Patient Confidentiality within the Peer Review Process
Information Source: TMA Board of Councilors - "HIPAA Privacy Standards and County Medical Society Disciplinary Procedures" and U.S. Department of Health and Human Services Office for Civil Rights - HIPAA
An article from the November 2002 Michigan Law Review states that HIPAA "arguably" requires a patient to give a written authorization before a health professional may disclose private health information (PHI) to a peer review committee of a statewide professional association reviewing a complaint made by the patient over the professional's competence.
HIPAA Privacy Standards Overview
Protected health information may not be used or disclosed except as permitted by regulation
Minimum Necessary Requirement:
Except for the purposes of rendering treatment, only the minimum necessary information should be disclosed and only the minimum necessary personnel should have access to the information.
These privacy standards create obstacles in the pursuit of legitimate county medical society complaints.
Whether the complaint is patient-physician or physician-physician, a peer review committee cannot and must not have access to a patient's private health information without the patient's signed HIPAA-compliant authorization form of release.
That also means that a physician cannot present any PHI to a peer review committee without the signed consent of the patient authorizing the release of the information.
Thus, the peer review committee and/or the physician must have the patient consent and sign the authorization for PHI release.
If the patient refuses to sign the consent form, a peer review committee will have a severely limited ability to review and come to a conclusion without the PHI.
De-identified Health Information
The physician also has another alternative if he or she cannot, or chooses not to, obtain the patient's consent: de-identifying patient information. The privacy standards do not apply to de-identified information, and the physician may use or disclose that set of information freely.
How to de-identify private health information
According to the U.S. Department of Health and Human Services, when de-identifying a patient, the following identifiers must be removed:
B.) All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of Census:
1.) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and
2.) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
C.) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
D.) Telephone numbers;
E.) Fax numbers;
F.) E-mail addresses;
G.) Social Security numbers;
H.) Medical record numbers;
I.) Health plan beneficiary numbers;
J.) Account numbers;
K.) Certificate/License numbers;
L.) Vehicle identifiers and serial numbers, including license plate numbers;
M.) Device identifiers and serial numbers;
N.) Web Universal Resource Locators (URLs);
O.) Internet Protocol (IP) address numbers;
P.) Biometric identifiers, including finger and voice prints;
Q.) Full-face photographic images and any comparable images; and
R.) Any other unique identifying number, characteristic, or code.
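The zip code and date rules in items B and C are the ones most often applied incorrectly, so here they are applied to a structured record in an added example (not code from TMA or HHS). The field names, the population table and the sample record are constructed assumptions; any field not explicitly allowed is dropped, and free-text notes and images still need manual review.

```python
from datetime import date

# Constructed stand-in for the Census population of each 3-digit zip prefix.
ZIP3_POPULATION = {"787": 1_200_000, "059": 12_000}

# Hypothetical field names. Only these pass through unchanged; identifiers
# in items D-R, sub-state geography and unknown fields are all dropped.
KEEP_FIELDS = {"state", "diagnosis", "procedure"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def generalize_zip(zip_code):
    """Item B: keep three digits only if that area has more than 20,000 people."""
    prefix = zip_code[:3]
    # A prefix missing from the table is treated as a small area (fail closed).
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def age_on(birth, today):
    """Whole years between birth and today."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))


def deidentify(record, today):
    """Return a de-identified copy of a structured record (items B and C)."""
    out = {k: v for k, v in record.items() if k in KEEP_FIELDS}
    if "zip" in record:
        out["zip3"] = generalize_zip(record["zip"])
    birth = record.get("birth_date")
    over_89 = birth is not None and age_on(birth, today) > 89
    for field in sorted(record.keys() & DATE_FIELDS):
        # Item C: year only; a birth year that reveals an age over 89 is removed.
        if field == "birth_date" and over_89:
            continue
        out[field.replace("_date", "_year")] = record[field].year
    if over_89:
        out["age_category"] = "90 or older"
    return out


# Constructed sample record, not real patient data.
SAMPLE = {
    "zip": "05901", "city": "Exampleville", "state": "VT",
    "birth_date": date(1930, 3, 14), "admission_date": date(2024, 5, 2),
    "phone": "555-0100", "mrn": "MRN-000000", "diagnosis": "hip fracture",
}
RESULT = deidentify(SAMPLE, today=date(2024, 6, 1))
```
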