Privacy of medical records is a legally complex subject. Medical record privacy is governed by a patchwork of federal and state laws, industry standards, privacy practices of specific providers, contracts between medical providers and their information management providers. In addition, the degree of privacy accorded to a medical treatment record can depend on the type of treatment rendered to the patient, and where and by whom the patient has been treated.

This article is not intended to address the entire subject of medical record privacy, but is only intended to address the circumstances under which a civil action would lie for a violation of medical privacy.

Federal Laws Governing Medical Privacy

Federal laws that govern the privacy of medical treatment records include the Federal Privacy Act of 1974, which covers Federal agencies, such as the Veteran’s Administration and the Department of Defense, and the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA. HIPAA applies generally to all medical providers in the United States, and imposes stringent limitations on disclosures, along with administrative and criminal penalties for intentional violations. However, HIPAA does not provide for any civil action for improper disclosure.

Some other federal laws governing medical privacy include Title II of the Genetic Information Nondiscrimination Act of 2008 (GINA), which prohibits genetic information discrimination in employment, and strictly limits disclosure of genetic testing information. In addition, the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 makes records of drug abuse treatment and rehabilitation confidential.

These are merely a few of many Federal laws and regulations that affect the privacy of medical treatment records.

Georgia Law on Medical Records Privacy

Common Law

No survey of medical privacy law would be complete without at least a brief discussion of the tort of invasion of privacy. Georgia was the first state to acknowledge judicially the existence of a legally enforceable right to privacy. In the context of violations of medical privacy this usually means that one can maintain a civil action for damages for the public disclosure of embarrassing private facts against a medical provider or other party with an obligation to maintain privacy.

Violations of medical privacy can also give rise to negligence claims. As noted above, HIPAA does not provide for civil actions to recover for violations, but in some states the courts have accepted that HIPAA regulations provide the standard of care for protecting medical information, and that a medical record disclosure in violation of HIPAA gives the injured party a negligence claim.

Genetic Testing Information

Outside the context of testing to determine paternity or in criminal cases, genetic testing information may only be used for therapeutic or diagnostic purposes. The testing results may only be disclosed to the individual tested and those whom he designates to receive that information. In the event that an insurance company uses genetic testing information in violation of the law they are subject to a claim under the Fair Business Practice Act of 1975.

Georgia Law on Mental Health Treatment Records

For decades now, Georgia has had a strong public policy against the unauthorized release of mental health treatment records. Georgia has statutorily recognized psychologist-patient communications to be confidential since 1951. In 1995, the scope of Georgia’s privilege was statutorily expanded to cover confidential communications between a patient and a licensed clinical social worker, clinical nurse specialist in mental health, licensed marriage and family therapist, and licensed professional counselor. In light of that expansion, it is appropriate to refer to the privilege as the “mental health privilege.”

Protecting confidential mental health communications from disclosure serves an important private interest and a public interest. As far as the individual patient’s private interest is concerned, confidentiality is an essential for successful psycho-therapeutic treatment since a psychotherapist’s ability to help a patient is completely dependent upon the patient’s willingness and ability to talk freely, and assurances of confidentiality and privilege foster the psychotherapist’s ability to function. In the case of Kennestone Hospital v. Hopson, 273 Ga. 145, 148, 538 S.E.2d 742 (2000), Justice Fletcher of the Georgia Supreme Court observed that

The purpose of the privilege is to encourage the patient to talk freely without fear of disclosure and embarrassment, thus enabling the psychiatrist to render effective treatment of the patient’s emotional or mental disorders.

Since “[t]he mental health of our citizenry … is a public good of transcendent importance[,]” the privilege serves the public interest “by facilitating the provision of appropriate treatment for individuals suffering the effects of a mental or emotional problem.”

Limited Disclosures of Medical Records or Information

In Georgia, disclosures of medical information made pursuant to laws requiring disclosure or pursuant to limited consent to disclosure do not destroy the privileged or confidential nature of those records. Those who receive confidential or privileged medical matter pursuant to legally required or limited consensual disclosure may only use them for those purposes and must otherwise keep them confidential.

If you believe that your confidential medical information has been improperly disclosed, then please call us at 912-401-0121.