Personal Privacy in an Information Society. General Recommendations


The Commission considered several ways in which its medical-record recommendations might be implemented and enforced. The alternatives considered ranged from a wholly voluntary approach to Federal legislation which, like the 1974 Drug Abuse and Alcoholism statutes,49 would make compliance with the recommendations a requirement attached to the direct or indirect receipt of Federal funds. Ultimately, however, the Commission settled on an intermediate strategy of giving medical-care institutions the responsibility for seeing that the requirements are met as a condition of qualifying for Medicare or Medicaid reimbursement. Private practitioners would not have to meet these requirements, since under current law they are not subject to the qualification standards that apply to medical-care institutions. Nonetheless, as it becomes necessary for private practitioners to qualify for Federal reimbursement, either through expansion of existing regulations, or through other developments looking toward a national health insurance scheme, they, too, would be covered by the recommended measures.

The Commission believes that this strategy allows time and opportunity for the orderly resolution of differences between the institutionalized medical-care relationship and the private practitioner relationship, differences that directly affect the content and handling of medical records. Moreover, to begin with the institutional relationship is to begin where the greatest problems appear to exist at the present time.

Accordingly, the Commission recommends:

Recommendation (1):

That the Congress, through amendment of the Social Security Act, authorize the Secretary of Health, Education, and Welfare to promulgate regulations requiring:
(a) that medical-care providers whose services are paid for directly or indirectly under Titles XVIII and XIX of the Social Security Act develop specific procedures for implementing Commission Recommendations (6), (7), (9), (10), (11), (12), (13), and (14);
(b) that such providers be required to show evidence of compliance with these recommendations as a condition of participation in the Medicare and Medicaid programs; and
(c) that all records of surveys of compliance with the procedures developed pursuant to the Commission's recommendations be a matter of public record and open to public inspection, provided, however, that the names or other identifying particulars of patients are deleted prior to public release.

This recommendation builds on existing regulatory mechanisms and current certification and accreditation processes. Subparagraph (c), however, goes beyond current practice regarding surveys carried out by the Joint Commission on the Accreditation of Hospitals (JCAH). Whereas surveys of Federal facilities and of institutions other than JCAH-accredited hospitals are open to public inspection under the Federal Freedom of Information Act, the results of JCAH surveys of medical-care institutions, by law, are not. Thus, unless the law were changed to provide for public inspection of those portions of a survey having to do with Title XVIII and Title XIX privacy protection requirements, the public would have no knowledge of hospital compliance. As repeatedly emphasized throughout this report, openness as to information policies and practices and accountability for such policies and practices are two of the most important protections for personal privacy. Both these protections would be absent if JCAH survey reports were allowed to remain secret.

The need for subparagraph (c) points up the major disadvantage of relying exclusively on the existing Title XVIII and Title XIX regulatory mechanisms: no actionable rights for individuals will be created as a result. Enforcement will depend solely on the effectiveness of certification and accreditation procedures, and on the ability of individuals, as individuals, to induce the Department of Health, Education, and Welfare to investigate specific cases and institute sanctions where an institution has failed to discharge its responsibilities. In Chapter 9 on the education relationship, the deficiencies of this type of approach are described, from the sanctioning agency's point of view as well as from the individual's. Hence, as a corollary to the action it urges on the Congress, the Commission also recommends:

Recommendation (2):

That each State enact a statute creating individual rights of access to, and correction of, medical records, and an enforceable expectation of confidentiality for medical records consistent with Commission recommendations in these areas.

The Commission strongly urges that the National Commission on Uniform State Laws, or another body of comparable mission and expertise, develop model State statutes that will provide for the individual a right to sue for access to a medical record about himself, to correct or amend erroneous, misleading, or incomplete information in a medical record, and a right to hold a medical-care provider responsible if it can be shown that the provider has not exercised reasonable care in protecting the confidentiality of the medical records it maintains about him. In addition, the Commission would urge that such statutes create a limitation of liability to protect the medical-care provider against actions brought for defamation, invasion of privacy, or negligence when a medical record or medical-record information is released pursuant to the requirements of the statute or to the DHEW regulations proposed in Recommendation (1), above. False information furnished with malice or willful intent to injure an individual would, of course, not be covered by such limitation.

Recognizing that there will be some medical-care providers that will not be subject to Medicare and Medicaid regulations, or, at least for a time, to State statutory requirements, the Commission also recommends:

Recommendation (3):

That any medical-care provider not subject to either of the Commission's two general recommendations on implementation voluntarily establish procedures to comply with the specific recommendations set forth below.

Finally, in light of the evidence presented to the Commission concerning the surreptitious acquisition of medical-record information from medical-care providers, the Commission recommends:

Recommendation (4):

That Federal and State penal codes be amended to make it a criminal offense for any individual knowingly to request or obtain medical-record information from a medical-care provider under false pretenses or through deception.

Safeguarding the confidentiality of medical records is properly the responsibility of the medical-care provider maintaining them. Yet, as noted earlier, at least one firm has specialized in obtaining medical-record information through subterfuge and was reported to have been successful in more than 90 percent of its attempts.50 Indeed, the breaches of medical-record security which have come to the public's attention in the last few years have been dramatic and unsettling. The break-in at the offices of Daniel Ellsberg's psychiatrist, the publicizing of Senator Eagleton's past medical history, and the recent exposure of the theft of information by Factual Service Bureau are but three examples of blatant disregard for the confidentiality of medical records. Under these circumstances, to place the full onus of responsibility for the protection of medical records on the medical-care provider seems to the Commission to be unrealistic. Its responsibility must be reinforced by sanctions against the deceptive acquisition or theft of medical-record information.


Inasmuch as the Commission has no recommendations that bear directly on the intrusiveness of the medical-care relationship itself, its first set of specific recommendations concerns fairness. The measures recommended here prescribe procedures for allowing a patient to see, copy, and correct or amend a medical record pertaining to himself, and for placing limits on the circulation of medical-record information within the immediate medical-care setting. Measures are also recommended to reinforce the expectation of confidentiality in the medical-care relationship by placing limits and conditions on those, other than a medical-care provider, who may acquire and use the information contained in a medical record.



As noted earlier, one of the issues on which medical-care providers are least in agreement is whether a patient should be allowed to see and copy a medical record about himself. Nine States currently grant a patient the right to inspect and, in some instances, obtain copies of his medical records. Colorado clearly has the most liberal statutes in that they apply not only to hospital records, but also to records kept by private physicians, psychologists, and psychiatrists. The Colorado statutes grant the patient the right to obtain a copy of his records for a reasonable fee, without resort to litigation, and without the authorization of physicians or hospital officials.51 An Oklahoma statute permits the patient to inspect and copy his medical records in both the hospital setting and the physician's office.52 The difference between the Oklahoma and Colorado laws lies in the status of psychiatric records. Colorado provides for patient access to psychiatric records following termination of treatment, while Oklahoma excludes psychiatric records altogether.

Other States recognize a much narrower right of access. Florida law gives the patient the right to obtain copies of all reports of his examination and treatment, but applies only to records maintained by physicians, with no mention of hospital records.53 By contrast, the statutes of Connecticut, Indiana, Louisiana, and Massachusetts cover only a hospital record, and make no mention of records maintained by physicians.54 Mississippi and Tennessee require the patient to show good cause before he can have access to his hospital records.55 Ten States (Illinois, Maine, Missouri, Montana, Nevada, New Jersey, New Mexico, North Dakota, Utah, and Wisconsin) have vaguely worded statutes or regulations56 that allow a patient, relative, physician, or attorney access to the patient's medical records. Of these 10 States, Nevada and New Mexico apply only to mental-health records. In New York, the patient need be shown only enough of the hospital record to indicate which physicians have attended him,57 and in Ohio the hospital determines how much of the medical record the patient may see.58 In Arizona the administrator or attending physician must consent before a patient can inspect his hospital records.59

In several other States legislation is now pending that would create a right of access for a patient similar to the one provided by the Privacy Act of 1974, i.e., a right to see and copy a medical record about oneself except in special situations.

The subsection of the Privacy Act that specifically refers to medical records states:

In order to carry out the provisions of this section, each agency that maintains a system of records shall promulgate rules . . . which shall . . . establish procedures for the disclosure to an individual, upon his request, of his record or information pertaining to him, including special procedures, if deemed necessary, for the disclosure to an individual of medical records, including psychological records pertaining to him. [5 U.S.C. 552a(f)(3)]

The Office of Management and Budget guidelines for implementing the Privacy Act quote the legislative history of this provision as follows:

If in the judgment of the agency, the transmission of medical information directly to a requesting individual could have an adverse effect upon such individual, the rules which the agency promulgates should provide means whereby an individual who would be adversely affected by receipt of such data may be apprised of it in a manner which would not cause such adverse effects.60

While the Privacy Act recognizes an individual's undeniable right to see and copy a medical record about him maintained by a Federal medical-care facility, it clearly allows special procedures where direct access could be harmful to him. The guidelines are vague about when special procedures are justified and silent about what they may be. Thus, it should not be surprising that the special procedures developed by the different agencies are not the same.

The Department of Health, Education, and Welfare has the most liberal procedures, providing for indirect access to records through a responsible individual, not necessarily a medical professional, designated by the patient. The Department of Defense procedure requires that arrangements be made for release of the record to a physician of the patient's choice. The Veterans Administration takes a middle ground, requiring that medical records containing "sensitive information" be "referred to a physician or other professional person with the necessary professional qualifications to properly interpret and communicate the information desired." The one caveat provided is that the selectee must either meet VA professional standards or be licensed in the appropriate professional specialty.61

The Commission's hearings failed to produce evidence that one procedure was more effective than another in protecting patients from any adverse consequences that might result from obtaining their medical records. Not one witness was able to identify an instance where access to records has had an untoward effect on a patient's medical condition. While the Department of Defense special procedure is clearly the most restrictive, DOD representatives estimated that the Department had released a record to a physician, rather than to the individual directly, in less than one percent of the cases where access had been requested.

The Commission considered a number of proposals for a special procedure to be followed when direct access might harm the patient. Some of these would stop short of the DHEW procedure allowing release of the record to any responsible person the patient may designate, whether the designee is a medical professional or not. Others would leave the patient's see-and-copy right unrestricted with respect to any information in his medical records that had been or might be disclosed for use in making nonmedical decisions about him, but would prescribe special procedures in specified instances (e.g., psychiatric or terminal illness) when there is no possibility of such disclosure to third parties. In the end, however, the Commission concluded that no solution would be acceptable in the long run so long as it risks leaving the ultimate discretion to release or not to release in the hands of the patient's physician. In situations where the keeper of a medical record believes that allowing the patient to see and copy it may be injurious to the patient, the Commission concluded that it would be reasonable for the record to be given to a responsible person designated by the patient, with that person being the ultimate judge of whether the patient should have full access to it. In no case, however, should the physician or other keeper of the record be able to refuse to disclose the record to the designated responsible person, even where it is known in advance that the designated person will give the patient full access to it. Accordingly, having weighed the evidence before it, and having considered the arguments pro and con, the Commission recommends:

Recommendation (5):

That upon request, an individual who is the subject of a medical record maintained by a medical-care provider, or another responsible person designated by the individual, be allowed to have access to that medical record, including an opportunity to see and copy it. The medical-care provider should be able to charge a reasonable fee (not to exceed the amount charged to third parties) for preparing and copying the record.

Although this recommendation stops short of guaranteeing that the patient will be allowed to see and copy everything in every medical record about him, it leaves the designee the option of giving the patient this guarantee. The Commission believes that the measure will encourage medical-care providers themselves to release records to patients whenever they can possibly do so in good conscience. In some sense, the recommended procedure harkens back to the time when family members and friends played a much larger role in patient care than they normally do today. In any case, it gives most patients a way of finding out what is in their medical records, and of knowing what others can learn about them from those records.

This discussion would be incomplete without a word about access to medical records by patients who are minors. As noted in Chapter 11 on the public assistance and social services relationship, most of the comments submitted to the Commission urged that a minor patient be given access to medical records concerning treatment he has sought on his own behalf, if State law permits him to obtain such treatment without the knowledge or consent of his parents. State laws usually deal with this question in connection with venereal disease, drug or alcohol abuse, pregnancy, and family planning, including abortion. The Commission believes that in these instances only the minors (and not their parents or guardians) should be given access to such records or portions of records so as not to discourage them from seeking necessary treatment.

The fee provision also raises a minor problem. Recommendation (5) would allow the medical-care provider to charge the individual a preparation or copying fee consistent with the fees it charges others for such services. This could mean anything from $1 to several hundred dollars. Obviously, the Commission would not want the right to see and copy a medical record to become a prerogative of the well-to-do, and thus urges medical-care providers to develop fee schedules flexible enough to match the varying financial circumstances of patients.


Elsewhere in this report the Commission recommends measures to assure an individual's right of access to a record maintained about him by an insurer, self-insurer, or insurance-support organization and further, that he be able to obtain on request a copy of all the information that served as the basis for an adverse insurance decision about himself. In another chapter, the Commission recommends that an employer voluntarily establish procedures whereby an individual can gain access to records the employer maintains about him. In the chapter on Public Assistance and Social Services, the Commission recommends enactment of a Federal statute requiring that the States, in turn, enact statutes permitting individuals to have access to records maintained by a public assistance or social service agency.

In all three instances, some of the records to which the individual would be given access are, or contain, medical-record information. The Commission would prefer that such third-party holders of medical-record information not distinguish it from any other information the individual asks to see and copy. The Commission recognizes, however, that as a practical matter an individual may not always find a medical record or a copy of medical-record information informative unless a medical professional interprets its technical language for him, and third-party keepers of medical-record information may not be able to provide such assistance. Thus, with respect to medical-record information, the Commission recommends:

Recommendation (6):

That upon request, an individual who is the subject of medical-record information maintained by an organization which is not a medical-care provider be allowed to have access to that information either directly or through a licensed medical-care professional designated by him.

It must be noted that this recommendation does not fall within the primary implementation strategy contained in Recommendations (1), (2), and (3) above. In the case of insurance institutions and insurance-support organizations, it would become part of the recommended general and specific rights of access to records to be established by Federal statute. In the private-sector employment situation, it would be implemented voluntarily by the employer. In the public assistance and social services area, it would become a right provided by State statute which, if the Commission's recommendations were followed exactly, would have to distinguish between the social-services provider who is a medical-care provider (properly subject to the requirements of Recommendation (5)) and the social-services provider who is not a medical-care provider but who uses medical-record information. As to the latter, the statute should guarantee direct access lest it retreat from the current practice of allowing an individual to see, before or during a hearing, information used to make an adverse eligibility determination about him. (See Chapter 11.)


A main premise of a privacy protection policy is that an individual should be able to review the records made by others of information he has divulged, or has permitted to be divulged, and to correct any errors or amend any inadequacies in them. This premise is no less important for medical records than for other types of records, although much of the information in a medical record is put there by medical professionals. The individual may provide information, but he rarely enters it directly into the record; the medical professional normally does that. Thus, even with the most conscientious record keeping, there are ample opportunities for errors of fact or interpretation to creep into a medical record.

Within the medical-care relationship itself, such errors can usually be corrected before they do any harm. Once information has been disclosed to someone outside the relationship, however, not only is correction or amendment more difficult but the consequences of errors become increasingly difficult to avoid or reverse. This becomes a particular danger when, as previously noted, offhand comments and speculations which are irrelevant to a patient's medical history, diagnosis, condition, treatment, or evaluation are set down in medical records that become available for use in making a non-medical decision about him. Furthermore, while it is true that some portion of the information in a medical record may be beyond the patient's comprehension, not all of it will be. Accordingly, in recognition of the fact that the circulation of erroneous, obsolete, incomplete, or irrelevant medical-record information outside the confines of the medical-care relationship can bring substantial harm or embarrassment to the individual concerned, the Commission recommends:

Recommendation (7):

That each medical-care provider have a procedure whereby an individual who is the subject of a medical record it maintains can request correction or amendment of the record. When the individual requests correction or amendment, the medical-care provider must, within a reasonable period of time, either:

(a) make the correction or amendment requested; or
(b) inform the individual of its refusal to do so, the reason for the refusal, and of the procedure, if any, for further review of the refusal.

In addition, if the medical-care provider refuses to correct or amend a record in accordance with the individual's request, the provider must permit the individual to file a concise statement of the reasons for the disagreement, and in any subsequent disclosure of the disputed information include a notation that the information is disputed and furnish the statement of disagreement. In any such disclosure, the provider may also include a statement of the reasons for not making the requested correction or amendment.

Finally, when a medical-care provider corrects or amends a record pursuant to an individual's request, or accepts a notation of dispute and statement of disagreement, it should be required to furnish the correction, amendment, or statement of disagreement to any person specifically designated by the individual to whom the medical-care provider has previously disclosed the inaccurate, incomplete, or disputed information.

The requirement to furnish a correction, amendment, or dispute statement to such previous recipients as the individual may designate evolves from a concern that medical-record information disclosed to third parties be as accurate, complete, and timely as possible. To expect a medical-care provider to convey a correction, amendment, or dispute statement to all previous recipients of information from a record would impose an unreasonable burden on the provider; yet the Commission is concerned that some steps be taken to minimize the extent to which medical-record information may become a source of unfairness to an individual. Therefore, it has recommended that only those specifically designated by the individual be furnished with the details of the correction, amendment, or statement of disagreement. The Commission believes this approach represents a reasonable balance. Moreover, because Recommendations (10) and (14) below call for two types of accountings of disclosures (notations and retained authorization statements), the Commission would expect those accountings also to be available to the individual to help him to decide to whom corrections, amendments, or statements of disagreement should be sent.


As with its recommendations on patient access, the Commission also debated the correction, amendment, and dispute issues as they relate to keepers of medical-record information. The problem is largely one of information erroneously or incompletely reported by a medical-care provider, or erroneously copied or interpreted for or by the recipient. For example, an investigative-reporting firm under contract to an insurer may be authorized to acquire information from the physicians and hospitals named on an individual's insurance application. If the investigative firm representative makes a mistake in copying information from a medical record, neither his firm nor the insurer has any way of knowing it unless and until the error precipitates an adverse insurance decision, and perhaps not even then. Even if the error is detected later, the information may have been disclosed in the meantime to other insurers (with the individual's authorization), or to the Medical Information Bureau where it will be retained, and thus constitute a potential problem for the individual for many years.

The Commission recognizes that the number of mistakes of this sort can be minimized by having a medical-care professional review and interpret records for agents of third parties, or by using photocopying techniques. Not all medical records today can be organized to allow easy photocopying, however, and at the same time assure that the inquiring third party receives only as much information as the individual has authorized it to receive. Nor is it always possible to have a professional available when records are reviewed by third parties. Thus, in some unknown number of cases, either a medical professional will have to prepare special reports for the ultimate recipient (in this example, the insurer) or a certain amount of hand copying by persons who are not medically trained will unavoidably continue. Even when a medical record can be photocopied without revealing more information than is meant to be disclosed, there is the danger that the third-party representative making the copy will overlook portions of the record which, if known, would alter the insurer's decision.

The simplest solution would, of course, be to allow the individual to correct or amend medical-record information where it rests, in the files of the recipient-user. Yet the simplest solution is not always the most practical one. The insurer (or employer, or whoever the third-party record holder happens to be) may elect not to give the individual direct access to medical-record information about himself. Recommendation (6), it will be remembered, gives the third-party record holder the option62 of disclosing medical-record information either to the individual to whom it pertains, or to a licensed medical professional whom the individual designates. Hence, there may be no way for the third-party holder to cope with a correction or amendment request without, in effect, giving up its option to deal with the individual through a designated professional.

Moreover, despite what has been said about the tendency of some medical-care providers to record irrelevant information, it must be remembered that the medical record is a document to which unusual attention is given because it is created by persons who have special expertise. If an insurer could have confidence in an individual's own description of his medical situation, there would be no need to acquire information in his medical records. The insurer, however, cannot assume that the individual is either qualified or motivated to give an accurate description. The fact that the insurer cannot rely on the individual in this matter is both the reason why the insurer seeks to acquire medical-record information and the reason why the individual's claim that the information obtained is erroneous or otherwise inadequate cannot be taken at face value.

It may also happen that the medical-care provider who originally provided the contested information can no longer be consulted; for example, a physician may have retired, died, or moved out of reach, or the provider may simply not be willing to acknowledge that an error was made. In such situations, the Commission believes that the third-party holder of the allegedly inaccurate information should afford the individual a way of entering his corrections into the record, as long as it also indicates that the changes were made without the concurrence of its original source. Accordingly, the Commission recommends:

Recommendation (8):

That when an individual who is the subject of medical-record information maintained by an organization whose relationship to the individual is not that of a medical-care provider requests correction or amendment of such information, the organization should disclose to the individual, or to a medical-care professional designated by him, the identity of the medical-care provider who was the source of the information; and further,

That if the medical-care provider who was the source of the information agrees that it is inaccurate or incomplete, the organization maintaining it should promptly make the correction or amendment requested.

In addition, a procedure should be established whereby an individual who is the subject of medical-record information maintained by an organization whose relationship to him is not that of a medical-care provider, and who believes that the information is incorrect or incomplete, would be provided an opportunity to present supplemental information, of a limited nature, for inclusion in the organization's record, provided that the source of the supplemental information is also included in the record.


In other chapters of this report, the Commission considers various potential sources of unfairness to the individual when information is being used for the purposes for which it was collected. The Commission does not believe it necessary to do so here because institutional providers of medical care have traditionally given priority to protecting the individual in their own uses of patient records.63 The several organizations in the field of medical records management are far more competent than the Commission to make judgments and recommend rules as to the proper content of a medical record, its proper uses, and the types of users to whom it should or should not be disclosed within the framework of the medical-care relationship. Thus, in this chapter, the Commission confines its examination of information management within the medical-care relationship to one obvious area of concern: the medical-care provider's role in assuring that the patient's legitimate expectations of confidentiality are not breached as a consequence of negligence on the part of medical professionals themselves. The dramatic instance, previously cited, of the Factual Service Bureau's unauthorized access to hospital medical records clearly highlights hospital internal records management as a problem area, although laxity in hospital records-management procedures was only part of the problem in that instance.

Hospital records are routinely available to hospital employees on request. Most of these people are medical professionals who need such access in order to do their jobs, but not all of them are. Besides the physicians, psychologists, nurses, social workers, therapists, and other licensed or certified medical professionals and paraprofessionals, there are nearly always medical students and other people in training programs conducted either by the medical-care institution itself or affiliated with the institution. These people, too, have access to medical records for training or job-related purposes, as do non-professional employees and voluntary workers. In fact, one of the Factual Service Bureau sources was an employee in the administrator's office of a Denver hospital.

The more people there are who have access to a medical record, the more people there are who can be approached by a firm like Factual Service Bureau. Since the patient cannot control access to or use of records about him within a medical-care institution, it follows that the responsibility for protecting the record from such abuse must be assumed by the institution. Thus, the Commission recommends:

Recommendation (9):

That each medical-care provider be required to take affirmative measures to assure that the medical records it maintains are made available only to authorized recipients and on a "need-to-know" basis.

Requiring the patient's authorization each time an employee of the institution needs access to his medical record would be impractical. The team approach to treatment demands that the professional staff have ready access to patient records. Employees whose functions are purely administrative or custodial, however, need access to only some of the information in a patient's record, for example, name, address, and whatever other information may be essential for preparing and submitting bills and claims or statistical and management reports. These employees do not need, and should not have, free access to detailed clinical information about patients.

The Commission urges accrediting bodies, licensing agencies, and professional associations to take the lead in establishing guidelines for affirmative measures to protect hospital medical records from unauthorized access. Affirmative measures might include routine call-back to verify the validity of telephone requests for records, requiring staff members and employees who request information or records from the medical-record department to identify themselves, prompt dismissal of any employee who violates the confidentiality of medical-record information, and a program to instruct new employees in the hospital's confidentiality policies.

Expectation of Confidentiality


The American Hospital Association (AHA), like the American Medical Association (AMA), claims for its membership the right to decide when disclosure of a patient's medical record is necessary to protect the individual or the community. According to Hospital Medical Records, an AHA publication:

The medical record . . . is the property of the hospital, therefore, the hospital, subject to applicable legal provisions, may restrict the removal of the record from the medical-record files or hospital premises, determine who may have access to it, and define the kind of information that may be taken from it.64

Although courts have found the disclosure of medical-record information by a physician to be actionable in a number of different cases, they have also consistently held that such disclosures are justifiable if they are made either in the best interest of the patient or to foster a supervening societal interest. An individual can clearly bring suit against a physician and probably against any other medical-care professional for disclosing information in a medical record about him without his authorization, but he is likely to lose. Indeed, in one case involving the unauthorized disclosure of derogatory psychiatric information, a court went so far as to affirm that ". . . the responsibility of the doctor to keep confidences may be outweighed by a higher duty to give out information even though defamatory . . . ."65

Spokesmen for the medical-care professions argue that their discretion in making disclosures of the information in medical records is not a significant source of abuse. While the Commission is inclined to agree, the individual cannot rely on his expectation of confidentiality in any recordkeeping relationship unless the restraints on disclosures are known, as the Commission argues in Chapter 9. As long as record keepers have complete discretion in making disclosures, the individual can have no basis for an expectation of confidentiality. Even if all record keepers were equally aware of their confidentiality obligation and equally conscientious in discharging it, the individual could not tell just what to expect since their perceptions of what the obligation entails would not necessarily be the same. Record keepers need not be denied all discretion in the matter; if enforceable limits are set on their discretion, the individual can build an expectation of confidentiality that corresponds with those limits.

Enforceable limits on voluntary disclosures of confidential information have advantages for the record keeper as well as for the individual. In fact, without them, both are often hard put to refuse demands for disclosure, and virtually helpless when the demand is part of a compulsory process. The Commission believes that the medical-care relationship in America today is becoming dangerously fragile as the basis for an expectation of confidentiality with respect to records generated in that relationship is undermined more and more. A legitimate, enforceable expectation of confidentiality that will hold up under the revolutionary changes now taking place in medical care and medical record-keeping needs to be created and the Commission therefore recommends:

Recommendation (10):

That each medical-care provider be considered to owe a duty of confidentiality to any individual who is the subject of a medical record it maintains, and that, therefore, no medical care provider should disclose, or be required to disclose, in individually identifiable form, any information about any such individual without the individual's explicit authorization, unless the disclosures would be:
(a) to another medical-care provider who is being consulted in connection with the treatment of the individual by the medical-care provider;
(b) to a properly identified recipient pursuant to a showing of compelling circumstances affecting the health and safety of an individual provided that:
(i) an accounting of any such disclosure is kept; and
(ii) the individual who is the subject of the information disclosed can find out that the disclosure has been made and to whom it has been made;
(c) for use in conducting a biomedical or epidemiological research project, provided that the medical-care provider maintaining the medical record:
(i) determines that such use or disclosure does not violate any limitations under which the record or information was collected;
(ii) ascertains that use or disclosure in individually identifiable form is necessary to accomplish the research or statistical purpose for which use or disclosure is to be made;
(iii) determines that the importance of the research or statistical purpose for which any use or disclosure is to be made is such as to warrant the risk to the individual from additional exposure of the record or information contained therein;
(iv) requires that adequate safeguards to protect the record or information from unauthorized disclosure be established and maintained by the user or recipient, including a program for removal or destruction of identifiers; and
(v) consents in writing before any further use or redisclosure of the record or information in individually identifiable form is permitted;
(d) for an audit or evaluation purpose specifically required by law, provided that an accounting of such disclosures is kept and the individual who is the subject of the information being disclosed can find out that the disclosure has been made and to whom;
(e) for an audit or evaluation purpose not specifically required by law, provided that:
(i) any further use or redisclosure of the information in individually identifiable form is prohibited;
(ii) adequate safeguards to protect the medical-record information from unauthorized disclosure are established by the user or recipient including a program for removal or destruction of identifiers;
(iii) an accounting of such disclosures is kept and the individual who is the subject of the information being disclosed can find out that the disclosure has been made and to whom;
(f) pursuant to a statute that requires the medical-care provider to report specific diagnoses to a public-health authority, and the individual is notified of each such disclosure;
(g) pursuant to a statute that requires the medical-care provider to report specified items of information about the individual to a law enforcement authority, and the individual is notified of each such disclosure;
(h) limited to location and status information (such as room number, dates of hospitalization, and general condition) provided that:
(i) the patient or his authorized representative does not object to the disclosure; and
(ii) such disclosure is limited to items specified in the general notice to the individual called for in Recommendation (12); or
(i) pursuant to a lawful judicial summons or subpoena consistent with the recommendations of the Commission on government access.

The recommended duty of confidentiality would be established in the first instance through regulations promulgated by the Department of Health, Education and Welfare. To make the duty fully effective, however, it should be adopted by statutory enactment in each of the 50 States. If this is not done the individual patient will be dependent on the medical-care provider to protect him against compulsory process and other demands for his medical records or he will have to rely on the Department of Health, Education and Welfare to act on his behalf when a provider violates its duty of confidentiality to him.

The Commission recognizes that a duty established by State statute will not in most cases be effective against any conflicting requirements of Federal agencies to disclose medical-record information in individually identifiable form as a condition of participation in a Federal program. Thus, the final test of society's desire to create a viable basis for legitimate expectations of confidentiality in records about individuals generated in the context of the medical-care relationship, as in other contexts examined in this report, will be its willingness to adopt the Commission's recommendations on government access set forth in Chapter 9.

Exceptions to the Duty of Confidentiality

As noted earlier, it is no longer possible to restore the comparative insulation medical records enjoyed even a decade ago. Exceptions allowing disclosure without the individual patient's authorization are necessary here, as elsewhere, in order to strike a balance between the individual's right to personal privacy and society's countervailing needs for information about his medical condition. The rationale for each of the exceptions in Recommendation (10) is explained below.

Disclosures to Other Medical-Care Providers

The first exception the Commission weighed concerns the disclosure of medical-record information between medical-care providers. Currently, it is by no means routine for a provider referring a patient to another provider to ask the patient's written authorization to disclose the pertinent medical-record information about him to the second provider. Inasmuch as the second provider is no doubt directly involved in the diagnosis and treatment of the patient, the patient's authorization properly may be assumed. The Commission agrees that this is a proper assumption. It does not, however, find the assumption proper when information in the medical record of a patient is disclosed to a medical-care provider who has not had, or is not being consulted in connection with, a therapeutic relationship with the patient. In such a case, respect for the patient's legitimate expectation of confidentiality demands that disclosure be made only with the patient's written authorization or pursuant to one of the other exceptions in Recommendation (10).

Disclosures to Protect Health or Safety

Exception (b) of Recommendation (10) recognizes that a medical-care provider clearly cannot be bound by a requirement to obtain the patient's authorization before disclosing medical-record information about him if such disclosure is necessary to avert or alleviate a serious threat to an individual's health or safety. Nonetheless, this exception is only justified by a compelling threat to someone's health or safety; a provider's desire to protect individuals' social or economic welfare or peace of mind is not enough. For example, a physician would not ordinarily be permitted to justify telling a patient's employer that the patient has cancer, although he might justify notifying an airline employer that a patient, who is one of its pilots, is suicidal.

Disclosures to Facilitate Research

Most medical-care providers routinely give medical professionals engaged in clinical or epidemiological research access to their patient records along with permission to abstract individually identifiable information and exchange that information with other researchers. Patient authorization for such access by researchers is not usually sought. Although a researcher's obligation to obtain an individual's informed consent to participate in any study that may expose him to physical or psychological harm is widely recognized, the researcher's obligation to obtain the patient's permission to use information in records about him has always seemed less compelling. For one thing, the practical difficulties are considerable. Patients are difficult to locate, and if asked for an authorization might refuse, thereby skewing the results of the study in unknown ways. Insistence on patient authorization would make many important studies impossible. The recent search for the cause of the "Legionnaires' Disease," for example, would have been doomed at the start if the researchers had had to obtain authorizations before reviewing medical records. As it was, some victims were not traced until months after the event. The diethylstilbestrol (DES) follow-up studies described in testimony before the Commission66 are another example of epidemiological research that could hardly have been undertaken had the researchers been required to obtain patients' authorization prior to reviewing their medical records.

The research uses of medical records are not, however, without risk. As one witness told the Commission:

. . . a researcher was doing a follow-up study of people who had been enrolled in a methadone maintenance program . . . . The contractor had the name and address of one particular individual who had been enrolled in the program several years previously, and the contractor went to the individual's residence. It was a Saturday night and the person was having a party and the contractor said, "Hi, I am so-and-so from such-and-such an organization, and we are doing a follow-up study of patients who had been enrolled in the methadone maintenance program."67

Another such incident which came to the Commission's attention involved the recontact of patients who had received treatment at an abortion clinic. In both instances the recontacts were unwelcome, resented, and extremely embarrassing to the persons contacted.

Contacting individuals for follow-up information after reviewing their medical records poses a unique problem, illustrating the need for some minimum conditions on disclosure and use of individually identifiable records for research and statistical purposes. Exception (c) of Recommendation (10) makes the researcher who wants access to this kind of information accountable to the medical-care provider keeping the records and, through the provider, to the individuals concerned. Under this recommendation the researcher who wants access to medical-record information in individually identifiable form must show that he needs it for a worthwhile purpose; that access is vital to the fulfillment of that purpose; and that he can and will protect whatever expectation of confidentiality the patients had when the information was originally recorded. Recommendation (10)(c) comports with the Commission's recommendations in Chapter 15 pertaining to the disclosure and use of records about individuals for statistical or research activities funded in whole or in part by the Federal government.

Disclosures to Auditors and Evaluators

Exceptions (d) and (e) recognize that surveyors and reviewers regularly ask for and get access to medical records for such purposes as certifying the accuracy and adequacy of an institution's financial or administrative records; assessing the effectiveness of their medical, administrative, or financial management; and assuring their faithfulness to medical, legal, financial, and administrative standards. These examinations of records are part of the audits, certifications, accreditations, and licensure reviews and evaluations conducted by organizations like the Joint Commission on the Accreditation of Hospitals, Professional Standards Review Organizations, State and local public health departments, and other government agencies. While such activities clearly serve the interests of the public that receives and subsidizes medical care, the Commission sees no need for the reports of auditors and evaluators to identify any individual patient directly or indirectly, nor does the Commission see any reason why the individual should be deprived of the knowledge that auditors and evaluators have had access to his records, and thus of any recourse in the event he is harmed by the disclosures they may make of information about him. Exception (d) recognizes that when audits and evaluations are specifically required by law, the medical-care provider is in no position to impose conditions on how information obtained from the medical records it maintains will be treated. In such cases, moreover, any subsequent uses and disclosures would be subject to the Commission's government access recommendations in Chapter 9. Exception (e) deals with the situation where the medical-care provider can set conditions for disclosure and recommends what those conditions should be.

Disclosures Pursuant to Compulsory Reporting Statutes

The original purpose of the State statutes that require the reporting of specific diagnoses to public health authorities was to help control the spread of communicable diseases. Today, however, many States require that in addition to communicable diseases, cases of cancer and other environmentally and occupationally related diseases also be reported. Mandatory reporting of births and deaths is universal and, in addition, some States require that gunshot and stab wounds, cases of child abuse, and other violence-related injuries be reported to law enforcement authorities.

While a significant number of States that require the reporting of venereal disease restrict, to some degree, the permissible uses and disclosures of such reports, over half the States provide no statutory protection for them.68 One State which has such a reporting statute leaves it up to local health departments to decide whether such reports shall be open to public inspection, and another gives citizens the right to examine public records, including required reports of communicable diseases.69 Amendment of State statutes governing the use and disclosure of medical-record information obtained pursuant to public-reporting statutes is clearly the best way to prevent the irreparable harm to an individual that can result from misuse of such a report. Strengthening confidentiality protection would still not preclude the possibility that subsequent contact by agents of authorities to whom the information is properly reported will startle or embarrass an individual unnecessarily, particularly if the individual is not aware that a report was made. Thus, exceptions (f) and (g) require medical-care providers to notify an individual whenever information about him is disclosed pursuant to a public-reporting statute.

Disclosures to the Public

Many medical-care institutions that would under no circumstances divulge the details of a patient's diagnosis or treatment are quite comfortable about allowing the fact of admission, or the occurrence of a birth or death, to be publicized. It is normal hospital practice to tell anyone who inquires whether a patient has been admitted to a hospital and to indicate how serious the patient's current condition is.

In its Guide for Cooperation with Communications Media, the American Hospital Association takes the position that:

The hospital has the . . . obligation of pointing out to the patient that his hospitalization is likely to become known and . . . public acknowledgement will usually be in his best interests . . . [to assure] that accurate information [about] his condition will come from an authorized source.70

The Commission, however, believes that an individual patient's desire not to have his admission and general condition known should be respected. Exception (h) provides for limited disclosure of location and status information while at the same time giving the individual who objects a way of making his wishes known and binding. Limiting what may be disclosed to items specified in the notice called for in Recommendation (11) not only gives an individual a means of deciding whether he wishes to object to any disclosure at all; it also reassures the individual who, while inclined not to object, is concerned about what may be disclosed if he takes no preventive action.

Disclosures Pursuant to Compulsory Process

A hospital or physician must surrender medical records or medical-record information when required by proper judicial process unless the disclosure is prohibited by statute. A psychiatrist testifying before the Commission urged the Commission to recommend a measure to protect patient records from indiscriminate court orders and subpoenas. He argued that information released pursuant to a court order or subpoena becomes a matter of public record; that grounds for issuing a subpoena are not always legitimate; and that not only patients but physicians and hospital officials are often so intimidated by the threatening documents that they do not know they have legal rights against them. He recommended that, at the very least, a subpoena should include notification to the individual that he has a right to contest it, and how to do so.71

The Commission agrees strongly that an individual whose medical records have been subpoenaed should have an opportunity to be heard in court. It also recognizes that to provide that opportunity, existing Federal and State laws will have to be amended. Exception (i) represents the first step toward that end. Other steps are proposed in the Commission recommendations on government access in Chapter 9.


Medical professionals look upon the medical record as a tool of communication among themselves. It seldom crosses their minds that a patient's record may fall into the hands of someone who is neither trained to interpret it nor bound by the professional's ethics. Moreover, when a medical professional discloses information in a patient's record outside the medical community, neither he nor the patient who may grant permission for its disclosure can fully anticipate the ways in which the information may figure in non-medical decisions made about the patient.

The Commission, as noted earlier, is neither mandated nor qualified to question a medical-care provider's prerogative of putting into a medical record any item of information whose inclusion is professionally defensible. If medical-care providers are to maintain that prerogative, however, and if others who do not have a medical-care relationship with the individual are to continue to benefit from the extraordinary degree of divulgence and observation the medical-care relationship can entail, it is essential that each disclosure of information from a patient's record, with or without patient authorization, be strictly limited to the particular information needed for the user's particular stated purposes. Medical-care providers breach the confidential nature of the medical-care relationship whenever they send a copy of a patient's entire medical record to an insurer or employer instead of completing the claims form provided, or abstracting the specific information requested. Photocopying technology, in general, and portable copying machines, in particular, make this practice widespread.

When the patient has authorized disclosures, the authorization statement proposed in Recommendation (13) below will encourage the medical-care provider to place limits on the amount of information disclosed. It has also been suggested that a way to control the flow of information into and out of hospitals and physicians' offices is to develop a basic uniform medical record that would make it possible to comply with utilization and quality-care review requirements without disclosing an unnecessary amount of detail. Such a standardized record, however, is a long way off. Therefore, given the individual's inability to be certain that the information disclosed is no more and no less than indicated on the authorization statement he signs, and given the fact that a certain number of disclosures will necessarily take place without his authorization, the Commission believes that implicit in the medical-care provider's duty of confidentiality is an affirmative responsibility to limit the disclosure of information in a medical record to only that information which is specified on the authorization form or required by law. Accordingly, the Commission further recommends:

Recommendation (11):

That any disclosure of medical-record information by a medical-care provider, with or without the authorization of the individual to whom it pertains, be limited only to information necessary to accomplish the purpose for which the disclosure is made.


To relieve apprehension about the disclosures that may be made of information in a medical record without the patient's authorization, as well as to inform a patient of the procedures by which he can ascertain whether particular disclosures have been made, the Commission recommends:

Recommendation (12):

That each medical-care provider be required to notify an individual on whom it maintains a medical record of the disclosures that may be made of information in the record without the individual's express authorization.

This recommendation is comparable to the notice recommendations made in other areas the Commission has examined. Ideally, the patient should be notified during his first contact with the medical-care provider and renotified whenever a new category of disclosures without authorization is created. The Harvard Community Health Plan, a health maintenance organization, is one medical-care provider that already provides its members with such a rudimentary form of notice in its service agreement. In the confidentiality provision of the agreement, the member is informed that his medical records will be kept confidential

. . . except for use incident to bona fide medical research, . . . education, . . . use reasonably necessary in connection with the administration of the agreement [and that] such information will not be disclosed without the consent of the member, unless . . . required by law.72

Although this notice is not as specific as the one the Commission recommends, it demonstrates that such a notice requirement could be met.


As indicated in many chapters of this report, each time an individual applies for a job, for life or health insurance, for credit, or for financial assistance or services from the government, he agrees to relinquish some measure of personal privacy in return for the benefit he seeks. This cannot be helped, but all too often he is asked to sign away far more of his privacy than the situation warrants. Some authorization statements are so broadly worded as to require the recipient to "furnish any and all information on request."

The American Psychiatric Association takes the position that any blanket consent for the release of information from a medical record is unacceptable, since all consent for the disclosure of medical-record information should be "informed consent."73 Such a standard appears to the Commission to be impractical. To speak of informed consent is to presuppose that the individual being asked to give it not only knows precisely what is being disclosed, but has the option both of refusing to divulge information about himself and preventing others from doing so. It also assumes that he can predict accurately who shall subsequently have access to the information and precisely how it will be used. In other words, to have given one's informed consent to a particular disclosure of information about oneself is to have fully understood the costs and benefits that will or even might result from such disclosure. Yet the individual who authorizes someone to acquire medical-record information about him rarely has the option of refusing to do so. Technically, most authorization statements are voluntarily signed, but the option of refusing varies inversely with the individual's need for the treatment, job, insurance, or social service he is seeking.

Recognizing these natural limits of informed consent, the Commission recommends an authorization procedure along the lines prescribed in the DHEW regulations on the "Confidentiality of Alcohol and Drug Abuse Patient Records" [42 C.F.R. Part 2] as a working model for all authorization statements presented to and accepted by a medical-care provider. The Commission recommends:74

Recommendation (13):

That whenever an individual's authorization is required before a medical-care provider may disclose information it collects or maintains about him, the medical-care provider should not accept as valid any authorization which is not:

(a) in writing;
(b) signed by the individual on a date specified or by someone authorized in fact to act in his behalf;
(c) clear as to the fact that the medical-care provider is among those either specifically named or generally designated by the individual as being authorized to disclose information about him;
(d) specific as to the nature of the information the individual is authorizing to be disclosed;
(e) specific as to the institutions or other persons to whom the individual is authorizing information to be disclosed;
(f) specific as to the purpose(s) for which the information may be used by any of the parties named in (e) both at the time of the disclosure and at any time in the future;
(g) specific as to its expiration date, which should be for a reasonable period of time not to exceed one year, except where an authorization is presented in connection with a life or noncancellable or guaranteed renewable health insurance policy, in which case the expiration date should not exceed two years from the date the authorization was signed.

This type of authorization statement provides assurance that an individual will understand what he is allowing to be disclosed, and why, but does not require that the voluntariness of his action be verifiable, nor does it assume that he can recognize every possible consequence of signing it. The medical-care provider should be responsible for having reasonable procedures to assure that authorizations presented to it satisfy the conditions of the recommendation. The medical-care provider should be able to use the exercise of such procedures as a defense where it later is claimed that the authorization is invalid. Subsection (b) of Recommendation (13) raises a small problem when the disclosure of medical-record information is authorized by a minor patient. The Commission feels strongly that where State law permits minors to obtain treatment for specific conditions without the consent of a parent or guardian the presumed confidentiality of the resulting medical-care relationship must be protected. Therefore, it would urge that in these instances, the minor patient alone be permitted to authorize disclosure of such information.

The exceptions to the one-year rule in subsection (g) take account of the two-year "contestable period" (see Chapter 5) in life insurance and the mentioned types of health insurance. It should be noted, however, that the corresponding recommendation in Chapter 5, Insurance Recommendation (18), calls for the signature date on the authorization statement to be the same as the date of the policy, thereby limiting the period of validity to two years.

To enable the individual to verify the fact that an authorized disclosure has been made, the Commission further recommends:

Recommendation (14):

That each time a medical-care provider discloses information about an individual pursuant to a valid authorization, it be required to retain a copy of the authorization and, for the purpose of Recommendation (8) on patient access, treat it as part of the record(s) from which the disclosure was made.

National Health Insurance

Public and political pressure for a Federal health insurance program continues even as this report is issued. The Commission is acutely aware that the process of setting a national health insurance program into motion will open up unparalleled opportunities to reevaluate medical record-keeping policies and practices and hopes its recommendations will assist the public, medical-record keepers, and the Congress to that end.

In exploring the possible effects of such a program on existing use and disclosure of medical records, the Commission's staff reviewed 18 national health insurance proposals presented to the 94th Congress. These varied from the Kennedy-Corman bill (H.R. 21), which proposed a mandatory, government-administered program covering the entire population; to the AMA-supported Fulton bill (H.R. 6222), which proposed a Medicare-like system of private-sector intermediaries to administer premiums and reimbursements; to a voluntary, catastrophic health-insurance plan available only to individuals whose medical expenses exceed a specified amount (H.R. 1373, the so-called "Roe bill").

Of the 18 bills, only five contained specific provisions to protect the confidentiality of the records that would be created by the program, and even these were vague. Most of the five merely specified that all information collected and maintained for program purposes must be considered confidential. While it is too soon to say which, if any, of these various forms of national health insurance will be enacted into law, or how soon, the Commission sees a clear need to devise specific safeguards to prevent unfairness and protect the confidentiality of the medical-care relationship, whatever form such a program may take.

If current private and publicly funded health-insurance programs are any indication, a universal health-insurance program will likely involve the creation and retention of records beyond the control of the provider with whom the individual has a medical-care relationship. Thus, the Commission urges that the recommendations in this chapter be adopted and that any legislation providing for national health insurance include safeguards covering the acquisition and dissemination of medical records and medical record information.