Breach of Security in Electronic Medical Records
When used with appropriate attention to security, electronic medical records (EMRs) promise numerous benefits for quality clinical care and health-related research. However, when a security breach occurs, patients may face physical, emotional, and dignitary harms.
When a breach of security involving patient records occurs, physicians should:
- Ensure that patients are promptly informed about the breach and potential for harm, either by disclosing directly (when the physician has administrative responsibility for the EMR), participating in efforts by the practice or health care institution to disclose, or ensuring that the practice or institution takes appropriate action to disclose.
- Follow all applicable state and federal laws regarding disclosure. Physicians have a responsibility to follow ethically appropriate procedures for disclosure, which should at minimum include:
  - Carrying out the disclosure confidentially and within a time frame that provides patients ample opportunity to take steps to minimize potential adverse consequences.
  - Describing what information was breached; how the breach happened; what the consequences may be; what corrective actions have been taken by the physician, practice, or institution; and what steps patients themselves might take to minimize adverse consequences.
  - Supporting responses to security breaches that place the interests of patients above those of the physician, medical practice, or institution.
  - Providing information to patients to enable them to mitigate potential adverse consequences of inappropriate disclosure of their personal health information to the extent possible.
AMA Principles of Medical Ethics: IV, VIII
Related Opinions
Opinion 3.2.1
Confidentiality
Physicians have an ethical obligation to preserve the confidentiality of information gathered in association with the care of the patient. With rare exceptions, patients are entitled to decide whether and to whom their personal health information is disclosed.
Opinion 3.2.4
Access to Medical Records by Data Collection Companies
Information gathered and recorded in association with the care of a patient is confidential. Disclosing information to third parties for commercial purposes without consent undermines trust, violates principles of informed consent and confidentiality, and may harm the integrity of the patient-physician relationship.
Opinion 3.3.2
Confidentiality & Electronic Medical Records
Information gathered and recorded in association with the care of a patient is confidential, regardless of the form in which it is collected or stored.