Vice-President Gore's March 8, 1995 memorandum to Secretary Shalala called for an inter- agency effort to analyze better methods of privacy protection in connection with health care applications of the National Information Infrastructure. In particular, the memorandum highlighted three privacy- related concerns:
the inadequacy of current laws in addressing privacy and confidentiality in an electronic environment;
the varying quality of the policies adopted by institutions that hold health information; and
the need to analyze the federal role in this area.
The Privacy Working Group initially formed as a departmental task force, commissioned by the department's committee on data policy. Its initial focus during the first half of 1995 was on developing a proposal for a privacy advocate office within HHS, a proposal generated during the REGO II process. The group has now evolved into an inter-agency committee and has prioritized the questions outlined in the Vice-President's memorandum. (See initial memorandum to representatives of other agencies, attached hereto.) Its members include representatives from all federal agencies with direct involvement in health-related information, including OMB, VA, DoD, and Social Security, as well as agencies within HHS (such as HCFA, and the Indian Health Service). The group meets twice a month.
Privacy in an electronic environment
The major focus of the group is now the identification of privacy-related questions that fall outside the bounds of existing law and that have not been addressed by the existing body of privacy policy. These questions arise as a result of two powerful trends: electronic communications technology, specifically the capacity by an increasing number of actors (including individuals) to link previously distinct databases, and the move at state and federal levels to integrated databases serving multiple functions. For example, are disclosures to a community health information system permitted under the Privacy Act? Under program-specific statutes such as those governing Medicaid information? When data are downloaded and then analyzed separately, does that constitute a new "system of records"? Does that activity constitute "research"?
We have begun the process of gathering information by meeting with experts who can help us identify the issues that require the development of new privacy policy and, ultimately, law. At the first inter-agency meeting, the VA, DoD and Indian Health Service presented summaries of their electronic information systems and the issues they are encountering as to data disclosure. A representative of the CDC analyzed the ongoing process and problems encountered with emerging state-level immunization data systems at the second meeting. At the third meeting, a researcher from the George Washington University Health Policy Program presented the interim findings of a study commissioned by PHS to review state confidentiality laws and identify gaps creating problems for state health agency officials. The fourth meeting included a presentation on the FTC settlement with the Medical Information Bureau regarding its policies on insurance companies' use of its information and a further briefing on the VA health information system.
The group has begun to assemble and analyze the information already learned, and will next begin drafting a document describing these issues.
Institutional policies
The group is developing a plan, with resource estimates, for identifying and disseminating current best practices for protecting privacy of individually identifiable health information (textual data and images) that is transmitted or is potentially accessible via the Internet/NII. The focus is on identifying best combinations of policy, procedure, and use of evolving technology. The group has identified categories of institutions and data uses for which best practices should be identified and has outlined the range of best practices needed, e.g., for management of privacy protection, for obtaining informed consent, for discouraging unauthorized redisclosure, for technical and procedural approaches to user authentication, encryption, auditing use, etc.
Current efforts are focused on a preliminary assessment of the extent to which written policies and procedures address these issues and on the identification of any other ongoing efforts to codify "best practices" for protecting the privacy and security of health data. Approaches include a comprehensive literature search, which will eventually be published by the National Library of Medicine, and telephone contacts with representatives (including professional associations) of the various types of institutions involved. The project will also draw on the work of a National Academy of Sciences study of best practices in health care settings that is being funded by the National Institutes of Health (National Library of Medicine and the Clinical Center) which began in September, 1995.
The federal role
As stated above, initially the group developed a proposal for a privacy advocate within HHS. That proposal has now been approved by the HHS Data Council, which has in turn recommended the establishment of the position to the Secretary. The primary function of this position would be to identify and influence privacy-related data policy decisions, and to serve as a signal to the public of concern for the careful use by the federal government of highly sensitive medical information. Members of the public with concerns in this area could contact the privacy advocate's office, as is also the case with the privacy advocate already established at the Internal Revenue Service.
More fundamentally, the group believes that federal privacy legislation covering medical records in all forms - - electronic and paper -- is urgently needed. Virtually all constituencies concerned with this issue are in agreement on this point. Consumers, providers, data systems vendors, payers and public health departments concur in the desire for a set of national rules on collection, use and disclosure of medical information. Legislation introduced as part of health care reform in 1993 achieved substantial bipartisan support, and similar legislation is planned for this session of Congress. Members of the group are closely following the efforts to enact such legislation.
Budget implications
The Privacy Working Group does not envision activities that will require additional budgetary resources.
Next steps
The primary focus of the group in the next year will be to draft a document that first identifies the variety of privacy issues raised by the new technological environment and proposes policy guidelines for resolving those issues. A draft of that document should be well underway by the time of the next status report, in six months. We also will pursue the publication of the best practices information, as described above, and will consult with other Administration staff on the content of medical records privacy legislation.