Any Federal legislation controlling health information must be understood in the context of other State and Federal laws that also address, either incidentally or directly, the confidentiality of health information. In short, we recommend that existing confidentiality laws at both State and Federal level which provide more protection remain in force. A new Federal privacy law should provide a basic level of protection for everyone -- a "floor" of protection -- without reducing other protections.
State Law. As noted above, there exists today a patchwork of State health privacy laws. While some are comprehensive and strong, the array of protections we recommend here would, in general, be stronger than most existing State law.
We recommend that Federal health privacy legislation supersede State law that is less protective than the Federal law. If either the Federal or State law forbids a disclosure, the disclosure should not be made. Thus, the confidentiality protections should be cumulative, and the Federal legislation should provide "floor preemption."
We make this recommendation with the recognition that a single national standard may be preferable from the administrative simplification perspective, and that some privacy interests might also be better served thereby. However, at this time, the freedom of States to protect their citizens' privacy through their own legislation is more important than the benefits of standardization that totally preemptive Federal legislation would confer. The attention several States have given to this issue should be respected. Many States have statutes to protect information about HIV infection and AIDS patients, and about mental health patients, designed after wide public debate to suit local needs. In addition, the Federal government can clearly learn from the experiences of States as they respond to the complex task of protecting patient information in a rapidly changing environment.
Other Federal statutes that afford protection to liberty, privacy, and consumers' rights generally do not displace stronger State laws. At present, the goals of this proposal argue that it not break that tradition.
In addition, Congress expressed a preference for leaving stronger State laws in place in the Health Insurance Portability and Accountability Act of 1996. That Act calls for the Secretary of Health and Human Services to impose confidentiality controls on electronic transaction systems if Congress does not legislate on confidentiality by August 1999, and directs that any such controls not supersede State law with more stringent requirements.(8) Likewise, the standards for administrative simplification of health financial and administrative transactions, which that Act requires the Secretary of HHS to promulgate, may not supersede stronger State confidentiality laws.(9)
Privacy needs, developments in health data systems, and the interests of nationwide administrative simplification for health transactions may ultimately justify preemptive Federal legislation. But, at least at present, as the National Committee on Vital and Health Statistics noted, "this issue need not be treated as a single problem with a single solution."(10)
If the Congress enacts Federal legislation leaving State controls in place, the impact of the respective laws on individual privacy rights and on effective use of health information bears careful watching. To the extent that dual regulation impairs health care or the operation of information and payment systems, poses risks to confidentiality arising from misunderstanding of the applicability of multiple laws, or creates uncertainty in patients about rights and redress, consideration of additional action, such as developing a single national law or preempting State laws in particular areas, may be warranted.
Federal Law. Similarly, we recommend that a Federal privacy law not limit or reduce other Federal legal protections that control how information about individuals is disclosed or used. As with State law, Federal privacy protections should be cumulative.
For example, even where the recommended Federal privacy law would allow a disclosure without patient consent or judicial process, it should not obviate the need to comply with other Federal statutes that do require consent or judicial process. Nor should it diminish any rights, of patients or record holders, to challenge disclosures under other Federal law. If another Federal law requires legal process, or specific showings, prior to a disclosure, a record holder should remain obligated to observe those requirements.
For Federal health records, the records management requirements and subject access provisions of the Privacy Act of 1974 should continue to apply. But we recommend that the Privacy Act's disclosure provisions be replaced by the general health information disclosure restrictions we recommend, to the extent that the latter are more stringent than the Privacy Act.