Back to Chapter 3 Privacy, Confidentiality & Medical Records
Opinion 3.2.4

Access to Medical Records by Data Collection Companies

Download PDF CME Course

Information contained in patients’ medical records about physicians’ prescribing practices or other treatment decisions can serve many valuable purposes, such as improving quality of care. However, ethical concerns arise when access to such information is sought for marketing purposes on behalf of commercial entities that have financial interests in physicians’ treatment recommendations, such as pharmaceutical or medical device companies.

Information gathered and recorded in association with the care of a patient is confidential. Patients are entitled to expect that the sensitive personal information they divulge will be used solely to enable their physician to most effectively provide needed services. Disclosing information to third parties for commercial purposes without consent undermines trust, violates principles of informed consent and confidentiality, and may harm the integrity of the patient-physician relationship.

Physicians who propose to permit third-party access to specific patient information for commercial purposes should:

  1. Only provide data that has been de-identified.
  2. Fully inform each patient whose record would be involved (or the patient’s authorized surrogate when the individual lacks decision-making capacity) about the purpose(s) for which access would be granted.
    Physicians who propose to permit third parties to access the patient’s full medical record should:
  3. Obtain the consent of the patient (or authorized surrogate) to permit access to the patient’s medical record.
  4. Prohibit access to or decline to provide information from individual medical records for which consent has not been given.
  5. Decline incentives that constitute ethically inappropriate gifts, in keeping with ethics guidance.

Because de-identified datasets are derived from patient data as a secondary source of data for the public good, health care professionals and/or institutions who propose to permit third-party access to such information have a responsibility to establish that any use of data derived from health care adhere to the ethical standards of the medical profession.

AMA Principles of Medical Ethics: I, II, IV
Read the Principles

Council Reports

Related Opinions

See All Opinions
Opinion 3.2.1

Confidentiality

Physicians have an ethical obligation to preserve the confidentiality of information gathered in association with the care of the patient. With rare exceptions, patients are entitled to decide whether and to whom their personal health information is disclosed.
Opinion 3.3.3

Breach of Security in Electronic Medical Records

When there is reason to believe that patients’ confidentiality has been compromised by a breach of the EMR, physicians have a responsibility to follow ethically appropriate procedures for disclosure. The degree to which an individual physician has an ethical responsibility to address inappropriate disclosure depends in part on his or her awareness of the breach, relationship to the patient(s) affected, administrative authority with respect to the records, and authority to act on behalf of the practice or institution.