Confidentiality of Individually Identifiable Health Information. B. Why Federal Legislation is Needed


The existing legal structure does not effectively control information about individuals' health. Federal legislation, establishing a basic national standard of confidentiality, is necessary to provide rights for patients and define responsibilities for record keepers. Today, patients often sign blanket authorizations allowing use of their medical information in order to obtain treatment or payment for care. These authorizations may not really protect us, in part because they do not provide useful information about how our health records will be used, who will see them, or how we can get access to them. Such authorizations are not always voluntary -- if we do not sign the blanket authorization, we may sacrifice the ability to receive care or insurance benefits. In addition, as the health care system becomes more integrated and more computerized, it is becoming difficult to determine the appropriate person or place where our health information can be accessed or controlled.

For these reasons, we are recommending that Congress replace the ineffective use of authorizations with a system of Federal legislative controls on the use of health information collected by health care payers and providers. As described below, Federal legislation should authorize sharing information for health care treatment and payment, and prohibit use of that information for most other purposes. Such legislation should also provide consumers with specific rights to know how their information will be used, to get access to that information, to request correction of errors, and to know who has seen their medical information.

Before turning to the details of our recommendations, however, it is important to describe the current situation, and the general consensus that Federal action is needed.

Current Protections are Inadequate. Today the legal control of health information is, in general, a matter of State law. Limited Federal law covers specialized classes of information such as information about substance-abuse patients and information gathered in some Federally funded programs. The Privacy Act of 1974 provides some procedures and protections for records, including health records, held by Federal agencies.

All States have legal controls on the use and disclosure of health information, including a few comprehensive acts similar in broad outline to the Federal legislation we recommend here. Two States have enacted the Uniform Health-Care Information Act recommended by the National Conference of Commissioners on Uniform State Laws in 1985.(2) Many State laws protect special classes of health information, about HIV infection and AIDS patients and about mental health patients, for example. Some State case law imposes confidentiality duties.

These State laws vary greatly in scope and strength, and the situation has been described as "a morass of erratic law, both statutory and judicial, defining the confidentiality of health information."(3)

The Health Care Information System Is Increasingly Interstate. The health care system, particularly its information component, is very much an interstate activity, and will continue to develop in that direction. Computerization and telecommunications render the concept of "location" of information nearly meaningless. Patients receive care in more than one State, information about them is moved electronically across State borders to obtain payment (often through and to places remote from the patient and the provider), and providers operate across many States. In its administrative simplification requirements, the Health Insurance Portability and Accountability Act of 1996 calls for uniform standards for electronic transactions in health administration precisely because separate standards developed at other than the national level are not workable.

There is continuing movement toward a computer-based patient medical record, with national standards for content and format, and the possibility of ready interstate transmission as needed for patient care. A major impetus toward adopting this type of record was a report of the Institute of Medicine in 1991 that recommended adoption of the computer-based patient record as the standard for all patient care records.(4)

Likewise, increasing use of telemedicine means that patient information will often cross State lines, sometimes in real-time delivery of care. This promising development is an important facet of the National Information Infrastructure because of its potential to provide greater access to quality health care for all Americans, especially those living in rural and remote areas.

The Problems Are Urgent. The need for Federal protection is not theoretical; it is real and it is urgent. In a major American city, a local newspaper published medical record information about a Congressional candidate's attempted suicide. But it is not just public figures such as the Congressional candidate or Arthur Ashe (whose HIV status was published in a newspaper without his permission) who are at risk:

  • The director of a work site health clinic operated by a large manufacturing company testified before the National Committee on Vital and Health Statistics that he was frequently pressured to provide personal health information about his patients to their supervisors.
  • Until recently, at a Boston-based HMO clinic, all employees could tap into patients' mental health treatment records in the clinic's computer. In Colorado, a medical student copied health records at night and sold them to medical malpractice attorneys.
  • Medical records were dumped in a parking lot after a psychiatric clinic in Louisiana was sold.

Inappropriate disclosure of personal medical information is not the only problem we are facing. Errors in health information, errors that can have profound financial effects, are often too difficult to correct. Such inappropriate handling of medical information can and should be prevented.

Calls for Federal Legislation. Numerous analyses over several years by government, industry, and professional groups have identified serious gaps in protections for health information, especially in the unregulated exchange of data, and have recommended Federal legislation to close them. There also has been significant Congressional action toward this goal, including several comprehensive health privacy bills introduced by Senators Bennett and Leahy, Representative McDermott, and Representative Condit. The fact that Congress, in the Health Insurance Portability and Accountability Act, mandated that the Department of Health and Human Services produce these recommendations is further evidence that the Congress understands that the time has come for action.

  • Earlier this year, the National Committee on Vital and Health Statistics held hearings and advised on this issue. After six days of hearing witnesses from the full spectrum of public and private constituencies concerned with privacy, consumer interests, and operation of the health care system, the Committee strongly recommended that the 105th Congress enact a health privacy law.(5)
  • The Office of Technology Assessment, in a study of privacy and medical information, noted that lack of legislation "allows for a proliferation of private sector computer databases and data exchanges without regulation, statutory guidance, or recourse for persons wronged by abuse of data."(6)
  • A study of regional health data networks by the Institute of Medicine recommended Federal privacy legislation.(7)