NRPM: Standards for Privacy of Individually Identifiable Health Information. 1. Professional Codes of Conduct and the Protection of Health Information.


We examined statements issued by five major professional groups, one national electronic network association and a leading managed care association. There are a number of common themes that all the organizations appear to subscribe to:

  • The need to maintain and protect an individual’s health information;
  • Development of policies to ensure the confidentiality of protected health information;
  • Only the minimum necessary information should be released to accomplish the purpose for which the information is sought.

Beyond these principles, the major associations differ with respect to the methods used to protect health information. One critical area of difference is the extent to which professional organizations should release protected health information. A major mental health association advocates the release of identifiable patient information “. . .only when de-identified data are inadequate for the purpose at hand.” A major association of physicians counsels members who use electronically maintained and transmitted data to require that they and their patients know in advance who has access to protected patient data, and the purposes for which the data will be used. In another document, the association advises physicians not to “sell” patient information to data collection companies without fully informing their patients of this practice and receiving authorization in advance to release of the information.

Only two of the five professional groups state that patients have the right to review their medical records. One group declares this as a fundamental patient right, while the second association qualifies their position by stating that the physician has the final word on a patient’s access to their health information. This association also recommends that its members respond to requests for access to patient information within 10 days, and recommends that entities allow for an appeal process when patients are denied access. The association further recommends that when a patient contests the accuracy of the information in their record and the entity refuses to accept the patient’s change, the patient’s statement should be included as a permanent part of the patient’s record.

In addition, three of the five professional groups endorse the maintenance of audit trails that can track the history of disclosures of protected health information.

The one set of standards that we reviewed from a health network association advocated the protection of private health information from disclosure without patient authorization and emphasized that encrypting information should be a principal means of protecting patient information. The statements of a leading managed care association, while endorsing the general principles of privacy protection, were vague on the release of information for purposes other than treatment. They suggest allowing the use of protected health information without the patient’s authorization for what they term “health promotion.” It is possible that the use of protected health information for “health promotion” may be construed under the proposed rule as part of marketing activities.

Based on the review of the leading association standards, we believe that the proposed rule embodies all the major principles expressed in the standards. However, there are some major areas of difference between the proposed rule and the professional standards reviewed. These include the subject individual’s right of access to health information in the covered entity’s possession, relationships between contractors and covered entities, and the requirement that covered entities make their privacy policies and practices available to patients through a notice and the ability to respond to questions related to the notice. Because the proposed regulation would require that (with a few exceptions) patients have access to their health information that a covered entity possesses, large numbers of providers may have to modify their current practices in order to allow patient access, and to establish a review process if they deny a patient access. Also, none of the privacy protection standards reviewed require that providers or plans prepare a formal statement of privacy practices for patients (although the major physician association urges members to inform patients about who would have access to their protected health information and how their health information would be used). Only one HMO association explicitly made reference to information released for legitimate research purposes, and none of the other statements we reviewed discuss release of information for research purposes. The proposed rule allows for the release of protected health information for research purposes without an individual’s authorization, but only for research that is supervised by an institutional research board or an equivalent privacy board. This research requirement may cause some groups to revise their disclosure authorization standards.