We recommend that there be a duty not to use or disclose health information except as authorized by the patient, or as explicitly permitted by the legislation.
We recommend that there be no duty to disclose information (except to the patient), and that other laws providing greater protection for health information, or rights for the patient, remain in effect.
We recommend that providers and payers and those receiving information under the provisions of the legislation without patient authorization be permitted to use the health information only for purposes compatible with and directly related to the purposes for which the information was collected or received, or for purposes for which they would be authorized to disclose the information.
We recommend that legislation constrain the use of information within organizations. Organizations with many purposes and activities do on occasion create or collect information while acting as health care providers or payers. They may also receive information from providers or payers.
The fact that an organizational entity holds information is not a proper basis for its uncontrolled use within the organization. Under the requirement we recommend, entities holding records should have to make distinct and explicit choices about which activities are sufficiently connected with their health activities to warrant the use of identifiable health information. Other uses could be made only with patient authorization, or under provisions of the legislation that permit disclosure without patient authorization.
This requirement should not interfere with normal uses of information in the health care delivery or payment process, but should prevent uses extraneous to health, and may limit some existing uses of health information. We recommend that this be a somewhat more restrictive control than the Federal Privacy Act, which permits disclosure to officers and employees of the agency maintaining the record who have a need for the record in the performance of their duties (5 U.S.C. § 552a(b)(1)).
It is not possible or desirable to set forth in legislation all appropriate internal uses for health information by providers and payers. A general statutory standard is required, and so our recommendation calls for limiting use of health information to purposes compatible with and directly related to the purpose for which the information was collected or received.
For hospitals, for example, the use of health information to provide health care is obviously within the purpose of collection, and providing health care includes a wide variety of activities like management analysis, quality assurance and similar oversight activities, carrying out mandates of law, teaching, training, and research activities. Likewise, a provider or payer should be permitted to use information internally for a purpose for which it could make a disclosure.
This limitation on how patient information is used is especially applicable to organizations that are not primarily health care providers or payers, but that perform those functions, such as employers. This proposal is not intended to cover employers as such. Existing laws (such as the Americans with Disabilities Act of 1990 § 102 (42 U.S.C. § 12112) and the Rehabilitation Act of 1973 (29 U.S.C. § 793) (with regulation at 41 C.F.R. § 60-741.23)) constrain the collection, use and disclosure of health information by employers and should not be disturbed.
But we recommend that employers, when they function as providers or payers, be required to conduct themselves as such under the legislation. Workers have worried that employers get health information about them, and often their families, in the claims payment process, and may use it to discriminate against them. (Marilyn J. Field and Harold T. Shapiro, eds., Employment and Health Benefits: A Connection at Risk at 148 (1993)). This study by the Institute of Medicine recommends explicitly (at 246) that employer access to certain information collected in connection with health benefits be limited through controls similar to those in the Americans with Disabilities Act of 1990.
We recommend just such controls, by regulating how an employer uses information received in the payment process, either as a self-insurer or by processing claims en route to an insurance company. Information should not be used outside of the payment activity. An employer could not use it, for example, to make decisions about promotions or job assignments. Even if employers have information in identifiable form for statistical and analytic operations related to payment, or for oversight of an outside payer, the legislation should forbid its use for anything but these payment-related purposes. Employers should be required to build impermeable barriers between activities that use health information and their other activities.
The same considerations apply to health care delivered by an employer, or on the employer's premises, or by employee assistance programs. The information obtained in rendering these health services should not be used by the employer for purposes outside the purposes for which it was collected, except as authorized by the patient or otherwise allowed by the law.
The examples here are from the employment context; the requirement should be applicable to all who have health information.
We recommend that providers and payers and those receiving information under the provisions of the legislation without patient authorization be required to maintain reasonable and appropriate administrative, technical, and physical safeguards
-- to ensure the integrity and confidentiality of health information; and
-- to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information.
We recommend the statutory formulation of a basic obligation of all record holders -- to safeguard the information.
No legislation can effectively specify how to do this, but it can require diligent and attentive choices of security measures. The technology is varied and dynamic, and different types of technology and information call for different types and degrees of security. We recommend that the legislation require providers and payers to take the appropriate levels and types of protective measures. The legislation should not create an obligation of absolute security. The key words are "reasonable," "appropriate," and "reasonably anticipated," to permit consideration of the degree of risk, the likely consequences of compromise, and the expenditure, financial and other, required to address the risk.
The measures should especially include employee education, clear and certain punishment for misuse, and technical controls on access to information within an organization, since there is evidence that a substantial threat to information is careless or deliberate misuse by those who have authorized access to it in their normal work activities.
A growing body of policy and technical material will help managers in formulating their plans in this regard.
The Office of Management and Budget has promulgated policy establishing a minimum set of controls to be included in Federal automated information security programs (OMB Circular A-130, Management of Federal Information Resources, Appendix III (February 1996)).
A recent study (commissioned by the National Library of Medicine of the National Institutes of Health and funded by the Library with additional support from the NIH Warren G. Magnuson Clinical Center and the Massachusetts Health Data Consortium) identifies best practices in social and technical mechanisms for protecting privacy and maintaining security that are currently used in information systems for health care. (National Research Council, Computer Science and Telecommunications Board, For the Record: Protecting Electronic Health Information (1997)).
The Health Insurance Portability and Accountability Act of 1996 requires the Secretary of Health and Human Services to develop standards for electronic transmission of financial and administrative information about health transactions, including security standards. Most of these standards will be published for initial comment this year.
The Center for Democracy and Technology has produced Privacy and Health Information Systems: A Guide to Protecting Patient Confidentiality (1996), a guide to help designers of electronic health information systems to identify and deal with confidentiality issues.
The Computer-based Patient Record Institute (CPRI) has produced a series of publications with guidance on security policies for computer-based patient records. (Guidelines for Establishing Information Security Policies at Organizations Using Computer-based Patient Records (January 1996), Guidelines for Information Security Education Programs (June 1995), Guidelines for Managing Information Security Programs (January 1996), Sample Confidentiality Statements and Agreements (May 1996), and Security Features for Computer-based Patient Record Systems (September 1996)).
We recommend that all uses and disclosures be restricted, to the extent practicable, to the minimum amount of information necessary to accomplish the purpose for which the information is used or disclosed.
This recommendation is for an obligation to design systems to limit the amount of information that is disclosed to the minimum necessary for the intended purpose.
Any judgment about what is practicable, and what is minimum, must take into account the technical capabilities of record systems and the costs of limiting uses and disclosures. It is likely to be easier to limit disclosure when disclosing computerized records than when providing access to paper records. Technological mechanisms to limit the amount of information available for a particular purpose, and make information available without identifiers, are an important contribution of computerization to personal privacy. For example, limited fields of information can be disclosed, and identifiers can be stripped. As a practical matter, sorting through paper records to ensure that only the minimum amount is disclosed will be expensive and time-consuming and can risk compromising the integrity of the record, and these factors relate to practicability.
As technologies develop, it will become easier and cheaper to provide minimum information and to limit disclosure. We recommend that a Federal agency be authorized to issue guidelines for what levels and amounts of information constitute "identifiable" information, and guidelines for minimum allowable disclosures in particular situations.
Recent studies have emphasized the value of privacy-enhancing technologies (PETS) in accomplishing necessary transactions with a minimum of identifying information. The Dutch Data Protection Authority and the Information and Privacy Commissioner for the Province of Ontario, Canada, both governmental privacy protection entities, recently collaborated in producing a report exploring privacy technologies that permit transactions to be conducted anonymously. (Information and Privacy Commissioner/Ontario, Canada, and Registratiekamer, the Netherlands, Privacy-Enhancing Technologies: The Path to Anonymity (1995)).
The provision we recommend should not be a basis for automatic withholding of records in situations where the requester is best positioned to determine what information is necessary, such as oversight and public health investigations.
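The two mechanisms the recommendations rely on, limiting use to purposes compatible with collection and disclosing only the minimum necessary fields (with identifiers stripped where the purpose does not need them), can be enforced at the point of release from a computerized record system. The following is an added illustration, not code from the recommendations or from any cited body; the purpose names, field names, the purpose-to-field policy and the sample record are all constructed assumptions.

```python
# Added example: a purpose-bound disclosure filter enforcing use limitation
# and "minimum necessary". Policy and field names are assumptions.

# Fields treated as direct identifiers (assumed list).
IDENTIFIERS = {"name", "ssn", "dob", "address"}

# Assumed purpose-to-field policy. Purposes absent from this table are not
# compatible with the purpose of collection (e.g. an employer deciding on a
# promotion from claims data) and are refused outright.
POLICY = {
    "treatment":         {"name", "dob", "diagnosis", "medications", "allergies"},
    "claims_payment":    {"name", "dob", "diagnosis", "procedure_codes", "charges"},
    "quality_assurance": {"diagnosis", "procedure_codes", "outcome"},
    "research":          {"diagnosis", "medications", "outcome"},
}

# Purposes that can be served without identifiers get them stripped even if a
# policy entry accidentally lists one.
DEIDENTIFIED_PURPOSES = {"quality_assurance", "research"}


class UseNotPermitted(Exception):
    """Raised when the requested purpose is incompatible with collection."""


def is_permitted(purpose: str) -> bool:
    return purpose in POLICY


def disclose(record: dict, purpose: str) -> dict:
    """Return only the fields needed for `purpose`, refusing incompatible uses."""
    if not is_permitted(purpose):
        raise UseNotPermitted(f"purpose {purpose!r} is not compatible with collection")
    fields = POLICY[purpose]
    if purpose in DEIDENTIFIED_PURPOSES:
        fields = fields - IDENTIFIERS
    # Copy only the permitted fields; everything else never leaves the system.
    return {k: v for k, v in record.items() if k in fields}


# Constructed sample record (fictional values).
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "000-00-0000", "dob": "1960-01-01",
    "address": "1 Example St", "diagnosis": "J45.909",
    "medications": ["albuterol"], "allergies": [], "procedure_codes": ["99213"],
    "charges": 120.0, "outcome": "stable",
}

if __name__ == "__main__":
    print(disclose(SAMPLE_RECORD, "research"))
```

In practice the policy table would live outside the code, and each call to `disclose` should also be logged with the purpose, requester and fields released, so that releases can be audited against the policy.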