The Department examined statements issued by five major professional groups, one national electronic network association and a leading managed care association. 38
There are a number of common themes that all the organizations appear to subscribe to:
- The need to maintain and protect an individual's health information;
- The development of policies to ensure the confidentiality of individually identifiable health information;
- A restriction that only the minimum necessary information should be released to accomplish the purpose for which the information is sought.
Beyond these principles, the major associations differ with respect to the methods used to protect individually identifiable health information. There is no common professional standard across the health care field with respect to the protection of individually identifiable health information. One critical area of difference is the extent to which professional organizations should release individually identifiable health information. A major mental health association advocates the release of identifiable patient information ". . .only when de-identified data are inadequate for the purpose at hand." A major association of physicians counsels members who use electronically maintained and transmitted data to require that they and their patients know in advance who has access to protected patient data, and the purposes for which the data will be used. In another document, the association advises physicians not to "sell" patient information to data collection companies without fully informing their patients of this practice and receiving authorization in advance to release of the information.
Only two of the five professional groups state that patients have the right to review their medical records. One group declares this as a fundamental patient right, while the second association qualifies its position by stating that the physician has the final word on whether a patient has access to his or her health information. This association also recommends that its members respond to requests for access to patient information within ten days, and recommends that entities allow for an appeal process when patients are denied access. The association further recommends that when a patient contests the accuracy of the information in his or her record and the entity refuses to accept the patient's change, the patient's statement should be included as a permanent part of the patient's record.
In addition, three of the five professional groups endorse the maintenance of audit trails that can track the history of disclosures of individually identifiable health information.
The one set of standards that we reviewed from a health network association advocated the protection of individually identifiable health information from disclosure without patient authorization and emphasized that encrypting information should be a principal means of protecting individually identifiable health information. The statements of a leading managed care association, while endorsing the general principles of privacy protection, were vague on the release of information for purposes other than treatment. The association suggested allowing the use of protected health information without the patient's authorization for what they term "health promotion." It is possible that the use of protected health information for "health promotion" may be construed under the rule as part of marketing activities.
Based on the review of the leading association standards, we believe that the final rule embodies most or all of the major principles expressed in the standards. However, there are some major areas of difference between the rule and the professional standards reviewed. The final rule generally provides stronger, more consistent, and more comprehensive guarantees of privacy for individually identifiable health information than the professional standards. The differences between the rule and the professional codes include the individual's right of access to health information in the covered entity's possession, relationships between contractors and covered entities, and the requirement that covered entities make their privacy policies and practices available to patients through a notice and the ability to respond to questions related to the notice. Because the regulation requires that (with a few exceptions) patients have access to their protected health information that a covered entity possesses, large numbers of health care providers may have to modify their current practices in order to allow patient access, and to establish a review process if they deny a patient access. Also, none of the privacy protection standards reviewed require that health care providers or health plans prepare a formal statement of privacy practices for patients (although the major physician association urges members to inform patients about who would have access to their protected health information and how their health information would be used). Only one HMO association explicitly made reference to information released for legitimate research purposes. The regulation allows for the release of protected health information for research purposes without an individual's authorization, but only if the research where such authorization is waived by an institutional research board or an equivalent privacy board. This research requirement may cause some groups to revise their disclosure authorization standards.