Confidentiality of Individually Identifiable Health Information. D. Principles

09/11/1997

Our recommendations are founded on five key principles:

Boundaries. An individual's health care information should be used for health purposes and only those purposes, subject to a few carefully defined exceptions. It should be easy to use information for those defined purposes, and very difficult to use it for other purposes. Federal health record confidentiality legislation should impose a legal duty of confidentiality on those who provide and pay for health care, and on other entities that receive health information from them.

Security. Organizations to which we entrust health information ought to protect it against deliberate or inadvertent misuse or disclosure. Federal law should require such security measures.

Consumer Control. Patients should be able to see what is in their records, get a copy, correct errors, and find out who else has seen them. Our recommendations significantly strengthen the ability of consumers to understand and control what happens to their health care information.

Accountability. Those who misuse personal health information should be punished, and those who are harmed by its misuse should have legal recourse. Federal law should provide new sanctions and new avenues for redress for consumers whose privacy rights have been violated.

Public Responsibility. Individuals' claims to privacy must be balanced by their public responsibility to contribute to the common good, through use of their information for important, socially useful purposes, with the understanding that their information will be used with respect and care and will be legally protected. Federal law should identify those limited arenas in which our public responsibilities warrant authorization of access to our medical information, and should sharply limit the uses and disclosure of information in those contexts.

Federal privacy legislation should not require any disclosure of information, except to patients who ask to see their own records. The recommended allowable disclosures are just that -- allowable. Thus, for disclosures that are not compelled by other law, providers and payers should be free to disclose or not, according to their own policies and ethical principles. We offer these recommendations as a basic set of legal controls. But ethics and professional practice will in many cases dictate more guarded disclosure policies.

Similarly, where our recommendations would permit disclosure, they are not intended to create any new legal basis for refusing to disclose if such disclosure is required by other law.

Finally, our recommended standards are not intended to preempt or supersede other laws -- State or Federal -- that are more protective of individual privacy.

The effect of implementing our recommendations would be that some current uses of information could not continue without patient authorization. Some organizations that get information with ease now may not be able to get information without patient authorization, or without meeting new requirements. We have designed the requirements to serve patients.

These recommendations must steer a course between two extreme convictions: that privacy is already so compromised that attempts to control health information are futile, and that privacy is so weighty a value that we must reverse our efforts to use information effectively. Legislation must, therefore, strike a balance that permits socially important uses of information while protecting the privacy of people who seek care and healing. We believe our recommendations find that balance.

The remainder of this Introduction is a summary of the scope and content of what we believe a Federal health information privacy law should provide. A more detailed description of our specific recommendations for the rights of patients and the obligations of those who hold health information follows. Our recommendations are framed as expressions of basic policy for the major choices in designing such legislation. We appreciate the difficult choices and complex accommodations required to make Federal health privacy legislation a reality. We look forward to working closely with the Congress in developing such legislation.