Medical Records - Confidentiality and Access

Jennifer Gimler Brady


Medical records contain vital information about a patient's medical history, as well as the medical care provided by hospitals, physicians and other health care providers.  In addition, a medical record documents a patient's informed consent to a particular course of treatment and is intended to serve as a basis for communication between a patient's various medical providers.  A patient's financial and insurance information also may be included in the medical record.  Each and every visit to a medical professional is accompanied by an entry to a medical record, and every test performed on a patient is documented in the patient's record.  Hospital admissions generate even more paperwork.  It is not surprising, therefore, that the volume of medical records in this country is staggering.

Unquestionably, medical records contain sensitive, personal information.  This is particularly the case when the records of AIDS/HIV patients are at issue.  Thus, disclosure of medical records is appropriately limited.  However, the expansion of managed care, third party utilization review, quality assurance efforts, malpractice claims, and governmental oversight has been accompanied by an expansion in access to medical records.  Indeed, it has been estimated that an average of 75 persons have access to any patient record.[2]  One need only open a newspaper to find a story on how confidential medical information is being widely disseminated without the patient's knowledge, much less consent.

The increased demand for access to medical records has heightened tensions between a third party's need/right/desire to know a patient's medical information and the patient's right to maintain the confidentiality of such information.  Currently, the confidentiality of medical records is protected by constitutional privacy rights, the common law right to privacy, and a variety of federal and state privacy laws.  On April 14, 2003, the privacy regulations implemented pursuant to the federal Health Insurance Portability and Accountability Act ("HIPAA") took effect.  The HIPAA privacy regulations represent the first comprehensive attempt to establish a national standard for the protection of private medical information.  The HIPAA privacy regulations will be discussed in detail during one of today's sessions.

At present, Delaware does not have a statute that protects the confidentiality of medical records generally, although, as discussed below, several statutes address the confidentiality of medical records in particular contexts, including HIV testing records.

This paper discusses issues that frequently arise in connection with patient medical records, such as ownership, access, and confidentiality.  In addition, the Delaware statute relating to HIV testing records is discussed in detail.  The paper concludes with summaries of a few key court opinions from Delaware and elsewhere relating to patient medical records and HIV status disclosure.


Traditionally, medical records have been viewed as the property of the facility or practitioner responsible for generating and maintaining the records.  In the case of a physician who is a member of a professional corporation group practice, however, it has been held that the corporation, and not the individual physician who treated the patient, owns the medical record.  See Parsley v. Associates in Internal Medicine, P.C., N.Y. Supr., 484 N.Y.S.2d 485 (1985); see generally Dickinson Medical Group, P.A. v. Foote, Del. Ch., C.A. No. 834-K, Brown, V.C. (May 10, 1984).

The ownership rights of a provider or facility generally are not absolute.  Rather, they are subject to the patient's right of access to and privacy in the information contained in the medical records.  Indeed, in most jurisdictions, it has been held that a patient has the right to review or obtain a copy of his or her medical record.  Requests for access to one's medical records should be made in writing.  It should be noted that a patient's access to medical records may be restricted if it is determined that such access may be harmful to the patient -- this type of limitation is most frequently encountered in connection with patients who are under psychiatric care.

If a patient is incapacitated, his or her legal guardian or a person holding a power of attorney for the patient may obtain access to the patient's medical records.  Again, a written request for records is recommended.  In the case of a deceased patient, the legal representative of the decedent's estate may obtain access to records.  Frequently, a family member will request copies of a loved one's medical records.  In general, such requests must be denied in light of privacy concerns.  However, a parent may obtain access to a minor's records.


Third party access to medical records is governed by federal and state law, as well as common law.  In general, third parties must obtain the consent of the patient to whom the medical records pertain before medical records will be released.  A more comprehensive consent form is recommended for records that may implicate particularly sensitive medical information, such as HIV status, as it documents that the patient made a fully informed decision in consenting to disclosure of the records.  As discussed below, however, the confidentiality of medical records is not absolute, and there are several exceptions for access to records by entities or individuals, without patient authorization.


The confidentiality of medical records is protected by common law. Both the Hippocratic Oath and the Principles of Medical Ethics promulgated by the American Medical Association have been cited by courts as sources for the duty to maintain the confidentiality of a patient's medical records.  See, e.g. Hammonds v. Aetna Cas. & Ins. Co., 243 F. Supp. 793 (N.D. Ohio 1965) (The Hammonds court also held that patients have a right to rely on the ethical standards of the medical profession as an express warranty of confidentiality.).  The Hippocratic Oath provides, in pertinent part:  "Whatever, in connection with my professional practice, or not in connection with it, I see or hear in the life of men, which ought not to be spoken abroad, I will not divulge, as reckoning that all such should be kept secret."  Similarly, Section 5.05 of the Principles of Medical Ethics states, in pertinent part:  "The information disclosed to a physician during the course of the relationship between physician and patient is confidential to the greatest possible degree. ...  The physician should not reveal confidential communications or information without the express consent of the patient, unless required to do so by law."

Privacy rights also are derived from the United States Constitution and, perhaps, state constitutions.  Constitutional privacy rights limit the power of government (and generally not that of private hospitals and practitioners) to encroach on an individual's private interests.  An individual's privacy rights may be outweighed by a legitimate governmental interest, however.  In such case, disclosure of confidential or private information may be compelled.

In addition, the confidentiality of medical records is protected by federal and state statutes.  A few of the key federal and state confidentiality statutes that relate to medical records are discussed below.



A. The Privacy Act of 1974

The Privacy Act of 1974 prohibits the disclosure of records maintained on individuals by federal government agencies and by government contractors, unless such disclosure is requested or consented to in writing by the person to whom the records pertain.  See 5 U.S.C. § 552a.  Medical facilities operated by the federal government or those that maintain a records system operated pursuant to a contract with a federal agency are bound by the Privacy Act's requirements concerning disclosure of a patient's medical records.  In the absence of patient consent, records may be disclosed only to the persons and for the purposes set forth in the Privacy Act, including "to a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if upon such disclosure notification is transmitted to the last known address of such individual..." (id. at 552a(b)(8)), or pursuant to the order of a court of competent jurisdiction (5 U.S.C. § 552a(b)(11)).

An aggrieved party may bring suit to enjoin the release of records, and if successful, may recover reasonable attorneys' fees and court costs.  Criminal penalties are applicable to intentional unauthorized releases of information.  It should be noted that the fact that a hospital or health care facility receives federal funding or is subject to federal regulation does not automatically bring it within the scope of the Privacy Act.

B. Public Health Service Act

The federal Drug Abuse Prevention, Treatment, and Rehabilitation Act and the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 have been transferred into the Public Health Service Act. Provisions of the Public Health Service Act address access to the records of alcohol or drug abuse patients.  These provisions, together with implementing regulations found at 42 C.F.R., Part 2, are intended to ensure that the confidentiality of medical records of patients who seek treatment for substance abuse is maintained, in order to encourage individuals to voluntarily seek such treatment.  The confidentiality requirements are very strict, and they prohibit disclosure of sensitive medical information, except in limited circumstances.  Specifically protected from disclosure are:  "[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States...."  42 U.S.C. § 290dd-2(a).  To be covered under the statute, a treatment program must receive direct or indirect federal financial assistance, including via Medicare or Medicaid participation.

The implementing regulations are broad and protect from disclosure records of patients who have actually been treated for substance abuse problems, as well as patient records prepared in connection with the treatment or referral for treatment of alcohol or drug abuse, whether or not such patients actually are treated.  42 C.F.R. § 2.12(e)(4).  The regulations protect the patient's entire medical record, not just information relating to alcohol or drug abuse.  See Commissioner of Soc. Servs. v. David R.S., N.Y. Supr., 436 N.E.2d 451 (1982); but see State v. Bright, Del. Super., 683 A.2d 1055 (1996) (The court expressed doubt that the defendant's threatening statements regarding his ex-wife would fall within the scope of communications Congress sought to protect by enacting the confidentiality statute.)  Thus, AIDS/HIV status information would be protected under the Public Health Service Act if it is part of the medical record maintained in connection with a substance abuse treatment program.

The medical records of alcohol and drug abuse patients may be disclosed with the written consent of the patient to whom the records pertain, under certain circumstances.  The implementing regulations specify the information that should be included in a consent form (42 C.F.R. § 2.31), including:

  • the specific name or general designation of the program or person permitted to make the disclosure;
  • the name of the person or organization to which disclosure is to be made;
  • the name of the patient;
  • the purpose of the disclosure;
  • how much and what kind of information is to be disclosed;
  • the signature of the patient or other person authorized to give consent; 
  • the date the consent is signed; and
  • a statement that the consent is subject to revocation and the conditions or date upon which the consent will expire.

A sample consent form is included in the regulations.  If state law requires parental consent for a minor to obtain drug or alcohol abuse treatment, any written consent for disclosure must be given by both the minor and the parent or guardian.  42 C.F.R. § 2.14.  (Delaware law provides that a minor 14 years of age or over may give written consent for voluntary, non-residential treatment of substance abuse.  The consent is valid and legally effective for all purposes.  16 Del. C. § 2210(b).)

Disclosure without consent is permitted under limited circumstances, including medical emergencies (42 C.F.R. § 2.51), and in connection with:  communications within a program or between a program and an entity having direct administrative control over that program (42 C.F.R. § 2.12(c)(3)); disclosures to a qualified service organization (42 C.F.R. § 2.12(c)(4)); crimes on program premises or against program personnel (42 C.F.R. § 2.12(c)(5)); reports of suspected child abuse and neglect (42 C.F.R. § 2.12(c)(6)); and certain research and audit/evaluation activities (42 C.F.R. §§ 2.52 and 2.53).  The records also may be disclosed for "good cause," such as "the need to avert a substantial risk of death or serious bodily harm," pursuant to a court order. 42 U.S.C. § 290dd-2(b)(2)(C); see also Doe v. Marsh, 899 F. Supp. 933, 935 (N.D.N.Y. 1995) (The plaintiff brought an action against the New York Education Department for emotional damages after the department allegedly published plaintiff's HIV status in a departmental publication.  The District Court upheld the Magistrate Judge's ordered disclosure of evidence relating to the plaintiff's confidential substance abuse treatment records, noting, "The concealment of evidence relating to a material issue of the case clearly supports a showing of good cause, particularly if the evidence is unavailable by another means.")

A violation of the Public Health Service Act's confidentiality protections concerning drug and alcohol abuse patients' records is punishable by a fine of not more than $500 for the first offense and not more than $5,000 for each subsequent offense.  42 C.F.R. § 2.4.  In addition, a report of any violation may be directed to the United States Attorney for the judicial district in which the violation occurred.  42 C.F.R. § 2.5.  Several courts have held that the Public Health Service Act and the implementing regulations thereunder do not provide for a civil cause of action for breach of the confidentiality provisions (see Logan v. District of Columbia, 447 F. Supp. 1328 (D.D.C. 1978); Chapa v. Adams, 168 F.3d 1036, 1038 (7th Cir. 1999)), but an injured party nonetheless could pursue relief under one of the liability theories discussed below.

C. Health Insurance Portability and Accountability Act

In addition to the Health Insurance Portability and Accountability Act's ("HIPAA") guarantee of continued availability of health insurance, regardless of medical condition, for those who already have health coverage through employment or otherwise, the Act imposes privacy requirements on every health plan, information clearinghouse, and health care provider who transmits protected health information electronically.  Such entities are required to maintain "reasonable and appropriate" safeguards to ensure the integrity and confidentiality of "individually identifiable health information."  "Individually identifiable health information" is any information that: identifies an individual or could reasonably be used to identify an individual; relates to the individual's medical history or status; and is created or received by a health plan, provider, employer or clearinghouse.

Penalties for breach of privacy under HIPAA are significant.  The Act provides that a person who wrongfully discloses individually identifiable health information to another person shall be subject to a fine up to $50,000 and/or imprisonment of up to 1 year.  If the disclosure is committed under false pretenses, the penalties are increased to a fine of up to $100,000 and/or imprisonment up to 5 years.  Moreover, "if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm," a fine of up to $250,000 and/or imprisonment up to 10 years may be imposed.  42 U.S.C. § 1320d-6.

HIPAA's privacy provisions do not preempt state confidentiality laws; indeed, the HIPAA regulations will preempt only more lenient state privacy laws.  Also, state laws imposing reporting requirements in connection with child abuse, disease, injury, public health investigations, etc. are not preempted.  42 U.S.C. § 1320d-7.

The following checklist may be useful in evaluating whether a particular state law is preempted by the HIPAA privacy regulations.[3]

1. Analogous HIPAA law

Is there a federal provision that addresses the same subject matter as the state law?  If yes, go to 2.  If no, stop, as the state law is not preempted.

2. Contrary

Is the state law either:  (a) impossible to comply with at the same time as the federal requirements, or (b) an obstacle to the HIPAA privacy standards?  If yes, go to 3.  If no, stop, as the state law is not preempted.

3. Carve-Out

Does the state law regulate:  (a) public health (reporting disease, injury, child abuse, birth, death, or conducting surveillance, investigation or intervention), or (b) health plan reporting (reporting or providing access to information for management or financial audits, program monitoring and evaluation, facility/individual licensure or certification)?  If yes, stop, as the state law is carved out from preemption.  If no, go to 4.

4. Necessary

Is the state law necessary:  (a) to prevent fraud and abuse; (b) to regulate insurance and health plans; (c) for state reporting on health care delivery or costs; or (d) for the purposes of serving a compelling need related to public health, safety, or welfare when the privacy intrusion is warranted when balanced against the need to be served?  If yes, the state law may qualify for an exception determination.  Follow the procedures for applying for an exception.  If no, go to 5.

5. Controlled Substances

Does the state law regulate controlled substances?  If yes, the state law may qualify for an exception determination.  Follow the procedures for applying for an exception.  If no, go to 6.

6. Relates to Health Privacy

Does the state law have the specific purpose or effect of protecting the privacy of health information in a direct, clear and substantial way?  If yes, if the state law also is more stringent, the state law may be excepted.  Go to 7.  If no, the state law has no other exception options and is preempted.

7. More stringent

Does the state law provide greater privacy protection for the individual?  If so, and if the state law also relates to health information privacy, the state law governs.  If no, the state law is preempted.


Delaware currently does not have a privacy statute directed to medical records generally.  However, Delaware has specific statutes that address the privacy of HIV testing information, information relating to sexually transmitted diseases, alcohol treatment records, and mental health treatment records.

A. Informed Consent and Confidentiality Regarding HIV-Related Tests

Pursuant to 16 Del. C. § 1201, et seq., no HIV-related tests may be performed on a person without that person's informed consent (or that of the individual's legal guardian).  (See § 1202(a))  Informed consent is defined under the statute and requires providers to give the test subject explanations of:  the test to be performed; the procedure to be followed; the nature of AIDS/HIV infection; and the behaviors known to pose risks for transmission of HIV infection.  (See § 1202(b)).

The statute permits testing to be performed without informed consent under certain limited conditions, including when testing is necessary for medical diagnostic purposes to provide emergency treatment and care; the testing is done for research purposes and the identity of the test subject is unknown; the testing is necessary to assure the medical acceptability of blood, a body part donated for a purpose specified under the Uniform Anatomical Gift Act, or semen provided for the purpose of artificial insemination; the testing is done to protect the health of a health care worker who may have been exposed to blood or bodily fluids of a patient in a manner known to transmit HIV infection; testing that is necessary to control transmission of HIV infection under certain designated conditions; and testing that is ordered by a court of competent jurisdiction.  (See § 1202(c)).

The statute also protects from disclosure to third parties information relating to HIV status, including test results.  (See § 1203) Section 1203 provides:  "No person may disclose or be compelled to disclose the identity of any person upon whom an HIV-related test is performed, or the results of such test in a manner which permits identification of the subject of the test, except to the following person:...."  The statutory exceptions are:

(1) the test subject or his or her legal guardian;

(2) a person who secures a legally effective release;

(3) an authorized agent or employee of a health facility or provider if the facility or provider itself is authorized to obtain the test results or if the agent or employee provides patient care and has a medical reason to know the patient's HIV status to provide care;

(4) health care providers when knowledge is required to provide appropriate emergency treatment;

(5) as part of an official report to the Division of Public Health;

(6) a health facility or provider which procures, processes, distributes or uses blood, body parts or semen;

(7) health facility staff committees or accreditation or oversight review organizations for program monitoring, program evaluation or service reviews;

(8) as such information relates to an investigation of alleged child abuse;

(9) as such information relates to the control of sexually transmitted diseases;

(10) a person who is granted access pursuant to a court order granted for compelling need that cannot be accommodated by other means; and

(11) as such information relates to notification of emergency medical care providers.

The statute specifies the procedure for obtaining a court order to compel HIV testing (§ 1202(c)(6)) or disclosure of HIV testing information (§ 1203(a)(10)).  Pleadings must substitute a pseudonym for the true name of the subject of the test, and the subject must be given notice and a reasonable opportunity to participate in the proceedings.  In addition, court proceedings are to be conducted in camera unless the test subject agrees to a hearing in open court, or the court determines that a public hearing is necessary to the public interest.  The court may order testing or disclosure of HIV status information only if the person seeking the order has demonstrated a compelling need for the test results which cannot be accommodated by some other means.  If an order compelling disclosure issues, appropriate safeguards against unauthorized disclosure of HIV-related test information must be included to protect against disclosure beyond the individual(s) specified in the order.

It also is noteworthy that the Delaware HIV confidentiality statute requires every licensed health care provider who renders primary prenatal care to advise every pregnant patient of the value of testing for HIV infection and request her consent to such testing.  If a patient tests positive for the virus, providers are required to counsel her concerning the dangers to her fetus and the advisability of obtaining appropriate treatment.  A pregnant woman is free to refuse to consent to be tested, and the provider is required to document the refusal in the patient's medical record.

The HIV test confidentiality statute expressly authorizes a private cause of action for improper disclosure of HIV status information.  A person who negligently violates a provision of the statute is subject to a penalty of the greater of $1,000 or actual damages.  Intentional or reckless violations are subject to a penalty of the greater of $5,000 or actual damages.  Reasonable attorneys' fees also may be awarded.  The Delaware Superior Court has jurisdiction over actions alleging a breach of the HIV confidentiality statute, and such actions must be commenced within three (3) years after the injured party becomes aware of the unauthorized disclosure.  See 16 Del. C. § 1205.  Compare 16 Del. C. § 711 (relating to confidentiality of sexually transmitted diseases including HIV).  To date, there are no reported court decisions relating to cases arising under the statute.

B. Sexually Transmitted Diseases

Pursuant to 16 Del. C. § 701, et seq., health care professionals are required to report the diagnosis of certain designated sexually transmitted diseases, including infection with AIDS and HIV, to the Division of Public Health.  The report must be made within one (1) day of the diagnosis (48 hours for HIV) and must include the subject's name, address, age, sex, race, the date of onset and the stage of the disease, and the nature of treatment provided.

All reports made under the sexually transmitted disease statute are confidential and may be released only as specified in Section 711 of the statute.  Under Section 711, information and records held by the Division of Public Health relating to known or suspected cases of sexually transmitted diseases, including HIV infection, may be disclosed only under the following circumstances:

(1) if release is for statistical purposes and the information is disclosed in a manner that does not identify the subject;

(2) if the subject consents to the release of the information;

(3) if release is necessary to the control of sexually transmitted diseases or is required in connection with a child abuse investigation;

(4) if release is required in connection with a medical emergency to protect the health of the subject; and

(5) if release is ordered by a court of competent jurisdiction.

(See § 711(1)-(5)). The procedure for obtaining a court order is similar to that followed under the HIV confidentiality statute discussed above.

C. HIV Testing for Insurance Act

The Delaware HIV Testing for Insurance Act, found at 18 Del. C. § 7401, et seq., provides that no insurer may require an applicant to submit to an HIV test unless it first:  (1) obtains the applicant's prior written informed consent; (2) informs the applicant of the purpose of the testing and the entities to which disclosure of the test results may be made; and (3) provides the applicant with written information regarding HIV and AIDS.

The Act requires insurers to maintain strict confidentiality regarding HIV test results. Only limited disclosures are permitted under the statute.  For example, with the applicant's written informed consent, the insurer may disclose the results to reinsurers and personnel involved in the underwriting process, provided disclosure is necessary to make underwriting or claims decisions regarding the application for insurance.  The statute prohibits release of HIV-related information to brokers and agents.

If an insurer declines to issue a policy to an applicant due to the results of HIV testing, the insurer is required to notify the applicant in writing that the decision was based on the applicant's medical examination, but the insurer shall not disclose the actual test results.  The insurer also must tell the applicant that the test results will be released to the physician designated by the applicant and that the applicant should consult with that physician.  If the applicant refuses to designate a physician, the insurer must report such fact to the Department of Health and Social Services, which will endeavor to contact the applicant and inform him/her of the test results.

D. Substance Abuse Treatment Act

This statute, found at 16 Del. C. § 2201, et seq., addresses the treatment of individuals who misuse substances such as alcohol, drugs or inhalants.  The statute provides in pertinent part: "Personal and medical records shall be treated confidentially and shall not be made public without the consent of the patient, except such records as are needed for a patient's transfer to another health care institution or as required by law or third party payment contract.  No personal or medical records shall be released to any person inside or outside the facility who has no demonstrable need for such records."  16 Del. C. § 2220(6).

E. Mental Health Treatment Records

Mental health records often contain extremely sensitive information regarding the patient, and perhaps others who are related to or who interact with the patient.  In addition, mental health records are unique because they reflect the provider's clinical observations and diagnoses, which could readily be misinterpreted by the patient or a third party.  It is not difficult to appreciate that improper disclosure of such records could be detrimental to the patient's treatment progress, and has the potential to adversely affect the patient's relationships, reputation, standing in the community, and employment.  Thus, in addition to the principles governing medical records generally, there are additional constraints and exceptions that apply to mental health records.

1. Mental Health Patients' Bill of Rights

Patients admitted to the Delaware Psychiatric Center or to any other hospital certified for treatment of the mentally ill are covered by the Delaware Mental Health Patients' Bill of Rights, 16 Del. C. § 5161.  With regard to medical records, the Bill of Rights provides:

No information reported to the Department and no clinical records maintained with respect to patients shall be public records.  Such information and records shall not be released to any person or agency outside of the Department except in conformity with existing law and as follows:

  • To patients, or if the patient is a minor, to a parent or legal guardian, except that access to specific records may be refused when a clinical determination is made and documented in the patient's individualized treatment plan that such access would be seriously detrimental to the patient's health or treatment progress.  In the latter case, such material may be made available to a licensed mental health professional selected by the patient, and that professional may, in the exercise of professional judgment, provide the patient with access to any or all parts of the denied material or otherwise disclose the information contained therein.  Whenever records are released in accordance with this paragraph, the recipient shall have the right to review the record with a mental health professional provided by the facility;
  • Pursuant to an order of a court of record;
  • To attorneys representing the patient;
  • To rights-protection agencies otherwise entitled to access under applicable federal or state law or implementing interagency agreement, including the Office of the Long-Term Care Ombudsman and designated programs under the federal Protection and Advocacy for Mentally Ill Individuals Act [42 U.S.C. § 10801 et seq.] and Developmental Disabilities Assistance and Bill of Rights Act [42 U.S.C. § 6000 et seq.], as amended;
  • With the consent of the patient, or, if the patient is a minor, with the consent of a parent or legal guardian;
  • To Departmental contractors to the extent necessary for professional consultation or services;
  • To the State Bureau of Investigation pursuant to subsection (14) of this section [regarding involuntary commitments] and 11 Del. C. § 8509 [relating to patients involuntarily committed in connection with criminal matters]; and
  • As otherwise required by law.

2. Delaware Rule of Evidence 503

Delaware recognizes a testimonial privilege relating to information disclosed in the context of the physician-patient and psychotherapist-patient relationships.  The privilege is set forth in Delaware Rule of Evidence 503, which provides, in pertinent part:

A patient has a privilege to refuse to disclose and to prevent any other person from disclosing confidential communications made for the purpose of diagnosis or treatment of his physical, mental or emotional condition, including alcohol or drug addiction, among himself, his physician or psychotherapist, and persons who are participating in the diagnosis or treatment under the direction of the physician or psychotherapist, including members of the patient's family.

The privilege is a right, held by the patient, to withhold from discovery or admission at trial information disclosed to a physician or psychotherapist with an expectation of confidentiality.  There are statutory exceptions to the privilege, however.  For example, no privilege attaches to: communications relevant to proceedings to hospitalize a patient for mental illness; communications made in the course of a court-ordered examination of the physical, mental or emotional state of a patient; communications relevant to an issue of the physical, mental or emotional condition of the patient in any proceeding in which he or she relies on the condition as an element of his or her claim or defense; or communications relevant to proceedings for the appointment of a guardian or in child abuse cases. In addition, the privilege is easily waived by the patient who places any aspect of his or her medical condition "in issue."


Certain of the confidentiality provisions discussed above provide remedies for wrongful disclosure of confidential medical information.  Confidentiality statutes should be reviewed carefully to determine whether they afford a private cause of action for unauthorized disclosure of information.  A person aggrieved by wrongful release of medical records may be able to pursue other forms of relief, however.  A few of the more common theories of liability are discussed below.

A. Invasion of Privacy

A party who discloses confidential medical information without proper patient consent can be sued for the tort of invasion of privacy, generally on the basis of one of the following four scenarios:

(1) unreasonable public disclosure of private facts;

(2) intrusion upon physical solitude or seclusion;

(3) wrongful appropriation of a person's name or likeness; or

(4) publicity that unreasonably places a person in a false light before the public.

The tort is limited to actions that would be highly offensive to the ordinary person.  It must be emphasized, however, that as discussed herein, the right to privacy of medical information is subject to certain exceptions, and an individual may escape liability for disclosure if he or she acted under the authority of patient consent, judicial compulsion, a duty to warn third parties of danger, or under color of law, such as pursuant to a statute that mandates disclosure of treatment of individuals for certain types of wounds or injuries (see 24 Del. C. § 1762), or sexually transmitted diseases (see 16 Del. C. § 702).

It also should be noted that an action may lie for breach of the constitutionally protected right to privacy, where a governmental entity has wrongfully disclosed confidential medical information.  See Whalen v. Roe, 429 U.S. 589 (1977); United States v. Westinghouse Elec. Corp., 638 F.2d 570, 577 (3d Cir. 1980) (The Third Circuit held that medical records are protected from disclosure by the constitutionally protected interest in avoiding disclosure of personal matters.  The Court noted, however, that the nondisclosure of confidential medical information is not absolute, and even sensitive material must be disclosed or produced upon a showing of proper governmental interest.)  Even the threat of disclosure can give rise to a constitutional tort for invasion of privacy.  See, e.g., Sterling v. Borough of Minersville, 232 F.3d 190, 196 (3rd Cir. 2000) (holding that a police officer's threat to disclose an arrestee's suspected homosexuality was sufficient to make out a violation of the arrestee's constitutionally protected privacy interest.)  State constitutions also may provide a right of privacy that would support a cause of action for wrongful disclosure of confidential medical information.

B. Breach of Confidential Relationship

The tort of breach of a confidential relationship consists of the unauthorized disclosure to a third party of confidential information that was obtained in the context of a confidential relationship.  Courts may consider such things as confidentiality restrictions in a professional licensing statute, a doctor-patient evidentiary privilege, and professional ethics requirements to establish the existence of a confidential relationship.

Establishing the existence of a confidential relationship is relatively easy, so breach of the relationship may be a claim of choice for individuals whose medical records have been disclosed without consent.  Nonetheless, as discussed above, liability may be avoided if the disclosure was protected.

In Crescenzo v. Crane, 796 A.2d 283 (N.J. Super. Ct. App. Div. 2002), a patient brought an action against a physician who produced her medical records without notice or authorization in response to a subpoena.  The physician-defendant had produced the plaintiff's medical records in response to a subpoena issued in connection with a child custody case.  The trial judge found that since the records were admissible in the child custody action, the plaintiff had no cause of action against the physician for breach of a confidential relationship.  The Superior Court reversed and remanded, however, holding that a physician may not disclose confidential information without a determination by the court that such disclosure is required.  The court further noted that a subpoena does not constitute a "determination" by the court that disclosure is mandated.  See also Runyon v. Smith, 749 A.2d 852 (N.J. 2000) (affirming the Superior Court's holding that a psychologist-patient privilege should be considered analogous to the lawyer-client privilege).

C. Breach of Contract

Courts have found an implied contract to maintain confidentiality between a medical provider and patient.  See, e.g., Hammond v. Aetna Cas. and Ins. Co., 243 F. Supp. 793 (N.D. Ohio 1965).  A claim for breach of implied contract, which is akin to a claim for breach of a confidential relationship, may be particularly viable in a jurisdiction, such as Delaware, that has a complex statutory scheme for the protection of particular health information, such as HIV or AIDS status.  Such statutory schemes underscore the expectation of confidentiality.  In addition, professional ethics rules may be deemed to constitute an implied contract between the patient and the provider to maintain the confidentiality of medical information.  A breach of implied contract claim may not be favored, however, as it is difficult to establish damages.

D. Other Possible Claims

Other possible theories of liability relating to wrongful disclosure of medical records include: defamation, medical malpractice, negligence, and intentional infliction of emotional distress.


The following Delaware and local federal court decisions are instructive with regard to medical record confidentiality issues:

A. Brzoska v. Olson, Del. Supr., 668 A.2d 1355 (1995)

In this case, the defendant was the administrator of the estate of Dr. Owens, a Wilmington dentist who died of AIDS in 1991.  Plaintiffs were former patients of the dentist, and they asserted several claims against the dentist's estate stemming from the dentist's treatment of the plaintiffs while he was obviously in the throes of AIDS-related illnesses.  Plaintiffs' complaint consisted of five counts, including negligence, recklessness, battery, fraudulent misrepresentation, and false pretenses.  The trial court dismissed all counts of the complaint on the theory that plaintiffs had no basis for a "fear of AIDS" claim, absent underlying physical injury/actual exposure to HIV.  Plaintiffs appealed the dismissal of the battery and fraudulent misrepresentation claims to the Delaware Supreme Court.

The Delaware Supreme Court affirmed the trial court's determination that a patient may not recover damages for treatment by a health care provider afflicted with AIDS, absent a showing of a resultant physical injury or exposure to the disease.  The Court noted that "the incidental touching of a patient by an HIV-infected dentist while performing ordinary, consented-to dental procedures is insufficient to sustain a battery claim in the absence of a channel for HIV infection."  Id. at 1363-64.  The Court reversed the dismissal of the fraudulent misrepresentation claim, however, in light of the evidence offered by plaintiffs that the dentist affirmatively misrepresented the state of his health in response to specific inquiries from some of the plaintiffs.  (Indeed, the dentist denied that he was suffering from AIDS when asked by certain of the plaintiffs.)  The case was remanded to the trial court for a determination as to which specific plaintiffs received false representations from the dentist, and whether any recoverable damages were sustained.  Significantly, the Court observed in a footnote that "[w]e do not suggest that a health care provider has an affirmative duty to respond to questions concerning his health, including his or her HIV status.  In the interests of the provider's privacy, he or she may decline to answer without being subject to liability for false representation.  But if a response is given to the patient, it must not be false."  Id. at 1367, n. 15.  But see Scoles v. Mercy Health Corp., 887 F. Supp. 765 (E.D. Pa. 1994) (A hospital system refused to permit an HIV positive surgeon to perform invasive procedures unless he specifically informed patients of his HIV status and obtained their informed consent to the procedure.  The United States District Court for the Eastern District of Pennsylvania upheld the hospital system's placement of an affirmative duty of disclosure on the surgeon.)

B. Doe v. Southeastern Pa. Transp. Auth., 72 F.3d 1133 (3d Cir. 1995)

In this case, a jury awarded a SEPTA employee $125,000 in compensatory damages for emotional distress he suffered as a result of a violation of his privacy rights by his employer.  The violation occurred when the employee's prescription records, which indicated that he was taking medicines associated with the treatment of AIDS, were disclosed to several SEPTA officials, including the Chief Administrative Officer and the Director of Benefits.  The disclosure was made in the context of an audit of the company's prescription drug plan for fraud, drug abuse, and excessive costs.

The Third Circuit Court of Appeals reversed the jury verdict in favor of the employee.  Citing United States v. Westinghouse Elec. Corp., 638 F.2d 570 (3d Cir. 1980), the Court noted that the employee had a legitimate privacy interest in his prescription records, as it is possible to determine a person's medical condition by looking at his or her prescription records.  The Court added, however, that a person's privacy interest in his or her medical information is not absolute. Rather, the interest may give way in the face of important competing interests.[4]  In this case, the employer's right to monitor the use and cost of its health insurance plan, in a manner that disclosed confidential medical information only for the purpose of monitoring the plan to those with a need to know, outweighed the employee's interest in keeping his prescription drug purchases confidential.  The Court observed: "Such minimal intrusion, although an impingement on privacy, is insufficient to constitute a constitutional violation."  The Court was particularly influenced by the manner in which access to the employee's prescription information was controlled by the employer.  Only a few individuals with direct responsibility for monitoring the employer's health plan received the information.  (The Court also noted that the plaintiff had voluntarily disclosed his health status to other SEPTA employees.)

C. Redden v. Meadow Wood Hosp., Del. Super., C.A. No. 94C-12-008 HDR, Ridgely, P.J. (Feb. 21, 1997)

During the course of the plaintiff's treatment with Meadow Wood Hospital, she told a counselor that she believed she had been raped by two individuals.  In the subsequent criminal proceeding, the two defendants subpoenaed the plaintiff's medical records.  The hospital's records custodian complied with the subpoena without obtaining the plaintiff's prior consent, and released a portion of the plaintiff's records pertaining to a statement that she made during a counseling session to the effect that she did not recall being raped.  Defendants subsequently negotiated favorable plea agreements.

The plaintiff sued the hospital claiming that it breached her right to confidentiality by disclosing the content of records relating to her psychiatric treatment, in response to a subpoena duces tecum, without first obtaining her consent.  In its motion for summary judgment, the hospital argued that it could not be held liable for responding to a subpoena.  Alternatively, the hospital asserted that the information that was disclosed would have been revealed at trial anyway, since the fact that the plaintiff did not recall being raped constituted substantial evidence of her mental condition, which affected her credibility as a vital prosecution witness.  The Court agreed with this latter argument and granted the hospital's motion for summary judgment.  The Court noted that the plaintiff had established a prima facie case for breach of confidentiality by establishing that she was owed a duty of confidentiality in light of the physician-patient relationship that existed.  However, there was no liability on the part of the hospital because the information that was disclosed inevitably would have been released, as the plaintiff's lack of memory about the alleged rape would have been probative of her ability to recollect the occurrence at trial.

Significantly, the Superior Court did not hold that the fact that a medical provider has been served with a subpoena obviates the need for the provider to obtain the consent of the individual whose records have been requested, prior to releasing the records in response to the subpoena.  The safest course would be for the provider to notify the individual and obtain his or her consent to release of the records.  In the absence of consent, the provider should proceed cautiously, particularly when very sensitive information is at issue.  A motion to quash or for protective order may be warranted to protect the provider against a charge of wrongful disclosure of confidential medical records.  See H. v. H., Del. Fam. Ct., C.A. No. CN98-9185, 1999 Del. Fam. Ct. LEXIS 50, Buckworth, J. (Jan. 27, 1999) ("Physicians are only obligated to release medical records if they have a signed release by the patient or an Order of the Court based upon good cause shown.  The mere fact that Husband's Counsel sent a subpoena to the doctor does not conform to either of these two requirements, especially when the doctor objects to releasing the information, which he did by phone call to the Court in this case.")


[1] Jennifer Gimler Brady is a partner with the Wilmington law firm of Potter Anderson & Corroon LLP, where she has practiced since 1990.
[2] Barry R. Furrow, et al., Health Law, 4-29 (1995) (citing American College of Hospital Administrators, Medical Confidentiality: Can it be Protected? 2-3 (1983)).
[3] From Hospital Law Manual, 2003 ed., Volume 3, Medical records/ HIPAA, p. 167-68.
[4] The Court reiterated the following factors to be weighed in considering whether a given disclosure constitutes an actionable invasion of privacy:  (1) the type of record requested; (2) the information it does or might contain; (3) the potential for harm in any subsequent nonconsensual disclosure; (4) the injury from disclosure to the relationship in which the record was generated; (5) the adequacy of safeguards to prevent unauthorized disclosure; (6) the degree of need for access; and (7) whether there is an express statutory mandate, articulated public policy, or other recognizable public interest favoring access.
