Confidentiality of Individually Identifiable Health Information. G. Relationship to Other Law


We recommend that the legislation not preempt, supersede, or modify the operation of

-- any law that provides for the reporting of vital events such as birth and death;

-- any law requiring the reporting of abuse or neglect of any individual;

-- the provisions of the Public Health Service Act regarding notification of emergency response employees of possible exposure to infectious diseases (Public Health Service Act subpart II, part E, title XXVI (42 U.S.C. §§ 2681-2690));

-- any law requiring or explicitly authorizing the reporting of injuries or illnesses in connection with a workers' compensation program; or

-- any law that establishes a privilege for records used in health professional peer review activities.

These activities are all subject to existing law, and we recommend that they not be affected at all by the legislation. This proposal is not simply that disclosures to comply with these laws be allowed: it is that these disclosures and activities under these laws should not be affected at all.

The reporting of vital events like birth and death may include health information, but the reports are made pursuant to an existing body of law which controls use of the information so disclosed, and are for public purposes beyond health care. All States have laws in this area, many based in whole or in part on the model statute promulgated by the National Center for Health Statistics (Centers for Disease Control and Prevention, National Center for Health Statistics, Model State Vital Statistics Act and Regulations (1992)).

The reporting of neglect or abuse is addressed by law in every State.

In workers' compensation programs, State laws require employers to report injuries to State agencies or workers' compensation insurance carriers. While in many cases these reports will come from employers and will not include health information, there will be instances in which a health care provider will make the report. The legislation should not affect these reports.

To the extent that health information is used in health professional peer review activities, control of its use and disclosure should be left to the specialized statutes governing those activities.


We recommend that a patient's authorization for disclosure of health information for health care or payment, or disclosure under the legislation for those purposes without patient authorization, not diminish, waive, or otherwise impair any testimonial privilege.

Existing privileges, which in some instances can be abrogated by disclosure of the information covered by the privilege, should be preserved.


We recommend that providers and payers now subject to the Privacy Act of 1974 remain subject to that Act.

We recommend that these providers and payers be obliged to observe the disclosure restrictions of federal privacy legislation as well as any disclosure restrictions of the Privacy Act that are more restrictive than such legislation.

We recommend that Federal agencies be permitted to make disclosures now allowed by the Privacy Act to the National Archives and Records Administration.

The Privacy Act of 1974 (5 U.S.C. § 552a) was a pioneering statute for the use and control of personal information, and continues to serve the public well as a control on the use and disclosure of information by the Federal government. Its significant contributions to privacy interests are its requirements that agencies maintain only information necessary to the agencies' purposes; that individuals have the right to access and to request amendment of their records; and that agencies be open about the records they keep and their uses and disclosures.

Written to cover the wide variety of records found in the entire Federal government in 1974, including many of minimal sensitivity, its use and disclosure provisions are not highly restrictive. The Act explicitly identifies many disclosures as allowable without individual consent. Information may be used by employees of an agency who have a need to know the information to perform their duties, and "agency" includes an entire cabinet Department. Information may be disclosed pursuant to court order and pursuant to proper requests from law enforcement authorities, and to certain other Federal agencies. There are several other specified allowable disclosures. Beyond those set out in the text of the Act, agencies have discretion to make other disclosures through their administrative power under the Act to establish, by notice, comment, review by the Office of Management and Budget and Congress, a routine use -- a disclosure of information outside the agency "for a purpose which is compatible with the purpose for which it was collected." In devising their routine uses agencies have latitude in determining what is "compatible," although the courts have been looking more closely in recent years at agency choices.

Many Federal agencies conduct activities that would be covered by the legislation we recommend, such as the provision of care by the Clinical Center of the National Institutes of Health, the hospitals and clinics of the Department of Veterans Affairs, the Department of Defense and the Indian Health Service, and the payment activities of Medicare and the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS).

We recommend that federal health record confidentiality legislation limit the latitude of these agencies to make the disclosures otherwise permitted by the Privacy Act. Federal agencies should be restricted in their intra-agency disclosures, and in promulgation of routine uses, to the purposes and uses set out in the health privacy legislation we recommend.

This recommendation is based on these principles:

Health information is a specialized class of information that deserves the more careful treatment, in terms of disclosure restrictions, that the legislation we now recommend would provide.

Federal and other (private, State and local government) health care and payment activities ought, as much as possible, to be subject to the same confidentiality rules.

A common set of rules for health records in all health programs is more important than a common set of rules for records whose only similar feature is their Federal maintenance.

At present, existing confidentiality statutes are often overlaid on the Privacy Act, with the effect that the protections are cumulative. That is the result sought here, and it should be addressed explicitly in the law.

There are strong reasons to encompass both Federal and other health records within a common protective scheme. There is increasing interaction among the Federal, private, and State government sectors in sharing of facilities, purchase of care, and the like. The work of all these facilities and their personnel would be simplified by a common set of rules.

We recommend that the proposal leave in place the subject access and amendment provisions of the Privacy Act, and that it not diminish any protections against disclosure provided by that Act.

Unforeseen circumstances can be accommodated under the administrative authority we recommend, below (discussed under AUTHORITY FOR LIMITED SUSPENSION).

The archives provision deals with the special situation of Federal agencies whose records are subject to the Federal Records Act.


We recommend that the legislation preempt State laws only to the extent that those laws are less stringent or restrictive than the Federal law.

We recommend that the Federal legislation supersede State law only when the State law is less protective than the Federal law. If either the Federal or State law forbids a disclosure, the disclosure should not be permitted. Thus, the confidentiality protections would be cumulative, and the Federal legislation would provide "floor preemption."

Generally, Federal statutes that provide rights to individuals with respect to privacy and liberty do not displace stronger State laws, and we believe that the legislation we recommend should follow that tradition.

We are aware of the strong arguments, and repeated recommendations, that Federal law in this area should be totally preemptive, i.e., that it totally occupy the field of protection of health care information, so that no State could maintain or establish any law governing use and disclosure of health information.

Those arguments are based on the increasing integration of the health care information system in this country, in which information passes easily from State to State, when information generated in one State may with ease be retrieved in another State, and when it is difficult even to identify the "location" of information to determine which State's law applies.

Nevertheless, we have concluded that the careful attention States have given, and continue to give, to this issue, should be respected. Some States have comprehensive health confidentiality statutes analogous to the one recommended here, and others are considering them. Many have carefully designed statutes protecting specialized classes of information, particularly information about AIDS and HIV infection patients, and mental health patients.

The Federal protection would ensure that everyone has an adequate level of privacy protection, and if the people of the several States wish more, or see special privacy needs which are not being met, they can retain or enact additional safeguards.


We recommend that the legislation not modify or supersede other Federal or State law that provides greater protection.

Some health information subject to the legislation we recommend will also be subject to other law restricting its use and disclosure. The subjects of this information ought to have the benefit of all applicable law.

This may be the case with information held by payers and providers, in States with more protective statutes for some elements of health information (as discussed above in STATE LAW), and will be the case with some information held by Federal agencies. It may also be the case with information disclosed by payers and providers under provisions of the legislation without patient authorization.

In the latter instance, the information would, in its new setting, become subject to other statutes as well as the redisclosure provisions of the legislation we recommend. For example, information disclosed for research may become subject to statutes governing certain statistical activities (Public Health Service Act § 308(d), 42 U.S.C. § 242m(d)), health services research activities of the Agency for Health Care Policy and Research and its grantees and contractors (Public Health Service Act § 903(c), 42 U.S.C. § 299a-1(c)), or research subject identity protection (Public Health Service Act § 301(d), 42 U.S.C. § 241(d)). In other instances, State law may also restrict the disclosure of this information.

In the case of Peer Review Organizations, which review health information to ensure the quality of care for Medicare beneficiaries, health information is protected by its authorizing statute (Social Security Act § 1160, 42 U.S.C. § 1320c-9).

The Americans with Disabilities Act prohibits discrimination on the basis of disability, and in regulating the assessment of applicants and employees, requires employers, among other things, to keep medical information "on separate forms and in separate medical files" and to treat this "as a confidential medical record." (§§ 102(c)(3) and (4), 42 U.S.C. §§ 12112(c)(3) and (4)). Section 503 of the Rehabilitation Act of 1973, 29 U.S.C. § 793, provides the same protections for Federal contractor employees and job applicants (regulation at 41 C.F.R. § 60-741.23).

These laws should continue to apply. Information obtained by employers in providing health care or payment should be subject to the legislation we propose. Information subject to the Americans with Disabilities Act or Rehabilitation Act (whether or not obtained in treatment or payment) should continue to be covered by these laws. There should be no conflict between the requirements, since neither those laws nor the legislation we recommend requires any disclosure that violates the other law.

In providing for the continuance of stronger State law, the legislation should not modify the scope of the Employment Retirement Income Security Act of 1974 (ERISA) (29 U.S.C. § 1134) preemption of State laws. We recommend new minimum federal standards that would apply to many different entities that hold health information, including ERISA plans. However, we are not recommending that States be given new authority to apply more protective privacy standards to ERISA plans.


We recommend that the Secretary of Health and Human Services be authorized to determine, by regulation, which elements of the Federal substance abuse confidentiality statute (Public Health Service Act § 543, 42 U.S.C. § 290dd-2) should continue to apply, so that the net effect of that statute and the one recommended will be at least as strong protection for the information concerned.

We recommend that the Secretary of Veterans Affairs be similarly empowered with respect to the statute governing substance abuse, sickle cell disease, and HIV infection in the records of the Department of Veterans Affairs (38 U.S.C. § 7332).

This recommendation will ensure that the strongest protections of the new legislation and the existing laws will both apply to covered information. The relevant Cabinet Secretaries would publish regulations to specify what rules apply.