Confidentiality of Individually Identifiable Health Information. F. Specialized Classes of Persons and Entities


We recommend that patients be covered by the protections of the legislation for two years after death, and that the right to control the patient's health in formation within that time be held by an executor or administrator, or in the absence of such an officer, by next-of-kin, determined under State law, or in absence of both, by the holder of the health information.

Whether to apply confidentiality legislation to information about deceased patients is a difficult issue, with good arguments in favor both of protecting and not protecting this information. In traditional privacy law, privacy interests, in the sense of the right to control disclosure of infor mation about oneself, cease at death. The underlying purpose of health record confidentiality -- to encourage a person seeking treatment to be frank in the interest of obtaining care -- may require, from the patient's perspective, confidential treatment of information even after death. However, the problem of ensuring confidentiality after death is complicated by the traditional method of managing affairs after death -- control by an executor or administrator, who is often a relative. The result may be that the very people the deceased may have hoped would not know of his or her health condition will control the information.

At the same time, perpetual confidentiality has serious drawbacks. If information is needed for legitimate purposes, there should be someone legally authorized to disclose it, by analogy with authorization by a living person. A permanent bar to disclosure would serve privacy interests only rarely, and could interfere with important and acceptable uses of information, such as historical research.

A two year period of confidential treatment, with provisions for authorization by specific persons, would preserve dignity and respect by preventing uncontrolled disclosure of information immediately after death but permitting disclosure for proper purposes during this period. It should be noted that providers may, apart from legally compelled disclosure, choose to keep in formation confidential for a longer period.


We recommend that health information be permitted to be disclosed to identify a dead person, or to aid a medical examiner's or coroner's investigation.

Information from health records is used to identify dead persons, and this recommendation permits providers and payers to disclose information for this purpose. In an instance where in formation so disclosed reveals information about a living person, that information should not be used for any purpose relating to the living individual.

Medical records are used in investigation of causes of death, and should be permitted to be disclosed for that purpose.


We recommend that health information about patients who are inmates of correctional facilities, or incarcerated in detention facilities, be available to prison and detention officials responsible for the custody and care of the inmates and detainees, and that no further restrictions apply to the use and disclosure of this information. We recommend that the rights and obligations of the legislation not apply to inmates or detainees, or the officials or entities responsible for their care and custody.

This recommendation acknowledges the special situation of persons in correctional facilities, whose health care is a fundamental responsibility of the officials of those facilities.


We recommend that patients below the age of 18 who, acting alone, have the legal capacity to apply for and obtain health care and who have sought such care, should have all rights under the legislation with respect to information relating to such care.

We recommend that in cases not covered by the preceding condition, and in which the patients is age 14, 15, 16, or 17, either the patient or the parents or legal guardians be authorized to exercise all rights under the law.

We recommend that the rights of patients under 14 years of age be exercised by the parent or legal guardian of the patient.

These recommendations recognize the special situation of minors. They take into account the responsibility and concern of parents for their children, and at the same time acknowledge the ability under many State laws of minors to consent to their own care for particular conditions named in statute.


We recommend that persons authorized by law (other than on account of minority) to act for a patient, or authorized by an instrument recognized under law, to act as agent, attorney, proxy or other legal representative, exercise all rights of the patient to the extent authorized by the grant of authority.

We recommend that persons authorized by law, or by an instrument recognized under law, to make decisions about a patient's health care exercise the rights of the patient to the extent necessary to effectuate the terms or purposes of the grant of authority.

These recommendations address situations in which patients have formally authorized others to act for them, or are unable to act for themselves. They are necessary accommodations in situations where, for purposes beyond decisions about information, others are acting for patients.

As it relates to persons authorized to make health care decisions for others, this recommendation recognizes the power, under the laws of most States, of individuals to designate others to make health care decisions on their behalf, in the form of durable powers of attorney or similar instruments. The definition of rights we recommend is similar to one offered by the National Conference of Commissioners on Uniform State Law, in the Uniform Health-Care Decisions Act (9 Part I U.L.A. 93 (Supp. 1994)) in this circumstance.


We recommend that if a patient is not capable of exercising his or her rights under the legislation but has not been legally adjudicated as incompetent or has not had a legal representative appointed, the patient's rights under the recommended Federal privacy act be exercised by a person who holds a health care power of attorney for the patient, or in the absence of such a person, by next of kin, or in the absence of such a person, the health care provider.

We recommend that anyone exercising these rights be required to do so in the best interest of the patient.

This is intended to deal with situations where a patient is unable to exercise the rights under the confidentiality law, and there is no formal legal arrangement for others to exercise those rights.


We recommend that providers and payers be permitted to disclose, in connection with payment by debit, credit, or other payment card or account number, or other electronic payment means, the minimum amount of health information necessary to complete the payment transaction.

We recommend that a debit, credit, or other payment card issuer, or anyone otherwise directly involved in payment or billing transactions through such means, be permitted to use or disclose health information about a patient only for authorization, settlement, billing or collection, and for other purposes directly related to these financial operations.

Financial organizations such as banks that issue credit cards now process payment for health care. In the course of making payment for health care, and billing customers, they may incidentally receive health information. When a patient pays a provider using a credit card, the transaction does not use health information as such, and the provider should not include health information in communicating with the bank to receive payment.

However, some health information can be derived by ready inference from information that is included in the financial transaction. The specialty of a provider, which is easily determined, may indicate the type of health care being received. The amount or pattern of charges may suggest with some precision the gravity or character of a patient's condition.

Any health information so disclosed should be used only for the immediate purposes of the transaction.

Since entities performing these functions are typically regulated as financial or credit institutions, and transactions with health information are integrated into their more general operations, there is no value in identifying them as payers or service organizations and subjecting them to the range of obligations imposed on providers and payers and their service organizations.

The legislation should prevent them from using identifiable patient information for purposes beyond the immediate transactions. In particular, they should not be allowed to use health infor mation for purposes like direct marketing by the processor or by others, for the development of consumer profiles, for prescreening, for credit evaluation, or for other purposes.

The limitations we recommend should not interfere with use of patient information in audits, transfer of receivables or accounts, or the range of activities that surround the sale or transfer of receipts, or any legal or regulatory access to information that is common to the transactions of the processor more generally. The intent is to prevent the use of health information as such for any purpose beyond those narrowly connected with payment.


We recommend that disclosures of health information within the Department of Veterans Affairs for the purposes of the benefit programs of that Department be permitted without explicit authorization.

In the Department of Veterans Affairs health information about its beneficiaries currently flows as necessary from its medical facilities to its benefits payment elements, to permit benefit determinations based on health status. There is little value in requiring, for these information transfers within that agency, that veterans give the same authorization they would have to provide, for example, to permit disclosure of a private provider's records to a private insurance company. Simplicity and convenience for the veterans, and reduction of merely formalistic documentation, warrant this exception to the authorization requirements. The Privacy Act of 1974 provides a structured framework for the maintenance of the information, and existing confi dentiality statutes cover DVA information without distinguishing health information from other information (38 U.S.C. § 5701).


We recommend that the Secretaries of Departments including military services be authorized to promulgate regulations permitting disclosure without patient authorization of health information about members of the military services, by health care providers and payers that are part of the military services or operating on behalf of the military services.

The purpose of the health care system of the military services differs in its basic character from that of the health care system of society generally, and the leadership of the military services has a special relationship with its members. The special situation of the military services is acknowledged by the Constitutional provision for separate lawmaking for them (U.S. Const. art. I, § 8, cl. 14), and in their separate criminal justice system, under the Uniform Code of Military Justice (10 U.S.C. §§ 801 et seq.)

Officials of the military services are responsible for the health of the members, and use informa tion, including health information, to make operational choices about assignment of personnel and other matters relating to the national defense functions. Examples include the medical status of pilots, the reliability of nuclear weapons personnel, and compliance with controlled substance policies. The normal role of the patient in authorizing disclosure of health information would be inconsistent with these responsibilities and relationships, and thus we recommend that the military departments be permitted to modify the disclosure rules as necessary.

Under this recommendation, the rules could be modified for providers and payers which are direct military activities, as well as for civilian facilities serving members of the military services pursuant to contract (such as TRICARE managed care support contractors). We recommend that the authority to modify the disclosure rules apply only to health information about members of the military services.

The legislation should not permit promulgation of regulations to permit disclosure or use of in formation that is restricted or controlled by other law.

This recommendation is applicable to the Department of Defense and the Department of Transportation.


We recommend that the Secretaries of Departments including military services be authorized to promulgate regulations restricting the revocation of authorizations for disclosure of information by civilian employees and contractors' employees in instances where ongoing access to health informa tion is necessary for the conduct of national defense functions.

This provision addresses the situation of civilian employees of the military services, and contractor personnel, who authorize use of their health records to evaluate their suitability for deployment and other defense-related activities. Information about their health is needed on a continuous basis, and revocation of the authorization would interfere with use of the information, possibly in situations where the lack of information could have serious operational consequences.