A. The right to privacy is personal and fundamental.
B. Medical information maintained by physicians is privileged and should remain confidential.
C. The patient should have a right of access to his/her medical records and be allowed to provide identifiable additional comments or corrections. The right of access is not absolute. For example, in rare cases where full and direct disclosure to the patient might harm the patient's mental and/or physical well-being, access may be extended to his/her designated representative, preferably a physician.
D. The privacy of adolescent minors should be respected. Parents should not, in some circumstances, have unrestricted access to the adolescent’s medical records. Confidentiality must be maintained particularly in areas where the adolescent has the legal right to give consent.
E. Medical information may have legitimate purposes outside of the physician/patient relationship, such as, billing, quality improvement, quality assurance, population-based care, patient safety, etc. However, patients and physicians must authorize release of any personally identifiable information to other parties. Third party payer and self-insured employer policies and contracts should explicitly describe the patient information that may be released, the purpose of the information release, the party who will receive the information, and the time period limit for release. Policies and contracts should further prohibit secondary information release without specific patient and physician authorization.
F. Any disclosure of medical record information should be limited to information necessary to accomplish the purpose for which disclosure is made. Physicians should be particularly careful to release only necessary and pertinent information when potentially inappropriate requests (e.g., "send photocopies of last five years of records") are received. Sensitive or privileged information may be excluded at the option of the physician unless the patient provides specific authorization for release. Duplication of the medical record by mechanical, digital, or other methods should not be allowed without the specific approval of the physician, taking into consideration applicable law.
G. Disclosure may be made for use in conducting legal medical records audits provided that stringent safeguards to prevent release of individually identifiable information are maintained.
H. Policy exceptions which permit medical records release within applicable law: