Confidentiality of Individually Identifiable Health Information

A. Coverage



We recommend that Federal health privacy legislation apply primarily to health care providers and payers.

We recommend that persons receiving information under the provisions of such legislation without patient authorization for health oversight, public health, research, or State data system purposes be subject to the requirements of the legislation.

We recommend that health care providers be defined as persons who receive, create, use, or maintain health information while providing health care in the ordinary course of business or practice of a profession, pursuant to license, certification, registration, or other legal authorization.

We recommend that payers be defined to include persons who pay for health care through contracts of insurance or in connection with employment, and government programs that pay for care under a benefit plan.

The legislation we recommend should apply in the first instance to providers of health care and payers for health care. They are at the heart of health care, and typically receive information directly from patients and generate health information. They are often one and the same.

In turn, others who receive health information under the provisions of the legislation without patient authorization should be bound by its requirements. They are referred to as "those receiving health information under the provisions of the law without patient authorization."

Providers are persons -- individual and institutional -- who receive, create, use, or maintain health information while providing health care (including preventive health services) in the ordinary course of business or practice of a profession, pursuant to license, certification, registration, or other legal authorization.

Health care payers pay for health care pursuant to advance agreements or statutory obligations -- the range of entities commonly described as "plans." They may include licensed insurance companies, hospital or medical service corporations, health maintenance organizations, or other entities licensed or certified by a State to provide health insurance or health benefits. They include employee welfare benefit plans and other arrangements that provide health benefits, whether or not funded through the purchase of insurance policies or contracts. They include public programs that pay for health care under a health benefit plan, such as Medicare, Medicaid, the health programs of the Veterans Health Service, and the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS). The term should not be defined to include individuals and families who pay for their own care.

The definition does not encompass liability insurers who receive health information, as needed, pursuant to claimants' authorization. Nor does it include life insurers, who receive information, with the patient's authorization, not as part of health care or payment, but to make underwriting decisions.

We are making no recommendations with respect to including workers' compensation under Federal health privacy legislation at this time. Although workers' compensation carriers receive health care information in much the same manner as health plans, the need under workers' compensation systems to coordinate the health benefits provided with both the indemnity benefits (e.g., lost wages and disability payments) provided under the system and the determination of a worker's ability to return to work raises potential questions about the appropriateness of certain disclosures of medical information. We are continuing to review the need for federal privacy standards in this area and will inform Congress of any recommendations that we have in this area when we complete our review.

We do not recommend that employers as such be controlled by the legislation, but they should be considered health care providers or payers when they actually perform those activities, and obliged to conduct themselves accordingly. (Controls on employers' use of health information so obtained for other purposes are discussed below in LIMITATIONS ON USE.)


We recommend that health care be defined to include

-- any preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the structure or function of the body;

-- any sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription; and

-- procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.


We recommend that health information include any information, oral or recorded, in any form or medium, including demographic information

-- that relates to the past, present, or future physical or mental health or condition of a patient, the provision of health care to a patient, or the past, present, or future payment for the provision of health care to a patient;

-- that is received, created, used, or maintained by a health care provider in the ordinary course of business or practice of a profession, or by a health care payer, or received by entities receiving information under the provisions of the legislation without patient authorization; and

-- that identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the patient.

We recommend that the legislation cover any information about the patient held by providers and payers for their health care and payment activities. Thus, information that in other settings would not be health information -- name, identification number, employment status, address, financial data, family size, education, employment history -- should be covered by the protections of the legislation we recommend if held by a health care provider or payer for health care or payment purposes.

The description of identifiability we recommend follows the text of the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (Social Security Act § 1171(6)). We recommend that a legislative definition be no more specific at this time. A precise advance definition is difficult, and there is inadequate basis at this time for recommending one. The only effective formulation now is a test of reasonableness: Information is identifiable if there is a reasonable basis to believe that the information can be used to identify an individual.

No single rule can define what constitutes readily identifiable data. Information is clearly identifiable if it includes a name, social security number or other generally known or readily available identification number, or photograph. Health information will normally be identifiable within providers and payers, and the identifiability question will typically have to be answered when information is to be disclosed outside a provider or payer. Reasonableness may depend on a judgment based on what other information is known to be available to a recipient, and the amount of effort and time that would be needed to achieve a positive identification.

Other legal formulations are not more precise than the HIPAA formulation. The European Union data protection directive, a recent well-debated formulation of privacy rules, uses this test:

an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; (Art. 2(a))

The Council of Europe's "Recommendations of the Committee of Ministers to Member States on the Protection of Medical Data" (No. R(97)5 (1997)) states a reasonableness test, but adds an "effort" standard:

....the expression "personal data" covers any information relating to an identified or identifiable individual. An individual shall not be regarded as "identifiable" if identification requires an unreasonable amount of time and manpower. (Appendix, Art 1.)

The standard we recommend should not be read to mean that information is identifiable if there is a remote chance that somebody might possibly be able to identify a patient from a general description. The Panel on Confidentiality and Data Access of the Committee on National Statistics addressed this issue, and noted that zero-risk requirements for disclosure of statistical records were unrealistic. It recommended a standard that calls for a "reasonably low risk of disclosure of individually identifiable data." (George T. Duncan et al, eds., Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics 137 (1993)). The panel recommended that the Office of Management and Budget should continue to coordinate research work on statistical disclosure analysis (at 155-157). This will be especially important as changes in the character and availability of technology alter the quantum of information constituting an identifier. Our recommendations include authority for issuance of guidelines for what levels and amounts of information constitute "identifiable" information, and guidelines for minimum allowable disclosures in particular situations (IMPLEMENTATION, below).

Records disclosed in a form not intended to be individually identifiable should not be used intentionally to identify a person. A person who obtains such information with the intention of identifying individuals should be regarded as having obtained health information under false pretenses (CRIMINAL PENALTIES, below).

Our recommendations do not distinguish among different types of health information based on presumed sensitivity, although we recommend leaving in place State and Federal laws that make that distinction. Our intent at this time is to recommend a meaningful minimum floor of privacy protections in Federal law for all types of health information. At the same time, we recognize that there are arguments for providing additional protection to certain types of health information that people view as particularly sensitive. We can learn from, and build on, States' experience with privacy laws that protect such information, and work with interest groups, privacy advocates, and others to assess how such information is best protected. Such information could be the subject of future Federal action; we look forward to working with the Congress in determining when such protections are appropriate.

We recommend that research in which care is not delivered not be considered "health care," and thus not be covered. There are some existing protections for information gathered solely for research, which should continue to apply (RESEARCH, below).


We recommend that providers and payers, and those receiving information under the provisions of the legislation without patient authorization, be permitted to engage other organizations, "service organizations," pursuant to contractual arrangements, to carry out functions for them that require use of health information.

We recommend that providers and payers be required to advise their service organizations that their work is subject to the law, whereupon these organizations should become subject to the law.

We recommend that service organizations be obliged to observe the use and disclosure restrictions, and to have a statement of information practices and to make it available upon request, but not be obliged to provide subject access and correction rights.

Much health information obtained and used by the providers and payers is processed by service organizations engaged by contract. The patient does not have a direct relationship with these organizations and typically does not know of their role in the flow of information.

Physicians and other providers engage companies to code, and to process bills and forward them to the appropriate payer. These companies may in turn deal with others engaged by payers. Between them, yet other companies may process health information by passing it from a provider's clearinghouse to a similar organization engaged by a payer. In some instances, these organizations make substantive or adjudicatory choices affecting the patient on behalf of their principals. In others, they do not, and may not retain the information in ways that permit easy retrieval.

Often there are no clear distinctions among the functions these many processors are performing. As an agent of a payer, a pharmacy benefit management company adjudicates and pays claims, and may manage a formulary. It also provides health care, in conjunction with the pharmacist, in looking for drug interactions -- advising the pharmacist, physician, or patient that a prescribed drug taken in combination with one prescribed earlier may have adverse effects. A payer may engage a pharmacy benefit manager to operate a disease management program to assist patients in managing their illnesses, often chronic conditions such as asthma and diabetes, by education through direct mail and telephone communication to the patient, online communication with physicians and pharmacists, and video materials.

We recommend that everyone in this chain of information handling be covered by the same rules.

Patients must be assured that their privacy protections are not lessened when the providers or payers with which they have established relationships give information to outside service organizations for processing. Thus, service organizations, once advised of the nature of the information they are handling, should be independently bound by the confidentiality restrictions applicable to the principal which engaged them.

They should not use or disclose patient information unless their principals explicitly permit, and the principals should be bound by the legislation in granting such permission. Thus, a service organization should not make independent use of this information unless the provider or payer permits such use, and then only if the legislation permits such use, i.e., with the authorization of the patient, or for a purpose for which the payer or provider could use it or disclose it.

The complexity and multitude of these arrangements, and the typical lack of contact with the patient, make it impractical to impose on service organizations the obligation to provide access and correction rights (discussed below in PATIENT INSPECTION AND COPYING OF RECORDS and PATIENT CORRECTION OF RECORDS.) However, patients should be able to exercise these rights by contacting their providers or payers, and providers and payers may by contract require their processors to provide the necessary access and correction. Service organizations should not be required by law to offer patients a statement of the information practices, but they should be required to have such a statement and to make it available upon request.

Processing of information by these organizations is a natural and understandable source of concern. There have been proposals that patients be permitted to forbid the computerization of their records, or otherwise to control directly the flow of information through the payment system. The National Committee on Vital and Health Statistics considered this possibility and had this observation:

The Committee is not sympathetic to the notion that patients should have a choice in the technology used to create, store and transmit health information. This is not a choice that record subjects [have] for records maintained by other third party record keepers such as banks and employers. Requiring health record keepers -- who are spending vast sums on computerization -- to retain parallel paper systems is impractical and costly. It would deny the benefits and savings that the Congress has already determined will result from increased use of modern information technology. Computers are an inevitable part of modern health care and indeed are intrinsic to the actual delivery of hospital care today. Patients must accept this and move on to debate the proper protections for records in a computerized environment. (Health Privacy and Confidentiality Recommendations of the National Committee on Vital and Health Statistics, Approved on June 25, 1997)

Control at this level of detail would be harmful to patients, since the effective and rapid processing of information, often for the benefit of the patient, depends on computerized systems. Our recommendation is for legislation that permits relationships necessary to operate the care and payment system, with common legal controls on all concerned to protect the patient information.

However, should it appear in the future that patient interests are being compromised by contractual arrangements that obscure choices about use and disclosure of information, or that thwart legitimate patient control over information, Congress might want to consider imposing obligations directly on these entities.

In addition to engaging outside organizations to process information about patients, providers and payers will on occasion need to give identifiable information to attorneys, insurers, auditors, and similar special-purpose service organizations. These recipients should be subject to the same use and disclosure restrictions that apply to the information in the hands of the providers and payers.

A similar mechanism, provision for a "qualified service organization," has long been in use under the Federal substance abuse confidentiality statute (Public Health Service Act § 543, 42 U.S.C. § 290dd-2). The regulation interpreting that statute permits substance abuse treatment providers to share patient information with outside organizations under agreements similar to the ones we propose here (42 C.F.R. §§ 2.11 (Qualified service organization) and 2.12(c)(4)).


We recommend that providers and payers which are Federal, State, or local government agencies be permitted to employ other government agencies, in accord with applicable law, to carry out functions for them that require identifiable health information. The other governmental organizations should be subject to the same disclosure and use restrictions as the covered entity.

This is a governmental counterpart to the previous recommendation. Entities which provide or pay for health care, including government agencies, should be obliged to limit patient health information to the units or organizations actually performing those functions. However, government health providers or payers might on occasion use either outside private organizations (as discussed above) or other parts of their own departments or other departments of government for functions that involve personally identifiable information, such as central data processing facilities. Likewise, State attorneys general's offices, and the Department of Justice, provide legal services to State and Federal health care facilities and may in the course of that work have access to health information. For such divisions of work within government, existing statutes may govern relationships, and the private contractual model is not directly usable. But the service agencies should be subject to the same use and disclosure restrictions as the covered entity, and thus should not use information about patients obtained in the course of this work for other purposes.