Confidentiality of Individually Identifiable Health Information. I. Administration

09/11/1997

We recommend that the legislation provide authority to issue regulations to implement the legislation.

We recommend that there be authority to

-- sponsor research relating to the privacy and security of health information;

-- develop information and technical guidance for protection of health informa tion; and

-- develop technology to implement standards regarding health information.

We recommend that there be authority to promulgate

-- model notices of information practices for use by entities subject to the legis lation;

-- model authorizations for disclosure and model statements of intended use of health information by persons requesting that patients authorize disclosure of health information;

-- guidelines for the administrative, technical, and physical safeguards required to protect health information;

-- guidelines for what levels and amounts of information constitute "identifiable" information, and guidelines for minimum allowable disclosures in particular situations;

-- guidelines for use within organizations of health information "only for purposes compatible with and directly related to the purposes for which the information was collected or received";

-- requirements for institutional review boards authorized to approve disclo sures for research;

-- model notices to advise patients of efforts to obtain health information in legal proceedings; and

-- standards for electronic and magnetic writings that would fulfill the requirements of the legislation.

This recommendation recognizes the need for interpretation and application when new confiden tiality standards govern health information. An ongoing Federal authority is needed to preclude doubt and confusion, to provide certainty in applying the rules, and to be a point of public reference and recourse with respect to violations subject to civil money penalties.

In addition, there should be authoritative sources for technical guidance for several matters that cannot be addressed in detail in legislation. Entities subject to the legislation should be assured that they are in compliance if they used model notices, security practices, and other forms and techniques promulgated centrally. In some areas, like restricting use of health information to the purposes for which it was collected, new organizational and administrative techniques could be promulgated to assist small businesses to comply.

2. AUTHORITY FOR LIMITED SUSPENSION

We recommend that there be authority to suspend, by regulation, any provision of the legislation for a limited period in the event of an unforeseen significant threat to health or safety, significant threat to patient privacy, major economic disruption, or manifest unfairness.

The design of precise controls on the use and disclosure of information is a complex task, and it is possible that the legislation would forbid a disclosure, or otherwise constrain behavior, in a way that causes unanticipated hardship.

Authority to suspend a provision would ensure that situations like this could be addressed, on a temporary basis, pending Congressional consideration of amendments.

Federal agencies are accustomed to the flexibility provided by the Privacy Act of 1974, whose routine use provision (5 U.S.C. § 552a(a)(7) and (b)(3)) permits agencies to make administrative choices to disclose information beyond the disclosures explicitly allowed in the statute. We do not recommend administrative authority as flexible as the routine use provision, which appears in a law covering all activities of all Federal agencies, and where a statutory catalog of all possible uses of information was not feasible. We recommend a provision to deal with extraordinary situations that may have not been foreseen, and then only for a limited time.

3. EFFECTIVE DATE

We recommend that the obligations of the providers and payers become effective 9 months after the promulgation of implementing regulations.

We recommend that there be authority to exempt records in existence on the date of enactment from compliance with specific provisions of the law, for time-limited periods.

These recommendations are for an implementation schedule to ensure adequate time to apply the rules to health information in the hands of providers and payers.

The requirements we recommend can be applied with minimal trouble to new transactions with patients and to records developed with the legislation as background and guidance. At the same time, to apply the legislation to existing records, including some that are in archival status, could present undue hardships, with little benefit to patients. It is not intended that patients whose records exist already should not get the protection of the law. The exemption provision should be available only for situations where there is no significant adverse privacy effect on the patient.