You can violate patient confidentiality without even knowing it, particularly when transferring health-care information or records to others. This complex issue involves two levels of obligation: law and ethics.

Law. Although a doctor in private practice is the owner of patient records, a crazy quilt of federal and state laws (to quote a judges comment) regulates the release of patients health-care information. The most recent and far-reaching law in this regard is the federal Health Insurance Portability and Accountability Act (HIPAA).

HIPAA allows a practitioner to disclose patient information without violating confidentiality requirements in order to get paid, provide treatment, consult, refer or manage the patients case, or perform health-care operations (such as quality assessment). But, the HIPAA rules require the patients consent for disclosures of personal health-care information to third parties outside these exceptions. This authorization must be in writing and must describe the purpose of the disclosure and the information to be provided.

Importantly, the rules allow a practitioner to transfer patient records by sale or other disposition to a successor practitioner, as long as that practitioner abides by HIPAA requirements.

Ethics. Patient confidentiality is also subject to ethical rules, which can be incorporated into state practice acts or other laws as legal obligations.

State board rules and regulations often include legal and ethical
proscriptions that apply to confidentiality, patient access to information, and the period of time records must be maintained. Violations (for unprofessional conduct) can result in disciplinary action, including loss of license for a practitioner.

So, what legal and ethical responsibilities does an optometrist usually have when transferring patient records? This question arises regularly, such as when an employee leaves a private practice, when a co-owner sells his or her interest in a private practice, when an optometrists lease agreement is terminated or when a practice is sold to another practitioner.

Answer the following four questions to test your knowledge of confidentiality requirements. Check the answerswhich are based upon prevailing legal and ethical rulesand your colleagues responses from our e-mail survey. (Keep in mind that these obligations do vary somewhat from jurisdiction to jurisdiction.)


Question 1. Sale of a Practice

A solo O.D. practitioner sells the practice, including all patient records, to another optometrist. Does the sellers ethical obligation to protect the confidentiality of the records extend beyond the sale?

a. The ethical obligation ends with the sale.

b. The ethical obligation ends with the sale if the buyer agrees to comply with HIPAA requirements to respect confidentiality, and in fact does so.

c. The ethical obligation continues past the sale regardless of what the buyer agrees to or does.

d. The ethical obligation continues past the sale only if the seller agrees to assume future responsibility for confidentiality.


Answer 1. Sale of a Practice to Another Practitioner

The sale of a practice is confusing to me, says John Fujii, O.D., of Stockton, Calif. I would assume that the HIPAA regulations would require that the patients records be protected beyond the sale by the selling doctor, and that the buyer and staff would be required to protect that information upon the practices sale or transfer.

The answer is: b. Confidentiality requirements end with the sale if the buyer complies with HIPAA requirements to respect confidentiality. For this reason, the sales contract should include a HIPAA compliance statement, in which the buyer pledges to adhere to HIPAA confidentiality requirements.

Legally, if a valid transfer of ownership is made, the duty to protect confidentiality becomes the buyers responsibility after the sale, but an ethical breach would occur if the transfer was of such character that protection of confidentiality could not be obtained afterwards. If the seller knew or should have known that confidentiality could not be protected, the transfer likely does not meet ethical standards, even if it satisfies the legal requirements for a sale.

A sales contract does not automatically impose confidentiality requirements on the buyer and seller (unless it specifically includes language to this effect), but the obligation to respect confidentiality exists under law and continues to apply until records are destroyed. Ethically, a seller of records should ensure they will be disposed of properly, and the sales agreement may contain language obligating the buyer to conform to accepted methods (i.e., shredding) when records are ultimately to be destroyed.

(Source: Review of Optometry e-mail survey, n = 785)

Question 2: Termination of Employment in a Private Practice

The employment contract between an optometrist who is the sole owner of a practice and an employee optometrist states that all patient records are the property of the employer. It further states that the employee has no right to the records or the information in them when employment terminates. Does the employee have a continuing ethical obligation to protect the confidentiality of patient information in the records after the employment ends?

a. The employees obligation to respect the confidentiality of patient information continues even after the employment has ended.

b. The employees responsibility to respect confidentiality after termination of employment only pertains to the records of patients the employee examined, not the employers other patients.

c. The employee has a duty to respect confidentiality of patient information after employment only if the employment contract includes such a requirement.

d. Once the employment relationship ends, the employee is no longer ethically bound to protect the confidentiality of the employers records.


Answer 2: Termination of Practitioners Employment in a Private Practice

Regardless of the legality, it seems to me that its plain common sense and courtesy to maintain confidentiality of records once they are out of a practitioners [or employees] possession, says Chris Marquardt, O.D., of Wausau, Wis.

The answer is: a. An employees obligation not to divulge patient information continues past the termination of employment.

Legally, the final responsibility for protecting confidentiality belongs to the employer, who is the owner of the records. However, an employee is legally and ethically bound to ensure confidentiality while working for the employer. So, a breach of confidentiality by an employee optometrist, if the employer is also involved, may result in discipline for both practitioners because the employer is legally responsible for the acts or omissions of an employee.

After the employment has ended, the employee is still legally and ethically bound to respect the confidentiality of individual patient information (whether this obligation is specified in the employment contract or not). This obligation extends to all the employers patients (and not merely those examined by the employee).

If copies of patient records are subsequently transferred to the ex-employee, the responsibility essentially becomes a joint one, with each practitioner responsible for the records in his or her possession.

(Source: Review of Optometry e-mail survey, n = 781)


Question 3: Sale of Interest by the Co-Owner of a Private Practice

An optometrist who is the co-owner of a private practice decides to sell all ownership interest and start a rival clinic. The practice bylaws confer ownership of the patient records upon the practice and do not permit departing shareholders to take records with them. What is the practices legal and ethical responsibility to provide patient information from the records after the optometrists departure?

a. If the optometrist requests patient information from the records, the practice must provide it.

b. The practice has no responsibility to provide patient information from the records to the optometrist.

c. Any information from records can only be given to the patients requesting it and not to the optometrist.

d. The practice must comply with requests from patients to transfer information from their records to the optometrist.


Answer 3: Sale of Ownership Interest by a Practitioner in Private Practice

The patient owns the information in his/her record, says Don R. Dye, O.D., of Elberton, Ga. Protection of the patients information should only be released by the patients written instructions.

The answer is: d. For both legal and ethical reasons, patient information must be transferred to another practitioner upon the valid request of the patient. Failure to do so may be considered unprofessional conduct.

When a practice business entity (general partnership, limited liability company, professional association or corporation, Subchapter S corporation) is granted ownership of patient records, it is responsible for protecting confidential information (through its practitioners). A co-owner who leaves the practice usually does not have a legal right to this information (unless specifically allowed by the practice bylaws or rules). So, the practice should not comply with requests for patient information or records by the former co-owner unless accompanied by a written consent from the patient.

However, patients may request that information be provided to the optometrist. The practice then is ethically bound to transfer the information to ensure continuity of care. HIPAA allows patients to inspect their records, request correction of erroneous entries, and direct the transfer of information to successor doctors.

If a departing practitioner is allowed to take copies of patient records, he or she remains obligated to protect the confidentiality of the copies (and the information in them) as does the practice for the protection of the original records.

(Source: Review of Optometry e-mail survey, n = 782)


Question 4: Office Lease Agreement Requiring Records Transfer at Termination

The office lease agreement offered by a for-profit business corporation contains a clause stating that, upon termination of the lease, an independent optometrist must leave the patient records to a future optometrist who will be selected by the for-profit corporation. Can an optometrist ethically agree to such a provision?

a. An independent contractor owns the records of patients seen and therefore can ethically dispose of the records in this manner.

b. Leaving the records behind is ethical as long as another optometrist eventually takes possession of them.

c. This provision is not ethical because it does not provide for a successor practitioner who will respect confidentiality, as required by HIPAA.

d. It is unethical to transfer patient records to another practitioner without a sales agreement that ensures the legal transfer of ownership.


Answer 4: Transfer of a Practitioners Records as Part of a Lease Agreement

As a doctor, signing any contract that allows ownership of patient medical records by a for-profit retail corporation may be improper, says Alan McKee, M.S., O.D., of Tahlequah, Okla. Even with a signed agreement from the incoming doctor regarding confidentiality and HIPAA, any period of gap during which time the corporation has sole responsibility for the medical records would be an issue.

The correct answer is: c. To ethically turn ownership of patient records over to a successor practitioner, an optometrist must ensure that the practitioner will comply with HIPAA confidentiality requirements and that patient information will be protected.

An independent contractor is an autonomous practitioner and is expected to maintain his or her own records. So, ownership of the records is typically vested in the independent contractor. That means an independent contractor can legally sell the records to a successor practitioner, and the transaction is ethical as long as the purchasing practitioner complies with HIPAA confidentiality requirements. This is true even if there is no written contract of sale, because ethical and legal obligations to respect confidentiality exist independent of the sales agreement. However, lack of a written contract can create other legal problems.

If an independent contractor assigns possession (not ownership) to a practitioner who agrees to be HIPAA compliant, the transfer is considered ethical. But, suppose the successor practitioner is not known at the time of the transfer? It would be impossible for the independent contractor to determine whether the successor would comply with HIPAA confidentiality requirements, or to ensure that confidentiality is respected until a successor practitioner takes possession.

Dumping of records in this manner is considered unethical. Under these circumstances, eventual assumption of possession by a successor practitioner would not relieve the independent contractor of responsibility for protection of confidentiality. If a breach occurred, both practitioners could be held responsible.

An O.D. employed by a for-profit corporation who holds no ownership right in the records incurs the responsibilities of a departing employee (previously discussed). If the employee O.D. owns the records, he or she has the same status as an independent contractor.

(Source: Review of Optometry e-mail survey, n = 778)


A practitioner assumes legal and ethical responsibilities to protect confidentiality whenever he or she compiles patient records. Records can only be transferred when a successor practitioner agrees to assume them. From an ethical standpoint, the transfer must be accomplished in a manner that preserves the confidentiality of the health information.

A successor practitioner effectively assumes this obligation when ownership (not mere possession) of the records is transferred. If the circumstances of the transaction do not result in protection of confidentiality, however, then both practitioners may be held to have breached ethical requirements.

Similarly, a transfer of possession (but not ownership) does not necessarily relieve the transferring practitioner of ethical obligations to preserve confidentiality. If confidentiality is breached by the practitioner who is in possession, the practitioner who transferred the records may also be held responsible for the breach because ownership of records confers both an ethical and a legal obligation to protect confidentiality, even if the records are in the possession of (but not owned by) another practitioner.

For these reasons, whenever there is a transfer of records, a transfer of confidentiality should also be included within the contract between the parties.


Check Your Answers!

Check your state laws and board rules or regulations, in addition to federal HIPAA requirements, to ensure that your practice is in compliance with both the legal and ethical confidentiality requirements in your jurisdiction. HIPAA obligates practitioners to inform patients that privacy policies are being used to protect confidentialityand practitioners must ensure that their actions do just that.

Dr. Class is a professor at the School of Optometry of the University of Alabama at Birmingham. Dr. Harris is the Director of Policy and Planning at University of California Berkeley School of Optometry.

Vol. No: 145:07Issue: 7/15/2008