Confidentiality of Individually Identifiable Health Information. F. Security

09/11/1997

We recommend that a Federal health privacy law impose new restrictions on health care payers and providers who create and receive health information, and on those who receive information from those payers and providers. Specifically:

  • Patient-identifiable information should not be disclosed except as authorized by the patient or as explicitly permitted by the legislation.
  • Those holding such information should be required to implement security measures to protect the information against reasonably anticipated threats.
  • All disclosures of identifiable information should be limited to the minimum necessary to accomplish the purpose of the disclosure.
  • Patient information should be used within an organization only for purposes reasonably related to the purposes for which the information was collected.
  • A patient's authorization to disclose information should have to meet specific requirements.
  • A provider or payer should not be allowed to condition treatment, payment, or coverage on a patient's agreement to disclose health information unless the information is needed for treatment, coverage, or payment purposes.
  • Those receiving information through a patient's authorization should be required to abide by the terms of the authorization agreement, or face civil liability.

The attached recommendations provide the details for how such restrictions might operate. Many of these recommended rules would simply codify sound professional practices. For example, a provider should be able to use identifiable health information for mailing reminders to patients to schedule appointments. It should not be able -- absent patient consent -- to make available its patient list to a health company for use in a direct mailing announcing a new product or service (even if that product or service might benefit the patient). Providers and payers should be limited in their internal use of information, so that, for example, employers who obtain health information through their operation of self-insured health plans (i.e., as payers) should be prohibited from using that information for personnel decisions.