Confidentiality of Individually Identifiable Health Information. E. Boundaries -- Recommended Scope of A Federal Privacy Law


There are four situations in which health information is collected, disclosed, or used, and that we recommend be addressed by Federal health privacy legislation:

Provision of and Payment for Health Care. A Federal health privacy law should focus on health care payers and providers and the information they create and receive for the provision and payment of health care, and on those who receive information from those payers and providers. Providers and payers are the foundation of the health care system, and the primary creators and collectors of health information. The provisions of a Federal privacy law generally should apply to information about a patient collected in the provision of health care services or in the payment for health care services.

A Federal privacy law should apply uniformly, regardless of the setting in which health care is provided. A person seeking treatment should be able to discuss his or her medical condition freely, with confidence that the information will be protected, whether treatment is sought from a private physician or hospital, a company doctor, or a community health center. Similarly, the law should apply uniformly to all such information, whether the information is oral or written, on paper or in a computer.

A Federal health privacy law should limit the ways providers and payers can use identifiable health information. However, it need not cover information that individuals voluntarily provide about themselves directly to parties other than providers or payers, such as retailers or marketers.

Health care research that includes the delivery of health care should be included in Federal privacy protections. Information obtained in this context should be protected by a Federal privacy law. Research that does not involve care, but which is based on medical records obtained from providers and payers, should also be protected, since the information is obtained directly from the health care system.

Employers that render on-site health care for their employees, or provide health benefits through a self-funded health plan, are acting as providers and payers, and in this context should be covered by a health privacy law. They should be able to collect and use identifiable health information for health care and directly related purposes, but should not use the information they collect as providers and payers for other purposes, such as hiring and firing, placement and promotions.

Health information often is obtained from individuals for purposes other than the provision of or payment for health care, and we recommend that these situations be addressed by other legislation. Thus, these recommendations do not extend to the results of a fitness-for-duty examination. Nor do our recommendations address the need for protection of genetic information in Federal and State DNA banks and DNA data banks for casualty identification or criminal investigation, or of information generated in workplace drug-testing programs. Some existing uses of health information should not be affected at all, such as reporting of birth and death and reporting of abuse such as child abuse. The confidentiality risks of these collections of information should be (and often are) addressed by legislation specific to them.

We recognize that distinctions among the various holders of health information are not always clear. We are particularly concerned about automobile and similar types of insurance that include a health coverage component. While these insurers may not be labeled "health insurers," as a practical matter they obtain the same information in the same ways, and serve the same functions, as health insurers. Similarly, there may be some grey areas regarding when an employer is functioning as a provider (and thus covered by a Federal privacy law) and when not. These are areas that would benefit from public debate and additional fact-finding. We continue to review specific instances, and may ultimately find that some information not now recommended for protection can and should be included in a Federal privacy law.

Similarly, we recognize that the collection, development, and use of information about health matters by entities other than providers and payers can present serious privacy hazards. It may well be appropriate to impose confidentiality restrictions in those contexts. While we now recommend a Federal health privacy law limited to health information held by providers and payers (and those receiving such information from them), we also believe that the Administration and Congress must continue to examine the hazards to privacy when health information is held in other settings, and consider ways of controlling those hazards.

Service Organizations. Providers and payers do not act alone. They engage other organizations to assist in processing health information. These "service organizations" may be claims processors, pharmacy benefits managers that provide information to pharmacists about coverage and drug interactions, or similar organizations that process information to help make the health care system work better. These organizations should be bound by the same restrictions that apply to the providers and payers from which they obtain the health information. Service organizations have access to patients' health information as an integral part of the provision of and payment for health care, and should be bound by a Federal health privacy law.

Limited Disclosures for National Priorities. Federal health privacy legislation should also allow certain uses of identifiable health information needed to support national priority activities. In exchange for this access to information, legislation also should place strict boundaries around the use and redisclosure of that information to ensure that it is used for the identified priority purpose only. The major national priorities which we recommend for this treatment are public health, oversight of the health care system, research, and law enforcement. For these activities, it is not always possible to obtain permission and, in many cases, doing so would create significant obstacles in our efforts to fight crime, protect public health, or understand disease.

However, along with access should come the duty to use that information only subject to legislative restrictions on how the information may be used and disclosed, tailored to the particular situations.

Disclosure with Authorization. Sometimes a patient will authorize a provider or payer to disclose information to a third person not directly subject to the Federal health confidentiality legislation that we recommend. In these cases, the patient should be able to enforce an agreement with that third person about how the information will be used. Federal law should impose an enforceable obligation on the recipient to use the information only in accord with the agreement made with the patient at the time of the authorization.

For example, if a potential employer requires health information as part of a background check for security purposes, the applicant can authorize his or her health care providers to disclose the information. But the employer's use of the information should be governed by the employer's statement of how it will use the information, and that agreement should be enforceable.