Confidentiality of Individually Identifiable Health Information. I. Public Responsibility


A Federal health privacy law should permit limited disclosures of health information without patient consent for specifically identified national priority activities. We have carefully examined the many uses that the health professions, related industries, and the government make of health information, and we are aware of the concerns of privacy and consumer advocates about these uses. The allowable disclosures and corresponding restrictions we recommend reflect a balancing of privacy and other social values.

Specifically, in addition to disclosure for health care and payment purposes discussed above, we recommend that Federal legislation authorize disclosure of health information without explicit patient consent for four national priority activities. Recipients of information under such a legislative authorization should also be bound by restrictions on use and further disclosure of the information, tailored to their particular circumstances.

Oversight of the Health Care System (including audit, investigation, quality assurance, and licensure). Combating fraud, abuse, and waste in health care and related payment programs is a major national priority. In addition, we have both legal and ethical duties to improve the quality of health care, and records review is essential to this important task. We recommend that the legislation not add additional restrictions to access to health information for these purposes. No new judicial or administrative procedure should be required before oversight agencies can see health records, or use them against patients, providers, and others for wrongdoing in health or related programs. At the same time, existing legal constraints that govern access to or use of such information by oversight organizations should remain in place. We are also recommending criminal penalties for obtaining health information under false pretenses.

For Public Health, and in Emergencies Affecting Life or Safety. The importance of public health and emergency medical activities to our health and safety cannot be overstated. Health information is necessary for tracing the source of rapidly spreading infectious diseases, finding links between diseases and their causes, and rendering appropriate medical care to victims in emergencies. We recommend that there be no new procedural burdens in the way of these priority, often urgent, activities. At the same time, public health workers should be prohibited from redisclosing that information for any other purpose.

For Health Research. Research is essential to our health care. Federal law should permit use of information for research without consent under carefully-defined circumstances, and should also include safeguards, including restrictions on redisclosure, to ensure that individual subjects are not harmed. Federal requirements should include a determination by an institutional review board that the research does not involve more than minimal risk, that the absence of consent will not harm the participants, and that the research would be impracticable if consent were required.

We also propose accommodating the special needs of clinical trials. Generally, patients should have access to their own records. For clinical trials, however, we recommend a limited exception to permit agreements that research subjects typically make, such as to forgo access to their trial-related records for the duration of their participation in the trial, as long as they are consistent with Federal rules for the protection of research subjects.

Pursuant to Other Laws or Court Orders, such as: to Law Enforcement Authorities, to State Health Data Systems, and in Court Proceedings. Law enforcement agencies need access to health information for many purposes. We recommend that this Federal health privacy law not alter current practices; that is, it should neither expand nor contract current laws governing disclosure of health information to law enforcement authorities. In many instances, law enforcement authorities today can obtain, share, and use health information without patient consent and without legal process. We are not recommending changes to these practices. Similarly, existing legal constraints on law enforcement access to and use of medical information should remain in place.

We recognize that new issues are raised by the search capabilities of computerized records, and that there are arguments in favor of new restrictions to address these possibilities. However, until more experience is gained with the uses of computerization of these records, and the types and frequency of requested searches, it is premature to change existing law in this area.