B. Why Federal Legislation is Needed
C. Recommendation for Establishing Federal Privacy Standards
E. Boundaries -- Recommended Scope of A Federal Privacy Law
J. How Federal Privacy Legislation Should Relate to Other Laws
K. Particular Classes of Information
C. Patient Awareness and Control
D. Disclosures Authorized by the Patient
F. Specialized Classes of Persons and Entities
Every day, our private health care information is being collected, shared, analyzed and stored with few legal safeguards. There was a time when our health care privacy was protected by our family doctors -- who kept hand-written records about us sealed away in big file cabinets. Today, revolutions in our health care delivery system mean that we have to place our trust in entire networks of insurers and health care professionals. The computer revolution means that our family secrets travel quickly from doctors to hospitals to insurance companies -- and cannot be protected by simply locking up the office doors each night. And, revolutions in biology mean that a whole new world of genetic tests have the potential to help either prevent disease or reveal our most personal secrets.
Right now, the way we currently protect the privacy of our medical records is erratic at best -- dangerous at worst. It is time for our nation to enact federal legislation to protect the age-old right to privacy in this new world of progress. This report recommends that Congress enact national standards that provide fundamental privacy rights for patients and define responsibilities for those who serve them. Specifically, a federal privacy law should:
We are at a decision point. Depending on what we do, revolutions in health care, biotechnology, and communications can hold great promise or great peril. We must ask ourselves: Will we harness these revolutions to improve, not impede, health care? Will we strengthen, not strain, the very lifeblood of our health care system -- the bond of trust between a patient and a doctor. When all is said and done, will our health care records be used to heal us or reveal us?
Without safeguards to assure that obtaining health care will not endanger our privacy, public distrust could turn back the clock on progress in our entire health care system. Instead, we must keep our eye on the future, and act today.
The American people expect, and are entitled to, confidential, fair, and respectful treatment of health information about themselves. This report recommends that the Congress enact legislation requiring that treatment.
The need for such legislation is found in the rapid changes in the ways that health care is provided, documented, and paid for in the United States. These changes pose a challenge to American values that are both complementary and competing.
On the one hand, patients have a legitimate need for assurance of the confidentiality that permits them to be frank with their physicians about their health conditions and behavior. That assurance is fundamental to effective diagnosis, treatment and healing, and to the privacy that we in the United States cherish as essential to personal freedom and well-being.
On the other hand, participants in the health care system -- insurers, governments at all levels, managed care organizations -- have legitimate needs for access to health records in performing their roles in the system. Furthermore, those pursuing broad social purposes -- medical researchers, public health workers, governmental policy makers seeking to contain health care costs -- rely on the availability of data arising from these private transactions. Local public health agencies use health records to identify outbreaks of infectious disease, and to trace the source of infections like the recent e. coli infections. Researchers have used health records to help us fight childhood leukemia and uncover the link between DES and reproductive cancers.
Until comparatively recently, any tension between these needs for confidentiality and access was resolved directly between patients and their physicians. They conducted an essentially one-on- one relationship, in examination, treatment and payment, and, with some exceptions, could limit access to information about the patient. The paper records once kept under the control of physicians are giving way to computerized information which is increasingly stored far from its source -- the patient and the physician -- in forms and even locations of which they may have only imperfect understanding. Even physicians may be frustrated in their traditional role as patient advocates by the complexity of the systems that process their patients' information.
Moreover, patients may have little if any contact with some of the doctors and payers involved in their care. The result has been a weakening of the traditional, if often informal, controls that patients and physicians previously exercised to protect patient information.
The President spoke to the importance of these concerns in his commencement address at Morgan State University on May 18, 1997. He said that "technology should not be used to break down the wall of privacy and autonomy free citizens are guaranteed in a free society". He acknowledged the special concerns surrounding health records in his call for enhanced protections for privacy in the face of new technological reality, when we are facing "the frightening prospect that private information -- even medical records -- could be made instantly available to the world."
Our Nation's participation in the Global Information Infrastructure (GII) has sharpened the issues, and our plans for that participation include attention to privacy protection. The statement of the President and Vice-President, A Framework for Global Electronic Commerce reflects this concern and commitment:
Americans treasure privacy, linking it to our concept of personal freedom and well-being. Unfortunately, the GII's great promise -- that it facilitates the collection, re-use, and instantaneous transmission of information -- can, if not managed carefully, diminish personal privacy. It is essential, therefore, to assure personal privacy in the networked environment if people are to feel comfortable doing business.
The concern about confidentiality of health information appears against a backdrop of more general concern about privacy, well expressed by Alan Greenspan, the Chairman of the Federal Reserve Board:
The fears of invasion of privacy, as a consequence of inexorable forces seemingly out of the control of the average American, has risen to a major public policy issue. (Speech, Conference, "Privacy in the Information Age", Salt Lake City, Utah, March 7, 1997)
These concerns are not confined to the United States. The European Union (EU) has addressed the issue, and the EU data protection directive requires member States to "protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to processing of personal data".(1)
The existing legal structure does not effectively control information about individuals' health. Federal legislation, establishing a basic national standard of confidentiality, is necessary to provide rights for patients and define responsibilities for record keepers. Today, patients often sign blanket authorizations allowing use of their medical information in order to obtain treatment or payment for care. These authorizations may not really protect us, in part because they do not provide useful information about how our health records will be used, who will see them, or how we can get access to them. Such authorizations are not always voluntary -- if we do not sign the blanket authorization, we may sacrifice the ability to receive care or insurance benefits. In addition, as the health care system becomes more integrated and more computerized, it is becoming difficult to determine the appropriate person or place where our health information can be accessed or controlled.
For these reasons, we are recommending that Congress replace the ineffective use of authorizations with a system of Federal legislative controls on the use of health information collected by health care payers and providers. As described below, Federal legislation should authorize sharing information for health care treatment and payment, and prohibit use of that information for most other purposes. Such legislation should also provide consumers with specific rights to know how their information will be used, to get access to that information, to request correction of errors, and to know who has seen their medical information.
Before turning to the details of our recommendations, however, it is important to describe the current situation, and the general consensus that Federal action is needed.
Current Protections are Inadequate. Today the legal control of health information is, in general, a matter of State law. Limited Federal law covers specialized classes of information such as information about substance-abuse patients and information gathered in some Federally funded programs. The Privacy Act of 1974 provides some procedures and protections for records, including health records, held by Federal agencies.
All States have legal controls on the use and disclosure of health information, including a few comprehensive acts similar in broad outline to the Federal legislation we recommend here. Two States have enacted the Uniform Health-Care Information Act recommended by the National Conference of Commissioners on Uniform State Laws in 1985.(2) Many State laws protect special classes of health information, about HIV infection and AIDS patients and about mental health patients, for example. Some State case law imposes confidentiality duties.
These State laws vary greatly in scope and strength, and the situation has been described as "a morass of erratic law, both statutory and judicial, defining the confidentiality of health informa tion."(3)
The Health Care Information System Is Increasingly Interstate. The health care system, particularly its information component, is very much an interstate activity, and will continue to develop in that direction. Computerization and telecommunications render the concept of "location" of information nearly meaningless. Patients receive care in more than one State, infor mation about them is moved electronically across State borders to obtain payment (often through and to places remote from the patient and the provider), and providers operate across many States. In its administrative simplification requirements, the Health Insurance Portability and Accountability Act of 1996 calls for uniform standards for electronic transactions in health administration precisely because separate standards developed at other than the national level are not workable.
There is continuing movement toward a computer-based patient medical record, with national standards for content and format, and the possibility of ready interstate transmission as needed for patient care. A major impetus toward adopting this type of record was a report of the Institute of Medicine in 1991 that recommended adoption of the computer-based patient record as the standard for all patient care records.(4)
Likewise, increasing use of telemedicine means that patient information will often cross State lines, sometimes in real-time delivery of care. This promising development is an important facet of the National Information Infrastructure because of its potential to provide greater access to quality health care for all Americans, especially those living in rural and remote areas.
The Problems Are Urgent. The need for Federal protection is not theoretical; it is real and it is urgent. In a major American city, a local newspaper published medical record information about a Congressional candidate's attempted suicide. But it is not just public figures such as the Congressional candidate or Arthur Ashe (whose HIV status was published in a newspaper without his permission) who are at risk:
Inappropriate disclosure of personal medical information is not the only problem we are facing. Errors in health information, errors that can have profound financial effects, are often too difficult to correct. Such inappropriate handling of medical information can and should be prevented.
Calls for Federal Legislation. Numerous analyses over several years by government, industry, and professional groups have identified serious gaps in protections for health information, especially in the unregulated exchange of data, and have recommended Federal legislation to close them. There also has been significant Congressional action toward this goal, including several comprehensive health privacy bills introduced by Senators Bennett and Leahy, Representative McDermott, and Representative Condit. The fact that Congress, in the Health Insurance Portability and Accountability Act, mandated that the Department of Health and Human Services produce these recommendations is further evidence that the Congress understands that the time has come for action.
We thus conclude that Federal legislation, establishing a basic national standard of confidentiality, is necessary to provide rights for patients and define responsibilities for record keepers. Such legislation should provide clear guidance and significant incentives for the confidential, fair, and respectful treatment of personal information that the public expects. It should encourage administrative, technological, and management choices in design of health information systems to these ends. And it should provide redress to those adversely affected by misuse of information.
We are aware that our recommendations come at a time of continuing, rapid change in the health care system and its information components. The standards for administrative simplification that the Department will soon publish, under the Health Insurance Portability and Accountability Act of 1996, will in themselves lead to new developments in the transfer and use of information. In addition, the boundaries between health information and other information are blurring. Marketing uses of health information and health uses of marketing information may ultimately make this activity a subject for legislation. New technologies and new uses, unthought of before now, will present new issues and new concerns. These possibilities may well warrant legislative attention in the future, and bear careful watching.
Aware of these contingencies, and of the need they may present for further legislative attention, we nevertheless recommend that the Congress enact legislation now, based on what we know now. Today, we should move forward with legislation that protects the heart of the health care system -- those who provide and pay for health care, and those who get information from them. Delay will leave the public unprotected as more information flows to more places.
Our recommendations are founded on five key principles:
Boundaries. An individual's health care information should be used for health purposes and only those purposes, subject to a few carefully defined exceptions. It should be easy to use information for those defined purposes, and very difficult to use it for other purposes. Federal health record confidentiality legislation should impose a legal duty of confidentiality on those who provide and pay for health care, and on other entities that receive health information from them.
Security. Organizations to which we entrust health information ought to protect it against deliberate or inadvertent misuse or disclosure. Federal law should require such security measures.
Consumer Control. Patients should be able to see what is in their records, get a copy, correct errors, and find out who else has seen them. Our recommendations significantly strengthen the ability of consumers to understand and control what happens to their health care information.
Accountability. Those who misuse personal health information should be punished, and those who are harmed by its misuse should have legal recourse. Federal law should provide new sanctions and new avenues for redress for consumers whose privacy rights have been violated.
Public Responsibility. Individuals' claims to privacy must be balanced by their public responsibility to contribute to the common good, through use of their information for important, socially useful purposes, with the understanding that their information will be used with respect and care and will be legally protected. Federal law should identify those limited arenas in which our public responsibilities warrant authorization of access to our medical information, and should sharply limit the uses and disclosure of information in those contexts.
Federal privacy legislation should not require any disclosure of information, except to patients who ask to see their own records. The recommended allowable disclosures are just that -- allowable. Thus, for disclosures that are not compelled by other law, providers and payers should be free to disclose or not, according to their own policies and ethical principles. We offer these recommendations as a basic set of legal controls. But ethics and professional practice will in many cases dictate more guarded disclosure policies.
Similarly, where our recommendations would permit disclosure, they are not intended to create any new legal basis for refusing to disclose if such disclosure is required by other law.
Finally, our recommended standards are not intended to preempt or supersede other laws -- State or Federal -- that are more protective of individual privacy.
The effect of implementing our recommendations would be that some current uses of informa tion could not continue without patient authorization. Some organizations that get information with ease now may not be able to get information without patient authorization, or without meeting new requirements. We have designed the requirements to serve patients.
These recommendations must steer a course between two extreme convictions: that privacy is already so compromised that attempts to control health information are futile, and that privacy is so weighty a value that we must reverse our efforts to use information effectively. Legislation must, therefore, strike a balance that permits socially important uses of information while protecting the privacy of people who seek care and healing. We believe our recommendations find that balance.
The remainder of this Introduction is a summary of the scope and content of what we believe a Federal health information privacy law should provide. A more detailed description of our specific recommendations for the rights of patients and the obligations of those who hold health information follows. Our recommendations are framed as expressions of basic policy for the major choices in designing such legislation. We appreciate the difficult choices and complex accommodations required to make Federal health privacy legislation a reality. We look forward to working closely with the Congress in developing such legislation.
There are four situations in which health information is collected, disclosed, or used, and that we recommend be addressed by Federal health privacy legislation:
Provision of and Payment for Health Care. A Federal health privacy law should focus on health care payers and providers and the information they create and receive for the provision and payment of health care, and on those who receive information from those payers and providers. Providers and payers are the foundation of the health care system, and the primary creators and collectors of health information. The provisions of a Federal privacy law generally should apply to information about a patient collected in the provision of health care services or in the payment for health care services.
A Federal privacy law should apply uniformly, regardless of the setting in which health care is provided. A person seeking treatment should be able to discuss his or her medical condition freely, with confidence that the information will be protected, whether treatment is sought from a private physician or hospital, a company doctor, or a community health center. Similarly, the law should apply uniformly to all such information, whether the information is oral or written, on paper or in a computer.
A Federal health privacy law should limit the ways providers and payers can use identifiable health information. However, it need not cover information that individuals voluntarily provide about themselves directly to parties other than providers or payers, such as retailers or marketers.
Health care research that includes the delivery of health care should be included in Federal privacy protections. Information obtained in this context should be protected by a Federal privacy law. Research that does not involve care, but which is based on medical records obtained from providers and payers, should also be protected, since the information is obtained directly from the health care system.
Employers that render on-site health care for their employees, or provide health benefits through a self-funded health plan, are acting as providers and payers, and in this context should be covered by a health privacy law. They should be able to collect and use identifiable health information for health care and directly related purposes, but should not use the information they collect a providers and payers for other purposes, such as hiring and firing, placement and promotions.
Health information often is obtained from individuals for purposes other than the provision of or payment for health care, and we recommend that these situations be addressed by other legisla tion. Thus, these recommendations do not extend to the results of a fitness-for-duty examination. Nor do our recommendations address the need for protection of genetic information in Federal and State DNA banks and DNA data banks for casualty identification or criminal investigation, or of information generated in workplace drug-testing programs. Some existing uses of health information should not be affected at all, such as reporting of birth and death and reporting of abuse such as child abuse. The confidentiality risks of these collections of information should be (and often are) addressed by legislation specific to them.
We recognize that distinctions among the various holders of health information are not always clear. We are particularly concerned about automobile and similar types of insurance that include a health coverage component. While these insurers may not be labeled "health insurers," as a practical matter they obtain the same information in the same ways, and serve the same functions, as health insurers. Similarly, there may be some grey areas regarding when an employer is functioning as a provider (and thus covered by a Federal privacy law) and when not. These are areas that would benefit from public debate and additional fact-finding. We continue to review specific instances, and may ultimately find that some information not now recommended for protection can and should be included in a Federal privacy law.
Similarly, we recognize that the collection, development, and use of information about health matters by entities other than providers and payers can present serious privacy hazards. It may well be appropriate to impose confidentiality restrictions in those contexts. While we now recommend a Federal health privacy law limited to health information held by providers and payers (and those receiving such information from them), we also believe that the Administration and Congress must continue to examine the hazards to privacy when health information is held in other settings, and consider ways of controlling those hazards.
Service Organizations. Providers and payers do not act alone. They engage other organizations to assist in processing health information. These "service organizations" may be claims processors, pharmacy benefits managers that provide information to pharmacists about coverage and drug interactions, or similar organizations that process information to help make the health care system work better. These organizations should be bound by the same restrictions that apply to the providers and payers from which they obtain the health information. Service organizations have access to patients' health information as an integral part of the provision of and payment for heath care, and should be bound by a Federal health privacy law.
Limited Disclosures for National Priorities. Federal health privacy legislation should also allow certain uses of identifiable health information needed to support national priority activities. In exchange for this access to information, legislation also should place strict boundaries around the use and redisclosure of that information to ensure that it is used for the identified priority purpose only. The major national priorities which we recommend for this treatment are public health, oversight of the health care system, research, and law enforcement. For these activities, it is not always possible to obtain permission and, in many cases, doing so would create significant obstacles in our efforts to fight crime, protect public health, or understand disease.
However, along with access should come the duty to use that information only subject to legislative restrictions on how the information may be used and disclosed, tailored to the particular situations.
Disclosure with Authorization. Sometimes a patient will authorize a provider or payer to disclose information to a third person not directly subject to the Federal health confidentiality legislation that we recommend. In these cases, the patient should be able to enforce an agreement with that third person about how the information will be used. Federal law should impose an enforceable obligation on the recipient to use the information only in accord with the agreement made with the patient at the time of the authorization.
For example, if a potential employer requires health information as part of a background check for security purposes, the applicant can authorize his or her health care providers to disclose the information. But the employer's use of the information should be governed by the employer's statement of how it will use the information, and that agreement should be enforceable.
We recommend that a Federal health privacy law impose new restrictions on health care payers and providers who create and receive health information, and on those who receive information from those payers and providers. Specifically:
The attached recommendations provide the details for how such restrictions might operate. Many of these recommended rules would simply codify sound professional practices. For example, a provider should be able to use identifiable health information for mailing reminders to patients to schedule appointments. It should not be able -- absent patient consent -- to make available its patient list to a health company for use in a direct mailing announcing a new product or service (even if that product or service might benefit the patient). Providers and payers should be limited in their internal use of information, so that, for example, employers who obtain health information through their operation of self-insured health plans (i.e. as payers) should be prohibited from using that information for personnel decisions.
Americans should know what rules protect their health records, how those records will be used and shared, how they can obtain their records and, if necessary, how they can correct errors in their records. We recommend that Federal law provide consumers with significant new rights to be informed about how their health information will be used and who has seen that information. Specifically:
Our intent is to incorporate basic fair information practices into the health care setting. The attached recommendations provide details for how to make these consumer controls real.
The requirement to safeguard information must be supported by real and severe penalties for violations. Federal legislation should include punishment for those who misuse personal health information and redress for people who are harmed by its misuse. Specifically:
Only if we put the force of law behind our rhetoric can we expect people to have confidence that their health information is protected, and ensure that those holding health information will take their responsibilities seriously.
A Federal health privacy law should permit limited disclosures of health information without patient consent for specifically identified national priority activities. We have carefully examined the many uses that the health professions, related industries, and the government make of health information, and we are aware of the concerns of privacy and consumer advocates about these uses. The allowable disclosures and corresponding restrictions we recommend reflect a balancing of privacy and other social values.
Specifically, in addition to disclosure for health care and payment purposes discussed above, we recommend that Federal legislation authorize disclosure of health information without explicit patient consent for four national priority activities. Recipients of information under such a legislative authorization should also be bound by restrictions on use and further disclosure of the information, tailored to their particular circumstances.
Oversight of the Health Care System (including audit, investigation, quality assurance, and licensure). Combating fraud, abuse, and waste in health care and related payment programs is a major national priority. In addition, we have both legal and ethical duties to improve the quality of health care and records review is essential to this important task. We recommend that the legislation not add additional restrictions to access to health information for these purposes. No new judicial or administrative procedure should be required before oversight agencies can see health records, or use them against patients, providers, and others for wrongdoing in health or related programs. At the same time, existing legal constraints that govern access to or use of such information by oversight organizations should remain in place. We are also recommending criminal penalties for obtaining health information under false pretenses.
For Public Health, and in Emergencies Affecting Life or Safety. The importance of public health and emergency medical activities to our health and safety cannot be overstated. Health information is necessary for tracing the source of rapidly spreading infectious diseases, finding links between diseases and their causes, and rendering appropriate medical care to victims in emergencies. We recommend that there be no new procedural burdens in the way of these priority, often urgent, activities. At the same time, public health workers should be prohibited from redisclosing that information for any other purpose.
For Health Research. Research is essential to our health care. Federal law should permit use of information for research without consent under carefully-defined circumstances, and should also include safeguards, including restrictions on redisclosure, to ensure that individual subjects are not harmed. Federal requirements should include a determination by an institutional review board that the research does not involve more than minimal risk, that the absence of consent will not harm the participants, and that the research would be impracticable if consent were required.
We also propose accommodating the special needs of clinical trials. Generally, patients should have access to their own records. For clinical trials, however, we recommend a limited exception to permit agreements that research subjects typically make, such as to forego access to their trial- related records for the duration of their participation in the trial, as long as they are consistent with Federal rules for the protection of research subjects.
Pursuant to Other Laws or Court Orders, such as: to Law Enforcement Authorities, to State Health Data Systems, and in Court Proceedings. Law enforcement agencies need access to health information for many purposes. We recommend that this Federal health privacy law not alter current practices; that is, it should neither expand nor contract current laws governing disclosure of health information to law enforcement authorities. In many instances, law enforcement authorities today can obtain, share, and use health information without patient consent and without legal process. We are not recommending changes to these practices. Similarly, existing legal constraints on law enforcement access to and use of medical information should remain in place.
We recognize that new issues are raised by the search capabilities of computerized records, and that there are arguments in favor of new restrictions to address these possibilities. However, until more experience is gained with the uses of computerization of these records, and the types and frequency of requested searches, it is premature to change existing law in this area.
Any Federal legislation controlling health information must be understood in the context of other State and Federal laws that also address, either incidentally or directly, the confidentiality of health information. In short, we recommend that existing confidentiality laws at both State and Federal level which provide more protection remain in force. A new Federal privacy law should provide a basic level of protection for everyone -- a "floor" of protection -- without reducing other protections.
State Law. As noted above, there exists today a patchwork of State health privacy laws. While some are comprehensive and strong, the array of protections we recommend here would, in general, be stronger than most existing State law.
We recommend that Federal health privacy legislation supersede State law that is less protective than the Federal law. If either the Federal or State law forbids a disclosure, the disclosure should not be made. Thus, the confidentiality protections should be cumulative, and the Federal legisla tion should provide "floor preemption."
We make this recommendation with the recognition that a single national standard may be preferable from the administrative simplification perspective, and that some privacy interests might also be better served thereby. However, at this time, the freedom of States to protect their citizens' privacy through their own legislation is more important than the benefits of standardization that totally preemptive Federal legislation would confer. The attention several States have given to this issue should be respected. Many States have statutes to protect informa tion about HIV infection and AIDS patients, and about mental health patients, designed after wide public debate to suit local needs. In addition, the Federal government can clearly learn from the experiences of States as they respond to the complex task of protecting patient information in a rapidly changing environment.
Other Federal statutes that afford protection to liberty, privacy, and consumers' rights generally do not displace stronger State laws. At present, the goals of this proposal argue that it not break that tradition.
In addition, Congress expressed a preference for leaving stronger State laws in place in the Health Insurance Portability and Accountability Act of 1996. That Act calls for the Secretary of Health and Human Services to impose confidentiality controls on electronic transaction systems if Congress does not legislate on confidentiality by August 1999, and directs that any such controls not supersede State law with more stringent requirements.(8) Likewise, the standards for administrative simplification of health financial and administrative transactions, which that Act requires the Secretary of HHS to promulgate, may not supersede stronger State confidentiality laws.(9)
Privacy needs, developments in health data systems, and the interests of nationwide administrative simplification for health transactions may ultimately justify preemptive Federal legislation. But, at least at present, as the National Committee on Vital and Health statistics noted, "this issue need not be treated as a single problem with a single solution."(10)
If the Congress enacts Federal legislation leaving State controls in place, the impact of the respective laws on individual privacy rights and on effective use of health information bears careful watching. To the extent that dual regulation impairs health care or the operation of infor mation and payment systems, poses risks to confidentiality arising from misunderstanding of the applicability of multiple laws, or creates uncertainty in patients about rights and redress, consideration of additional action, such as developing a single national law or preempting State laws in particular areas, may be warranted.
Federal Law. Similarly, we recommend that a Federal privacy law not limit or reduce other Federal legal protections that control how information about individuals is disclosed or used. As with State law, Federal privacy protections should be cumulative.
For example, even where the recommended Federal privacy law would allow a disclosure without patient consent or judicial process, it should not obviate the need to comply with other Federal statutes that do require consent or judicial process. Nor should it diminish any rights, of patients or record holders, to challenge disclosures under other Federal law. If another Federal law requires legal process, or specific showings, prior to a disclosure, a record holder should remain obligated to observe those requirements.
For Federal health records, the records management requirements and subject access provisions of the Privacy Act of 1974 should continue to apply. But we recommend that the Privacy Act's disclosure provisions be replaced by the general health information disclosure restrictions we recommend, to the extent that the latter are more stringent than the Privacy Act.
At present, we recommend that Federal health confidentiality law treat all types of health information alike. The intent is to provide a meaningful minimum floor of privacy protections in Federal law for all types of health information. We recognize, however, that there is a great deal of support for providing additional protection to certain types of health care information that people feel to be particularly sensitive. For example, Federal and State laws already provide stronger protections for certain information, (such as information about HIV status, substance abuse patient information, and mental health records), and we recommend that these standards remain in place. We further recognize that additional types of particularly sensitive information may be identified for special protection in the future, and look forward to working with the Congress in determining when such protections are appropriate.
* * * *
The following are our recommendations for the contents of a federal health privacy statute. There will be many important details to be discussed, both in drafting legislation and then in developing implementing regulations. The following recommendations are not intended to address privacy policy at that level of detail. Rather, the following are statements of principle and policy that describe our recommended framework for federal health privacy legislation. We look forward to working with the Congress on a bi-partisan basis to advance these principles and enact Federal legislation that provides a basic set of rights with respect to health information to all Americans. This is an essential beginning.
We recommend that Federal health privacy legislation apply primarily to health care providers and payers.
We recommend that persons receiving information under the provisions of such legislation without patient authorization for health oversight, public health, research, State data system purposes be subject to the requirements of the legislation.
We recommend that health care providers be defined as persons who receive, create, use, or maintain, health information while providing health care in the ordinary course of business or practice of a profession, pursuant to license, certification, registration, or other legal authorization.
We recommend that payers be defined to include persons who pay for health care through contracts of insurance or in connection with employment, and government programs that pay for care under a benefit plan.
The legislation we recommend should apply in the first instance to providers of health care and payers for health care. They are at the heart of health care, and typically receive information directly from patients and generate health information. They are often one and the same.
In turn, others who receive health information under the provisions of the legislation without patient authorization should be bound by its requirements. They are referred to as "those receiving health information under the provisions of the law without patient authorization."
Providers are persons -- individual and institutional -- who receive, create, use, or maintain, health information while providing health care (including preventive health services) in the ordinary course of business or practice of a profession, pursuant to license, certification, registration, or other legal authorization.
Health care payers pay for health care pursuant to advance agreements or statutory obligations -- the range of entities commonly described as "plans." They may include licensed insurance companies, hospital or medical service corporations, health maintenance organizations, or other entities licensed or certified by a State to provide health insurance or health benefits. They include employee welfare benefit plans and other arrangements that provide health benefits, whether or not funded through the purchase of insurance policies or contracts. They include public programs that pay for health care under a health benefit plan, such as Medicare, Medicaid, the health programs of the Veterans Health Service, and the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS). The term should not be defined to include individuals and families who pay for their own care.
The definition does not encompass liability insurers who receive health information, as needed, pursuant to claimants' authorization. Nor does it include life insurers, who receive information, with the patient's authorization, not as part of health care or payment, but to make underwriting decisions.
We are making no recommendations with respect to including workers' compensation under Federal health privacy legislation at this time. Although workers' compensation carriers receive health care information in much the same manner as health plans, the need under workers' compensation systems to coordinate the health benefits provided with both the indemnity benefits (e.g., lost wages and disability payments) provided under the system and the determination of a worker's ability to return to work raises potential questions about the appropriateness of certain disclosures of medical information. We are continuing to review the need for federal privacy standards in this area and will inform Congress of any recommendations that we have in this area when we complete our review.
We do not recommend that employers as such be controlled by the legislation, But they should be considered health care providers or payers when they actually perform those activities, and obliged to conduct themselves accordingly. (Controls on employers' use of health information so obtained for other purposes is discussed below in LIMITATIONS ON USE).
We recommend that health care be defined to include
-- any preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the structure or function of the body;
-- any sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription; and
-- procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.
We recommend that health information include any information, oral or recorded, in any form or medium, including demographic information
-- that relates to the past, present, or future physical or mental health or condition of a patient, the provision of health care to a patient, or the past, present, or future payment for the provision of health care to a patient;
-- that is received, created, used, or maintained by a health care provider in the ordinary course of business or practice of a profession, or by a health care payer, or received by entities receiving informa tion under the provisions of the legislation without patient authorization; and
-- that identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the patient.
We recommend that the legislation cover any information about the patient held by providers and payers for their health care and payment activities. Thus, information that in other settings would not be health information -- name, identification number, employment status, address, financial data, family size, education, employment history -- should be covered by the protections of the legislation we recommend if held by a health care provider or payer for health care or payment purposes.
The description of identifiability we recommend follows the text of the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (Social Security Act § 1171(6)). We recommend that a legislative definition be no more specific at this time. A precise advance definition is difficult, and there is inadequate basis at this time for recommending one. The only effective formulation now is a test of reasonableness: Information is identifiable if there is a reasonable basis to believe that the information can be used to identify an individual.
No single rule can define what constitutes readily identifiable data. Information is clearly identifiable if it includes a name, social security number or other generally known or readily available identification number, or photograph. Health information will normally be identifiable within providers and payers, and the identifiability question will typically have to be answered when information is to be disclosed outside a provider or payer. Reasonableness may depend on a judgment based on what other information is known to be available to a recipient, and the amount of effort and time that would be needed to achieve a positive identification.
Other legal formulations are not more precise than the HIPAA formulation. The European Union data protection directive, a recent well-debated formulation of privacy rules, uses this test:
an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; (Art. 2(a))
The Council of Europe's "Recommendations of the Committee of Ministers to Member States on the Protection of Medical Data" (No. R(97)5 (1997)) states a reasonableness test, but adds an "effort" standard:
....the expression "personal data" covers any information relating to an identified or identifiable individual. An individual shall not be regarded as "identifiable" if identification requires an unreasonable amount of time and manpower. (Appendix, Art 1.)
The standard we recommend should not be read to mean that information is identifiable if there is a remote chance that somebody might possibly be able to identify a patient from a general description. The Panel on Confidentiality and Data Access of the Committee on National Statistics addressed this issue, and noted that zero-risk requirements for disclosure of statistical records were unrealistic. It recommended a standard that calls for a "reasonably low risk of disclosure of individually identifiable data." (George T. Duncan et al, eds., Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics 137 (1993)). The panel recommended that the Office of Management and Budget should continue to coordinate re search work on statistical disclosure analysis (at 155-157). This will be especially important as changes in the character and availability of technology alter the quantum of information constituting an identifier. Our recommendations include authority for issuance of guidelines for what levels and amounts of information constitute "identifiable" information, and guidelines for minimum allowable disclosures in particular situations (IMPLEMENTATION, below).
Records disclosed in a form not intended to be individually identifiable should not be used intentionally to identify a person. A person who obtains such information with the intention of identifying individuals should be regarded as having obtained health information under false pretenses (CRIMINAL PENALTIES, below).
Our recommendations do not distinguish among different types of health information based on presumed sensitivity, although we recommend leaving in place State and Federal laws that make that distinction. Our intent at this time is to recommend a meaningful minimum floor of privacy protections in Federal law for all types of health information. At the same time, we recognize that there are arguments for providing additional protection to certain types of health information that people view as particularly sensitive. We can learn from, and build on, States' experience with privacy laws that protect such information, and work with interest groups, privacy advocates, and others to assess how such information is best protected. Such information could be the subject of future Federal action; we look forward to working with the Congress in determining when such protections are appropriate.
We recommend that research in which care is not delivered not be considered "health care," and thus not covered. There are some existing protections for information gathered solely for re search, which should continue to apply (RESEARCH, below).
We recommend that providers and payers, and those receiving information under the provisions of the legislation without patient authorization, be permitted to engage other organizations, "service organizations," pursuant to contractual arrangements, to carry out functions for them that require use of health information.
We recommend that providers and payers be required to advise their service organizations that their work is subject to the law, whereupon these organizations should become subject to the law.
We recommend that service organizations be obliged to observe the use and disclosure restrictions, and to have a statement of information practices and to make it available upon request, but not be obliged to provide subject access and correction rights.
Much health information obtained and used by the providers and payers is processed by service organizations engaged by contract. The patient does not have a direct relationship with these organizations and typically does not know of their role in the flow of information.
Physicians and other providers engage companies to code, and to process bills and forward them to the appropriate payer. These companies may in turn deal with others engaged by payers. Between them, yet other companies may process health information by passing it from a provider's clearinghouse to a similar organization engaged by a payer. In some instances, these organizations make substantive or adjudicatory choices affecting the patient on behalf of their principals. In others, they do not, and may not retain the information in ways that permit easy retrieval.
Often there are not clear distinctions among the functions these many processors are performing. As an agent of a payer, a pharmacy benefit management company adjudicates and pays claims, and may manage a formulary. It also provide health care, in conjunction with the pharmacist, in looking for drug interactions -- advising the pharmacist, physician, or patient that a prescribed drug taken in combination with one prescribed earlier may have adverse effects. A payer may engage a pharmacy benefit manager to operate a disease management program to assist patients in managing their illnesses, often chronic conditions such as asthma and diabetes, by education through direct mail and telephone communication to the patient, online communication with phy sicians and pharmacists, and video materials.
We recommend that everyone in this chain of information handling be covered by the same rules.
Patients must be assured that their privacy protections are not lessened when the providers or payers with which they have established relationships give information to outside service organizations for processing. Thus, service organizations, once advised of the nature of the in formation they are handling, should be independently bound by the confidentiality restrictions applicable to the principal which engaged them.
They should not use or disclose patient information unless their principals explicitly permit, and the principals should be bound by the legislation in granting such permission. Thus, a service organization should not make independent use of this information unless the provider or payer permits such use, and then only if the legislation permits such use, i.e., with the authorization of the patient, or for a purpose for which the payer or provider could use it or disclose it.
The complexity and multitude of these arrangements, and the typical lack of contact with the patient, make it impractical to impose on service organizations the obligation to provide access and correction rights (discussed below in PATIENT INSPECTION AND COPYING OF RECORDS and PATIENT CORRECTION OF RECORDS.) However, patients should be able to exercise these rights by contacting their providers or payers, and providers and payers may by contract require their processors to provide the necessary access and correction. Service organizations should not be required by law to offer patients a statement of the information practices, but they should be required to have such a statement and to make it available upon request.
Processing of information by these organizations is a natural and understandable source of concern. There have been proposals that patients be permitted to forbid the computerization of their records, or otherwise to control directly the flow of information through the payment system. The National Committee on Vital and Health Statistics considered this possibility and had this observation:
The Committee is not sympathetic to the notion that patients should have a choice in the technology used to create, store and transmit health information. This is not a choice that record subjects [have] for records maintained by other third party record keepers such as banks and employers. Requiring health record keepers -- who are spending vast sums on computerization -- to retain parallel paper systems is impractical and costly. It would deny the benefits and savings that the Congress has already determined will result from increased use of modern information technology. Computers are an inevitable part of modern health care and indeed are intrinsic to the actual delivery of hospital care today. Patients must accept this and move on to debate the proper protections for records in a computerized environment. (Health Privacy and Confidentiality Recommendations of the National Committee on Vital and Health Statistics, Approved on June 25, 1997)
Control at this level of detail would be harmful to patients, since the effective and rapid processing of information, often for the benefit of the patient, depends on computerized systems. Our recommendation is for legislation that permits relationships necessary to operate the care and payment system, with common legal controls on all concerned to protect the patient informa tion.
However, should it appear in the future that patient interests are being compromised by contractual arrangements that obscure choices about use and disclosure of information, or that thwart legitimate patient control over information, Congress might want to consider imposing obligations directly on these entities.
In addition to engaging outside organizations to process information about patients, providers and payers will on occasion need to give identifiable information to attorneys, insurers, auditors, and similar special-purpose service organizations. These recipients should be subject to the same use and disclosure restrictions that apply to the information in the hands of the providers and payers.
A similar mechanism, provision for a "qualified service organization," has long been in use under the Federal substance abuse confidentiality statute (Public Health Service Act § 543, 42 U.S.C. § 290dd-1). The regulation interpreting that statute permits substance abuse treatment providers to share patient information with outside organizations under agreements similar to the ones we propose here (42 C.F.R. §§ 2.11 (Qualified service organization) and 2.12(c)(4)).
We recommend that providers and payers which are Federal, State, or local government agencies be permitted to employ other government agencies, in accord with applicable law, to carry out functions for them that require identifiable health information. The other governmental organizations should be subject to the same disclosure and use restrictions as the covered entity.
This is a governmental counterpart to the previous recommendation. Entities which provide or pay for health care, including government agencies, should be obliged to limit patient health in formation to the units or organizations actually performing those functions. However, government health providers or payers might on occasion use either outside private organizations (as discussed above) or other parts of their own departments or other departments of government for functions that involve personally-identifiable information, such as central data processing facilities. Likewise, State attorneys general's offices, and the Department of Justice, provide legal services to State and Federal health care facilities and may in the course of that work have access to health information. For such divisions of work within government, existing statutes may govern relationships, and the private contractual model is not directly useable. But the service agencies should be subject to the same use and disclosure restrictions as the covered entity, and thus should not use information about patients obtained in the course of this work for other purposes.
We recommend that there be a duty not to use or disclose health information except as authorized by the patient, or as explicitly permitted by the legislation.
We recommend that there be no duty to disclose information (except to the patient), and that other laws providing greater protection for health informa tion, or rights for the patient, remain in effect.
We recommend that providers and payers and those receiving information under the provisions of the legislation without patient authorization be permitted to use the health information only for purposes compatible with and directly related to the purposes for which the information was collected or received, or for purposes for which they would be authorized to disclose the information.
We recommend that legislation constrain the use of information within organizations. Organizations with many purposes and activities do on occasion create or collect information while acting as health care providers or payers. They may also receive information from providers or payers.
The fact that an organizational entity holds information is not a proper basis for its uncontrolled use within the organization. Under the requirement we recommend, entities holding records should have to make distinct and explicit choices about which activities are sufficiently connected with their health activities to warrant the use of identifiable health information. Other uses could be made only with patient authorization, or under provisions of the legislation that permit disclosure without patient authorization.
This requirement should not interfere with normal uses of information in the health care delivery or payment process, but should prevent uses extraneous to health, and may limit some existing uses of health information. We recommend that this be a somewhat more restrictive control than the Federal Privacy Act, which permits disclosure to officers and employees of the agency maintaining the record who have a need for the record in the performance of their duties (5 U.S.C. § 552a(b)(1)).
It is not possible or desirable to set forth in legislation all appropriate internal uses for health information by providers and payers. A general statutory standard is required, and so our recommendation calls for limiting use of health information to purposes compatible with and directly related to the purpose for which the information was collected or received.
For hospitals, for example, the use of health information to provide health care is obviously within the purpose of collection, and providing health care includes a wide variety of activities like management analysis, quality assurance and similar oversight activities, carrying out mandates of law, teaching, training, and research activities. Likewise, a provider or payer should be permitted to use information internally for a purpose for which it could make a disclosure.
This limitation on how patient information is used is especially applicable to organizations that are not primarily health care providers or payers, but that perform those functions, such as employers. This proposal is not intended to cover employers as such. Existing laws (such as the Americans with Disabilities Act of 1990 § 102 (42 U.S.C. § 12112) and the Rehabilitation Act of 1973, (29 U.S.C. § 793) (with regulation at 41 C.F.R. § 60-741.23)) constrain the collection, use and disclosure of health information by employers and should not be disturbed.
But we recommend that employers, when they function as providers or payers, be required to conduct themselves as such under the legislation. Workers have worried that employers get health information about them, and often their families, in the claims payment process, and may use it to discriminate against them. (Marilyn J. Field and Harold T. Shapiro, eds., Employment and Health Benefits: A Connection at Risk at 148 (1993)). This study by the Institute of Medicine recommends explicitly (at 246) that employer access to certain information collected in connection with health benefits be limited through controls similar to those in the Americans with Disabilities Act of 1990.
We recommend just such controls, by regulating how an employer uses information received in the payment process, either as a self-insurer or by processing claims en route to an insurance company. Information should not be used outside of the payment activity. An employer could not use it, for example, to make decisions about promotions or job assignments. Even if employers have information in identifiable form for statistical and analytic operations related to payment, or for oversight of an outside payer, the legislation should forbid its use for anything but these payment-related purposes. Employers should be required to build impermeable barriers between activities that use health information and their other activities.
The same considerations apply to health care delivered by an employer, or on the employer's premises, or by employee assistance programs. The information obtained in rendering these health services should not be used by the employer for purposes outside the purposes for which it was collected, except as authorized by the patient or otherwise allowed by the law.
The examples here are from the employment context; the requirement should be applicable to all who have health information.
We recommend that providers and payers and those receiving information under the provisions of the legislation without patient authorization be required to maintain reasonable and appropriate administrative, technical, and physical safeguards
-- to ensure the integrity and confidentiality of health information; and
-- to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information.
We recommend the statutory formulation of a basic obligation of all record holders -- to safeguard the information.
No legislation can effectively specify how to do this, but it can require diligent and attentive choices of security measures. The technology is varied and dynamic, and different types of technology and information call for different types and degrees of security. We recommend that the legislation require providers and payers to take the appropriate levels and types of protective measures. The legislation should not create an obligation of absolute security. The key words are "reasonable," "appropriate," and "reasonably anticipated," to permit consideration of the degree of risk, the likely consequences of compromise, and the expenditure, financial and other, required to address the risk.
The measures should especially include employee education, clear and certain punishment for misuse, and technical controls on access to information within an organization, since there is evidence that a substantial threat to information is careless or deliberate misuse by those who have authorized access to it in their normal work activities.
A growing body of policy and technical material will help managers in formulating their plans in this regard.
The Office of Management and Budget has promulgated policy establishing a minimum set of controls to be included in Federal automated information security programs (OMB Circular A- 130, Management of Federal Information Resources, Appendix III, (February 1996)).
A recent study (commissioned by the National Library of Medicine of the National Institutes of Health and funded by the Library with additional support from the NIH Warren G. Magnuson Clinical Center and the Massachusetts Health Data Consortium), identifies best practices in social and technical mechanisms for protecting privacy and maintaining security that are currently used in information systems for health care. (National Research Council, Computer Science and Telecommunications Board, For the Record: Protecting Electronic Health Informa tion (1997)).
The Health Insurance Portability and Accountability Act of 1996 requires the Secretary of Health and Human Services to develop standards for electronic transmission of financial and administrative information about health transactions, including security standards. Most of these standards will be published for initial comment this year.
The Center for Democracy and Technology has produced Privacy and Health Information Systems: A Guide to Protecting Patient Confidentiality (1996), a guide to help designers of electronic health information systems to identify and deal with confidentiality issues.
The Computer-based Patient Record Institute (CPRI) has produced a series of publications with guidance on security policies for computer-based patient records. (Guidelines for Establishing Information Security Policies at Organizations Using Computer-based Patient Records (January 1996), Guidelines for Information Security Education Programs (June 1995), Guidelines for Managing Information Security Programs (January 1996), Sample Confidentiality Statements and Agreements (May 1996), and Security Features for Computer-based Patient Record Systems (September 1996)).
We recommend that all uses and disclosures be restricted, to the extent practicable, to the minimum amount of information necessary to accomplish the purpose for which the information is used or disclosed.
This recommendation is for an obligation to design systems to limit the amount of information that is disclosed to the minimum necessary for the intended purpose.
Any judgment about what is practicable, and what is minimum, must take into account the technical capabilities of record systems and the costs of limiting uses and disclosures. It is likely to be easier to limit disclosure when disclosing computerized records than when providing access to paper records. Technological mechanisms to limit the amount of information available for a particular purpose, and make information available without identifiers, are an important contribution of computerization to personal privacy. For example, limited fields of information can be disclosed, and identifiers can be stripped. As a practical matter, sorting through paper records to ensure that only the minimum amount is disclosed will be expensive and time- consuming and can risk compromising the integrity of the record, and these factors relate to practicability.
As technologies develop, it will become easier and cheaper to provide minimum information and to limit disclosure. We recommend that a Federal agency be authorized to issue guidelines for what levels and amounts of information constitute "identifiable" information, and guidelines for minimum allowable disclosures in particular situations.
Recent studies have emphasized the value of privacy-enhancing technologies (PETS) in accomplishing necessary transactions with a minimum of identifying information. The Dutch Data Protection Authority and the Information and Privacy Commissioner for the Province of Ontario, Canada, both governmental privacy protection entities, recently collaborated in producing a report exploring privacy technologies that permit transactions to be conducted anonymously. (Information and Privacy Commissioner/Ontario, Canada, and Registratiekamer, the Netherlands, Privacy-Enhancing Technologies: The Path to Anonymity (1995)).
The provision we recommend should not be a basis for automatic withholding of records in situations where the requester is best positioned to determine what information is necessary, such as oversight and public health investigations.
We recommend that providers and payers, and those receiving information under the provisions of the legislation without patient authorization, be required to prepare a written notice to inform patients of their information practices and of the patients' rights regarding the health information.
We recommend that the explanation be required to provide information on whatever rights the patient has with respect to information, including, if applicable
-- the uses and disclosures of information authorized under the legislation and intended by the holder, as well the protections available;
-- the right of the patient to prevent or limit disclosure in whatever circumstances that right exists;
-- the right to inspect and copy information and to seek amendments;
-- the procedures for authorizing disclosure of information and for revoking disclosure authorizations;
-- the procedures for the exercise of rights under the legislation, and the procedures, if any, for complaint, redress, or appeal; and
-- the fact that service organizations and those receiving information under the provisions of the legislation without patient authorization have explanations of information practices which are available upon request.
We recommend that providers and payers be required to give patients this explanation, or at least advise patients affirmatively of its availability and provide a copy upon request.
We recommend that service organizations and those receiving information under the provisions of the legislation without patient authorization be required to develop explanations of information practices meeting the same standards, and to provide a copy to patients upon request.
An informed citizenry is essential to protection of privacy. The basic structures for protection of health information should include requirements that patients be told what is being done with in formation about them, and what their rights are.
The Privacy Working Group of the President's Information Infrastructure Task Force formulated personal privacy principles (Principles for Providing and Using Personal Information (June 1995)), and three of them point to the centrality of public information and education:
II.B. Notice Principle. Information users who collect personal information directly from the individual should provide adequate, relevant information about:
- Why they are collecting the information;
- What the information is expected to be used for;
- What steps will be taken to protect its confidentiality, integrity, and quality;
- The consequences of providing or withholding information; and
- Any rights of redress.
II.E. Education Principle. Information users should educate themselves and the public about how information privacy can be maintained.
III.A. Awareness Principle. Individuals should obtain adequate, relevant information about:
- Why the information is being collected;
- What the information is expected to be used for;
- What steps will be taken to protect its confidentiality, integrity, and quality;
- The consequences of providing or withholding information; and
- Any rights of redress.
Likewise, the National Information Infrastructure Advisory Council (a public advisory committee to the President's Information Infrastructure Task Force) issued a statement, Common Ground: Fundamental Principles for the National Information Infrastructure (March 1995), which includes the following among its privacy and security principles:
10. Collectors and users of personally identifiable information on the NII should provide timely and effective notice of their privacy and related security practices.
11. Public education about the NII and its potential effect on individual privacy is critical to the success of the NII and should be provided.
The reasoning behind these principles emphasized that the public should be aware of uses and transfer of information that may not be clear or obvious. Health information is transmitted and used by a large number of agencies and institutions, and patients should know at least in a general way where it is going, how they can make corrections, and how to find out more infor mation.
The explanation is of special importance in view of our recommendation below (HEALTH CARE AND PAYMENT) that disclosures of health information for health care and for payment be permitted without patient authorization, but that patients be permitted to object to particular disclosures for these purposes. The explanation of the patient's right in this regard is an integral element (together with direct legal controls on use of information by providers and payers) of this more realistic and informed patient control of information that we offer to replace the consent processes under which patients now permit their records to be passed around.
The Privacy Act of 1974 requires that Federal agencies advise the subjects of Federal records of their intended uses (5 U.S.C. § 552a(e)(3)). Cable television subscribers are entitled, under the Cable Communications Policy Act of 1984, to an annual notice of the cable company's informa tion practices (47 U.S.C. § 551(a)). The recommended requirement would bring these salutary practices to health information.
All organizations should be required to have statements to inform patients, if they request it, of how they use health information, and what the rights of the patients are. The health care providers and payers, which have direct relationships with patients, should make this explanation available in an affirmative fashion, for example, at health care facilities, or with written material sent by mail to subscribers to health insurance plans. We recommend that the legislation require a written explanation that can be retained by the patient, so that patients can examine the policies and become aware of their rights at their leisure (when not under the anxiety sometimes attendant to receiving health care) and consult others as necessary. At the same time, we do not believe that it is desirable to prescribe in legislation the details of how the notice should be given.
Federal agencies could incorporate in the explanation proposed here the notice of information practices required by the Privacy Act.
Organizations that do not have direct contact with patients should also be required to prepare such an explanation and to make it available upon request.
We recommend that patients be allowed to inspect and copy health informa tion about them held by providers and payers. We recommend that patients be allowed to inspect and copy health information held by public health authorities, and by oversight agencies in any situation in which an oversight agency has made an adverse decision about the rights, benefits, or privileges of the patient.
We recommend that those holding health information be permitted to deny patient inspection of particular information under any of these circumstances:
-- the information is about another person (other than a health care provider) and the holder determines that patient inspection would cause sufficient harm to another individual to warrant withholding.
-- inspection could be reasonably likely to endanger the life or physical safety of the patient or anyone else.
-- the information includes information obtained under a promise of confidentiality (from someone other than a health care provider), and inspection could reasonably reveal the source.
-- the information is held by an entity that has received it under the health oversight provisions of the legislation, and access by the patient could be reasonably likely to impede an ongoing oversight or law enforcement activity.
-- the information is collected in the course of a clinical trial, the trial is in progress, an institutional review board has approved the denial of access, and the patient has agreed to the denial of access when consenting to participate.
-- the information is compiled principally in anticipation of, or for use in, a legal proceeding.
We recommend that providers and payers be permitted to deny inspection if the information is used solely for internal management purposes and is not used in treating the patient or making any administrative determination about the patient, or if it duplicates information available for inspection by the patient.
We recommend, in instances where a patient is to be denied inspection, that the holder of the record be required to make available to the patient, to the maximum extent possible, any portion of the health information which is not allowed to be denied to the patient under the standards above.
We recommend that providers and payers be permitted to charge a reasonable, cost-based fee for inspection and copying a record.
We recommend that entities obliged to provide inspection rights be required to make a decision on patient inspection within 30 days of a request, and that if they deny inspection rights they be required to give the patient a written statement of the reason.
We recommend that existing rights of subject access and correction under the Privacy Act of 1974 not be diminished.
The ability to see one's own record is central to effective control of information and is a basic fair information practice. A patient's decision whether to disclose a record may depend on what the record says, and so access to the record is integral to making an informed choice to disclose in formation.
The "Code of Fair Information Practice" recommended in 1973 by the Secretary's Advisory Committee on Automated Personal Data Systems includes as one of its five basic principles:
There must be a way for an individual to find out what information about him is in a record and how it is used.
(U.S. Department of Health and Human Services, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens 41 (1973)).
The Privacy Protection Study Commission recommended that this right be available. (Personal Privacy in an Information Society 299 (1977)). A right to see one's record is available by law in 31 States (described in Public Citizen Health Research Group, Medical Records: Getting Yours (1995)), and has been a right (with very limited exceptions) in Federal health record systems since the Privacy Act of 1974 (5 U.S.C. § 552a(d)).
The exceptions that we recommend provide for the limited situations in which, in the judgment of health professionals, access to the record by the patient would cause grave harm, or, in the case of oversight activities, would endanger the oversight activity, or in the case of clinical trials, would endanger a trial.
There should be no obligation to employ the exceptions. In general, patients should be able to see and copy their records, but there should be a provision to permit health professionals to exercise their judgment to withhold information in the rare instances where that is appropriate. Further, the record holder should be able to deny access only to the portion of the record that falls within the stated exceptions. The record holder should redact the portions allowed to be denied, and should give the patient the rest of the information.
There need be no obligation to let patients see information used solely for internal management purposes, which is a duplicate of the basic patient record (e.g., a back-up copy), or which is gathered for litigation.
Some clinical trials will involve health care and thus will be covered by the law, and the usual right to see one's record raises a special issue in these cases. We believe that a right to see one's own record, properly managed, need not impair research.
Subjects in clinical trials are often, by design of the research, unaware of the identity of the medication they are taking, or of other elements of their record. The research design precludes their seeing their own records and continuing in the trial. Further, patient access during the trial could endanger the entire trial.
Thus, we recommend that it be clear that a patient can waive the normal right to inspect informa tion while the trial is in progress, regardless of the length of the trial. This waiver would be an element of the patient's consent to participate in the trial. The institutional review board should have to approve it, and the patient should be told clearly of this condition. The subject should have the usual right to see the record after the trial is completed.
Some entities other than providers and payers should be obliged to provide patient access (and the related correction rights, described below). Public health agencies may be able to take actions to affect the lives of the patients. Some health oversight agencies can make operational choices that affect the patient, such as denial of payment, and it is essential that patients be able to see records held by these agencies, after a decision adverse to the patient is taken. Under current law, such disclosure is already required, and through adversary proceedings, patients can challenge incorrect information which served as the basis for the adverse decision.
In other instances (e.g., an accreditation study of a hospital by the Joint Committee on Accreditation of Health Care Organizations) no individual patient interest is at stake in the oversight activity, and access is less significant.
However, the right recommended here is not simply a right to fair procedure in an administrative transaction or criminal or civil legal action (which may be provided in any case by other law); it is a freestanding fair information practice right to see one's record at a time of one's choosing regardless of actual use in a proceeding or for decision making. It should be available unless there is a danger that patient access would impede the investigation. We recommend that any procedures established to implement these provisions not be unduly burdensome on law enforcement or oversight agencies.
We do not recommend that researchers who receive information under the provisions of the legislation without patient authorization be obliged to permit patient access. In most instances, they have no direct contact with patients, and under our recommendations would be prohibited from using such information against a patient.
The section on SERVICE ORGANIZATIONS, above, addresses the rights of patients to see in formation held by service organizations operating on behalf of entities that are obliged to give patients access to their records.
We recommend that patients be permitted to seek correction or amendment of health information about them held by any entity obliged to permit patients to inspect health information about them.
We recommend that these conditions govern responses to such requests:
-- if the entity makes the requested change, it must make reasonable efforts to inform others who have received the incorrect information about the change,
who are identified by the patient; or
who the entity knows have received the information, when it is reasonably foreseeable that the incorrect information may have an adverse impact on the recipient or patient.
-- if the entity makes the requested change, it must make reasonable efforts to inform known sources of incorrect information.
-- if an entity denies a request, it should inform the patient of the reasons for the denial and of any procedures for further review. The burden of proving that information needs to be amended or corrected should fall on the patient, and the legislation should not require a process for further review.
-- if a patient's request is denied, the patient should have the right to file a concise statement with the requested correction and the patient's reasons for disagreeing with the refusal. This statement should be included in any subsequent disclosure of the disputed portion of the information about the patient. The holder may include a concise statement of its reasons for not making the requested change.
This recommendation is intended to ensure basic fairness with respect to accuracy of informa tion. It follows the pattern established by the Privacy Act of 1974 for Federal agencies (5 U.S.C. § 552a(d)(2)). It is not intended to interfere with medical practice, or modify standard record- keeping practices.
Reasonable attempts at notification of others should prevent the perpetuation and further transmission of erroneous information. The legislation should explicitly state a test of reasonableness in this regard, so that the vigor of the effort required is proportional to the importance of the information and the degree of hazard in disseminating incorrect information.
We recommend that it be clear that this provision is not intended to provide a procedure for substantive review of decisions such as coverage determinations by payers. It is intended to deal with the content of records, not the underlying truth or correctness of the events recounted in them. Attempts under the Privacy Act of 1974 to use the Act's correction mechanism as a basis for collateral attacks on agency determinations have generally been rejected by the courts. We intend the result to be the same here.
It is the standard practice of medical record keepers not to expunge any information in a treatment record. The usual procedure is to mark incorrect information and to add the correct information. Even if information is wrong, it is essential to the purpose of the medical record that the record reflect the information available when treatment decisions were made. We recommend no change in these practices, and there should be no requirement that information be erased or deleted. A record should be considered corrected or amended if incorrect information is marked as such, and the correct information added.
We recommend that providers and payers, and those receiving information under the provisions of the legislation without patient authorization, be required to retain a history of all disclosures of health information made for treatment, payment, research, oversight, public health, emergencies, to State data systems, for law enforcement, in judicial proceedings, and with the authorization of the patient.
We recommend that the record include the date and purpose of the disclosure; the name and address of the person to whom the disclosure was made or the location to which the disclosure was made; and where practicable, a description of the information disclosed.
We recommend that patients be permitted to see this record, except in the case of disclosures to and by health oversight agencies and to law enforcement agencies where access by the patient could be reasonably likely to impede those activities.
We recommend that the disclosure history be retained for the life of the record to which it relates.
We recommend that there be no obligation on service organizations to retain a record of disclosures in the course of treatment and payment transactions.
Patients ought to know who has seen information about them. This basic right was recommended by the Privacy Protection Study Commission (Personal Privacy in an Information Society 316 (1977), and is available, with limited exceptions, under the Privacy Act of 1974 (5 U.S.C. § 552a(c)). The ability to see who has seen one's record is a form of control on disclo sure. In a health facility where employees who receive care at the facility can easily check who has accessed their records, they often do check, and staff at the facility see this as an important confidentiality control (National Research Council, Computer Science and Telecommunications Board, For the Record: Protecting Electronic Health Information 98 (1977)).
Our recommendation does not envision that the legislation specify any particular form for retention of this history, as long as the inquiring patient can find out where his or her information went. Health facilities may choose to keep the disclosure history in a patient file, in a separate log, or in any other way, as long as it is possible to identify or accurately reconstruct the disclo sures.
Our recommendations call for an exception to the right of patient access when access could be reasonably likely to impede oversight or law enforcement activities. We recommend that any procedures to implement these provisions not be unduly burdensome on oversight or law enforcement agencies.
No accounting should required for disclosures made under the next-of-kin and directory information provisions (described below).
We recommend that providers and payers, and those receiving information under the provisions of the legislation without patient authorization, be permitted to disclose information pursuant to the authorization of a patient under the following conditions:
-- the authorization is in writing, is dated, and is signed or otherwise authenticated;
-- the authorization states an expiration date, or event, and is received by that date or event;
-- the authorization specifies the information to be disclosed;
-- the authorization specifies the entity or entities which are to disclose the information;
-- the authorization specifies the person or persons to receive the infor mation;
-- the authorization states that the patient has received a statement of the intended use of the information by the recipient; and
-- the authorization is not on the same form on which a patient consents to health care, and states that treatment, coverage, and payment are not conditioned on the patient's authorization to disclose, unless the disclosure is necessary for treatment, coverage, or payment.
We recommend that a person who requests a patient to authorize disclosure of health information be required to give the patient a copy of the authorization.
We recommend that a patient be permitted to revoke an authorization to disclose information except to the extent that action has been taken in reliance on the authorization.
We recommend that entities disclosing information pursuant to an authorization be required to retain a copy of the authorization, and a record of the disclosure.
The ability to control use and disclosure of information is central to fair information practices, and we recommend requirements to ensure that the patient understands the nature of the disclo sure being authorized, and to ensure that there is adequate specificity to the patient's authorization, and to ensure that authorizations do not become general permissions for unrelated disclosures.
The required signature may be an electronic authentication.
To assist in preparing these authorizations, the Federal agencies should be authorized to publish model authorization forms and model statements of intended uses (see below, IMPLEMENTATION).
We recommend that a person who requests a patient to authorize disclosure of health information be required to provide a statement for retention by the patient, not on the same form as the authorization, specifying the purposes for which the information is sought and the uses and disclosures to be made of it.
We recommend that use or disclosure of the health information inconsistent with the statement be the basis for a civil action for damages.
This recommendation is intended to provide patient control in the many situations in which patients authorize others to receive health information about themselves. It addresses informa tion that moves beyond the direct scope of the law we recommend.
These disclosures are made for many reasons. Applicants for life or disability insurance authorize providers to disclose existing information about themselves, and are informed by the insurer how the information will be used, including, for example, for reports to the Medical In formation Bureau, a clearing house of information about life and disability insurance applicants to detect fraudulent applications.
Claimants in liability situations authorize their providers to send information to liability insurers to show the extent of their injuries. In case which move to litigation, a plaintiff will typically authorize an attorney to receive medical records and transmit them to medical consultants for review, and then to the defendant's insurer, to show the extent of the plaintiff's injury.
Patients may authorize disclosure of health information when receiving other services, such as social services. Disability determinations in the disability program under the Social Security Act are dependent on the patient's offering evidence of his or her health condition. People may authorize disclosure of their information for suitability investigations by government agencies, or for employment or assignment determinations.
Legislation cannot address all the possible uses of health information by the great variety of persons and organizations that may receive it pursuant to patient authorization. Nonetheless, patients properly expect fair treatment of this information, and should be able to enforce that expectation. This information, obtained as it is from the health care setting, retains its sensitivity, and should be protected in a legally enforceable way. Collection of damages for use inconsistent with the stated purpose is the recommended enforcement mechanism.
This recommendation provides that protection by permitting the patient to enforce the agreement the patient and the recipient make.
The recipient may choose to promise essentially no confidential treatment, or may choose to specify, in general or in particular, how the information may be used. In some instances, other law will govern how the information may be further used (as in some collections of health infor mation by government agencies), and that law would define the recipient's promises to the patient. The patient may be able to take these promises into account in deciding whether to dis close information in a particular instance.
To assist in developing such agreements, the Federal agencies should be authorized to prepare model authorization forms and model statements of intended uses (see below, IMPLEMENTATION).
This recommendation would implement one of the Principles for Providing and Using Personal Information (discussed above in EXPLANATION OF INFORMATION PRACTICES), formulated by the Privacy Working Group of the President's Information Infrastructure Task Force:
III.C. Redress Principle
Individuals should, as appropriate, have a means of redress if harmed by an improper disclosure or use of personal information.
The President's statement on the Global Information Infrastructure, A Framework for Global Electronic Commerce (June 1997), in its discussion of privacy, reiterates this point:
Under these principles, consumers are entitled to redress if they are harmed by improper use or disclosure of personal information or if decisions are based on inaccurate, outdated, incomplete, or irrelevant personal information.
We recommend that providers be forbidden to condition treatment on the patient's authorization to disclose health information, unless the disclosure is necessary for a health care or payment purpose.
We recommend that payers be forbidden to condition coverage or payment on the patient's authorization to disclose health information, unless the dis closure is necessary for a health care or payment purpose.
We recommend that providers and payers be required, when requesting an authorization to disclose information for purposes other than health care or payment, to advise patients that treatment, coverage, and payment are not conditioned on the patient's authorization to disclose.
We recommend this requirement so that providers and payers cannot require patients to authorize disclosure of health information as a condition of treatment, coverage, or payment unless the dis closure is actually necessary for those purposes. Such demands could nullify the legislation's controls on disclosure of information. If needed benefits or services are not available unless the patient consents to disclose information, patients could be unfairly compelled to permit disclo sures beyond those permitted by the legislation.
A patient seeking care or payment should be informed that he or she can resist a request for an authorization. It is important that the authorization clearly state that the patient will receive the same treatment, coverage, or payment, whether or not the authorization is signed (DISCLOSURE WITH PATIENT AUTHORIZATION: AUTHORIZATION CONTENT, above).
This requirement should not interfere with health care or the normal operation of the payment system. Patients may properly be required to make available information necessary to treat them, or for reimbursement. Likewise, where such requests are not forbidden by other law, patients could be asked to disclose information about past health history for underwriting purposes. Patients could be asked to authorize disclosure for purposes other than health care or payment, like marketing, as long as treatment, coverage or payment is available whether or not the patient authorizes the disclosure.
This recommendation is not intended to prevent researchers from requiring subjects to agree to disclosures necessary for participation in a clinical trial. Research subjects are often asked to consent to disclosure of their past health history, as well as to permit information generated in the trial to be reviewed by sponsoring and oversight agencies. These disclosures are integral to the operation of clinical trials, and the legislation should permit such conditions.
We recommend that providers and payers and those receiving information under the provisions of the legislation without patient authorization be permitted to disclose health information without patient authorization to provide health care to any patient, and for payment, but that patients be permitted to restrict disclosures of particular information or disclosures to particular persons.
We recommend that the traditional control on use and disclosure of information, the patient's written authorization, be replaced by comprehensive statutory controls on all who get health in formation for health care and payment purposes.
The reality of the present authorization process is that the patient has little actual control of infor mation. The approach we recommend would replace the often ritualistic authorization with direct statutory controls and a realistic and effective opportunity for patient intervention in instances where the patient finds it truly necessary.
Disclosures for health care are made routinely now. A requirement for a signed paper for a routine referral can impair care by delaying consultation and referral. For example, a physician may decide, from review of test results after the patient has left the office, to refer the patient for consultation; the patient should not have to journey to the office again to sign a form before the physician can discuss the case with the consulting specialist. The provider should not be constrained in deciding whom to consult unless the patient has specifically indicated a sensitivity to such consultations.
Some existing State health confidentiality laws permit disclosures without consent to other health care providers treating the patient, and the Uniform Health-Care Information Act permits disclo sure "to a person who is providing health-care to the patient" (9 Part I, U.L.A. 475, § 2-104 (1988 and Supp. 1996)).
For payment, existing authorizations are often forms that have little meaning to the patient, and that the patient must sign if reimbursement is to be obtained. This process should be replaced by one in which information flows easily and without unnecessary barriers when necessary for payment, while protected by direct legal obligations on providers and payers. Changes in insurance carriers, for example, should not require multiple authorizations. A failure to obtain an authorization should not prevent a health care provider from billing payers who might not be precisely identified when treatment is rendered. In addition, information moves from provider to payer through a chain of processing entities (see SERVICE ORGANIZATIONS, above) whose precise identity may not be known to the provider in contact with the patient. A true, fully enforced, authorization requirement for each of these transfers of information would bring the health care payment system to a halt.
The traditional goals of the authorization process are important ones, and we must have strong and realistic ways of meeting those goals. It is our view that stringent statutory protections on information held by providers and payers, and an opportunity for patients to object to particular disclosures (an "opt-out"), can fulfill these goals more effectively than the authorization formula. The explanation of information practices that providers and payers would have to provide should specifically note the patient's opportunity to object to particular disclosures.
The opportunity to object to a particular disclosure is a more realistic and effective form of control than routine signature of an authorization form, and exactly for that reason it may require attention from providers in responding to patient wishes. In turn, patients will have to exercise care and judgment in using it. In the treatment context, some elements of medical history are irrelevant to present treatment, and patients may reasonably want them concealed. A patient's sexually-transmitted disease at the age of 22 need not be announced to all who are treating an athletic injury when the patient is 44.
But current medical history, especially medications, and some past medical history, are very much relevant to present treatment, and the patient cannot withhold this information from subsequent providers without grave risk. There are dangers in making treatment decisions based on incomplete information, and providers may properly decline to treat patients without full understanding of their medical history. Legislation should not prevent physicians from conditioning treatment on having that history. Thus, if the patient chooses to restrict disclosure for treatment, the patient and the concerned providers would have to negotiate the patient's actual control in light of the need for the history in treating the patient.
Likewise, disclosure to a payer is necessary for reimbursement. To the extent that the patient does not want information disclosed to an insurer or other payer, the patient must address the financial aspects of treatment in some other way.
We recommend that the legislation be written to allow physicians to use any patient's record, not just the record of the patient being treated, to accommodate the practice in which a physician who is treating a patient with a rare disease may examine the records of other hospital patients with the same disease. Likewise, physicians may consult the records of several people in the same family or living in the same household to assist in diagnosis of conditions that may be contagious or that may arise from a common environmental factor.
We recommend that providers and payers and those receiving information for health oversight without patient authorization under the provisions of the legislation be permitted to disclose health information without patient authorization, if such disclosures are authorized by other law and any requirements of other law have been met, for oversight of the health care system, including
-- any assessment, evaluation, determination, or investigation relating to the licensing, accreditation, or certification of health care providers; and
-- any audit, assessment, evaluation, determination, or investigation relating to the effectiveness of, compliance with, or applicability of, legal, fiscal, medical, or scientific standards or aspects of performance related to health care or payment, including claims for benefits based on health status, claims of eligibility for programs that produce eligibility for health benefits, and claims for other benefits in programs conducted or funded by governments.
We recommend that public agencies, as well as other entities acting on behalf of public agencies, acting pursuant to a requirement of a public agency, or carrying out activities under a State or Federal statute regulating assessment, evaluation, determination, or investigation with respect to health care, be eligible for this access.
We recommend that standard-setting organizations with which a provider or payer has a contract providing for review of the covered entity's activities be eligible for this access.
We recommend that those receiving information under the provisions of the legislation without patient authorization for research and public health be permitted to disclose health information for oversight of the particular re search or public health activity holding the information, and that no use of the information against the patient be permitted except for wrongdoing in connection with the research or public health activity.
We recommend that public agencies receiving information under this provision be permitted to disclose health information in accord with applicable law.
We recommend that other entities receiving information under this provision not be permitted to disclose health information except for oversight purposes.
We recommend that these disclosures be permitted so that there can be effective oversight of health care activities. The types of oversight organizations and activities are many, and range from traditional law enforcement agencies, to government agencies investigating or paying for health care, to the professional licensure and discipline system, to regulators like insurance commissioners, and to accreditation, standard-setting, and quality review organizations and activities.
These activities occur under a myriad of circumstances, including pursuant to complaints about criminal behavior, as part of professional disciplinary proceedings, and pursuant to contract by facilities which wish accreditation and engage organizations to review their activities.
These activities may be performed by a public agency, or by another organization acting on behalf of a public agency, pursuant to a requirement of a public agency, or carrying out activities under a State or Federal statute requiring or otherwise providing for the assessment, evaluation, determination, or investigation. The standard-setting organizations perform their functions pursuant to contract with the institutions they are examining and accrediting.
The common features among these activities are these:
All, at some point in their operations, need access to individually-identifiable records.
Their effectiveness depends on access being controlled by the oversight entity, not the holder of the information, whose behavior and activities are under examination.
The oversight activity is required because of the large volume of fraud and abuse in the health care system. It necessitates a substantial enforcement apparatus, including conventional law enforcement agencies (such as the Federal Bureau of Investigation, and State and local police departments), and specialized agencies (such as the Inspectors General of the Department of Health and Human Services, the Office of Personnel Management, and the Department of Labor, and State Medicaid fraud control units.) The General Accounting Office has estimated health care losses due to fraud and abuse as approximately 10 percent of outlays.
Some of the activities investigated by the Office of Inspector General of the Department of Health and Human Services display the scope of the issue, and suggest how records are needed in the investigation:
-- Billing of Medicare and Medicaid by nursing homes for unnecessary services and services which were not provided at all (OIG Special Fraud Alert, "Fraud and Abuse in the Provision of Services in Nursing Facilities" (61 Fed. Reg. 30623-30625 (1996)), including:
A physician billing $350,000 over a 2-year period for comprehensive physical examinations of residents without seeing a single resident, and falsifying medical records to indicate that the services were rendered.
A psychotherapist manipulating Medicare billing codes to charge for 3 hours of therapy for nursing home residents when in fact he spent only a few minutes with each resident.
A speech specialist preparing documentation overstating time spent on each session, claiming to spend 20 hours with residents every day, and submitting some claims for residents he had never seen, and some who were dead.
-- Billing of Medicare and Medicaid for services by home health agencies that were not provided, or provided by untrained personnel, or otherwise in violation of the rules governing reimbursement of home health services (OIG Special Fraud Alert, "Home Health Fraud, and Fraud and Abuse in the Provision of Medical Supplies to Nursing Facilities