Confidentiality of Individually Identifiable Health Information. A. Background

09/11/1997

The American people expect, and are entitled to, confidential, fair, and respectful treatment of health information about themselves. This report recommends that the Congress enact legislation requiring that treatment.

The need for such legislation is found in the rapid changes in the ways that health care is provided, documented, and paid for in the United States. These changes pose a challenge to American values that are both complementary and competing.

On the one hand, patients have a legitimate need for assurance of the confidentiality that permits them to be frank with their physicians about their health conditions and behavior. That assurance is fundamental to effective diagnosis, treatment and healing, and to the privacy that we in the United States cherish as essential to personal freedom and well-being.

On the other hand, participants in the health care system -- insurers, governments at all levels, managed care organizations -- have legitimate needs for access to health records in performing their roles in the system. Furthermore, those pursuing broad social purposes -- medical researchers, public health workers, governmental policy makers seeking to contain health care costs -- rely on the availability of data arising from these private transactions. Local public health agencies use health records to identify outbreaks of infectious disease, and to trace the source of infections like the recent e. coli infections. Researchers have used health records to help us fight childhood leukemia and uncover the link between DES and reproductive cancers.

Until comparatively recently, any tension between these needs for confidentiality and access was resolved directly between patients and their physicians. They conducted an essentially one-on- one relationship, in examination, treatment and payment, and, with some exceptions, could limit access to information about the patient. The paper records once kept under the control of physicians are giving way to computerized information which is increasingly stored far from its source -- the patient and the physician -- in forms and even locations of which they may have only imperfect understanding. Even physicians may be frustrated in their traditional role as patient advocates by the complexity of the systems that process their patients' information.

Moreover, patients may have little if any contact with some of the doctors and payers involved in their care. The result has been a weakening of the traditional, if often informal, controls that patients and physicians previously exercised to protect patient information.

The President spoke to the importance of these concerns in his commencement address at Morgan State University on May 18, 1997. He said that "technology should not be used to break down the wall of privacy and autonomy free citizens are guaranteed in a free society". He acknowledged the special concerns surrounding health records in his call for enhanced protections for privacy in the face of new technological reality, when we are facing "the frightening prospect that private information -- even medical records -- could be made instantly available to the world."

Our Nation's participation in the Global Information Infrastructure (GII) has sharpened the issues, and our plans for that participation include attention to privacy protection. The statement of the President and Vice-President, A Framework for Global Electronic Commerce reflects this concern and commitment:

Americans treasure privacy, linking it to our concept of personal freedom and well-being. Unfortunately, the GII's great promise -- that it facilitates the collection, re-use, and instantaneous transmission of information -- can, if not managed carefully, diminish personal privacy. It is essential, therefore, to assure personal privacy in the networked environment if people are to feel comfortable doing business.

The concern about confidentiality of health information appears against a backdrop of more general concern about privacy, well expressed by Alan Greenspan, the Chairman of the Federal Reserve Board:

The fears of invasion of privacy, as a consequence of inexorable forces seemingly out of the control of the average American, has risen to a major public policy issue. (Speech, Conference, "Privacy in the Information Age", Salt Lake City, Utah, March 7, 1997)

These concerns are not confined to the United States. The European Union (EU) has addressed the issue, and the EU data protection directive requires member States to "protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to processing of personal data".(1)