Confidentiality of Individually Identifiable Health Information. E. Other Disclosures

09/11/1997

We recommend that providers and payers and those receiving information under the provisions of the legislation without patient authorization be permitted to disclose health information without patient authorization to provide health care to any patient, and for payment, but that patients be permitted to restrict disclosures of particular information or disclosures to particular persons.

We recommend that the traditional control on use and disclosure of information, the patient's written authorization, be replaced by comprehensive statutory controls on all who get health in formation for health care and payment purposes.

The reality of the present authorization process is that the patient has little actual control of infor mation. The approach we recommend would replace the often ritualistic authorization with direct statutory controls and a realistic and effective opportunity for patient intervention in instances where the patient finds it truly necessary.

Disclosures for health care are made routinely now. A requirement for a signed paper for a routine referral can impair care by delaying consultation and referral. For example, a physician may decide, from review of test results after the patient has left the office, to refer the patient for consultation; the patient should not have to journey to the office again to sign a form before the physician can discuss the case with the consulting specialist. The provider should not be constrained in deciding whom to consult unless the patient has specifically indicated a sensitivity to such consultations.

Some existing State health confidentiality laws permit disclosures without consent to other health care providers treating the patient, and the Uniform Health-Care Information Act permits disclo sure "to a person who is providing health-care to the patient" (9 Part I, U.L.A. 475, § 2-104 (1988 and Supp. 1996)).

For payment, existing authorizations are often forms that have little meaning to the patient, and that the patient must sign if reimbursement is to be obtained. This process should be replaced by one in which information flows easily and without unnecessary barriers when necessary for payment, while protected by direct legal obligations on providers and payers. Changes in insurance carriers, for example, should not require multiple authorizations. A failure to obtain an authorization should not prevent a health care provider from billing payers who might not be precisely identified when treatment is rendered. In addition, information moves from provider to payer through a chain of processing entities (see SERVICE ORGANIZATIONS, above) whose precise identity may not be known to the provider in contact with the patient. A true, fully enforced, authorization requirement for each of these transfers of information would bring the health care payment system to a halt.

The traditional goals of the authorization process are important ones, and we must have strong and realistic ways of meeting those goals. It is our view that stringent statutory protections on information held by providers and payers, and an opportunity for patients to object to particular disclosures (an "opt-out"), can fulfill these goals more effectively than the authorization formula. The explanation of information practices that providers and payers would have to provide should specifically note the patient's opportunity to object to particular disclosures.

The opportunity to object to a particular disclosure is a more realistic and effective form of control than routine signature of an authorization form, and exactly for that reason it may require attention from providers in responding to patient wishes. In turn, patients will have to exercise care and judgment in using it. In the treatment context, some elements of medical history are irrelevant to present treatment, and patients may reasonably want them concealed. A patient's sexually-transmitted disease at the age of 22 need not be announced to all who are treating an athletic injury when the patient is 44.

But current medical history, especially medications, and some past medical history, are very much relevant to present treatment, and the patient cannot withhold this information from subsequent providers without grave risk. There are dangers in making treatment decisions based on incomplete information, and providers may properly decline to treat patients without full understanding of their medical history. Legislation should not prevent physicians from conditioning treatment on having that history. Thus, if the patient chooses to restrict disclosure for treatment, the patient and the concerned providers would have to negotiate the patient's actual control in light of the need for the history in treating the patient.

Likewise, disclosure to a payer is necessary for reimbursement. To the extent that the patient does not want information disclosed to an insurer or other payer, the patient must address the financial aspects of treatment in some other way.

We recommend that the legislation be written to allow physicians to use any patient's record, not just the record of the patient being treated, to accommodate the practice in which a physician who is treating a patient with a rare disease may examine the records of other hospital patients with the same disease. Likewise, physicians may consult the records of several people in the same family or living in the same household to assist in diagnosis of conditions that may be contagious or that may arise from a common environmental factor.

2. HEALTH OVERSIGHT

We recommend that providers and payers and those receiving information for health oversight without patient authorization under the provisions of the legislation be permitted to disclose health information without patient authorization, if such disclosures are authorized by other law and any requirements of other law have been met, for oversight of the health care system, including

-- any assessment, evaluation, determination, or investigation relating to the licensing, accreditation, or certification of health care providers; and

-- any audit, assessment, evaluation, determination, or investigation relating to the effectiveness of, compliance with, or applicability of, legal, fiscal, medical, or scientific standards or aspects of performance related to health care or payment, including claims for benefits based on health status, claims of eligibility for programs that produce eligibility for health benefits, and claims for other benefits in programs conducted or funded by governments.

We recommend that public agencies, as well as other entities acting on behalf of public agencies, acting pursuant to a requirement of a public agency, or carrying out activities under a State or Federal statute regulating assessment, evaluation, determination, or investigation with respect to health care, be eligible for this access.

We recommend that standard-setting organizations with which a provider or payer has a contract providing for review of the covered entity's activities be eligible for this access.

We recommend that those receiving information under the provisions of the legislation without patient authorization for research and public health be permitted to disclose health information for oversight of the particular re search or public health activity holding the information, and that no use of the information against the patient be permitted except for wrongdoing in connection with the research or public health activity.

We recommend that public agencies receiving information under this provision be permitted to disclose health information in accord with applicable law.

We recommend that other entities receiving information under this provision not be permitted to disclose health information except for oversight purposes.

We recommend that these disclosures be permitted so that there can be effective oversight of health care activities. The types of oversight organizations and activities are many, and range from traditional law enforcement agencies, to government agencies investigating or paying for health care, to the professional licensure and discipline system, to regulators like insurance commissioners, and to accreditation, standard-setting, and quality review organizations and activities.

These activities occur under a myriad of circumstances, including pursuant to complaints about criminal behavior, as part of professional disciplinary proceedings, and pursuant to contract by facilities which wish accreditation and engage organizations to review their activities.

These activities may be performed by a public agency, or by another organization acting on behalf of a public agency, pursuant to a requirement of a public agency, or carrying out activities under a State or Federal statute requiring or otherwise providing for the assessment, evaluation, determination, or investigation. The standard-setting organizations perform their functions pursuant to contract with the institutions they are examining and accrediting.

The common features among these activities are these:

All, at some point in their operations, need access to individually-identifiable records.

Their effectiveness depends on access being controlled by the oversight entity, not the holder of the information, whose behavior and activities are under examination.

The oversight activity is required because of the large volume of fraud and abuse in the health care system. It necessitates a substantial enforcement apparatus, including conventional law enforcement agencies (such as the Federal Bureau of Investigation, and State and local police departments), and specialized agencies (such as the Inspectors General of the Department of Health and Human Services, the Office of Personnel Management, and the Department of Labor, and State Medicaid fraud control units.) The General Accounting Office has estimated health care losses due to fraud and abuse as approximately 10 percent of outlays.

Some of the activities investigated by the Office of Inspector General of the Department of Health and Human Services display the scope of the issue, and suggest how records are needed in the investigation:

-- Billing of Medicare and Medicaid by nursing homes for unnecessary services and services which were not provided at all (OIG Special Fraud Alert, "Fraud and Abuse in the Provision of Services in Nursing Facilities" (61 Fed. Reg. 30623-30625 (1996)), including:

A physician billing $350,000 over a 2-year period for comprehensive physical examinations of residents without seeing a single resident, and falsifying medical records to indicate that the services were rendered.

A psychotherapist manipulating Medicare billing codes to charge for 3 hours of therapy for nursing home residents when in fact he spent only a few minutes with each resident.

A speech specialist preparing documentation overstating time spent on each session, claiming to spend 20 hours with residents every day, and submitting some claims for residents he had never seen, and some who were dead.

-- Billing of Medicare and Medicaid for services by home health agencies that were not provided, or provided by untrained personnel, or otherwise in violation of the rules governing reimbursement of home health services (OIG Special Fraud Alert, "Home Health Fraud, and Fraud and Abuse in the Provision of Medical Supplies to Nursing Facilities (60 Fed. Reg. Reg. 40847-4085 (1995), including:

Billing Medicare for 123 home health visits to a patient who never received a single visit, and submitting claims for beneficiaries who were in an acute care hospital during the period the agency claimed to have provided home visits.

Billing for a home health aide provided to a beneficiary who was not housebound, and actually very mobile.

Claiming nearly $26 million during one year in visits that were not made, visits to patients who were not homebound, and visits not authorized by a physician, all supported by forging beneficiary signatures on visit logs and physician signatures on plans of care.

Review of patient records was essential to the inquiries that identified these abuses. Some oversight activities, such as audits and evaluations, are done without direct access to identifiable patient information, since these inquiries take the form of a statistical inquiry to determine, for example, the rate at which a certain procedure is performed in a hospital or to calculate the average cost of a particular procedure. Computerized techniques make this possible without direct access to identifiers, and it is the practice of oversight agencies to do as much inquiry as possible without identified information.

But there are many instances in which identifiers are needed. Even in a statistical inquiry of the type just described, in a paper environment individual patient charts must be examined, and the patient's name would be disclosed because it would be on each page of the chart.

Other inquiries require review of individual medical records, to identify individual instances of the anomalies in treatment or billing patterns detected in statistical analysis. Billing abuses of the type cataloged above are detected by cross-checking the records of individual patients, to see the medical documentation in support of a service. The oversight agency reviews identifiable records to verify that it is comparing the same treatment history. Once an offense is identified and is to be prosecuted, a complete and intact record is required for evidentiary purposes, and due process requires that persons subject to sanction or prosecution have access to the precise factual basis for those actions.

This recommendation is meant to permit disclosure of health information for inquiries that may not be solely about the actual delivery of health care. The definition of health care and payment encompasses "claims for benefits based on health, and claims of eligibility for programs that produce eligibility for health benefits and claims for other benefits in programs conducted or funded by governments." Fraudulent schemes sometimes involve several government programs, such as public assistance, food stamps, and disability programs, as well as health payment programs like Medicaid. Law enforcement officials work in teams to examine the common patterns in these activities, and we intend to permit, for example, the use of information about Medicaid beneficiaries in such investigations. Programs such as workers' compensation also involve review of health records to determine whether program requirements have been met.

Patient records are needed for other inquiries relating to quality of care, and the rights of patients. The Peer Review Organizations authorized under title XI, part B of the Social Security Act (42 U.S.C. §§ 1320c et seq.) review the quality of care provided to Medicare beneficiaries. The Protection and Advocacy for Mentally Ill Individuals Act of 1986 (42 U.S.C. § 10801 et seq.) authorizes grants for State programs to investigate abuse and neglect of individuals with mental illness, and authorizes access to patient records for this purpose (§ 105(a)(4), 42 U.S.C. § 10805(a)(4)). State insurance regulatory agencies examine the records of insurance companies. The Department of Labor reviews plans under the Employment Retirement Income Security Act of 1974 (ERISA) (29 U.S.C. § 1134). State professional licensure agencies examine the records of health professionals, and may use evidence in them in taking action against the professionals. In the case of research, Federal reviewers may examine records to evaluate compliance with the regulation for protection of research subjects (45 C.F.R. part 46, and 21 C.F.R. parts 50 and 56). The Nuclear Regulatory Commission reviews records to determine medical licensees' compliance with its regulations.

This recommendation does not propose any new judicial process prior to disclosure. The legisla tion we recommend should permit access to records without compulsory process where that access is otherwise allowed. However, it should not abrogate or modify other statutory requirements for judicial determinations or other procedural safeguards, or permit disclosures forbidden by other law. It should not abrogate or modify other legal restrictions on redisclosure of information, such as the requirement for court review for disclosure for purposes unrelated to health care of information obtained under the Attorney General's investigative demand authority in section 3486 of title 18 of the U.S. Code, added by the Health Insurance Portability and Ac countability Act of 1996, § 248. We also recommend that the legislation make obtaining health information under false pretenses be a Federal felony.

Many investigative agencies have and use compulsory process authority. Inspectors General have it under the Inspector General Act of 1978 (5 U.S.C. App. 3, § 6(a)(4) (1988)). The Attorney General has a new investigative demand authority, mentioned just above, providing authority to examine any medical records in investigating health fraud, with power to invoke the aid of any court in enforcing the demand. In these cases, the statutes under which investigative authorities operate determine the procedure surrounding the demand.

Thus, even if compulsory process is used for an oversight investigation, we recommend that there be no requirement for judicial consideration of the type required in the civil litigation situations described below under JUDICIAL PROCEEDINGS AND ADMINISTRATIVE PROCEEDINGS: PATIENT AS PARTY and JUDICIAL PROCEEDINGS: OTHER.

3. PUBLIC HEALTH

We recommend that providers and payers and those receiving information under the provisions of the legislation without patient authorization be permitted to disclose health information without patient authorization, for public health purposes to

-- a legally constituted public health authority for disease or injury reporting, public health surveillance, or public health investigation or intervention;

-- anyone authorized to receive the information to comply with requirements or direction of a public health authority; or

-- an individual authorized by law to be notified in a public health intervention.

We recommend that a public health authority be defined as an authority of the United States, a State, a political subdivision of a State, or an Indian tribe, that is formally responsible for public health matters as part of its official mandate.

We recommend that further disclosure by a recipient be limited to health care, public health, research, and oversight of the particular public health activity, except that no restrictions should apply to an individual who is notified in a public health intervention.

Numerous important public health activities use identifiable information about patients. Disclo sure and use of information for those purposes, under careful controls to protect the patients, contributes to an important social benefit.

Traditional public health surveillance, investigation, and intervention with respect to communicable disease continues to be important. Infectious disease is still a serious threat to health. In a report on this topic the Centers for Disease Control and Prevention offer as a major objective the expansion and coordination of surveillance systems for the early detection, tracking, and evaluation of emerging infections in the United States. The report states that "[s]urveillance is the single most important tool for identifying infectious diseases that are emerging, are causing serious public health problems, or are diminishing in importance." (Department of Health and Human Services, Public Health Service, Centers for Disease Control and Prevention, Addressing Emerging Infectious Disease Threats: A Prevention Strategy for the United States 12 (1994)).

These well-known activities have been supplemented by carefully-designed and valuable assessment activities to collect information about other health conditions and injuries. Assessment activities (e.g., assessing the health needs of the community) embody several core public health practices that all communities need to perform (Michael A. Stoto et al., eds., Healthy Communities: New Partnerships in the Future of Public Health (1996)).

Disclosures to facilitate these activities, including both reporting requirements imposed by statute and other collections of data based on more general authority, should be allowed. In all States, certain conditions are required to be reported to public health authorities, but the recommendation permits disclosure without an explicit statutory command to report an item of information. (Terence L. Chorba, et al., Mandatory Reporting of Infectious Diseases by Clinicians, 262 JAMA 3018-3026 (1989) and Eugene Freund et al., Mandatory Reporting of Occupational Diseases by Clinicians 262 JAMA 3041-3044 (1989)).

Many public health surveillance activities are conducted without identifiable information, but some do require identifiable information. In some instances, identifiers are needed, but the infor mation may be used only in aggregate form. This is the case with surveillance programs for certain diseases and conditions where identifiers are needed to ensure an accurate count when duplicate reports may come from different sources. But there may be no intervention, and aggregate results are produced without reference to any identified individual.

Disease registries, such as cancer registries, operate this way. State-based cancer registries are funded by the Centers for Disease Control and Prevention through the National Program of Cancer Registries (Public Health Service Act §§ 399H-399L (42 U.S.C.A. §§280e-280e4)). The Surveillance, Epidemiology and End Results (SEER) Program of the National Cancer Institute, operated since 1973, collects and publishes cancer incidence and survival data from population-based cancer registries covering approximately 14 percent of the U.S. population. It is from reports by hospitals and laboratories to these registries that we have accurate information about cancer incidence, survival rates, and geographical variations in our Nation.

Other activities important to public health and safety are conducted by bodies like the National Transportation Safety Board. It investigates airplane and train crashes, in an effort to reduce mortality and injury by making recommendations for safety improvements, and it uses medical records in its investigations. Similar inquiries are conducted by the military services.

The Occupational Safety and Health Administration, the Mine Safety and Health Administration, and the National Institute for Occupational Safety and Health also conduct public health investigations related to occupational health and safety. The Nuclear Regulatory Commission and State agencies working with it investigate occupational worker or general public radiation injury, and misadministration of radioactive materials to patients; these inquiries often require access to individually-identifiable health information. All of these activities relate to the public health and safety, and the legislation should permit disclosure for them.

Other programs, directed toward communicable disease such as sexually-transmitted disease, involve contact with the individual and provision of health care, and occasionally, enforcement actions to prevent transmission of disease. All States have authority to isolate and quarantine individuals who endanger public health. The emergence of multi-drug resistant tuberculosis has renewed attention to these powers of States. The issues are discussed in Lawrence O. Gostin, Controlling the Resurgent Tuberculosis Epidemic, 269 JAMA 255 (1993).

Surveillance of the effect of drugs and medical devices also involves collection of information, sometimes in identifiable form. The tracking of medical devices (under section 519 of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. § 360i)) require that physicians report infor mation (sometimes including patient identifiers) to device manufacturers, and these reports may in turn find their way to the Food and Drug Administration.

The proposal envisions that disclosures will be made not only to government agencies, but also to private entities as required or permitted by law. In tracking medical devices, for instance, the initial disclosure is not to a government agency, but to a device manufacturer that collects infor mation under explicit legal authority, or at the direction of the Food and Drug Administration. The cancer registries mentioned above are often non-profit organizations such as universities which receive reports from physicians and laboratories pursuant to State statutory requirements to report. These activities should not be impaired.

We recommend a provision for disclosure to "an individual authorized by law to receive the information in a public health intervention" so that physicians or health departments, in carrying out public health interventions authorized by law, can notify individuals who have been exposed to a communicable disease. That notification may implicitly reveal the identity of the patient, but should be permitted as a disclosure in the course of an authorized public health intervention. The recommendation does not include a confidentiality obligation on the individual notified.

The provision we recommend should sharply constrain public health agencies and other institutional entities receiving information in how they further disclose it. Public health authorities have a long ethical tradition of complete confidentiality in the conduct of their investigations, and are subject to confidentiality obligations under State law. The use and control of information by health departments is discussed in Lawrence O. Gostin, et al., The Public Health Information Infrastructure, 275 JAMA 1921-1927 (1996)).

The Federal legislation should bolster those ethical and legal obligations by additional safeguards. Information obtained under the public health provision should not be further disclosed except for public health purposes (which may include action against individuals, such as in quarantine situations to protect the public health, with whatever disclosure that involves), for research, or for audit or investigation of the particular public health entity holding the health information. It may also involve use and disclosure of patient information in enforcement proceedings against entities.

4. RESEARCH

We recommend that providers and payers and those receiving information under the provisions of the legislation without patient authorization be permitted to disclose health information without patient authorization for re search.

We recommend that disclosures be permitted only under the following conditions:

The research would be impracticable to conduct without the individually-identifiable health information;

The research has been approved by an institutional review board organized and operated in a manner consistent with and in accord with the institutional review board requirements of Federal Policy for Protection of Human Re search Subjects; and

The institutional review board has determined that disclosure is allowable without the informed consent of the subjects, and, in making that judgment, has determined that

-- the research project is of sufficient importance so as to outweigh the intrusion into the privacy of the patient who is the subject of the infor mation that would result from the disclosure;

-- the research is of minimal risk;

-- not obtaining consent will not adversely affect the rights and welfare of the subjects; and

-- the research could not practicably carried out if consent were required.

We recommend that a researcher receiving information be required to remove or destroy personal identifiers, at the earliest opportunity consistent with the purposes of the research, unless an institutional review board has determined that there is a health or research justification for retention of identifiers and there is an adequate plan to protect the identifiers from improper use and disclosure.

We recommend that the health information so obtained not be further disclosed except

-- pursuant to a reasonable belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual or to the public health;

-- for another research project that meets the same conditions set out in the legislation for initial research disclosure; or

-- for oversight of the research project.

We recommend that information so obtained not be used or disclosed in any administrative, civil, or criminal action or investigation directed against the patient.

Health research is an integral and essential part of modern health care, and the source of much of the knowledge on which medical treatment is based. Much of that research is based on analysis of existing health records, and thus access to health records is vital to research.

Research based on health and other records has been an important source of information about the health of the population, and about how to prevent and treat disease. This research differs from research where there is an interaction with the researcher, and where the individual must of course be aware of the research and give informed consent. The latter activity may be covered as a form of health care, but is different from the records-based research for which disclosure without patient authorization is recommended here under certain conditions.

A wide variety of research activities use health records -- biomedical, epidemiological, and health services research, and statistical activities. Likewise research on behavioral, social, and economic factors affecting health, and the effect of health on other aspects of life, may use health records. Use of records in research and the privacy aspects of such research are discussed in a recent report published by the Department of Health and Human Services, Privacy and Health Research, a report to the U.S. Secretary of Health and Human Services by William W. Lowrance (1997). Researchers have an excellent record for maintaining confidentiality of information they get this way, and privacy has not been harmed as a result.

The Privacy Protection Study Commission, in its recommendation about health-care records, recognized the research uses of health records, and supported disclosure without patient authorization under stringent conditions, which are reflected in the present recommendations (Personal Privacy in an Information Society 309 (1977)).

Much important and helpful scientific knowledge has come from large-scale studies using existing records. They are discussed in Leon Gordis and Ellen Gold, Privacy, Confidentiality, and the Use of Medical Records in Research, 207 Science 153-156 (1980). Among examples of valuable research findings are these:

When mothers took DES during pregnancy to prevent a miscarriage, female offspring of these pregnancies were at increased risk of developing a rare type of cancer of the vagina when they reached adolescence.

Workers exposed to vinyl chloride are at high risk of liver cancer. This finding could only be made by reviewing the medical records of large groups of employees and linking the employees' records at the factory site with hospital records and death certificates if they existed.

The cause of increased risk of a form of blindness called retrolental fibroplasia in low birth weight infants was identified through examination of records. It was caused by high oxygen concentrations administered to premature newborns. Since this finding, use of a lower level of oxygen has virtually wiped out this form of blindness in premature infants.

The treatment of acute leukemia in children was greatly enhanced by studies of medical records that showed that new forms of therapy were effective.

Beta-blocker therapy resulted in fewer re-hospitalizations and improved survival among elderly survivors of acute myocardial infarction.

State Medicaid policies restricting the number of prescriptions per month to prevent fraud and abuse also produced large declines in use of effective medications, adverse impacts on health status, and increased utilization of more expensive health care services. With this information, several States discontinued policies that limit prescriptions per month.

The need to provide these records without contacting the patients results from the scale and type of studies using records, and their scientific characteristics. It is often impracticable, or impossible, to seek authorization from everyone in a records-based study of this kind. Some involve hundreds of thousands, and occasionally millions, of people. If it were necessary to seek authorization, some people would refuse, and some could not be found. In these cases, the people not included might have unknown common characteristics that would skew the results -- a problem that can render the results useless, and a special problem in studying rare health conditions, where a usable count depends on finding every case.

The results of these inquiries appear as statistics -- aggregate results, with analysis and conclusions -- and no one's actual identity is ever published. However, the research does depends on information about specific individuals, and in the course of the research identifiers are sometimes necessary -- to be sure that there are not duplicate reports, or to match health records with other records, like records of treatment in several health facilities or death records, to determine the long-term effects of a condition or a treatment.

In other cases, the research may call for identifying patients through existing provider records, and then contacting them and with their consent obtaining further information. There are effective techniques for contacts of this kind -- often by the provider after the researcher has identified them -- without revealing information to individuals other than the patient.

This can all be done, and is done now, without harming the patient.

Thus, we recommend that the legislation include conditions closely modeled on the regulation that protects subjects in research funded by Federal agencies, the Federal Policy for the Protection of Human Subjects (the "Common Rule," first published at 56 Fed. Reg. 28002-28032 (1991) and codified for the Department of Health and Human Services at 46 C.F.R. part 46 and 20 C.F.R. parts 50 and 56). Under this regulation, an institutional review board may waive the normal requirement for informed consent of the subjects if the research is of minimal risk, if the waiver will not adversely affect the rights and welfare of the subjects, and if the research could not be practicably carried out without the waiver (45 C.F.R. § 46.116(d)). However, we recommend that such protection be imposed by statute, and that there be criminal penalities for obtaining health information under false pretenses and for wrongful disclosure.

These conditions help ensure that records are disclosed only after careful consideration, by requiring, for example, that researchers show that patient identifiers are genuinely needed for the research and that the expected results are of sufficient importance to warrant the disclosure.

The "impracticable" test does not mean, and should not mean, that it is impossible to conduct the research in any other way, nor does it require that patient authorization be obtained if at all possible. Institutional review boards appropriately weigh such factors as cost, time and other resources available for data collection, and the quality of results.

The proposal should not oblige anyone to disclose records for research. Some providers may conclude that their records, or portions of them, are so sensitive that they should not be disclosed to outside researchers, even under the careful conditions that currently govern research and that we recommend.

It is fundamental to the protection of individuals in research that they not be disadvantaged by the research except to the extent that they know the disadvantage and voluntarily choose to accept it. The strict restrictions on further disclosure that we recommend would ensure that end. They come from this principle (called "functional separation") enunciated by the Privacy Protection Study Commission:

Information collected or maintained for a research or statistical purposes may be not be used in individually identifiable form to make any decision or take any action directly affecting the individual to whom the record pertains, except within the context of the re search plan or protocol. (Personal Privacy in an Information Society 572-574 (1977))

5. EMERGENCY PURPOSES

We recommend that providers and payers, and those receiving information under the provisions of the legislation without patient authorization, be permitted to disclose health information without the authorization of the patient pursuant to a reasonable belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual.

We recommend that disclosure be permitted only to a person reasonably likely to be able to prevent or lessen the threat.

We recommend that information so disclosed not be permitted to be used in any proceeding against the patient except for proceedings related to the reason for its disclosure, but that there be no other control on the use or dis closure of this information by the recipient, except to the extent that the recipient is otherwise covered by the law.

This recommendation addresses situations where it is necessary to disclose information to prevent harm to individuals. For example, law enforcement authorities may need information from a psychiatric record to predict the behavior of a person who is threatening others. Providers may be under an ethical or legal duty to warn someone of potential harm by a patient.

The latter circumstance has been addressed in court cases, and the provision we recommend permits disclosures in accord with cases which require disclosure, of which the leading case is Tarasoff v. Regents of the University of California (17 Cal. 2d 425 (1976)). In that case, a psychologist was told by a patient that the patient intended to kill a third person. The psychologist notified the police but did not warn the intended victim. The patient subsequently killed that person. The Supreme Court of California found that the therapist had an obligation to use reasonable care to protect the intended victim against danger, including warning the victim of the peril. Many States have adopted (judicially or legislatively) some type of Tarasoff duty to warn, but not all State have done so. The provision we recommend takes no substantive position on a health care provider's duty to warn, but permits the disclosure if required or allowed under applicable law.

An emergency disclosure provision does present some risks of improper disclosure, through, for example, a fraudulent telephone request with a claim that cannot be verified that information is needed for life-saving purposes. There will be pressures and uncertainties when disclosures are requested under emergency circumstances, and decisions must often be made instantaneously and without the ability to seek authorization or to perform complete verification of the request. We believe that this risk is warranted, and that the law should not hold record holders liable if they make a reasonable judgment and disclose information in good faith, even if later events reveal that the judgment was in error.

It is difficult to predict who might receive information under this provision, and so we recommend that the control on further use be formulated as a prohibition on using the informa tion against the patient outside the occasion for the disclosure.

This provision should not otherwise control redisclosure, so that it would not, for example, burden a private individual who is notified of a threat by a patient with legal sanctions for discussing the incident. Some recipients will be health care providers, and would be obliged to comply with the legislation regardless of where the information came from.

6. STATE HEALTH DATA SYSTEMS

We recommend that providers and payers be permitted to disclose health in formation without patient authorization, if required or explicitly authorized by State law or regulation, for health data programs that collect health data for analysis in support of policy, planning, regulatory, and management functions identified by State statute or regulation.

We recommend that information so obtained not be further disclosed except under the same conditions and circumstances applicable to information disclosed for research purposes.

This recommendation is in support of State programs that collect data to analyze health care outcomes, quality, costs and patterns of utilization, effects of public policies, changes in the health care delivery system, and related phenomena to engage in better policy making, planning, regulation, and management. These programs frequently require reporting of information for all patients treated or released by specified classes of providers within the State. The recipient may be a State agency, or may be a private organization working in collaboration wit the State. In some instances the information is reported without identifiers, but in other instances it includes some form of identifier that may make the information identifiable under the standards we propose.

The information is used to analyze trends in health care services and the costs of care. This activity partakes of the character of research, oversight, public health, and payment, but does not fall neatly into any one category. It is a valuable activity that offers the possibility of improved understanding of clinical, administrative, and financial aspects of the health care system. These benefits can be achieved while protecting the privacy interests of the patients. Like research, these activities sometimes need identifiable information, but the identity of the individuals is irrelevant to the outcome, and the results appear only in the aggregate.

For these disclosures we recommend that the data collection be required or explicitly authorized by State law or regulation. As in the case of research, the principle of functional separation formulated by the Privacy Protection Study Commission is applicable. Thus, we recommend that the restrictions on further use of this information be the same as the restrictions on further use of information disclosed for research purposes (RESEARCH, above)

7. NEXT-OF-KIN

We recommend that health care professionals involved in the direct provision of patient care be permitted to disclose health information, in connection with the patient's current treatment, to family members of the patient and others with whom the patient has a close personal relationship

-- if the patient has been notified of the right to object to such disclosure and has not objected; or

-- in circumstances where such notification has not been given, if the disclosure is consistent with good health professional practice and ethics.

Certain routine communications take place with a patient's family and friends in connection with illness and injury. A spouse or parent should surely be told about the condition of a patient who has been injured or suddenly taken ill. A helpful neighbor assisting an elderly person being discharged from the hospital should be informed of the person's limitations in mobility, or of a health problem that requires ongoing practical help. A roommate or friend may be dispatched to the drug store to pick up prescription medication.

In general, patients should have a choice about these disclosures, and providers should notify patients of this right, and proceed only if the patient does not object. It is not envisioned that formal written authorization will be obtained.

There may be instances where it is not feasible to notify patients, but where communication with the family is necessary. In these cases, health care professionals involved in the direct provision of patient care should have the option of using their judgment, and informing relatives as necessary, in accordance with health professional practice and ethics.

As with all permitted disclosures, providers should be able to decline to disclose in this fashion without consulting the patient. Institutions may impose on their employees policies which are more restrictive.

No further control on the use or disclosure of this information by the recipient is appropriate.

8. DIRECTORY INFORMATION

We recommend that health care providers be permitted to disclose, without patient authorization, the fact of a person's presence in a facility, and the location, and to describe the patient's conditions in general terms that do not communicate specific medical information about the patient, if the patient has not affirmatively objected in advance to these disclosures.

Hospitals and other inpatient facilities serve as temporary residences, and directory information of this type is regularly provided to verify that a person is a patient in the facility, to assist visitors to the patient, to permit mail communication, and to let persons beyond the patient's immediate circle know in a general way of the patient's condition (in terms like "good," "fair," "stable," "serious," or "critical").

Patients should be permitted to restrict such disclosures, but we do not recommend a legislative requirement for notice of this opportunity beyond the required explanation of information practices more generally (EXPLANATION OF INFORMATION PRACTICES, above). Any institution should be free to have more restrictive policies, and many might choose to ask patients explicitly whether they agree to making directory information available.

In the case of institutions which of their nature identify the condition being treated, disclosure of directory information would communicate specific medical information, and should not be permitted.

No further control on the use or disclosure of this information by the recipient is appropriate.

9. LAW ENFORCEMENT: INVESTIGATION OF PROVIDERS AND PAYERS

We recommend that providers and payers be permitted to disclose health in formation without patient authorization

-- for investigation or prosecution of a covered entity, or

-- to determine whether a crime has been committed and the nature of any crime that may have been committed, other than a crime that may have been committed by the patient,

if such disclosures are authorized by other law, and all requirement of other law have been met.

Law enforcement agencies often inquire into activities of providers and payers, and review health records in that process, without having any interest in the patients. This may occur, for example, in inquiries about compliance with tax laws, where a review of patient records might assist in estimating a provider's income, or in inquiries about compliance with safety and health laws, where review of health information might assist investigators. The patients are not the focus of the investigation and do not have an interest that warrants independent judicial consideration of the disclosure of their information. We are not recommending any changes to existing legal constraints that govern access to or use of patient information by law enforcement agencies. In addition, our recommendations would make obtaining health information under false pretenses be a Federal felony.

In other cases, health information about a victim of a crime may be needed to investigate the crime, or to allow prosecutors to determine the proper charge. For some crimes, the severity of the victim's injuries will determine what charge should be brought against a suspect. For medical information to be relevant, the crime will normally involve bodily injury to the patient. Here again, while the patient is involved, the focus of the investigation is not the patient, but someone else. While the patient certainly has a privacy interest in the use of his or her information in the investigative process and judicial proceedings, this approach leaves control of this information to the procedures of the criminal justice system.

10. LAW ENFORCEMENT

We recommend that providers and payers and those receiving information under the provisions of the legislation without patient authorization for oversight purposes be permitted to disclose health information without patient authorization

-- to investigate a crime against, or on the premises of, a health care provider or payer,

-- to comply with State law that requires the reporting of specific items of health information to a law enforcement authority,

-- to assist in the identification or location of a victim, witness, suspect, or fugitive in a law enforcement inquiry, in situations similar to those in which State law requires disclosure of specific items of health infor mation to a law enforcement authority,

-- upon request of a law enforcement official who states that the health information is needed for a legitimate law enforcement inquiry, and that the request complies with all applicable law, or

-- upon the request of an official of the U.S. Intelligence Community, as that term is defined in section 3 of the National Security Act, 50 U.S.C. §401a, who states that the information requested is needed for a lawful purpose,

if such disclosures are authorized by other law, and all requirement of other law have been met.

We recommend that the Intelligence Community and law enforcement agencies which receive information under this provision not be subject to restrictions on its further use or disclosure, except as provided by other law.

The disclosures we recommend here are an exception to a basic principle of the protections we recommend, which is to limit the use of health information to purposes connected directly with health care and payment. It is an instance of balancing private interests and the principle of public responsibility when law enforcement agencies need access to health information. Thus, we recommend that the legislation maintain current practices by permitting disclosure of health information to law enforcement authorities and permitting them to use that information, subject to other applicable law.

These disclosures are necessary to protect the health care system and the public, and they comport with certain well accepted realities of law enforcement and the criminal justice system. We are not recommending any changes to existing legal constraints that govern access to or use of patient information by law enforcement agencies. In addition, our recommendations would make obtaining health information under false pretenses be a Federal felony.

In instances where a crime is committed on the premises of, or against, a health care provider it may be necessary to review records. The presence of a patient in a particular location in a facility, or the timing of an observation in a chart, may help in identifying a suspect or an offense, and may incidentally disclose health information to investigators. The information needed may be limited, but could well include health information covered by the law.

State laws commonly require that health providers report gunshot wounds, injuries associated with arson, and other specific conditions. In the same vein, police typically make inquiries in emergency rooms in pursuing persons injured while committing crimes. Responses to these inquiries, even if not specifically required by law, are analogous to the reports required by law, and serve to prevent health care facilities from becoming sanctuaries for fleeing criminals. These inquiries are usually close in time to the offense and the appearance for treatment of the patient in a health care facility.

In other instances law enforcement authorities now get health information without patient consent, pursuant to other law. We are not recommending any changes to existing legal constraints that govern access to or use of patient information by law enforcement agencies. In getting information, law enforcement officials should have to comply with whatever other law was applicable. Thus, if State law permitted disclosure only after compulsory process with court review, a provider or payer should not be allowed to disclose information unless the law enforcement authorities had complied with that requirement.

We recognize that there are arguments in favor of new confidentiality restrictions to address, for example, the law enforcement possibilities in the search capabilities of computerized health records. Until more experience is gained with the nature and speed of computerization of these records, and the types and frequency of requested searches, it is premature to change existing law in this area. Existing constitutional and other legal constraints would of course remain in place.

The provision we recommend here should not permit health care providers to disclose at their own instance information about patients that is evidence of a crime (apart from crimes connected with the health care facility). The basic obligation of nondisclosure which we propose precludes this.

This provision should be permissive, and health care facilities may, as far as the protection we are recommending is concerned, choose to refuse to cooperate with requests from law enforcement authorities. However, there may be other statutes that compel cooperation of the covered entity, and the legislation should permit this cooperation.

11. JUDICIAL AND ADMINISTRATIVE PROCEEDINGS: PATIENT AS PARTY

We recommend that providers and payers and health oversight agencies be permitted to disclose health information without patient authorization

-- pursuant to the Federal Rules of Civil Procedure, the Federal Rules of Criminal Procedure, or comparable rules of other courts or administrative agencies in proceedings in which the patient is a party and has placed his or her physical or mental condition or functional status in issue;

-- if directed by a court in connection with a court-ordered examination of an individual; or

-- to petition a court for guardianship or protective services for the patient.

We recommend that the party seeking the information be required to give written notice in advance to the patient or patient's attorney.

We recommend that providers and payers and health oversight agencies be permitted to disclose information in these circumstances only after receiving written notification that the above conditions have been fulfilled.

The controls we recommend here of necessity intersect with existing procedural laws and rules of Federal and State courts and administrative agencies. We recommend that the legislation impose procedural controls on disclosure of information in these circumstances, but leave substantive judgments about use of the health information to the law governing the proceeding. In this type of proceeding, the patient's privacy interest is necessarily more limited than one in which the patient is not already a party, and in addition the patient is in a position to seek appropriate restrictions from the court. This provision for disclosure is intended to apply to administrative proceedings, such as appeal processes in Federal benefit programs.

Our recommended procedure is meant to provide assurance to providers and payers that disclo sure is proper, and to give notice to the patient. A person seeking health information should be required to notify the patient or the patient's attorney of the request, and to give the holding entity a signed document attesting to this notification, and to give sufficient time to permit the patient to challenge the request.

In particular, such a provision would provide an opportunity to object to demands for informa tion where the patient may have a proper claim that the request for information is too sweeping, or that the information is irrelevant to the proceeding. Some litigation reasonably requires medical information, but the patient's entire past medical history may not be relevant to the issue at hand, and its disclosure may be an inappropriate invasion of privacy. This procedure would ensure notice to the patient, and an opportunity to object in a timely fashion under the rules applicable to the proceeding.

The dispute about the need for the medical information or the scope of the request could then be resolved by the tribunal considering the matter. The general rule that disclosures must be limited to the minimum amount of information necessary to accomplish the purpose for which the information is to be used should be fully applicable, and this rule could thus be used by patients to contest the scope of discovery requests.

12. JUDICIAL PROCEEDINGS: OTHER

We recommend that providers and payers be permitted to disclose health in formation in a judicial or administrative proceeding (other than a proceeding in which the patient is a party and has put his or her condition at issue), pursuant to an administrative or judicial subpoena if the patient has been notified in advance and has not objected in a timely manner.

We recommend that if the patient has been notified in advance and does object in a timely manner, the official issuing the subpoena not order the in formation disclosed unless the person seeking the information has demonstrated that

-- there are reasonable grounds to believe that the information will be relevant to the proceeding; and

-- the need for the information outweighs the privacy interest of the patient.

We recommend that in determining whether the need for the information outweighs the privacy interest of the patient, the court or agency consider

-- the particular purpose for which the information was collected;

-- the degree to which disclosure of the information will embarrass, injure, or invade the privacy of the patient;

-- the effect of the disclosure on the patient's health care;

-- the importance of the information to the lawsuit or proceeding; and

-- any other factor deemed relevant by the court.

We recommend that a covered entity be permitted to challenge a demand for health information on any grounds available under this or other law.

This recommendation addresses the need for health information in proceedings other than proceedings in which the patient is a party.

The procedure we recommend is basically the same as for those situations. The test for disclo sure is somewhat different, in light of the need to demand a higher degree of justification for seeking health information in proceedings that are not law enforcement proceedings, or in which the patient is not already before the court.

13. JUDICIAL PROCEEDINGS: INFORMATION OTHERWISE ALLOWED TO BE DISCLOSED

We recommend that disclosure be permitted without notice to the patient, or judicial determination, if the health information could be disclosed under other provisions of the legislation not requiring notice or judicial determination, provided that the conditions in the other provisions are satisfied.

The procedural safeguards attendant to disclosure of health information in judicial proceedings should not be required when the information could be disclosed under other provisions without judicial proceedings.

In these instances, the requirements of the other sections authorizing the disclosure provide safeguards for the individuals. Notice to individuals simply because compulsory process was being used would serve no useful purpose and might wrongly convey the impression that the patient was somehow being investigated.

Disclosures that we propose be permitted without patient authorization are sometimes in fact made pursuant to compulsory legal process required or authorized by other law. Health oversight agencies have this authority (discussed in the HEALTH OVERSIGHT section, above). State and local public health agencies have subpoena or warrant authority to obtain information. The Occupational Safety and Health Administration and the National Institute for Occupational Safety and Health have authority to compel disclosure of health records for their public health and safety investigations and occupational health and safety research (29 U.S.C. §§657, 669), and the Mine Safety and Health Administration (30 U.S.C. §813) has similar authority. Should agencies with that authority have to use it, they should not be required to comply with the notice and judicial determination requirements applicable in other proceedings using compulsory process.

The legislation should also provide that, if disclosure is conditioned upon a requirement to dis close in State law, Federal agencies may make the disclosure despite the inapplicability of State law to their activities.