Back to Chapter 3 Privacy, Confidentiality & Medical Records
Opinion 3.3.2

Confidentiality & Electronic Medical Records

Download PDF

Information gathered and recorded in association with the care of a patient is confidential, regardless of the form in which it is collected or stored.

Physicians who collect or store patient information electronically, whether on stand-alone systems in their own practice or through contracts with service providers, must:

  1. Choose a system that conforms to acceptable industry practices and standards with respect to:
    1. restriction of data entry and access to authorized personnel;
    2. capacity to routinely monitor/audit access to records;
    3. measures to ensure data security and integrity;
    4. policies and practices to address record retrieval, data sharing, third-party access and release of information, and disposition of records (when outdated or on termination of the service relationship) in keeping with ethics guidance.
  2. Describe how the confidentiality and integrity of information is protected if the patient requests.
  3. Release patient information only in keeping with ethics guidance for confidentiality.
AMA Principles of Medical Ethics: V
Read the Principles

Council Reports

Related Opinions

See All Opinions
Opinion 3.2.1

Confidentiality

Physicians have an ethical obligation to preserve the confidentiality of information gathered in association with the care of the patient. With rare exceptions, patients are entitled to decide whether and to whom their personal health information is disclosed.
Opinion 3.2.4

Access to Medical Records by Data Collection Companies

Information gathered and recorded in association with the care of a patient is confidential. Disclosing information to third parties for commercial purposes without consent undermines trust, violates principles of informed consent and confidentiality, and may harm the integrity of the patient-physician relationship.
Opinion 3.3.3

Breach of Security in Electronic Medical Records

When there is reason to believe that patients’ confidentiality has been compromised by a breach of the EMR, physicians have a responsibility to follow ethically appropriate procedures for disclosure. The degree to which an individual physician has an ethical responsibility to address inappropriate disclosure depends in part on his or her awareness of the breach, relationship to the patient(s) affected, administrative authority with respect to the records, and authority to act on behalf of the practice or institution.