NRPM: Standards for Privacy of Individually Identifiable Health Information. A. Need for privacy standards.

The maintenance and exchange of individually identifiable health information is an integral component of the delivery of quality health care. In order to receive accurate and reliable diagnosis and treatment, patients must provide health care professionals with accurate, detailed information about their personal health, behavior, and other aspects of their lives. Health care providers, health plans and health care clearinghouses also rely on the provision of such information to accurately and promptly process claims for payment and for other administrative functions that directly affect a patient’s ability to receive needed care, the quality of that care, and the efficiency with which it is delivered.

Individuals who provide information to health care providers and health plans increasingly are concerned about how their information is used within the health care system. Patients want to know that their sensitive information will be protected not only during the course of their treatment but also in the future as that information is maintained and/or transmitted within and outside of the health care system. Indeed, a Wall Street Journal/ABC poll on September 16, 1999 asked Americans what concerned them most in the coming century. “Loss of personal privacy” was the first or second concern of 29 percent of respondents. All other issues, such as terrorism, world war, and global warming, had scores of 23 percent or less.

Efforts to provide legal protection against the inappropriate use of individually identifiable health information have been, to date, undertaken primarily by the States. States have adopted a number of laws designed to protect patients against the inappropriate use of health information. A recent survey of these laws indicates, however, that these protections are quite uneven and leave large gaps in their protection. See Health Privacy Project, “The State of Health Privacy: An Uneven Terrain,” Institute for Health Care Research and Policy, Georgetown University (July 1999) (

A clear and consistent set of privacy standards would improve the effectiveness and the efficiency of the health care system. The number of entities who are maintaining and transmitting individually identifiable health information has increased significantly over the last 10 years. In addition, the rapid growth of integrated health care delivery systems requires greater use of integrated health information systems. The expanded use of electronic information has had clear benefits for patients and the health care system as a whole. Use of electronic information has helped to speed the delivery of effective care and the processing of billions of dollars worth of health care claims. Greater use of electronic data has also increased our ability to identify and treat those who are at risk for disease, conduct vital research, detect fraud and abuse, and measure and improve the quality of care delivered in the U.S.

The absence of national standards for the confidentiality of health information has, however, made the health care industry and the population in general uncomfortable about this primarily financially driven expansion in the use of electronic data. Many plans, providers, and clearinghouses have taken steps to safeguard the privacy of individually-identifiable health information. Yet they must currently rely on a patchwork of State laws and regulations that are incomplete and, at times, inconsistent. The establishment of a consistent foundation of privacy standards would, therefore, encourage the increased and proper use of electronic information while also protecting the very real needs of patients to safeguard their privacy.

The use of these standards will most clearly benefit patients who are, in increasing numbers, indicating that they are apprehensive about the use and potential use of their health information for inappropriate purposes. A national survey released in January 1999 indicated that one-fifth of Americans already believe that their personal health information has been used inappropriately. See California HealthCare Foundation, “National Survey: Confidentiality of Medical Records,” January 1999 (conducted by Princeton Survey Research Associates) ( Of even greater concern, one-sixth of respondents indicated that they had taken some form of action to avoid the misuse of their information, including providing inaccurate information, frequently changing physicians, or avoiding care. The use of these standards will help to restore patient confidence in the health care system, providing benefits to both patients and those who serve them.

In order to administer their plans and provide services, private and public health plans, health care providers, and health care clearinghouses must assure their customers (such as patients, insurers, providers, and health plans) that the health care information they collect, maintain, use, or transmit will remain confidential. The protection of this information is particularly important where it is individually identifiable. Individuals have an important and legitimate interest in the privacy of their health information, and that interest is threatened where there is improper use or disclosure of the information. The risk of improper uses and disclosures has increased as the health care industry has begun to move from primarily paper-based information systems to systems that operate in various electronic forms. The ease of information collection, organization, retention, and exchange made possible by the advances in computer and other electronic technology afford many benefits to the health care industry and patients. At the same time, these advances have reduced or eliminated many of the logistical obstacles that previously served to protect the confidentiality of health information and the privacy interests of individuals.

Congress recognized the need for minimum national health care privacy standards to protect against inappropriate use of individually identifiable health information by passing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which called for the enactment of a privacy statute within three years of the date of enactment. The legislation also called for the Secretary of Health and Human Services to develop and send to the Congress recommendations for protecting the confidentiality of health care information, which she did on September 11, 1997. The Congress further recognized the importance of such standards by providing the Secretary of Health and Human Services with authority to promulgate health privacy regulations in lieu of timely action by the Congress. The need for patient privacy protection also was recognized by the President’s Advisory Commission on Consumer Protection and Quality in the Health Care Industry in its recommendations for a Consumer Bill of Rights and Responsibilities (November, 1997).