The Legal and Ethical Aspects of Healthcare Information

Patient health information comes in different forms, such as paper records, electronic records, an abstract of specific patient information, or other formats. Health information plays a pivotal role in the delivery of healthcare. Additionally, health information kept in these formats serves as the legal record of patient care for the health care provider. As such, health information is subject to various ethical and legal requirements. Security, privacy, and confidentiality are the three concepts used when discussing the protection of health information. Confidentiality is both a legal and an ethical requirement in the healthcare field. For example, the AHIMA Code of Ethics supports and advocates confidentiality when handling healthcare information. Health care professionals with access to patients’ records should uphold the principle of confidentiality in the disclosure and use of a patient’s health information (AHIMA, 2011).

In law, confidentiality is privileged communication between a professional and a client. The Health Insurance Portability and Accountability Act (HIPAA) provides laws that protect a patient’s health information. The Privacy Rule under HIPAA gives patients rights over their health information (Bragg et al., 2009). Under this federal law, patients can decide who accesses their health information, whether oral, written or electronic. HIPAA applies to covered entities: health plans, healthcare providers, and healthcare clearinghouses. The HIPAA valid authorization requirement for covered entities in regard to healthcare information disclosure was amended by the HITECH Omnibus Rule. The Omnibus Rule extends health care information disclosure requirements not only to covered entities but also to their business associates. Because of the Privacy Rule and the Omnibus Rule, federal rules must be considered whenever protected health information is disclosed.

Support for confidentiality is evident in case law. For example, in Jaffee v. Redmond (1996), the Supreme Court allowed a therapist to continue withholding sensitive information about a client. In mental health treatment, health information requires special confidentiality. State statutes provide guidelines for the management of health information belonging to mental health patients. For example, the Illinois Mental Health and Developmental Disabilities Confidentiality Act protects the health information of mentally disabled patients and sets requirements for the disclosure and use of confidential information belonging to mentally ill patients.

In regard to health care information, privacy is the right of the patient to be left alone, especially when deciding how their personal information is disclosed. The United States Constitution does not contain specific provisions protecting healthcare information privacy rights. However, healthcare information privacy and related decisions are outlined in statutes at both the state and federal levels. Additionally, privacy rights in regard to health information have been outlined in court decisions and organizational policies. For example, HIPAA has a Privacy Rule that protects the privacy of patients’ health information. Under the Privacy Rule, health care providers should limit the instances in which a patient’s information is used. There are arguments about HIPAA’s effectiveness in ensuring the privacy rights of patients. HIPAA has affected the work of health information management professionals, placing pressure on them to comply with their Privacy Rule responsibilities (Krager & Krager, 2016).

Security refers to the means of protection used to safeguard the privacy of patient information. Prior to technological advancement, the security of health information referred to the protection of paper health records stored in file cabinets. However, the use of electronic records has grown over the last decade, creating the need for regulatory guidelines specific to electronic health records. HIPAA was the first federal law to protect the security of health information. Under the HIPAA Security Rule, individual health information is protected from improper disclosure while health providers retain access to the information for treatment purposes.

Application of Policies and Procedures to Proper Access and Disclosure of Personal Health Information

Health care is one of the most important services rendered in the world, yet to provide this care, various health professionals must have access to private patient information. In order to receive health care, patients must reveal intimate information about themselves. In turn, the healthcare professionals must use the information confidentially and protect its security. At the same time, for patients to receive appropriate care, health professionals require immediate access to patients’ information. Health professionals must therefore balance their ability to deliver quality care with upholding patients’ right to privacy.

Confidentiality of health information is enforced in every state by state law as well as by the federal laws provided by HIPAA and expanded by the Omnibus Rule. All health professionals and individuals who come into contact with patient health information should consult their state privacy law in regard to health information. Additionally, it is important for those responsible for health care information to confirm the credentials of other individuals who claim to be authorized to access a patient’s health records. Consequently, health care providers will be better equipped to handle patients’ health care information without risking inappropriate disclosure.

Protected health information can be disclosed or used by covered entities and business associates provided there is a Business Associate Agreement between the covered entity and its business associate. However, before use and disclosure, the patient has to receive a Notice of Privacy Practices from the provider and sign an acknowledgement of the notice. Mental health records are not covered by this release. Providers must ensure that their notices meet both HIPAA and state law standards (McWay, 2015). Mental health records require the specific authorization of the patient. In cases where the media seeks information about a patient, the healthcare provider must respect the confidentiality of the patient. In such cases, the provider is only allowed to disclose limited information, since the media’s need for information does not outweigh the confidentiality rights of the patient.

Health professionals can only disclose protected health information when they have the consent of the patient or of a substitute decision maker. For example, when the patient is a minor, the physician will require consent from the parents or guardian. In other instances, disclosure of PHI can be permitted under legislation. Additionally, during legal proceedings or when the information is of security importance, disclosure of PHI is required by law. When disclosure of PHI is important to the provision of healthcare and the health provider is not in a position to reach the patient in a timely manner, disclosure is allowed under HIPAA. Disclosure is also allowed under HIPAA in other circumstances: a health care provider may disclose PHI if, on reasonable grounds, the physician believes that disclosure is important to eliminate a risk to a person or persons. For example, to prevent a disease outbreak, physicians are obligated to disclose PHI. Thus, both state and federal statutes can require healthcare providers to make PHI available; for example, a court order might request PHI.

Ethical Obligations of Healthcare Providers

Health information management (HIM) professionals are ethically obligated to provide security for healthcare information and ensure its privacy. HIM professionals are ethically obligated to disclose health information only to authorized personnel. Additionally, they are obligated to maintain and improve health information systems. Their ethical obligation also includes ensuring the integrity and accessibility of health information. AHIMA requires certificants and members to uphold professional ethics. Under AHIMA, healthcare providers shall: uphold the patient’s right to privacy and confidentiality during the disclosure and use of health information (AHIMA, 2011); subordinate their self-interests to the health, service, and welfare of individuals; safeguard the security and privacy of all forms of health information; uphold ethics and professionalism in all their actions; enhance and develop professional knowledge in order to advance knowledge in health information management; guide and recruit others to strengthen and develop a professional workplace; represent the healthcare profession in a professional manner; and respect the dignity of other persons (McWay, 2015).

The American Medical Association also provides a code of ethics to optimize patient benefit. Health care providers are expected to provide proficient care with respect for human rights, dignity, and compassion. In all situations, physicians and their assistants shall recognize and respect the law and, when needed, seek changes in laws that do not promote patients’ wellbeing (McWay, 2015). Within the constraints of federal and state laws, healthcare providers shall respect the rights of patients and safeguard confidences. While caring for a patient, a physician shall prioritize their responsibility to the patient.

Beyond specific ethical guidelines, there are four principles that extend to the healthcare provider’s code of ethics: autonomy, beneficence, justice and non-maleficence. Autonomy provides that patients have control over their bodies. Therefore, a patient can choose to accept or refuse treatment even if that is contrary to the doctor’s opinion. Beneficence requires physicians and nurses to provide the best available care to a patient by acknowledging the uniqueness of every case. According to this principle, healthcare providers should treat every case as unique because, even though patients may present with the same symptoms, treating those symptoms identically might have adverse effects on a particular patient. The principle of non-maleficence requires physicians to consider any accidental harm their actions might cause to a patient. Finally, physicians must be just in the treatment of patients.

Procedures regarding the Release of Patient Information to Authorized Users

Patients have the right to access protected health information belonging to them, including research records, billing records, and medical records. However, there are procedural requirements before a patient can access their health records. First, a patient needs to complete a form to request access to health information. If the records of the patient are not filed under health information management (HIM), the HIM staff on duty should send the request to the appropriate department. HIM is obligated to respond within 30 days of the request for on-site health records and within 60 days for off-site health records. In case of search difficulties, the HIM department is granted an extra 30 days to find the medical record (Green et al., 2011); however, the HIM department is expected to notify the patient with an extension notification. Patients must pay a stipulated amount of money for their records; in most cases the charge is $0.75 per page. Lawyers and insurers pay $1 for each page (Green et al., 2011). Sometimes a patient might not wish to take the record with them but only to inspect it. In such cases, the patient should be asked whether they want their physician present for the review. Patients should provide proper identification documents before they are handed the requested health records.

In some special cases, patient authorization is not required before his or her records are accessed. Such instances include requirements of the law, protection of public health, and requests from health oversight organizations. All other PHI requests require the patient’s authorization. The procedure for an outsider to obtain a patient’s information begins with presentation of a Downstate HIPAA Authorization filled in and signed by the patient. If the PHI requested relates to mental health, substance abuse or HIV, the authorization should specify the information that may be disclosed. Health providers who request access to PHI must fill in the relevant form to declare their intention (Peden, 2017). Finally, disposal of health information documents should follow the provided protocols. Waste documents containing patient health information should not be tossed into waste baskets, taken home or used as scratch paper.

Importance of Patient’s Rights, Advance Directives, and Other Aspects of Informed Consent in American Health Care

Patient rights afford patients security, comfort, and privacy. Anyone involved in the care of the patient is not allowed to treat or examine the patient without their consent. Additionally, auditory and visual privacy is provided when the patient is being treated, examined or interviewed. Health providers are obligated to obtain the patient’s consent. Patients’ rights and advance directives also protect patients from seclusion and restraints imposed by the health care provider as discipline or as a means of coercion (McLean & Mason, 2003). Patients have a right to be informed of their rights before receiving or discontinuing care, so that they are fully aware of what to expect. Informed consent also means that patients cannot be coerced into any form of treatment. Health information can be accessed without the patient’s knowledge for research and even for malicious purposes. However, patients are protected from such practices and are given the power to choose who can access their healthcare information. Additionally, rights in regard to the disclosure of a patient’s health information ensure that the patient’s respect and dignity are upheld.

Privacy, security, and confidentiality are important aspects of handling healthcare information. Patients must be assured that the information they share with healthcare providers will be kept confidential. Without such assurance, patients might withhold important information, and withholding information could adversely affect the outcome, safety, and quality of care. The HIPAA Privacy and Security Rules, together with the Omnibus Rule, have established principles for the disclosure of information, including what constitutes a valid authorization. Confidentiality of health information is an ethical requirement under professional association codes of ethics such as AHIMA’s. All those who come into contact with or have access to health information are obligated to respect that information. Finally, patients have privacy rights in regard to how their information is treated.

References

AHIMA. (2011). American Health Information Management Association Code of Ethics.

Bragg, M. D., & American Bar Association. (2009). HIPAA for the general practitioner. Chicago, Ill: ABA General Practice, Solo & Small Firm Division.

Green, M. A., Bowie, M. J., & McGraw, S. L. (2011). Essentials of health information management: Principles and practices. Clifton Park, NY: Delmar Cengage Learning.

Jaffee v. Redmond, 518 U.S. 1; 116 S. (1996). Retrieved from

Krager, D., & Krager, C. (2018). HIPAA for health care professionals.

McLean, S., & Mason, J. K. (2003). Legal and ethical aspects of healthcare. London: Greenwich Medical Media.

McWay, D. C. (2015). Legal and ethical aspects of health information management.

Peden, A. H. (2017). Comparative health information management.