(1) The directive requires EU States to "protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to processing of personal data". (Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, art. 25, ¶ 1 (Eur. O.J. 95/L281)).

(2) 9 Part I, U.L.A. 475 (1988 and Supp. 1996).

(3) Workgroup for Electronic Data Exchange, Report to the Secretary of U.S. Department of Health and Human Services Appendix 4, Confidentiality and Antitrust Issues 5 (1992). For other analyses of the State law situation see Robert M. Gellman, Prescribing Privacy: The Uncertain Role of the Physician in the Protection of Patient Privacy, 62 N.C. L. Rev. 255 (1984); Lawrence O. Gostin, Health Information Privacy, 80 Cornell L. Rev. 101 (1995); Paul M. Schwartz and Joel R. Reidenberg, Data Privacy Law § 7-3 (1996).

(4) Richard S. Dick and Elaine B. Steen, eds., The Computer-Based Patient Record: An Essential Technology for Health Care (1991). A revised version of this report is expected in the autumn of 1997.

(5) The National Committee on Vital and Health Statistics, an advisory committee to the Secretary of Health and Human Services, is established by the Public Health Service Act § 306(k), 42 U.S.C. § 242k(k), and its membership was expanded to include persons distinguished in "privacy and security of electronic information" by the Health Insurance Portability and Accountability Act of 1996. In the course of its consultation on these recommendations, its Subcommittee on Privacy and Confidentiality held six days of hearings on health privacy during the first two months of 1997. Witnesses included health care providers, researchers, public health authorities, Federal and State oversight agencies, accreditation organizations, insurers, claims processors, pharmaceutical manufacturers, Federal agencies, law enforcement agencies, and patient and privacy advocates. (Health Privacy and Confidentiality Recommendations of the National Committee on Vital and Health Statistics, Approved on June 25, 1997)

(6) U.S. Congress, Office of Technology Assessment, Protecting Privacy in Computerized Medical Information 44 (1993).

(7) Molla A. Donaldson and Kathleen N. Lohr, eds., Health Data in the Information Age: Use, Disclosure and Privacy 190 (1994).

(8) Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, § 264(c)(2), 110 Stat. 1936, 2033 (1996). Congress has provided for confidentiality protection for a limited class of information if legislation is not enacted.

If Congress does not enact legislation on standards for privacy of health information transmitted in connection with financial and administrative transactions (i.e. the information subject to the standards to be developed under section 262) within 36 months, the Secretary of HHS must issue regulations with privacy standards for these transactions within 42 months of enactment (§ 264(c)(1)). This is timed to coincide with the effective date of the standards under section 262.

(9) Social Security Act § 1178(a)(2)(B), added by section 262 of the Health Insurance Portability and Accountability Act of 1996.