Chapter 3.B.1  The Duty to Maintain Confidentiality


1. The Duty to Maintain Confidentiality


Notes: Common Law and Statutory Duties to Maintain Confidentiality


Note 1.  A Constitutional Right of Confidentiality.


For a discussion of the right to privacy and medical records, as well as a suggestion of more stringent standards of review for determining infringements of privacy see: Alison M. Jean, “Personal Health and Medical Information: The Need for More Stringent Constitutional Privacy Protection,” 37 Suffolk U.L. Rev. 1151 (2004).


Patient’s privacy rights violated by provisions requiring the disclosure of unredacted medical records, ultrasound pictures and incident reports in Tucson Woman’s Clinic v. Eden, 379 F. 3d 531 (9th Cir. 2004).


No violation of plaintiff’s right to privacy where medical records reviewed to determine whether he was a sexually violent predator. Hubbs v. Alamao, 360 F. Supp. 2d 1073 (C.D. Cal. 2005).


A statutory requirement that health care professionals report sexual activity by minors under the age of 16 violated patient’s privacy rights and was permanently enjoined in the absence of reason to suspect injury from the illegal sexual activity. AID for Women v. Foulston, 427 F.Supp.2d 1093 (D. Kan. 2006).


Note 2.  The Doctrinal Basis for a Common Law Duty to Maintain Confidentiality.


For a review of the trends in health care privacy that concentrates on the U.S. but also looks at the UK and Australia see: Roger S. Magnusson, “The Changing Legal and Conceptual Shape of Health Care Privacy,” 32 J.L. Med. & Ethics 680 (2004).


Note 3.  Statutory Protection.


In Shaddox v. Bertani, 110 Cal. App. 4th 1406 (2003), the court held that a dentist was statutorily protected from a claim of invasion of privacy for reporting a police officer whom he believed was addicted to prescription drugs to the police department. 


Physician’s disclosure of medical information to a patient’s supervisor was not a breach of confidentiality because it was sufficiently non-specific to fit within the exception of the state’s Confidentiality of Medical Information Act.  Garrett v. Young, 109 Cal. App. 4th 1393 (2003).


Note 4.  Federal Protection.


HIPAA has survived its first constitutional attack. See: South Carolina Med. Ass’n v. Thompson, 327 F.3d 346 (4th Cir. 2003). The plaintiffs had argued that the HIPAA regulations were the result of improper, standardless delegation of legislative authority and that they were unconstitutionally vague.


The trial court correctly quashed a subpoena issued under HIPAA seeking the records of patients whose physicians used specifically identified procedures to perform late-term abortions.  Northwestern Memorial Hospital v. Ashcroft, 362 F. 3d 923 (7th Cir. 2004).


A hospital violates the provisions of HIPAA by selling a list of patient’s names for marketing purposes; the hospital could be criminally prosecuted. However, if a clerk who works at the hospital does the same thing in violation of hospital policy, can the clerk be criminally prosecuted? See Robert Pear, Ruling Limits Prosecution of People Who Violate Law on Privacy of Medical Records, The New York Times, June 7, 2005 at A 16,

Col. 1. Available at: (last visited July 20, 2006) (Justice Department has issued a new authoritative ruling that limits who can be criminally prosecuted for HIPAA violations).  


Courts are beginning to struggle to integrate HIPAA into the framework of other sources of disclosure/confidentiality obligations. See e.g., Smith v. American Home Products Corp. Wyeth-Ayerst Pharmaceutical, 855 A.2d 608 (N.J. Super. L. 2003) (discussing interaction of HIPAA with state discovery rules).


Not surprisingly, HIPAA’s scope has resulted in numerous commentaries.  For examples see:  


Diane Kutzko et al., HIPAA in Real Time: Practical Implications of the Federal Privacy Rule, 51 Drake L. Rev. 403 (2003); Marie C. Pollio, The Inadequacy of HIPAA’s Privacy Rule: the Plain Language Notice of Privacy Practices and Patient Understanding, 50 N.Y.U. Ann. Surv. Am. L. 579 (2004) (critiques the plain language requirements of the HIPAA Privacy Rule); David R. Morantz, HIPAA’s Headaches: A Call for a First Amendment Exception to the Newly Enacted Health Care Privacy Rules, 53 U. Kan. L. Rev. 479 (2005); June Mary Zekan Makdisi, Commercial Use of Protected Health Information under HIPAA’s Privacy Rule: Reasonable Disclosure or Disguised Marketing, 82 Neb. L. Rev. 741 (2004); Meredith Kapushion, Hungry, Hungry HIPAA: When Privacy Regulations Go too Far, 31 Fordham Urb. L. J. 1483 (2004); Jennifer Guthrie, Time is Running Out – The Burdens and Challenges of HIPAA Compliance: A Look at the Preemption Analysis, the “Minimum Necessary” Standard, and the Notice of Privacy Practices, 12 Ann. Health L. 143 (2003).


Note 5.  Confidentiality as a Rule of Evidence.


Ralph Ruebner & Leslie Ann Reis, Hippocrates to HIPAA: a Foundation for a Federal Physician-Patient Privilege, 77 Temp. L. Rev. 505 (2004) (calls for a federal physician-patient privilege and discusses the foundation for that privilege).


For a discussion of why pregnancy tests done at Planned Parenthood clinics should be confidential and not obtainable by subpoena during criminal investigations into deaths and abandonment of newborns, see: Melissa O’Neill, Ohio’s Patient-Physician Privilege: Whether Planned Parenthood is a Protected Party, 17 J. L. & Health 297 (2003).


There is no dangerous-patient exception to the federal psychotherapist-patient testimonial privilege even though the psychotherapist may have the statutory discretion to disclose confidential information about the patient to prevent harm to a third party or to the patient. U.S. v. Chase, 340 F. 3d 978 (9th Cir. 2003).


Note 6.  Waiver and other Exceptions.


Suesbury v. Caceres, 840 A.2d 1285 (D.C. App. 2004) (physicians disclosure of information to a physician colleague in the same office “in the course of dealing with a matter related to the operation of that office” was not an "unconsented, unprivileged disclosure to a third party”).


NEW NOTE 10. Disclosure of Information about Health Care Providers.


Courts sometimes strike down statutes designed to protect the confidentiality of health providers. See: Public Citizen Inc. v. U.S. Dept of Health and Human Services, 332 F.3d 654 (D.C. Cir. 2003) (invalidating regulations and manual which prohibited disclosure of substantive disposition of PRO review when beneficiary's physicians did not consent).