceedings – A covered entity may disclose PHI in connection with a judicial or administrative proceeding under the following circumstances:
    • In response to a court order or the order of an administrative tribunal, provided that only the PHI requested by the order is disclosed; or,
    • In response to a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or administrative tribunal if:
      • The covered entity receives satisfactory assurances from the party seeking the information that it has made reasonable efforts to ensure that the individual who is the subject of the PHI has been given notice of the request; or,
      • The covered entity receives satisfactory assurances from the party seeking the information that it has made reasonable efforts to secure a qualified protective order that:
        • Is in the form of an order from a court, administrative tribunal, or a stipulation by the parties to the proceeding;
        • Prohibits the parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which the PHI was requested;
        • Requires that the PHI and all copies be returned to the covered entity or destroyed at the end of the proceeding; or
        • The covered entity itself makes reasonable efforts to seek a protective order or to provide notice to the individual.

45 C.F.R. § 164.512(e)(1).


