
Shalala Address on Privacy of Health Information - July 31, 1997

The Honorable Donna E. Shalala

Protecting Privacy of Health Information

National Press Club
Washington, DC

I have returned to the National Press Club to talk about one of the most serious issues facing our health care system. Something that affects every single American – every single one of you. That's the privacy of our most cherished and personal information: our medical records. Our family secrets.

Until recently, at a Boston-based HMO, every single clinical employee could tap into patients' computer records and see detailed notes from psychotherapy sessions. In Colorado, a medical student copies countless health records at night and sells them to medical malpractice attorneys looking to win easy cases. And, in a major American city, a local newspaper publishes information about a Congressional candidate's attempted suicide. Information she thought was safe and private at a local hospital. She was wrong.

What about us? When we give a physician or health insurance company precious information about our mood or motherhood, money or medication, what happens to it?

As it zips from computer to computer, from doctor to insurance company to hospital, who can see it? Who protects it? What happens if they don't? It all depends on the state you live in.

Every day, our private health information is being shared, collected, analyzed and stored with fewer federal safeguards than our video store records. Let me be frank. The way we protect the privacy of our medical records right now is erratic at best – dangerous at worst.

I will argue today that, to eliminate this clear and present danger to our citizens and our health care system, we must act now with national legislation, national education, and a national conversation.

As I was preparing this speech, I thought about a similar challenge faced by one of my predecessors, Secretary Elliot Richardson. The year was 1972 -- 25 years ago. The Vietnam war was drawing to a close -- and the first chapters of Watergate were being written. Public distrust of government was on the rise. And the computer age was just beginning.

It was against this backdrop that Secretary Richardson appointed an advisory committee to help the government figure out how to protect the privacy of data in this new world of technology. The report outlined a code of fair information practices -- including the need to eliminate secret data bases and give people more control over their personal information. It built the foundation for the landmark Federal Privacy Act, which protects the privacy of records kept by federal agencies. And, it helped lay out a vision for balancing our age-old right to be left alone with our desire to fulfill the promises of a new computer age. That is what we must do today -- this time for our private health records.

It is also what we, as nations and individuals, have always struggled to do. De Tocqueville described how our Founding Fathers dealt with the tension between individual rights and public responsibilities.

Great Americans like the late Justice Brennan dedicated themselves to protecting the individual against an all too powerful government and majority. Books like 1984 send a warning about lost autonomy – and lost humanity. Nations in the European Union recently enacted a Privacy Directive that will require them to protect personal data and only exchange it with other nations that have the same high standards.

Throughout time individuals have grappled with privacy -- whether they're getting an HIV test at a local clinic or complaining, as they did last week, about America Online's plan to sell its mailing list.

Yet, while our desire to be left alone has always remained constant, little else has. A lot has changed since Secretary Richardson confronted this issue. In the last 25 years, revolutions not only in computers, but also in biology and our health care delivery system have made our world dramatically different. Now, as Thomas Jefferson said "Our laws and institutions must keep pace with the progress of the human mind."

Twenty-five years ago, our health care privacy was protected by our family doctor -- who kept hand-written records about us sealed away in a big file cabinet. We trusted our physicians to keep their file cabinets locked and their mouths shut.

We trusted them not only because of the Hippocratic Oath and the fundamental ethics of medicine -- but because we knew them. They took care of our entire families.

We asked their advice about our personal problems. We went to school with their children. We shopped at the same stores. They came over for dinner -- and yes, some even made house calls.

Today, the revolution in our health care delivery system means that instead of Marcus Welby, we have to place our trust in entire networks of insurers and health care professionals -- both public and private.

The computer revolution means that our deepest and darkest secrets no longer exist in one place and can no longer be protected by simply locking up the office doors each night.

And, revolutions in biology mean that a whole new world of genetic tests has the potential to help either prevent disease or reveal our families' most personal secrets. Because without safeguards that assure citizens that getting tested won't endanger their families' privacy or health insurance or jobs, we could, in turn, endanger one of the most promising areas of research our nation has ever seen.

We are at a decision point. Depending on what we do over the next months, these revolutions in health care, communications, and biology could bring us great promise or even greater peril. The choice is ours.

We must ask ourselves, will we harness these revolutions to improve -- not impede -- our health care? Will we harness them to safeguard -- not sacrifice -- our privacy? And will we harness these revolutions to strengthen -- not strain -- the very lifeblood of our health care system -- the bond of trust between a patient and doctor.

For example, will health care information flow safely to improve care, cut fraud, ensure quality, foster research, and reach citizens in underserved areas? Or will it flow recklessly into the wrong hands – and be used to deny our citizens health insurance, jobs, and the confidentiality they expect and deserve? It is up to us.

The Institute of Medicine has said that electronic health records should be the wave of the future and the Congress has asked us to develop standards to make it happen.

Will they be used to help an emergency room doctor learn more about an unconscious patient -- like what diseases she has and which medications she's allergic to? Will they be used -- as they can be now -- to tell parents which immunizations their kids have -- and which ones they still need? Or will a pharmaceutical company use them to market the newest anti-depressant to someone with a family history of depression? Will a political group use them to embarrass a rival they believe once had an abortion or a child with a drug problem?

The fundamental question before us is: Will our health records be used to heal us or reveal us? The American people want to know. And, as a nation, we must decide.

Today, almost 75 percent of our people say they are at least somewhat concerned that computerized medical records will have a negative effect on their privacy. In one survey, about one-fourth of adolescents say they would not seek medical care unless their privacy and confidentiality were protected. And, how many people do you know -- do all of us know -- who have insurance but often choose not to use it because they're scared someone will find out about their therapy or other sensitive care?

If we don't act now, public distrust could deepen -- and ultimately stop citizens from disclosing vital information to their doctors, getting needed treatment for mental illness, going in for genetic tests, and participating in clinical research trials.

We've already seen this happen with some groups in the aftermath of the experiments at Tuskegee. And we know that, if unchecked, distrust can undermine and stop progress in our entire health care system.

The question is, what can we do? There are some who say we have already lost the battle. They say privacy in this new electronic world is impossible. Just give it up. Then there are others who say that consumers should not only have control over their health care information. They should have complete control. They say that Americans should even have the power to ensure that their records are kept on paper, not in computers.

Both of these approaches are wrong. We can't turn back the hands of progress or turn our backs on public responsibilities like research -- and we shouldn't. But we can and must do what Secretary Richardson envisioned: To look ahead and safeguard privacy in this new world of progress. Health care privacy can be safeguarded.

To do that, we must, first and foremost, enact national legislation -- to protect the privacy of our medical records -- and we must do it now.

We have federal laws that protect the privacy of video records, motor vehicle records, and credit records.

But, when it comes to our private health care records that can reveal personality traits, sexually transmitted diseases, and depression -- when it comes to personal information that travels in real time across hospitals, doctors' offices, and state lines -- even international borders -- we rely on a patchwork of state laws -- only about a dozen of which are comprehensive.

The fact is, we have no real federal health care privacy standards. We have no national standards. We do have a national interest -- now we must make a national commitment.

That's why in the Kassebaum-Kennedy law, Congress asked our Department to make recommendations for federal legislation protecting health care information. Our recommendations, which we will be sending to Congress next month, will be guided by five key principles:

First, the principle of boundaries. With very few exceptions, a health care consumer's personal information should be disclosed for health care and health care only.

Our goal is to make it easier to use information for health care purposes and very tough to use it for any other purpose. For example, we will recommend that a hospital be able to use personal health information to teach, train, conduct research, provide care, and ensure quality. But, on the other hand, employers who get health care information to pay claims cannot use it for any non-health purposes -- like hiring, firing, and promotions.

And, what about the third parties? Those who more and more often are hired to do billing and other services? They must be bound by the same tough standards. Even if they don't collect it, they still must protect it.

Second, the principle of security. When Americans give out their personal health care information, they should feel like they're leaving it in good safe hands. With information traveling from doctors to hospitals to insurers, at every juncture there exists the potential for greater care and graver privacy violations.

Think about all the ways that private information like your genetic tests could become public: People who are allowed to see it -- like those at the lab -- can misuse it either carelessly or intentionally. And, people who shouldn't be seeing it -- like marketers -- can find a way to do so anyway -- either because an organization doesn't have proper safeguards or they find an easy way around them.

If we are going to block this leakage, Congress must pass a law that requires those who legally receive health information to take real steps to safeguard it.

Third, the Principle of Consumer Control. No one should have to trade in their privacy rights to get quality health care. We will recommend that Americans have the power to find out who's looking in their records, what's in them, how to get them, and what they can do to change incorrect information.

Let me give you an example of why this is important. According to the Privacy Rights Clearinghouse, a physician in private practice was having trouble getting health, disability, and life insurance. She ordered a copy of her report from the Medical Information Bureau -- a clearinghouse used by many insurance companies. It included information about her heart problems and her Alzheimer's disease. There was only one problem. None of it was true. What if she hadn't requested her records? With electronic data, mistakes can multiply -- and sunlight is still the best disinfectant.

Fourth, the principle of accountability. If you're using information improperly, you should be severely punished. And we will be making recommendations to ensure that you are.

Most parents save the threat of punishment for their teenagers' worst offenses. When someone's health care privacy has been violated, it's not enough to say it's wrong. We need to show it's wrong.

We can't just tell a hospital worker to stay away from private medical records. We can't just tell a private investigator not to lie about their identity in order to see a patient's records. We need to enforce our messages with real criminal penalties for abuse.

At the same time, our nation needs to address another legal issue that has a tremendous impact on how people view their privacy: health care discrimination.

For some, the privacy issue didn't really catch their eye until the AIDS epidemic unfolded. Remember the outrage when someone leaked a list of people with AIDS from a public health clinic in Florida? With AIDS, citizens don't just have to worry that people will know they're sick. They also have to worry that people will make assumptions about their sexual orientation -- and use that information or their health status to discriminate against them.

The fact is, we will never fully address the issue of health care privacy until we give all Americans confidence that information in their medical records will not be used to deny them jobs or affordable health insurance. That's why we are fighting to enforce the Americans with Disabilities Act. It's why the Kassebaum-Kennedy law says you can't deny someone health insurance just because they have a pre-existing condition. And it's why the President recently announced his support for Congresswoman Slaughter's proposal to wipe out genetic discrimination in health insurance.

But, as we work to protect Americans from breaches of privacy, we must recognize that we have other critical -- yet often competing -- interests and goals.

And, that brings me to my fifth and final principle: the Principle of Public Responsibility.

Just like our free speech rights, privacy rights can never be absolute. We must balance our protections of privacy with our public responsibility to support national priorities -- like public health, research, quality care, and our fight against health care fraud and abuse.

For example, public health agencies use health records to warn us of outbreaks of emerging infectious diseases. Our Inspector General uses health records to zero in on kick-backs, over-payments and other fraud -- so we can bring the perpetrators to justice and the money back to the taxpayers. And researchers have used health records to help us fight childhood leukemia and uncover the link between DES and reproductive cancers.

In these cases, it's not always possible to ask for permission. And, in many cases doing so could create major obstacles in our efforts to fight crime and protect public health. But, that doesn't give us a free pass. Allowing access doesn't mean that we can forget about protecting privacy. And we shouldn't.

Take the case of research. We already rely upon institutional review boards to limit access to personal information and determine if it's necessary and advisable to waive the normal informed consent required to use medical records.

Our new recommendations go even further. They will make it clear that all researchers must carefully protect the privacy of the personal information they receive -- and we recommend penalties if they don't. That's important. As I said earlier, if we don't protect health records soon, we may no longer be able to trade valuable research data with Europe, under the EU's new Privacy Directive.

And, as Dr. William Lowrance made clear in a recent report I requested: if people don't trust the research community to protect their personal information, they may refuse to participate in clinical trials and they may even oppose the use of their records for all research -- no matter what the circumstances.

That could be devastating. But, national standards alone will not inspire trust in one's rights or commitment to one's responsibilities.

To protect health care privacy and instill trust in the American people, we need a major commitment to education. Which is my second point.

Every single health care professional, every insurance agent, every researcher, every member of an IRB, every public health official, every pharmacist, and yes, every member of the press -- every single person who comes in contact with health care records must understand why it's important to keep them safe, how they can keep them safe, and what will happen to them if they don't.

And we need to enlist their help -- your help -- in educating all consumers not just about the privacy risks in this new health care world, but also the rewards.

We need to help them understand not just their privacy rights, but also their responsibilities to ask questions and demand answers -- to become active participants in their health care. That's why the President's Advisory Commission on Quality and Consumer Protection -- which I co-chair -- has identified privacy and confidentiality as key priorities as they draft a Consumer's Bill of Rights.

We need an informed public -- because, as the National Research Council recently pointed out, we need an informed public debate. A national conversation to answer the tough questions. Which is my third and final point.

Take the issue of law enforcement. Should auditors be able to peek through your private medical records looking for fraud committed by a doctor? Most people would say yes. Should law enforcement officers be able to search through emergency room records looking for someone who has just fled the scene of a crime? Most people would say yes.

But, what happens if law enforcement officers are looking through insurance records for fraud and stumble upon information about a totally unrelated crime -- say drug usage? What then?

Or, for that matter, what happens if researchers stumble upon information about someone who may have exposed you to HIV? Is their obligation to your safety? Or the other person's privacy?

What happens if drug companies know you suffer from heart disease and send you information about their new treatment? Is that helpful or offensive? Does that change if the disease is depression? What about venereal disease?

These questions will sometimes be wrenching. They will always be changing.

But, they are not going away. We can't expect to solve this problem all at once. We need to be flexible, to change course if our strategy isn't working -- and meet new challenges as they arise.

When the Human Genome Project was created, we didn't know what miracles it would uncover. But, we did know we needed to devote real resources and energy to examine the legal, ethical, and social implications of all that we find. So that our ethics would always be just as sophisticated as our science. So that, as Jefferson said, our laws and institutions would always keep pace with the human mind.

Twenty-five years ago, Secretary Richardson looked into an uncertain future and tried to chart a course where individual rights and privacy would prevail. That challenge is now before us.

Twenty-five years from now, what will they say about the footsteps we left?

Will we leave the next generation with real federal privacy standards based on fundamental principles?

Will we have boundaries to ensure that, with very few exceptions, our health care information is used only for health care? Will we have assurances that our information is secure? Will we have control over what happens to it? Will those who violate our privacy be held accountable? And, will we be able to safeguard our privacy rights while still protecting our core public responsibilities like research and public health?

In short, will we harness these revolutions in biology, communications, and health care to breathe new life into the trust between our patients and their doctors, between our citizens and their government, between our past and our future?

We can. We must. And, if we act today, we will.

Thank you.