1. The right to privacy is personal and fundamental.
2. Medical information maintained by clinicians and students is privileged and should remain confidential.
3. Patients should have a right of access to their medical records and be allowed to provide identifiable additional comments or corrections. The right of access is not absolute. For example, in rare cases where full and direct disclosure to the patient might harm the patient's mental and/or physical well-being, access may be extended to the patient's designated representative, preferably a physician.
4. The privacy of adolescent minors should be respected. Parents or legal guardians should not, in some circumstances, have unrestricted access to the adolescent’s medical records. Confidentiality must be maintained particularly in areas where the adolescent has the legal right to give consent.
5. Medical information may have legitimate purposes outside of the physician/patient relationship, such as billing, quality improvement, quality assurance, population-based care, patient safety, etc. However, patients and physicians must authorize release of any personally identifiable information to other parties. Third-party payer and self-insured employer policies and contracts should explicitly describe the patient information that may be released, the purpose of the information release, the party who will receive the information, and the time period limit for release. Policies and contracts should further prohibit secondary information release without specific patient and physician authorization.
6. Any disclosure of medical record information should be limited to information necessary to accomplish the purpose for which disclosure is made. Physicians should be particularly careful to release only necessary and pertinent information when potentially inappropriate requests are received. Sensitive or privileged information may be excluded at the option of the clinicians unless the patient provides specific authorization for release. Duplication of the medical record by mechanical, digital, or other methods should not be allowed without the specific approval of the clinician, taking into consideration applicable law.
7. Disclosure may be made for use in conducting legal medical records audits provided that stringent safeguards to prevent release of individually identifiable information are maintained.
8. Policy exceptions which permit medical records release within applicable law.
9. Electronic health information communication systems must be equipped with appropriate safeguards (e.g., encryption, message authentication, user verification, etc.) to protect clinician, student and patient privacy and confidentiality. Individuals with access to electronic systems should be subject to clear, explicit, mandatory policies and procedures regarding the entry, management, storage, transmission and distribution of patient and physician information.