
Practice Pointer

Confidentiality in the digital age

BMJ 2014; 348 doi: (Published 09 May 2014) Cite this as: BMJ 2014;348:g2943
Bradley H Crotty, instructor in medicine (1), and Arash Mostaghimi, instructor in medicine and dermatology (2)

(1) Division of Clinical Informatics, Beth Israel Deaconess Medical Center and Harvard Medical School, Brookline MA 02446, USA
(2) Department of Dermatology, Brigham and Women’s Hospital and Harvard Medical School, Boston, MA, USA

Correspondence to: B H Crotty bcrotty{at}

Digital technology introduces new concerns for confidentiality and information security. Bradley H Crotty and Arash Mostaghimi outline the regulations governing confidentiality and medical privacy and provide practical advice on how to safeguard patient information

Confidentiality is a pillar of our profession. The patient-physician relationship is built on trust that enables patients to share intimate details. When deciding how to secure and transmit patient information, clinicians must apply professional judgment, informed by policies set forth by regulators and enumerated in local guidelines.1 Electronic communication of patient information can facilitate clinical care, while mobile technologies and cloud computing boost productivity. However, these technologic innovations introduce new concerns for confidentiality and information security.2

We review “practice pointers” for clinicians to help them safeguard patient information in the digital age. We will focus on the professional setting while highlighting best practices for personal technology use. Where applicable, we point out current regulatory mandates, highlight grey areas, and offer practical advice for clinicians.


Although the responsibility to keep patient information confidential may be rooted in professional ethics, governmental bodies regulate confidentiality and medical privacy in most countries. Laws such as the Data Protection Act in the United Kingdom,3 the Data Protection Directive in the European Union,4 and the Health Insurance Protection and Portability Act (HIPAA)5 in the United States stipulate stringent rules for data security.

Privacy regulations are constantly in flux. Regulators routinely update rules, as seen recently in the US with the 2013 HIPAA Omnibus Regulations.6 7 These new regulations stipulate that all entities involved with protected health information are subject to HIPAA regulations and must assume liability for breaches of protected health information. With every new change, physicians must review their business practices and agreements with vendors who have access to personal health information, making sure that …
