Return to the Data Council home page .Although they are more fragmented, more specific to data categories, and less uniform than those in some European countries, many protections are in place in the U.S. (96)
Codifying the precepts of Hippocrates for current guidance, the Code of Ethics of the predominant U.S. medical society, the American Medical Association, specifies in its Core Principle IV that physicians "shall safeguard patient confidences within the constraints of the law." The Code's Opinion 5.05 affirms that "the information disclosed to a physician during the course of the relationship between physician and patient is confidential to the greatest possible degree. ... The physician should not reveal confidential communications or information without the express consent of the patient, unless required to do so by law." Its Opinion 5.07 insists: "The utmost effort and care must be taken to protect the confidentiality of all medical records, including computerized records"; then it lays out a series of safeguards. (97)
This and similar codes of practice provide guidance, and they are important as standards to which doctors are held in ethics inquiries and in court and other formal judgments.
Under State medical certification and licensing laws, physicians are obliged to respect patients' privacy. But, contrary to widespread public belief, the physician–patient confidentiality privilege relates more to whether courts can force disclosure, than to whether physicians may reveal data to insurance companies or employers. Tort law provides partial reinforcement of obligations to confidentiality in healthcare relationships.
Weaker licensure laws cover nurses, speech therapists, psychologists, clinical laboratory personnel, and some other healthcare professionals. Nominally, under their licenses and their contracts with healthcare institutions, doctors and some other practitioners are responsible for the actions of persons working under their supervision. (But in actual practice, how firmly do they supervise?) These laws vary considerably.
Healthcare provider obligations to protect medical confidentiality are specified in the statutes and patient documents of such Federal healthcare programs as Medicare (for persons 65 years of age and over), Medicaid (administered by the States, with joint Federal/State funding, for low-income and other disadvantaged persons), the Veterans Administration (for military veterans), and the Indian Health Service (for Native Americans).
Similarly, the service contracts of private-sector healthcare plans routinely assure that patient records will be held confidentially, although they may also require, as a condition for coverage, patient–member authorization of "administrative" or "research" use of their data.
Respect for privacy is incorporated in a variety of human-subjects protections, such as the mandatory informed consent, Institutional Review Board supervision, and other requirements discussed in Chapter 4, most of which are Federal rules.
Some researchers and research settings are not covered. For example, an independent physician working in his own clinic may test an experimental clinical treatment; and although of course he is subject to a variety of licensure and other legal controls, and on the advice of his attorney he almost certainly will seek patients' informed consent, he is not required by Federal law to have his research supervised by an Institutional Review Board.
For defense against subpoenas, court orders, and other externally compelled disclosures of health-research data, the Public Health Service Act provides that special legal-confidentiality protection may be issued: (98)
The Secretary [of Health and Human Services] may authorize persons engaged in biomedical, clinical, or other research (including research on mental health, including research on the use and effect of alcohol and other psychoactive drugs) to protect the privacy of individuals who are the subject of such research by withholding from all persons not connected with the conduct of the research the names or other identifying characteristics of such individuals.
Persons so authorized to protect the privacy of such individuals may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify such individuals.
Currently protection of this kind is granted in the form of "Certificates of Confidentiality" which are issued, upon application, for particular projects. The research need not be Federally sponsored to qualify. Once a Certificate is granted, the researcher must apply it. This mechanism allows researchers to give firm prior assurance of confidentiality, with few possible exceptions (such as for tightly controlled Federal audits), to data-subjects. If they wish to, data-subjects themselves may authorize specified disclosures.
Incidentally, unless a Certificate of Confidentiality has been obtained before research begins, or some other legal protection obtains, research data may be vulnerable to legally compelled disclosure. This legal area deserves some public policy review generally, and it may be acquiring new dimensions now (for instance, with respect to secondary research in databases, in which data are transferred and "reside" far from their source).
The Privacy Act of 1974 covers personally identifiable data held by the Federal government, no matter what their source or subject, that are stored in "systems of records" from which data are retrieved by personal identifiers. Thus it covers regulatory data held by the Food and Drug Administration, statistical data held by the National Center for Health Statistics, public- health surveillance data held by the Centers for Disease Control, and the like. It requires that agencies announce in the Federal Register the purposes and uses of the system of records, and that notice be provided to the data-subjects. It provides that individuals must be allowed upon request to see information about themselves. And it prohibits disclosure of data without the consent of the data-subject, except in some special circumstances set out in the Act.
However, under the Privacy Act the Federal agencies are allowed wide discretion in making disclosures pursuant to their mandates. They may designate information as being eligible for "routine use" disclosure without the consent of the data-subjects if it is "for a purpose which is compatible with the purpose for which it was collected." "Routine uses" must be announced in theFederal Register, and the conditions on use are restrictive.
The Department of Health and Human Services provides for "routine use" disclosure of specified data sets for health research, imposing conditions on disclosure and use. (100)
The Privacy Act has been widely noted to have serious weaknesses, among them that: (101)
- It does not cover data held outside the Federal government.
- It covers only data about U.S. citizens and aliens permanently residing in the U.S., not data about citizens of other countries.
- Its "routine use" provision is lax.
- Few legal avenues are provided for citizens to seek injunctive or other relief if they believe their rights are being violated.
- Its protections do not continue after the death of the data-subject.
The Privacy Act does not negate the provisions of the Freedom of Information Act (the law that provides "transparency" in Federal records by allowing citizens access to them). (102) Exemption 6 of the Freedom of Information Act states that the Act does not apply to "personal and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." A few Freedom of Information demands for access to personally identifiable health data have succeeded, but for the most part health-research data have been defended. (103)
Adding specificity and strictness beyond the Privacy Act, the statutes governing many Federal agencies that conduct, support, or regulate health research set detailed privacy-protection requirements.(104) Generally these statutes' requirements extend to the agencies' grantees and contractors, and must be recognized in contractual arrangements with the agencies.
Special provisions of the Public Health Service Act apply to dedicated facilities that provide treatment for alcohol or drug abuse with Federal assistance. These set very strict rules on disclosure of data acquired in treatment, rehabilitation, training, and research. (105)
State laws, which have "just grown" independently over the years, vary greatly in the ways and extents to which they protect privacy of health information. Most recognize some form of patient–physician privilege (the patient right to defend against forced court disclosure of his record), but the scope of protection varies greatly. Most require that medical records be held closely, but allow a variety of disclosures for insurance and other "legitimate" purposes. All require, though not uniformly, that physicians and clinical laboratories notify public-health authorities of certain communicable diseases and some kinds of trauma (gunshot wounds, indications of child abuse...), and they may set constraints on disclosure of those data.
A recent analysis of State laws by Lawrence Gostin and colleagues found extreme variance in coverage of public-health data: (106)
Virtually all states reported some statutory protection for governmentally maintained health data for public health information in general (49 states), communicable diseases (42 states), and sexually transmitted diseases (43 states). State statutes permitted disclosure of data for statistical purposes (42 states), contact tracing (39 states), epidemiologic investigations (22 states), and subpoena or court order (14 states).
A number of States have statutes dealing with the confidentiality of personal data relating to specific diseases, such as cancer, HIV–AIDS, or mental-health problems. State legislative activity continues, with genetic data especially receiving attention.
Over the years State courts have rewarded penalties against unwarranted disclosure of health data on grounds of malpractice, breach of contract or implied contract with patients, invasion of privacy, and public embarrassment.
Having reviewed the above legal matters, in 1993 the U.S. Office of Technology Assessment summarized:(107)
This patchwork of State and Federal Laws addressing the question of privacy in personal medical data is inadequate to guide the health care industry with respect to obligations to protect the privacy of medical information in a computerized environment. It fails to confront the reality that, in a computerized system, information will regularly cross State lines, and will therefore be subject to inconsistent legal standards with respect to privacy. The law allows development of private sector businesses dealing in computer databases and data exchanges of patient information without regulation, statutory guidance, or recourse for persons who believe they have been wronged by abuse of data. These laws do not address the questions presented by new demands for data prompted by computerization, and the obligations of secondary users in accessing and maintaining data.
In August 1996 a Health Insurance Portability and Accountability Act was signed into law. (108) The Act set new requirements for private health insurance, established new ways for providing health insurance, and created a framework for standardizing transmission of information for financial and administrative transactions relating to health care.
The law's "Administrative Simplification subtitle (F)" establishes several requirements relevant for privacy and research. Standards for electronic financial and administrative transactions must be adopted by the Secretary of Health and Human Services (HHS), including providing for "a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system" (§1173(b)). Such an identifier number may prove very useful for keeping track of research subjects, linking data, and so on, but its confidentiality will have to be safeguarded carefully.
The law also requires that the Secretary develop security standards and safeguards (§1173(d)). Within twelve months of the law's enactment (i.e., by August 1997) she must submit "detailed recommendations" to the Congress "on standards with respect to the privacy of individually identifiable health information" (§ 264). Among other matters these recommend- ations must cover data-subjects' rights, procedures for assuring those rights, and rules on use and disclosure of the data. (109)
On all of these matters the Secretary is required to consult the National Committee on Vital and Health Statistics. In early 1997 the Committee held a series of public hearings and will duly advise the Secretary. (110)
Even though the privacy-protection standards to be established under this law apply mainly to administrative and financial transactions in health care, the data covered (such as the "Medicaid" data which are so important for understanding the health problems of low-income people) are the subject of much research. Moreover, the standards surely will set some example for future standards covering other aspects of health data.
Several Federal bills governing medical privacy, or fair health information practices, have been proposed in the past few years. The previous Congress considered a broad "Medical Records Confidentiality Act of 1996" (Senate Bill 1360, proposed by Senator Robert Bennett, Republican from Utah); a "Medical Privacy in the Age of New Technologies Act of 1996" (House of Representatives Bill 3482, by Congressman Jim McDermott, Democrat from Washington); and a "Fair Health Information Practices Act of 1997" (House of Representatives Bill 52, by Congressman Gary Condit, Democrat from California).
Each of these Bills has distinctive features, but generally they seek to establish uniform national rules on the collection and protection of personally identifiable health data, no matter where they are held; affirm rights of data-subjects; set criteria and procedures for disclosure, fair use, and security; focus responsibilities for ensuring proper protection and use; and establish penalties for wrongful use of data.
In addition, versions of a genetic confidentiality act are being proposed. A prominent one is the "Genetic Confidentiality and Nondiscrimination Act of 1996" (Senate Bill 1898, co-sponsored by Senators Pete Domenici, Republican from New Mexico, and James Jeffords, Republican from Vermont). (Genetic issues are discussed on pages 74–76).
The negotiations over these Bills in the current Congress are moving quickly, and this Report cannot comment on the legislative fray. But it must remark that a broad medical privacy law would foster nationwide uniformity of practices, provide guidance over private-sector data, and be relevant for "adequacy of protection" determinations regarding international transfers of data. Genetic data should be covered firmly by an omnibus medical privacy law, with special genetic provisions stipulated if necessary, but because genetic factors are so thoroughly integrated with other health factors, a separate law on genetic privacy is not desirable, nor would one be on any other particular health condition or disease.
| [Previous] | [Next] |
Return to the Data Council home page .
Last updated 7/23/97.