Vice-President Gore's March 8, 1995 memorandum to Secretary Shalala called for an inter-agency effort to analyze better methods of privacy protection in connection with health care applications of the National Information Infrastructure. In particular, the memorandum highlighted three privacy-related concerns:
the inadequacy of current laws in addressing privacy and confidentiality in an electronic environment;
the varying quality of the policies adopted by institutions that hold health information; and
the need to analyze the federal role in this area.
The Privacy Working Group initially formed as a departmental task force, commissioned by the department's committee on data policy. Its initial focus during the first half of 1995 was on developing a proposal for a privacy advocate office within HHS, a proposal generated during the REGO II process. The group has now evolved into an inter-agency committee and has prioritized the questions outlined in the Vice-President's memorandum. (See initial memorandum to representatives of other agencies, attached hereto.) Its members include representatives from all federal agencies with direct involvement in health-related information, including OMB, VA, DoD, and Social Security, as well as agencies within HHS (such as HCFA and the Indian Health Service). The group meets twice a month.
Privacy in an electronic environment
The group has begun to assemble and analyze the information already learned, and will next begin drafting a document describing these issues.
The group is developing a plan, with resource estimates, for identifying and disseminating current best practices for protecting privacy of individually identifiable health information (textual data and images) that is transmitted or is potentially accessible via the Internet/NII. The focus is on identifying best combinations of policy, procedure, and use of evolving technology. The group has identified categories of institutions and data uses for which best practices should be identified and has outlined the range of best practices needed, e.g., for management of privacy protection, for obtaining informed consent, for discouraging unauthorized redisclosure, for technical and procedural approaches to user authentication, encryption, auditing use, etc.
Current efforts are focused on a preliminary assessment of the extent to which written policies and procedures address these issues and on the identification of any other ongoing efforts to codify "best practices" for protecting the privacy and security of health data. Approaches include a comprehensive literature search, which will eventually be published by the National Library of Medicine, and telephone contacts with representatives (including professional associations) of the various types of institutions involved. The project will also draw on the work of a National Academy of Sciences study of best practices in health care settings that is being funded by the National Institutes of Health (National Library of Medicine and the Clinical Center) which began in September, 1995.
The federal role
As stated above, initially the group developed a proposal for a privacy advocate within HHS. That proposal has now been approved by the HHS Data Council, which has in turn recommended the establishment of the position to the Secretary. The primary function of this position would be to identify and influence privacy-related data policy decisions, and to serve as a signal to the public of concern for the careful use by the federal government of highly sensitive medical information. Members of the public with concerns in this area could contact the privacy advocate's office, as is also the case with the privacy advocate already established at the Internal Revenue Service.
More fundamentally, the group believes that federal privacy legislation covering medical records in all forms -- electronic and paper -- is urgently needed. Virtually all constituencies concerned with this issue are in agreement on this point. Consumers, providers, data systems vendors, payers and public health departments concur in the desire for a set of national rules on collection, use and disclosure of medical information. Legislation introduced as part of health care reform in 1993 achieved substantial bipartisan support, and similar legislation is planned for this session of Congress. Members of the group are closely following the efforts to enact such legislation.
The Privacy Working Group does not envision activities that will require additional budgetary resources.
The primary focus of the group in the next year will be to draft a document that first identifies the variety of privacy issues raised by the new technological environment and proposes policy guidelines for resolving those issues. A draft of that document should be well underway by the time of the next status report, in six months. We also will pursue the publication of the best practices information, as described above, and will consult with other Administration staff on the content of medical records privacy legislation.