Ethics of Health Information Management

What are the underlying ethical issues affecting the HIM?

Ethical principles and values have been important to the HIM profession since its beginning in 1928. The first ethical pledge was presented in 1934 by Grace Whiting Myers, a visionary leader who recognized the importance of protecting information in medical records. The ethics of health information management are worth discussing in this forum.

The HIM profession was launched with recognition of the importance of privacy and the requirement of authorization for the release of health information: “I pledge myself to give out no information from any clinical record placed in my charge, or from any other source to any person whatsoever, except upon order from the chief executive officer of the institution which I may be serving.”

Today, it is the patient who authorizes the release of information and not the chief executive officer (CEO) of the healthcare organization, as was stated in the original pledge. The most important values embedded in this pledge are to protect patient privacy and confidential information and to recognize the importance of the HIM professional as a moral agent in protecting patient information (Rinehart-Thompson and Harman 2006).

The HIM professional has a clear ethical and professional obligation not to give any information to anyone unless the release has been authorized.


Protection of Privacy, Maintenance of Confidentiality, and Assurance of Data Security

The terms privacy, confidentiality, and security are often used interchangeably. However, there are some important distinctions, including:

  • Privacy is “the right of an individual to be let alone. It includes freedom from observation or intrusion into one’s private affairs and the right to maintain control over certain personal and health information”.
  • Confidentiality carries “the responsibility for limiting disclosure of private matters. It includes the responsibility to use, disclose, or release such information only with the knowledge and consent of the individual”. Confidential information may be written or verbal.
  • Security includes “physical and electronic protection of the integrity, availability, and confidentiality of computer-based information and the resources used to enter, store, process, and communicate it; the means to control access and protect information from accidental or intentional disclosure”.

The HIM professional’s responsibilities include ensuring that patient privacy and confidential information are protected and that data security measures are used to prevent unauthorized access to information. This responsibility includes ensuring that the release policies and procedures are accurate and up-to-date, that they are followed, and that all violations are reported to the proper authorities.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes national standards for the privacy and security of health information. This law deals with privacy, information standards, data integrity, confidentiality, and data security (Rinehart-Thompson and Harman 2006). Although HIPAA was passed in 1996, it took five years before the Privacy Rule became effective in April 2001, with an April 2003 compliance date. Congress passed the statute and the U.S. Department of Health and Human Services (HHS) developed the regulations contained within the Privacy Rule (HHS 2003).

The final HIPAA Security Rule regulations were published in the Federal Register in February 2003, and became effective in April 2005. This legislation, which includes administrative simplification standards and security and privacy standards, has had—and will continue to have—a major impact on the collection and dissemination of information for years to come. This legislation has an enforcement program, and HIM professionals serve an important role in assuring compliance.

Although privacy is a right protected by the U.S. Constitution, each state can enact its own legislation regarding access to patient information. Preemptive federal legislation was needed so that all patient information would be protected regardless of where a patient lived or received healthcare. Moreover, this legislation protects individuals from losing their health insurance when leaving or changing jobs by providing insurance continuity (portability) and increases the federal government’s authority over fraud and abuse in the healthcare arena (accountability). Part of the impetus for HIPAA was the development of the electronic health record (EHR).

As patient information was moved to the electronic medium, integrated systems across the continuum of care were developed and information was released and redisclosed to many people and agencies needing access to it. Thus, standardized federal legislation became an imperative. HIPAA was designed to guarantee that information transferred from one facility to the next would be protected. The National Committee on Vital and Health Statistics (NCVHS) supports a National Health Information Infrastructure (NHII) so that patient care information can be transferred and protected in our integrated healthcare systems. As a result, patients benefit from the continuity of care and can control their personal health information.

In an electronic environment, protecting privacy has become extremely difficult, and patients are becoming increasingly concerned about the loss of privacy and their inability to control the dissemination of information about them. As patients become more aware of the misuses of information, they may become reluctant to share information with their healthcare team. This may, in turn, result in problems with the healthcare that is provided and the information given to researchers, insurers, the government, and the many other stakeholders who legitimately need access to the information. Increasingly, patients are seeking anonymity and responding to issues related to the use and disclosure of health information for directory purposes; to family and close personal friends; for notification purposes such as disasters; and for other disclosures required by law such as public health, employer medical surveillance, and funeral directors.


Professional Code of Ethics

HIM professionals used the pledge as the basis for guiding ethical decision making until 1957, at which time the American Association of Medical Record Librarians’ (AAMRL) House of Delegates passed the first Code of Ethics for the Practice of Medical Record Science. The first code of ethics combined ethical principles with a set of professional values to help support the decisions that HIM professionals had to make at work. The original Code of Ethics has been revised several times since 1957—in 1978, 1988, 1998, and 2004. For more information on the ethics of health information management, see the reference below.


Adapted from

Kathleen M. La Tour and Shirley Eichenwald Maki. Health Information Management: Concepts, Principles, and Practices. AHIMA, 3rd Edition, 2010.