Jun 17 2009

AMA Adopts Guidelines on Physician Response in the Event of Breach of a Patient’s Electronic Medical Record

On June 15, 2009, the American Medical Association adopted four guidelines outlining the steps physicians should take to protect patient information in the event of a security breach. The AMA policy dictates that, in response to a breach, physicians are to place the interests of patients above their own interests and those of their practice, employer, or institution. The new AMA guidelines ask physicians to:

  1. Ensure patients are properly informed of the breach;

  2. Follow ethically appropriate procedures for disclosure, which should at a minimum include:
    a) carrying out the disclosure in a private setting and within a time frame that provides patients ample opportunity to take steps to minimize potential adverse consequences; and
    b) describing what information was breached; how the breach happened; what the consequences may be; what corrective actions have been taken by the physician, practice, or institution; and what steps patients themselves might take to minimize adverse consequences.

  3. Support responses to security breaches that place the interests of patients above those of physician, medical practice or institution; and

  4. To the extent possible, provide information to patients to enable them to diminish potential adverse consequences of the breach of personal health information.

The full text of the AMA Reference Committee’s report is available here. The report on physicians’ ethical responsibility regarding electronically stored health information begins on page 54.