Confidentiality of Individually Identifiable Health Information. C. Patient Awareness and Control


We recommend that providers and payers, and those receiving information under the provisions of the legislation without patient authorization, be required to prepare a written notice to inform patients of their information practices and of the patients' rights regarding the health information.

We recommend that the explanation be required to provide information on whatever rights the patient has with respect to information, including, if applicable

-- the uses and disclosures of information authorized under the legislation and intended by the holder, as well as the protections available;

-- the right of the patient to prevent or limit disclosure in whatever circumstances that right exists;

-- the right to inspect and copy information and to seek amendments;

-- the procedures for authorizing disclosure of information and for revoking disclosure authorizations;

-- the procedures for the exercise of rights under the legislation, and the procedures, if any, for complaint, redress, or appeal; and

-- the fact that service organizations and those receiving information under the provisions of the legislation without patient authorization have explanations of information practices which are available upon request.

We recommend that providers and payers be required to give patients this explanation, or at least advise patients affirmatively of its availability and provide a copy upon request.

We recommend that service organizations and those receiving information under the provisions of the legislation without patient authorization be required to develop explanations of information practices meeting the same standards, and to provide a copy to patients upon request.

An informed citizenry is essential to protection of privacy. The basic structures for protection of health information should include requirements that patients be told what is being done with information about them, and what their rights are.

The Privacy Working Group of the President's Information Infrastructure Task Force formulated personal privacy principles (Principles for Providing and Using Personal Information (June 1995)), and three of them point to the centrality of public information and education:

II.B. Notice Principle. Information users who collect personal information directly from the individual should provide adequate, relevant information about:

  1. Why they are collecting the information;
  2. What the information is expected to be used for;
  3. What steps will be taken to protect its confidentiality, integrity, and quality;
  4. The consequences of providing or withholding information; and
  5. Any rights of redress.

II.E. Education Principle. Information users should educate themselves and the public about how information privacy can be maintained.

III.A. Awareness Principle. Individuals should obtain adequate, relevant information about:

  1. Why the information is being collected;
  2. What the information is expected to be used for;
  3. What steps will be taken to protect its confidentiality, integrity, and quality;
  4. The consequences of providing or withholding information; and
  5. Any rights of redress.

Likewise, the National Information Infrastructure Advisory Council (a public advisory committee to the President's Information Infrastructure Task Force) issued a statement, Common Ground: Fundamental Principles for the National Information Infrastructure (March 1995), which includes the following among its privacy and security principles:

10. Collectors and users of personally identifiable information on the NII should provide timely and effective notice of their privacy and related security practices.

11. Public education about the NII and its potential effect on individual privacy is critical to the success of the NII and should be provided.

The reasoning behind these principles emphasized that the public should be aware of uses and transfer of information that may not be clear or obvious. Health information is transmitted and used by a large number of agencies and institutions, and patients should know at least in a general way where it is going, how they can make corrections, and how to find out more information.

The explanation is of special importance in view of our recommendation below (HEALTH CARE AND PAYMENT) that disclosures of health information for health care and for payment be permitted without patient authorization, but that patients be permitted to object to particular disclosures for these purposes. The explanation of the patient's right in this regard is an integral element (together with direct legal controls on use of information by providers and payers) of this more realistic and informed patient control of information that we offer to replace the consent processes under which patients now permit their records to be passed around.

The Privacy Act of 1974 requires that Federal agencies advise the subjects of Federal records of their intended uses (5 U.S.C. § 552a(e)(3)). Cable television subscribers are entitled, under the Cable Communications Policy Act of 1984, to an annual notice of the cable company's information practices (47 U.S.C. § 551(a)). The recommended requirement would bring these salutary practices to health information.

All organizations should be required to have statements to inform patients, if they request it, of how they use health information, and what the rights of the patients are. The health care providers and payers, which have direct relationships with patients, should make this explanation available in an affirmative fashion, for example, at health care facilities, or with written material sent by mail to subscribers to health insurance plans. We recommend that the legislation require a written explanation that can be retained by the patient, so that patients can examine the policies and become aware of their rights at their leisure (when not under the anxiety sometimes attendant to receiving health care) and consult others as necessary. At the same time, we do not believe that it is desirable to prescribe in legislation the details of how the notice should be given.

Federal agencies could incorporate in the explanation proposed here the notice of information practices required by the Privacy Act.

Organizations that do not have direct contact with patients should also be required to prepare such an explanation and to make it available upon request.


We recommend that patients be allowed to inspect and copy health information about them held by providers and payers. We recommend that patients be allowed to inspect and copy health information held by public health authorities, and by oversight agencies in any situation in which an oversight agency has made an adverse decision about the rights, benefits, or privileges of the patient.

We recommend that those holding health information be permitted to deny patient inspection of particular information under any of these circumstances:

-- the information is about another person (other than a health care provider) and the holder determines that patient inspection would cause sufficient harm to another individual to warrant withholding.

-- inspection could be reasonably likely to endanger the life or physical safety of the patient or anyone else.

-- the information includes information obtained under a promise of confidentiality (from someone other than a health care provider), and inspection could reasonably reveal the source.

-- the information is held by an entity that has received it under the health oversight provisions of the legislation, and access by the patient could be reasonably likely to impede an ongoing oversight or law enforcement activity.

-- the information is collected in the course of a clinical trial, the trial is in progress, an institutional review board has approved the denial of access, and the patient has agreed to the denial of access when consenting to participate.

-- the information is compiled principally in anticipation of, or for use in, a legal proceeding.

We recommend that providers and payers be permitted to deny inspection if the information is used solely for internal management purposes and is not used in treating the patient or making any administrative determination about the patient, or if it duplicates information available for inspection by the patient.

We recommend, in instances where a patient is to be denied inspection, that the holder of the record be required to make available to the patient, to the maximum extent possible, any portion of the health information which is not allowed to be denied to the patient under the standards above.

We recommend that providers and payers be permitted to charge a reasonable, cost-based fee for inspection and copying a record.

We recommend that entities obliged to provide inspection rights be required to make a decision on patient inspection within 30 days of a request, and that if they deny inspection rights they be required to give the patient a written statement of the reason.

We recommend that existing rights of subject access and correction under the Privacy Act of 1974 not be diminished.

The ability to see one's own record is central to effective control of information and is a basic fair information practice. A patient's decision whether to disclose a record may depend on what the record says, and so access to the record is integral to making an informed choice to disclose information.

The "Code of Fair Information Practice" recommended in 1973 by the Secretary's Advisory Committee on Automated Personal Data Systems includes as one of its five basic principles:

There must be a way for an individual to find out what information about him is in a record and how it is used.
(U.S. Department of Health and Human Services, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens 41 (1973)).

The Privacy Protection Study Commission recommended that this right be available. (Personal Privacy in an Information Society 299 (1977)). A right to see one's record is available by law in 31 States (described in Public Citizen Health Research Group, Medical Records: Getting Yours (1995)), and has been a right (with very limited exceptions) in Federal health record systems since the Privacy Act of 1974 (5 U.S.C. § 552a(d)).

The exceptions that we recommend provide for the limited situations in which, in the judgment of health professionals, access to the record by the patient would cause grave harm, or, in the case of oversight activities, would endanger the oversight activity, or in the case of clinical trials, would endanger a trial.

There should be no obligation to employ the exceptions. In general, patients should be able to see and copy their records, but there should be a provision to permit health professionals to exercise their judgment to withhold information in the rare instances where that is appropriate. Further, the record holder should be able to deny access only to the portion of the record that falls within the stated exceptions. The record holder should redact the portions allowed to be denied, and should give the patient the rest of the information.

There need be no obligation to let patients see information used solely for internal management purposes, which is a duplicate of the basic patient record (e.g., a back-up copy), or which is gathered for litigation.

Some clinical trials will involve health care and thus will be covered by the law, and the usual right to see one's record raises a special issue in these cases. We believe that a right to see one's own record, properly managed, need not impair research.

Subjects in clinical trials are often, by design of the research, unaware of the identity of the medication they are taking, or of other elements of their record. The research design precludes their seeing their own records and continuing in the trial. Further, patient access during the trial could endanger the entire trial.

Thus, we recommend that it be clear that a patient can waive the normal right to inspect information while the trial is in progress, regardless of the length of the trial. This waiver would be an element of the patient's consent to participate in the trial. The institutional review board should have to approve it, and the patient should be told clearly of this condition. The subject should have the usual right to see the record after the trial is completed.

Some entities other than providers and payers should be obliged to provide patient access (and the related correction rights, described below). Public health agencies may be able to take actions to affect the lives of the patients. Some health oversight agencies can make operational choices that affect the patient, such as denial of payment, and it is essential that patients be able to see records held by these agencies, after a decision adverse to the patient is taken. Under current law, such disclosure is already required, and through adversary proceedings, patients can challenge incorrect information which served as the basis for the adverse decision.

In other instances (e.g., an accreditation study of a hospital by the Joint Committee on Accreditation of Health Care Organizations) no individual patient interest is at stake in the oversight activity, and access is less significant.

However, the right recommended here is not simply a right to fair procedure in an administrative transaction or criminal or civil legal action (which may be provided in any case by other law); it is a freestanding fair information practice right to see one's record at a time of one's choosing regardless of actual use in a proceeding or for decision making. It should be available unless there is a danger that patient access would impede the investigation. We recommend that any procedures established to implement these provisions not be unduly burdensome on law enforcement or oversight agencies.

We do not recommend that researchers who receive information under the provisions of the legislation without patient authorization be obliged to permit patient access. In most instances, they have no direct contact with patients, and under our recommendations would be prohibited from using such information against a patient.

The section on SERVICE ORGANIZATIONS, above, addresses the rights of patients to see information held by service organizations operating on behalf of entities that are obliged to give patients access to their records.


We recommend that patients be permitted to seek correction or amendment of health information about them held by any entity obliged to permit patients to inspect health information about them.

We recommend that these conditions govern responses to such requests:

-- if the entity makes the requested change, it must make reasonable efforts to inform others who have received the incorrect information about the change,

  who are identified by the patient; or

  who the entity knows have received the information, when it is reasonably foreseeable that the incorrect information may have an adverse impact on the recipient or patient.

-- if the entity makes the requested change, it must make reasonable efforts to inform known sources of incorrect information.

-- if an entity denies a request, it should inform the patient of the reasons for the denial and of any procedures for further review. The burden of proving that information needs to be amended or corrected should fall on the patient, and the legislation should not require a process for further review.

-- if a patient's request is denied, the patient should have the right to file a concise statement with the requested correction and the patient's reasons for disagreeing with the refusal. This statement should be included in any subsequent disclosure of the disputed portion of the information about the patient. The holder may include a concise statement of its reasons for not making the requested change.

This recommendation is intended to ensure basic fairness with respect to accuracy of information. It follows the pattern established by the Privacy Act of 1974 for Federal agencies (5 U.S.C. § 552a(d)(2)). It is not intended to interfere with medical practice, or modify standard record-keeping practices.

Reasonable attempts at notification of others should prevent the perpetuation and further transmission of erroneous information. The legislation should explicitly state a test of reasonableness in this regard, so that the vigor of the effort required is proportional to the importance of the information and the degree of hazard in disseminating incorrect information.

We recommend that it be clear that this provision is not intended to provide a procedure for substantive review of decisions such as coverage determinations by payers. It is intended to deal with the content of records, not the underlying truth or correctness of the events recounted in them. Attempts under the Privacy Act of 1974 to use the Act's correction mechanism as a basis for collateral attacks on agency determinations have generally been rejected by the courts. We intend the result to be the same here.

It is the standard practice of medical record keepers not to expunge any information in a treatment record. The usual procedure is to mark incorrect information and to add the correct information. Even if information is wrong, it is essential to the purpose of the medical record that the record reflect the information available when treatment decisions were made. We recommend no change in these practices, and there should be no requirement that information be erased or deleted. A record should be considered corrected or amended if incorrect information is marked as such, and the correct information added.


We recommend that providers and payers, and those receiving information under the provisions of the legislation without patient authorization, be required to retain a history of all disclosures of health information made for treatment, payment, research, oversight, public health, emergencies, to State data systems, for law enforcement, in judicial proceedings, and with the authorization of the patient.

We recommend that the record include the date and purpose of the disclosure; the name and address of the person to whom the disclosure was made or the location to which the disclosure was made; and where practicable, a description of the information disclosed.

We recommend that patients be permitted to see this record, except in the case of disclosures to and by health oversight agencies and to law enforcement agencies where access by the patient could be reasonably likely to impede those activities.

We recommend that the disclosure history be retained for the life of the record to which it relates.

We recommend that there be no obligation on service organizations to retain a record of disclosures in the course of treatment and payment transactions.

Patients ought to know who has seen information about them. This basic right was recommended by the Privacy Protection Study Commission (Personal Privacy in an Information Society 316 (1977)), and is available, with limited exceptions, under the Privacy Act of 1974 (5 U.S.C. § 552a(c)). The ability to see who has seen one's record is a form of control on disclosure. In a health facility where employees who receive care at the facility can easily check who has accessed their records, they often do check, and staff at the facility see this as an important confidentiality control (National Research Council, Computer Science and Telecommunications Board, For the Record: Protecting Electronic Health Information 98 (1977)).

Our recommendation does not envision that the legislation specify any particular form for retention of this history, as long as the inquiring patient can find out where his or her information went. Health facilities may choose to keep the disclosure history in a patient file, in a separate log, or in any other way, as long as it is possible to identify or accurately reconstruct the disclosures.

Our recommendations call for an exception to the right of patient access when access could be reasonably likely to impede oversight or law enforcement activities. We recommend that any procedures to implement these provisions not be unduly burdensome on oversight or law enforcement agencies.

No accounting should be required for disclosures made under the next-of-kin and directory information provisions (described below).