In August 1996 the Health Insurance Portability and Accountability Act was signed into law.(108) The Act set new requirements for private health insurance, established new ways of providing health insurance, and created a framework for standardizing the transmission of information for financial and administrative transactions relating to health care.
The law's "Administrative Simplification subtitle (F)" establishes several requirements relevant for privacy and research. Standards for electronic financial and administrative transactions must be adopted by the Secretary of Health and Human Services (HHS), including providing for "a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system" (§1173(b)). Such an identifier number may prove very useful for keeping track of research subjects, linking data, and so on, but its confidentiality will have to be safeguarded carefully.
The law also requires that the Secretary develop security standards and safeguards (§1173(d)). Within twelve months of the law's enactment (i.e., by August 1997) she must submit "detailed recommendations" to the Congress "on standards with respect to the privacy of individually identifiable health information" (§264). Among other matters these recommendations must cover data-subjects' rights, procedures for assuring those rights, and rules on use and disclosure of the data.(109)
On all of these matters the Secretary is required to consult the National Committee on Vital and Health Statistics. In early 1997 the Committee held a series of public hearings and will duly advise the Secretary.(110)
Even though the privacy-protection standards to be established under this law apply mainly to administrative and financial transactions in health care, the data covered (such as the "Medicaid" data which are so important for understanding the health problems of low-income people) are the subject of much research. Moreover, the standards surely will set some example for future standards covering other aspects of health data.
(108) Public Law 104-191, known as the "Kennedy–Kassebaum Act" after its Senate sponsors.
(109) If "legislation governing standards with respect to the privacy of individually identifiable health information [relating to electronically transmitted claims]" is not enacted within 36 months after this Act was enacted, the Secretary [of HHS] must promulgate final regulations containing such standards no later than 42 months after the Act was enacted (§264).
(110) Transcripts of the hearings are available on the Internet at <http://ncvhs.hhs.gov>.