Legal Review and Commentary

Records release yields $26,000 settlement in UT

News: In the midst of a contested divorce proceeding, the plaintiff-husband's medical records were released by a treating physician who employed the defendant-wife. The records contradicted the husband's claim for support payments that he was trying to establish. After the husband brought suit against the doctor for unlawfully releasing confidential medical information, the parties settled for $26,000.

Background: A husband and wife were in the midst of a hotly contested divorce. The plaintiff-husband was seeking support payments from his wife, claiming that he was unable to work due to medical conditions. The plaintiff's treating physician was also the defendant-wife's employer. The treating physician filed an affidavit in the divorce action in which she challenged the claim that the husband was unable to work. The physician's opinion was based on several pre-divorce action examinations and/or treatments she had provided to the plaintiff-husband in the year prior to his filling for divorce. The physician's affidavit allegedly included medical information obtained during those treatments and examinations.

The plaintiff claimed negligence in the unauthorized release of confidential medical information. The matter was settled for $26,000 prior to going to trial.

What this means to you: Despite the low settlement amount, confidentiality of patient medical records is a serious concern for risk managers. Although medical records are the property of those who prepare them (medical professionals) and not of those about whom they are concerned (patients), patients have several rights relating to the records. For example, a patient generally has the right to review his or her medical records, demand copies of them, and to demand their confidentiality based on their privacy right in the information contained in the records.

In certain circumstances, a health care provider may have a duty to release medical records or medical information without the patient's knowledge or consent, such as when the police are warned of a mentally unstable or potentially violent person. In Utah, the location of this scenario, doctors are required to make certain disclosures relating to suspected child abuse and to communicable and infectious diseases, including HIV and AIDS. This duty to warn or report is considered to trump the patient's right to confidentiality or privileged communication with a doctor.

Mandatory disclosure was not the context of this scenario, however. The doctor in this case completely ignored patient confidentiality, notes Tracey H. Dehm, RRT, MHA, a risk management coordinator in Florida.

Confidentiality can stem from the physician's common law duty of confidentiality, the Hippocratic Oath, the Principles of Medical Ethics promulgated by the American Medical Association, constitutional provisions under the Fifth and 14th Amendments, and, most notably, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Department of Health and Human Services' Privacy Rule. Specifically, health care providers are required to obtain consent before sharing information regarding treatment, payment, and health care operations. Dehm notes that from a legal perspective, the last right the patient loses is the right to make decisions for his or her health care.

"Even though the physician was giving the medical record to the patient's spouse, that act stripped the patient of all rights regarding his health care decisions," she says. "Would the physician want anyone and everyone to view her personal medical record?"

Unfortunately, the unauthorized release of patient medical records is not an uncommon occurrence. In one notable Illinois case, a hospital released a woman's medical records to anti-abortion activists without the patient's knowledge or consent a few days after she was treated following complications from an abortion, and the records were subsequently posted on the Internet.

In California, a woman authorized her insurance company to release information pertaining to her wrist injury to her employer, but the file released contained the woman's entire medical history, including records on recent fertility treatment and pregnancy loss. In the Washington, DC, area, a woman was automatically enrolled in a "depression program" by her employer after her prescription drugs management company reported that she was taking antidepressants.

In New York, a congresswoman's medical records, including details of a bout with depression and a suicide attempt, were faxed from a hospital to a local newspaper and television station on the eve of her 1992 primary election.

Finally, in Washington state, two health care organizations were discovered to be discarding medical records, including patient names, addresses, Social Security numbers, and detailed descriptions of sensitive medical procedures, in unlocked Dumpsters. Patients aggrieved by such conduct often file suits for invasion of privacy, breach of the constitutionally guaranteed right to privacy (where the disclosing party is a governmental entity), breach of confidential relationship, breach of contract, defamation, medical malpractice, negligence, and intentional infliction of emotional distress.

Dehm recognizes how easy it would be for a health care provider to avoid liability under the scenario presented in this case. She advises simply getting permission of the patient, in writing and signed, before releasing the record. Medical providers or custodians of medical records should be wary of accepting signed consent form by facsimile transmission; an original signature also is best. And, if the medical record becomes the subject of a legal matter, the patient can simplify the process by authorizing his or her attorney to obtain copies of records or review originals.

If these steps are followed, the physician can defend his or her conduct when the patient comes back and complains that someone gained access to his or her medical record, Dehm says. "It's bad enough that health care providers take away the privacy from patients when they enter the hospital by stripping them naked, redressing them in a thin gown that does not cover all the important parts, and asking them to allow themselves to be poked and prodded all hours of the day and night without putting up any resistance," Dehm says. The least that can be done is protecting the patient's privacy when it comes to third parties.


Thomas Lowery v. Walstir Fonseca, MD, Central Utah Medical Clinic, and Nancy Lowery, ARNP, Salt Lake County (UT) District Court, Case No. 020914688.