The principle of guaranteeing the confidentiality of a patient’s medical condition is common to physicians the world over. In France, and closely inspired by the original Hippocratic Oath, the historical guiding text for the honest practice of medicine, the medical profession is bound by a modern oath of professional conduct set out by its regulating body, the Ordre des médecins, which includes the stipulation that “Admitted into the intimacy of people, I will keep silent those secrets that are confided to me.”
This duty to refrain from disclosing a patient’s medical details beyond those directly involved in their care is also inscribed into French law.
However, it has now emerged that a large number of French hospitals are violating this rule by providing patients’ medical records to private companies hired to assist them in administrative management services.
The practice became known after Jean-Jacques Tanquerel a doctor from the principle public hospital in the town of Saint-Malo in Brittany, north-west France, revealed how the confidential medical records of 950 of the hospital’s patients had been consulted by a private healthcare management consultancy company.
The company, Altao, is one of several engaged by numerous hospitals and private clinics across France to help their own administrations with the verification, and eventual correction, of the coding of medical acts that are refundable by the French social security system.
Tanquerel was in charge of the Saint-Malo hospital’s ‘medical information department’, the département de l’information médicale, or DIM, a service common to all public hospitals and which are headed by a qualified doctor. The DIM is responsible for the referencing of medical acts according to a very specific classification of no less than 650 description codes set out by the social security administration. These provide the basis upon which it refunds a hospital for care provided.
Ensuring the correct coding of refundable treatment given to patients is vital for hospital finances which, because of the complexity of the system, are exposed to significant losses in the case of medical acts that are under-reimbursed by the social security services. Mistakes in coding are relatively frequent, adding significant pressure to already-stretched hospital budgets.
It is for that reason that an increasing number of hospitals engage the back-up services of Altao and similar consultancy companies. The private consultancy companies offer sophisticated software and expert skills, including those of former healthcare professionals. They are paid between 5% and 6% of the sums they recoup by identifying cases of miss-coding, and have every interest in gaining access to a maximum amount of information about patients’ cases.
Private auditing of the coding of medical acts is perfectly legal in as far as the data consulted is of an anonymous nature that concerns the description of the medical acts performed per patient, but without giving the patient’s identity. The private consultants operate under the authorisation of the French national commission responsible for upholding personal data protection rights, the CNIL.
But Jean-Jacques Tanquerel discovered that, in the case of his own hospital in Saint-Malo, the auditors were in fact given access to named patients’ medical files. These involved the reports written by doctors and nurses of 950 patients cared for by the hospital between 2010 and 2012.
Upon his appointment last year, the newly-arrived general manager of Saint-Malo hospital, Jean Schmid, announced he was planning to engage the services of Altao to help with the auditing of the coding system after he had hired the company for similar services at a hospital he had previously been in charge of.
For Tanquerel, who had headed the DIM in the Saint-Malo hospital from 2004 and who also taught at the EHESP School of Public Health (L'École des hautes études en santé publique), a higher education institute that trains healthcare managers in France and from abroad, nothing justified the violation of medical secrecy.
“The DIM’s head doctor is the guarantor of medical confidentiality,” he explained. “He is the only doctor in the hospital who has access to all the medical files. If I had allowed this company to consult them, I would have been guilty of a crime.” Tanquerel decided to expose the scandal.
Alerted to the problem, the body that regulates the French medical profession, the Conseil National de l’Ordre des médecins (equivalent to the General Medical Council in Britain), took the matter up with the CNIL in April this year. After a lengthy procedure, the data protection rights commission issued a formal reprimand to the Saint-Malo hospital on October 7th for its “disrespect of data confidentiality”. The health ministry said it was “very seriously” following the affair.
Altao, a consultancy company specialized in the analysis and treatment of information in healthcare administration, provides its services to about 50 hospitals around France, as well as also to the pharmaceutical industry and medical associations. Among its activities is the verification and correction of hospital’s coding of medical acts. “Our statisticians consult hospitals’ anonymised [sic] data bases in order to identify potentially atypical patient stays,” explained Yannick Berton, the company’s managing director.
These are notably cases where a patient has remained in hospital over a long period for care that is eligible for only low-level refunding. But it was in order to better define cases, and therefore valorize the refundable care provided, that Altao also gained access to confidential written reports by doctors and nurses detailing the conditions and care of identified patients.
While Berton insisted this was a “necessary” procedure, it clearly runs contrary to the deontology of the medical profession and the regulations of public healthcare as underlined by a statement issued by the Ordre des médecins earlier this month on its website. The regulating body, referring to its advice given earlier this year to the CNIL, said “personal information regarding patients’ health are covered by professional confidentiality and cannot be transmitted to a third party [which is] unauthorized by existing legislation as of the moment that they might allow for the identification of a patient.”
"The doctors [in charge] of the medical information departments [DIMs] of healthcare establishments are the guarantors of the respect of these rules,” the statement added.
The controversy indirectly highlights the current financial crisis in which many French hospitals find themselves. The hospital in Saint-Malo has been operating at a loss for several years. “The contract for a return to financial equilibrium endured by this hospital has been very painful,” said Schmid. “When the personnel discovers that these difficulties are to do not with over-staffing but with undervalued coding, it’s difficult.”
Following the CNIL’s reprimand issued on October 7th, the hospital in Saint-Malo reacted immediately, pledging that Altao would no longer have direct access to patients’ individual medical records. Information from these could only be sought via the doctor in charge of the DIM, as stipulated by law, and the hospital promised to implement increased security to guarantee their confidentiality. On October 17th, the CNIL announced the matter was closed.
Schmid described the CNIL’s move as a “severe” reaction. According to him, between 70% and 80% of French public and private hospitals provide patients’ confidential medical records to private consultancy companies. Indeed, in its initial statement issued on October 7th, the CNIL announced it was checking the conduct of other hospitals and had alerted French health minister Marisol Touraine to the potential danger of widespread abuse of the confidentiality of medical records.