Confidentiality of Individually Identifiable Health Information. I. Introduction


Every day, our private health care information is being collected, shared, analyzed and stored with few legal safeguards. There was a time when our health care privacy was protected by our family doctors -- who kept hand-written records about us sealed away in big file cabinets. Today, revolutions in our health care delivery system mean that we have to place our trust in entire networks of insurers and health care professionals. The computer revolution means that our family secrets travel quickly from doctors to hospitals to insurance companies -- and cannot be protected by simply locking up the office doors each night. And revolutions in biology mean that a whole new world of genetic tests has the potential either to help prevent disease or to reveal our most personal secrets.

Right now, the way we protect the privacy of our medical records is erratic at best -- dangerous at worst. It is time for our nation to enact federal legislation to protect the age-old right to privacy in this new world of progress. This report recommends that Congress enact national standards that provide fundamental privacy rights for patients and define responsibilities for those who serve them. Specifically, a federal privacy law should:

  • impose new restrictions on those who pay and provide for care, as well as those who receive information from them. It should prohibit disclosure of patient-identifiable information except as authorized by the patient or as explicitly permitted by the legislation. Disclosures of identifiable information should be limited to the minimum necessary to accomplish the purpose of the disclosure, and should be used within an organization only for the purposes for which the information was collected.
  • provide consumers with significant new rights to be informed about how their health information will be used and who has seen that information. Providers and payers should be required to advise patients in writing of their information practices. Patients should be able to see and get copies of their records, and propose corrections. A history of disclosures should be maintained by providers and payers, and be made accessible to patients.
  • provide for punishment for those who misuse personal health information and redress for people who are harmed by its misuse. There should be criminal penalties for obtaining health information under false pretenses, and for knowingly disclosing or using medical information in violation of the Federal privacy law. Individuals whose rights under the law have been violated should be permitted to bring an action for damages and equitable relief.

We are at a decision point. Depending on what we do, revolutions in health care, biotechnology, and communications can hold great promise or great peril. We must ask ourselves: Will we harness these revolutions to improve, not impede, health care? Will we strengthen, not strain, the very lifeblood of our health care system -- the bond of trust between a patient and a doctor? When all is said and done, will our health care records be used to heal us or reveal us?

Without safeguards to assure that obtaining health care will not endanger our privacy, public distrust could turn back the clock on progress in our entire health care system. Instead, we must keep our eye on the future, and act today.