II. THE RECOMMENDATIONS

A. COVERAGE

1. PROVIDERS AND PAYERS, AND THOSE WHO RECEIVE INFORMATION FROM THEM

We recommend that Federal health privacy legislation apply primarily to health care providers and payers.

We recommend that persons receiving information under the provisions of such legislation without patient authorization for health oversight, public health, research, or State data system purposes be subject to the requirements of the legislation.

We recommend that health care providers be defined as persons who receive, create, use, or maintain, health information while providing health care in the ordinary course of business or practice of a profession, pursuant to license, certification, registration, or other legal authorization.

We recommend that payers be defined to include persons who pay for health care through contracts of insurance or in connection with employment, and government programs that pay for care under a benefit plan.

The legislation we recommend should apply in the first instance to providers of health care and payers for health care. They are at the heart of health care, and typically receive information directly from patients and generate health information. They are often one and the same.

In turn, others who receive health information under the provisions of the legislation without patient authorization should be bound by its requirements. They are referred to as "those receiving health information under the provisions of the law without patient authorization."

Providers are persons -- individual and institutional -- who receive, create, use, or maintain, health information while providing health care (including preventive health services) in the ordinary course of business or practice of a profession, pursuant to license, certification, registration, or other legal authorization.

Health care payers pay for health care pursuant to advance agreements or statutory obligations -- the range of entities commonly described as "plans." They may include licensed insurance companies, hospital or medical service corporations, health maintenance organizations, or other entities licensed or certified by a State to provide health insurance or health benefits. They include employee welfare benefit plans and other arrangements that provide health benefits, whether or not funded through the purchase of insurance policies or contracts. They include public programs that pay for health care under a health benefit plan, such as Medicare, Medicaid, the health programs of the Veterans Health Service, and the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS). The term should not be defined to include individuals and families who pay for their own care.

The definition does not encompass liability insurers who receive health information, as needed, pursuant to claimants' authorization. Nor does it include life insurers, who receive information, with the patient's authorization, not as part of health care or payment, but to make underwriting decisions.

We are making no recommendations with respect to including workers' compensation under Federal health privacy legislation at this time. Although workers' compensation carriers receive health care information in much the same manner as health plans, the need under workers' compensation systems to coordinate the health benefits provided with both the indemnity benefits (e.g., lost wages and disability payments) provided under the system and the determination of a worker's ability to return to work raises potential questions about the appropriateness of certain disclosures of medical information. We are continuing to review the need for federal privacy standards in this area and will inform Congress of any recommendations that we have in this area when we complete our review.

We do not recommend that employers as such be controlled by the legislation. But they should be considered health care providers or payers when they actually perform those activities, and obliged to conduct themselves accordingly. (Controls on employers' use of health information so obtained for other purposes are discussed below in LIMITATIONS ON USE.)

2. COVERED ACTIVITIES

We recommend that health care be defined to include

-- any preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the structure or function of the body;

-- any sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription; and

-- procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.

3. COVERED INFORMATION

We recommend that health information include any information, oral or recorded, in any form or medium, including demographic information

-- that relates to the past, present, or future physical or mental health or condition of a patient, the provision of health care to a patient, or the past, present, or future payment for the provision of health care to a patient;

-- that is received, created, used, or maintained by a health care provider in the ordinary course of business or practice of a profession, or by a health care payer, or received by entities receiving information under the provisions of the legislation without patient authorization; and

-- that identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the patient.

We recommend that the legislation cover any information about the patient held by providers and payers for their health care and payment activities. Thus, information that in other settings would not be health information -- name, identification number, employment status, address, financial data, family size, education, employment history -- should be covered by the protections of the legislation we recommend if held by a health care provider or payer for health care or payment purposes.

The description of identifiability we recommend follows the text of the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (Social Security Act § 1171(6)). We recommend that a legislative definition be no more specific at this time. A precise advance definition is difficult, and there is inadequate basis at this time for recommending one. The only effective formulation now is a test of reasonableness: Information is identifiable if there is a reasonable basis to believe that the information can be used to identify an individual.

No single rule can define what constitutes readily identifiable data. Information is clearly identifiable if it includes a name, social security number or other generally known or readily available identification number, or photograph. Health information will normally be identifiable within providers and payers, and the identifiability question will typically have to be answered when information is to be disclosed outside a provider or payer. Reasonableness may depend on a judgment based on what other information is known to be available to a recipient, and the amount of effort and time that would be needed to achieve a positive identification.

Other legal formulations are not more precise than the HIPAA formulation. The European Union data protection directive, a recent well-debated formulation of privacy rules, uses this test:

an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; (Art. 2(a))

The Council of Europe's "Recommendations of the Committee of Ministers to Member States on the Protection of Medical Data" (No. R(97)5 (1997)) states a reasonableness test, but adds an "effort" standard:

....the expression "personal data" covers any information relating to an identified or identifiable individual. An individual shall not be regarded as "identifiable" if identification requires an unreasonable amount of time and manpower. (Appendix, Art 1.)

The standard we recommend should not be read to mean that information is identifiable if there is a remote chance that somebody might possibly be able to identify a patient from a general description. The Panel on Confidentiality and Data Access of the Committee on National Statistics addressed this issue, and noted that zero-risk requirements for disclosure of statistical records were unrealistic. It recommended a standard that calls for a "reasonably low risk of disclosure of individually identifiable data." (George T. Duncan et al., eds., Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics 137 (1993)). The panel recommended that the Office of Management and Budget should continue to coordinate research work on statistical disclosure analysis (at 155-157). This will be especially important as changes in the character and availability of technology alter the quantum of information constituting an identifier. Our recommendations include authority for issuance of guidelines for what levels and amounts of information constitute "identifiable" information, and guidelines for minimum allowable disclosures in particular situations (IMPLEMENTATION, below).

Records disclosed in a form not intended to be individually identifiable should not be used intentionally to identify a person. A person who obtains such information with the intention of identifying individuals should be regarded as having obtained health information under false pretenses (CRIMINAL PENALTIES, below).

Our recommendations do not distinguish among different types of health information based on presumed sensitivity, although we recommend leaving in place State and Federal laws that make that distinction. Our intent at this time is to recommend a meaningful minimum floor of privacy protections in Federal law for all types of health information. At the same time, we recognize that there are arguments for providing additional protection to certain types of health information that people view as particularly sensitive. We can learn from, and build on, States' experience with privacy laws that protect such information, and work with interest groups, privacy advocates, and others to assess how such information is best protected. Such information could be the subject of future Federal action; we look forward to working with the Congress in determining when such protections are appropriate.

We recommend that research in which care is not delivered not be considered "health care," and thus not covered. There are some existing protections for information gathered solely for research, which should continue to apply (RESEARCH, below).

4. SERVICE ORGANIZATIONS

We recommend that providers and payers, and those receiving information under the provisions of the legislation without patient authorization, be permitted to engage other organizations, "service organizations," pursuant to contractual arrangements, to carry out functions for them that require use of health information.

We recommend that providers and payers be required to advise their service organizations that their work is subject to the law, whereupon these organizations should become subject to the law.

We recommend that service organizations be obliged to observe the use and disclosure restrictions, and to have a statement of information practices and to make it available upon request, but not be obliged to provide subject access and correction rights.

Much health information obtained and used by the providers and payers is processed by service organizations engaged by contract. The patient does not have a direct relationship with these organizations and typically does not know of their role in the flow of information.

Physicians and other providers engage companies to code, and to process bills and forward them to the appropriate payer. These companies may in turn deal with others engaged by payers. Between them, yet other companies may process health information by passing it from a provider's clearinghouse to a similar organization engaged by a payer. In some instances, these organizations make substantive or adjudicatory choices affecting the patient on behalf of their principals. In others, they do not, and may not retain the information in ways that permit easy retrieval.

Often there are not clear distinctions among the functions these many processors are performing. As an agent of a payer, a pharmacy benefit management company adjudicates and pays claims, and may manage a formulary. It also provides health care, in conjunction with the pharmacist, in looking for drug interactions -- advising the pharmacist, physician, or patient that a prescribed drug taken in combination with one prescribed earlier may have adverse effects. A payer may engage a pharmacy benefit manager to operate a disease management program to assist patients in managing their illnesses, often chronic conditions such as asthma and diabetes, by education through direct mail and telephone communication to the patient, online communication with physicians and pharmacists, and video materials.

We recommend that everyone in this chain of information handling be covered by the same rules.

Patients must be assured that their privacy protections are not lessened when the providers or payers with which they have established relationships give information to outside service organizations for processing. Thus, service organizations, once advised of the nature of the information they are handling, should be independently bound by the confidentiality restrictions applicable to the principal which engaged them.

They should not use or disclose patient information unless their principals explicitly permit, and the principals should be bound by the legislation in granting such permission. Thus, a service organization should not make independent use of this information unless the provider or payer permits such use, and then only if the legislation permits such use, i.e., with the authorization of the patient, or for a purpose for which the payer or provider could use it or disclose it.

The complexity and multitude of these arrangements, and the typical lack of contact with the patient, make it impractical to impose on service organizations the obligation to provide access and correction rights (discussed below in PATIENT INSPECTION AND COPYING OF RECORDS and PATIENT CORRECTION OF RECORDS). However, patients should be able to exercise these rights by contacting their providers or payers, and providers and payers may by contract require their processors to provide the necessary access and correction. Service organizations should not be required by law to offer patients a statement of the information practices, but they should be required to have such a statement and to make it available upon request.

Processing of information by these organizations is a natural and understandable source of concern. There have been proposals that patients be permitted to forbid the computerization of their records, or otherwise to control directly the flow of information through the payment system. The National Committee on Vital and Health Statistics considered this possibility and had this observation:

The Committee is not sympathetic to the notion that patients should have a choice in the technology used to create, store and transmit health information. This is not a choice that record subjects [have] for records maintained by other third party record keepers such as banks and employers. Requiring health record keepers -- who are spending vast sums on computerization -- to retain parallel paper systems is impractical and costly. It would deny the benefits and savings that the Congress has already determined will result from increased use of modern information technology. Computers are an inevitable part of modern health care and indeed are intrinsic to the actual delivery of hospital care today. Patients must accept this and move on to debate the proper protections for records in a computerized environment. (Health Privacy and Confidentiality Recommendations of the National Committee on Vital and Health Statistics, Approved on June 25, 1997)

Control at this level of detail would be harmful to patients, since the effective and rapid processing of information, often for the benefit of the patient, depends on computerized systems. Our recommendation is for legislation that permits relationships necessary to operate the care and payment system, with common legal controls on all concerned to protect the patient information.

However, should it appear in the future that patient interests are being compromised by contractual arrangements that obscure choices about use and disclosure of information, or that thwart legitimate patient control over information, Congress might want to consider imposing obligations directly on these entities.

In addition to engaging outside organizations to process information about patients, providers and payers will on occasion need to give identifiable information to attorneys, insurers, auditors, and similar special-purpose service organizations. These recipients should be subject to the same use and disclosure restrictions that apply to the information in the hands of the providers and payers.

A similar mechanism, provision for a "qualified service organization," has long been in use under the Federal substance abuse confidentiality statute (Public Health Service Act § 543, 42 U.S.C. § 290dd-1). The regulation interpreting that statute permits substance abuse treatment providers to share patient information with outside organizations under agreements similar to the ones we propose here (42 C.F.R. §§ 2.11 (Qualified service organization) and 2.12(c)(4)).

5. SERVICE ORGANIZATIONS - GOVERNMENT AGENCIES

We recommend that providers and payers which are Federal, State, or local government agencies be permitted to employ other government agencies, in accord with applicable law, to carry out functions for them that require identifiable health information. The other governmental organizations should be subject to the same disclosure and use restrictions as the covered entity.

This is a governmental counterpart to the previous recommendation. Entities which provide or pay for health care, including government agencies, should be obliged to limit patient health information to the units or organizations actually performing those functions. However, government health providers or payers might on occasion use either outside private organizations (as discussed above) or other parts of their own departments or other departments of government for functions that involve personally-identifiable information, such as central data processing facilities. Likewise, State attorneys general's offices, and the Department of Justice, provide legal services to State and Federal health care facilities and may in the course of that work have access to health information. For such divisions of work within government, existing statutes may govern relationships, and the private contractual model is not directly useable. But the service agencies should be subject to the same use and disclosure restrictions as the covered entity, and thus should not use information about patients obtained in the course of this work for other purposes.

B. BASIC REQUIREMENTS

We recommend that there be a duty not to use or disclose health information except as authorized by the patient, or as explicitly permitted by the legislation.

We recommend that there be no duty to disclose information (except to the patient), and that other laws providing greater protection for health information, or rights for the patient, remain in effect.

1. LIMITATIONS ON USE

We recommend that providers and payers and those receiving information under the provisions of the legislation without patient authorization be permitted to use the health information only for purposes compatible with and directly related to the purposes for which the information was collected or received, or for purposes for which they would be authorized to disclose the information.

We recommend that legislation constrain the use of information within organizations. Organizations with many purposes and activities do on occasion create or collect information while acting as health care providers or payers. They may also receive information from providers or payers.

The fact that an organizational entity holds information is not a proper basis for its uncontrolled use within the organization. Under the requirement we recommend, entities holding records should have to make distinct and explicit choices about which activities are sufficiently connected with their health activities to warrant the use of identifiable health information. Other uses could be made only with patient authorization, or under provisions of the legislation that permit disclosure without patient authorization.

This requirement should not interfere with normal uses of information in the health care delivery or payment process, but should prevent uses extraneous to health, and may limit some existing uses of health information. We recommend that this be a somewhat more restrictive control than the Federal Privacy Act, which permits disclosure to officers and employees of the agency maintaining the record who have a need for the record in the performance of their duties (5 U.S.C. § 552a(b)(1)).

It is not possible or desirable to set forth in legislation all appropriate internal uses for health information by providers and payers. A general statutory standard is required, and so our recommendation calls for limiting use of health information to purposes compatible with and directly related to the purpose for which the information was collected or received.

For hospitals, for example, the use of health information to provide health care is obviously within the purpose of collection, and providing health care includes a wide variety of activities like management analysis, quality assurance and similar oversight activities, carrying out mandates of law, teaching, training, and research activities. Likewise, a provider or payer should be permitted to use information internally for a purpose for which it could make a disclosure.

This limitation on how patient information is used is especially applicable to organizations that are not primarily health care providers or payers, but that perform those functions, such as employers. This proposal is not intended to cover employers as such. Existing laws (such as the Americans with Disabilities Act of 1990 § 102 (42 U.S.C. § 12112) and the Rehabilitation Act of 1973, (29 U.S.C. § 793) (with regulation at 41 C.F.R. § 60-741.23)) constrain the collection, use and disclosure of health information by employers and should not be disturbed.

But we recommend that employers, when they function as providers or payers, be required to conduct themselves as such under the legislation. Workers have worried that employers get health information about them, and often their families, in the claims payment process, and may use it to discriminate against them. (Marilyn J. Field and Harold T. Shapiro, eds., Employment and Health Benefits: A Connection at Risk at 148 (1993)). This study by the Institute of Medicine recommends explicitly (at 246) that employer access to certain information collected in connection with health benefits be limited through controls similar to those in the Americans with Disabilities Act of 1990.

We recommend just such controls, by regulating how an employer uses information received in the payment process, either as a self-insurer or by processing claims en route to an insurance company. Information should not be used outside of the payment activity. An employer could not use it, for example, to make decisions about promotions or job assignments. Even if employers have information in identifiable form for statistical and analytic operations related to payment, or for oversight of an outside payer, the legislation should forbid its use for anything but these payment-related purposes. Employers should be required to build impermeable barriers between activities that use health information and their other activities.

The same considerations apply to health care delivered by an employer, or on the employer's premises, or by employee assistance programs. The information obtained in rendering these health services should not be used by the employer for purposes outside the purposes for which it was collected, except as authorized by the patient or otherwise allowed by the law.

The examples here are from the employment context; the requirement should be applicable to all who have health information.

2. SAFEGUARDS AGAINST DISCLOSURE

We recommend that providers and payers and those receiving information under the provisions of the legislation without patient authorization be required to maintain reasonable and appropriate administrative, technical, and physical safeguards

-- to ensure the integrity and confidentiality of health information; and

-- to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information.

We recommend the statutory formulation of a basic obligation of all record holders -- to safeguard the information.

No legislation can effectively specify how to do this, but it can require diligent and attentive choices of security measures. The technology is varied and dynamic, and different types of technology and information call for different types and degrees of security. We recommend that the legislation require providers and payers to take the appropriate levels and types of protective measures. The legislation should not create an obligation of absolute security. The key words are "reasonable," "appropriate," and "reasonably anticipated," to permit consideration of the degree of risk, the likely consequences of compromise, and the expenditure, financial and other, required to address the risk.

The measures should especially include employee education, clear and certain punishment for misuse, and technical controls on access to information within an organization, since there is evidence that a substantial threat to information is careless or deliberate misuse by those who have authorized access to it in their normal work activities.

A growing body of policy and technical material will help managers in formulating their plans in this regard.

The Office of Management and Budget has promulgated policy establishing a minimum set of controls to be included in Federal automated information security programs (OMB Circular A-130, Management of Federal Information Resources, Appendix III (February 1996)).

A recent study (commissioned by the National Library of Medicine of the National Institutes of Health and funded by the Library with additional support from the NIH Warren G. Magnuson Clinical Center and the Massachusetts Health Data Consortium), identifies best practices in social and technical mechanisms for protecting privacy and maintaining security that are currently used in information systems for health care. (National Research Council, Computer Science and Telecommunications Board, For the Record: Protecting Electronic Health Information (1997)).

The Health Insurance Portability and Accountability Act of 1996 requires the Secretary of Health and Human Services to develop standards for electronic transmission of financial and administrative information about health transactions, including security standards. Most of these standards will be published for initial comment this year.

The Center for Democracy and Technology has produced Privacy and Health Information Systems: A Guide to Protecting Patient Confidentiality (1996), a guide to help designers of electronic health information systems to identify and deal with confidentiality issues.

The Computer-based Patient Record Institute (CPRI) has produced a series of publications with guidance on security policies for computer-based patient records. (Guidelines for Establishing Information Security Policies at Organizations Using Computer-based Patient Records (January 1996), Guidelines for Information Security Education Programs (June 1995), Guidelines for Managing Information Security Programs (January 1996), Sample Confidentiality Statements and Agreements (May 1996), and Security Features for Computer-based Patient Record Systems (September 1996)).

3. MINIMUM DISCLOSURE

We recommend that all uses and disclosures be restricted, to the extent practicable, to the minimum amount of information necessary to accomplish the purpose for which the information is used or disclosed.

This recommendation is for an obligation to design systems to limit the amount of information that is disclosed to the minimum necessary for the intended purpose.

Any judgment about what is practicable, and what is minimum, must take into account the technical capabilities of record systems and the costs of limiting uses and disclosures. It is likely to be easier to limit disclosure when disclosing computerized records than when providing access to paper records. Technological mechanisms to limit the amount of information available for a particular purpose, and make information available without identifiers, are an important contribution of computerization to personal privacy. For example, limited fields of information can be disclosed, and identifiers can be stripped. As a practical matter, sorting through paper records to ensure that only the minimum amount is disclosed will be expensive and time-consuming and can risk compromising the integrity of the record, and these factors relate to practicability.

As technologies develop, it will become easier and cheaper to provide minimum information and to limit disclosure. We recommend that a Federal agency be authorized to issue guidelines for what levels and amounts of information constitute "identifiable" information, and guidelines for minimum allowable disclosures in particular situations.

Recent studies have emphasized the value of privacy-enhancing technologies (PETS) in accomplishing necessary transactions with a minimum of identifying information. The Dutch Data Protection Authority and the Information and Privacy Commissioner for the Province of Ontario, Canada, both governmental privacy protection entities, recently collaborated in producing a report exploring privacy technologies that permit transactions to be conducted anonymously. (Information and Privacy Commissioner/Ontario, Canada, and Registratiekamer, the Netherlands, Privacy-Enhancing Technologies: The Path to Anonymity (1995)).

The provision we recommend should not be a basis for automatic withholding of records in situations where the requester is best positioned to determine what information is necessary, such as oversight and public health investigations.

C. PATIENT AWARENESS AND CONTROL

1. EXPLANATION OF INFORMATION PRACTICES

We recommend that providers and payers, and those receiving information under the provisions of the legislation without patient authorization, be required to prepare a written notice to inform patients of their information practices and of the patients' rights regarding the health information.

We recommend that the explanation be required to provide information on whatever rights the patient has with respect to information, including, if applicable

-- the uses and disclosures of information authorized under the legislation and intended by the holder, as well as the protections available;

-- the right of the patient to prevent or limit disclosure in whatever circumstances that right exists;

-- the right to inspect and copy information and to seek amendments;

-- the procedures for authorizing disclosure of information and for revoking disclosure authorizations;

-- the procedures for the exercise of rights under the legislation, and the procedures, if any, for complaint, redress, or appeal; and

-- the fact that service organizations and those receiving information under the provisions of the legislation without patient authorization have explanations of information practices which are available upon request.

We recommend that providers and payers be required to give patients this explanation, or at least advise patients affirmatively of its availability and provide a copy upon request.

We recommend that service organizations and those receiving information under the provisions of the legislation without patient authorization be required to develop explanations of information practices meeting the same standards, and to provide a copy to patients upon request.

An informed citizenry is essential to protection of privacy. The basic structures for protection of health information should include requirements that patients be told what is being done with information about them, and what their rights are.

The Privacy Working Group of the President's Information Infrastructure Task Force formulated personal privacy principles (Principles for Providing and Using Personal Information (June 1995)), and three of them point to the centrality of public information and education:

II.B. Notice Principle. Information users who collect personal information directly from the individual should provide adequate, relevant information about:

  1. Why they are collecting the information;
  2. What the information is expected to be used for;
  3. What steps will be taken to protect its confidentiality, integrity, and quality;
  4. The consequences of providing or withholding information; and
  5. Any rights of redress.

II.E. Education Principle. Information users should educate themselves and the public about how information privacy can be maintained.

III.A. Awareness Principle. Individuals should obtain adequate, relevant information about:

  1. Why the information is being collected;
  2. What the information is expected to be used for;
  3. What steps will be taken to protect its confidentiality, integrity, and quality;
  4. The consequences of providing or withholding information; and
  5. Any rights of redress.

Likewise, the National Information Infrastructure Advisory Council (a public advisory committee to the President's Information Infrastructure Task Force) issued a statement, Common Ground: Fundamental Principles for the National Information Infrastructure (March 1995), which includes the following among its privacy and security principles:

10. Collectors and users of personally identifiable information on the NII should provide timely and effective notice of their privacy and related security practices.

11. Public education about the NII and its potential effect on individual privacy is critical to the success of the NII and should be provided.

The reasoning behind these principles emphasized that the public should be aware of uses and transfer of information that may not be clear or obvious. Health information is transmitted and used by a large number of agencies and institutions, and patients should know at least in a general way where it is going, how they can make corrections, and how to find out more information.

The explanation is of special importance in view of our recommendation below (HEALTH CARE AND PAYMENT) that disclosures of health information for health care and for payment be permitted without patient authorization, but that patients be permitted to object to particular disclosures for these purposes. The explanation of the patient's right in this regard is an integral element (together with direct legal controls on use of information by providers and payers) of this more realistic and informed patient control of information that we offer to replace the consent processes under which patients now permit their records to be passed around.

The Privacy Act of 1974 requires that Federal agencies advise the subjects of Federal records of their intended uses (5 U.S.C. § 552a(e)(3)). Cable television subscribers are entitled, under the Cable Communications Policy Act of 1984, to an annual notice of the cable company's information practices (47 U.S.C. § 551(a)). The recommended requirement would bring these salutary practices to health information.

All organizations should be required to have statements to inform patients, if they request it, of how they use health information, and what the rights of the patients are. The health care providers and payers, which have direct relationships with patients, should make this explanation available in an affirmative fashion, for example, at health care facilities, or with written material sent by mail to subscribers to health insurance plans. We recommend that the legislation require a written explanation that can be retained by the patient, so that patients can examine the policies and become aware of their rights at their leisure (when not under the anxiety sometimes attendant to receiving health care) and consult others as necessary. At the same time, we do not believe that it is desirable to prescribe in legislation the details of how the notice should be given.

Federal agencies could incorporate in the explanation proposed here the notice of information practices required by the Privacy Act.

Organizations that do not have direct contact with patients should also be required to prepare such an explanation and to make it available upon request.

2. PATIENT INSPECTION AND COPYING OF RECORDS

We recommend that patients be allowed to inspect and copy health information about them held by providers and payers. We recommend that patients be allowed to inspect and copy health information held by public health authorities, and by oversight agencies in any situation in which an oversight agency has made an adverse decision about the rights, benefits, or privileges of the patient.

We recommend that those holding health information be permitted to deny patient inspection of particular information under any of these circumstances:

-- the information is about another person (other than a health care provider) and the holder determines that patient inspection would cause sufficient harm to another individual to warrant withholding.

-- inspection could be reasonably likely to endanger the life or physical safety of the patient or anyone else.

-- the information includes information obtained under a promise of confidentiality (from someone other than a health care provider), and inspection could reasonably reveal the source.

-- the information is held by an entity that has received it under the health oversight provisions of the legislation, and access by the patient could be reasonably likely to impede an ongoing oversight or law enforcement activity.

-- the information is collected in the course of a clinical trial, the trial is in progress, an institutional review board has approved the denial of access, and the patient has agreed to the denial of access when consenting to participate.

-- the information is compiled principally in anticipation of, or for use in, a legal proceeding.

We recommend that providers and payers be permitted to deny inspection if the information is used solely for internal management purposes and is not used in treating the patient or making any administrative determination about the patient, or if it duplicates information available for inspection by the patient.

We recommend, in instances where a patient is to be denied inspection, that the holder of the record be required to make available to the patient, to the maximum extent possible, any portion of the health information which is not allowed to be denied to the patient under the standards above.

We recommend that providers and payers be permitted to charge a reasonable, cost-based fee for inspection and copying a record.

We recommend that entities obliged to provide inspection rights be required to make a decision on patient inspection within 30 days of a request, and that if they deny inspection rights they be required to give the patient a written statement of the reason.

We recommend that existing rights of subject access and correction under the Privacy Act of 1974 not be diminished.

The ability to see one's own record is central to effective control of information and is a basic fair information practice. A patient's decision whether to disclose a record may depend on what the record says, and so access to the record is integral to making an informed choice to disclose information.

The "Code of Fair Information Practice" recommended in 1973 by the Secretary's Advisory Committee on Automated Personal Data Systems includes as one of its five basic principles:

There must be a way for an individual to find out what information about him is in a record and how it is used.
(U.S. Department of Health and Human Services, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens 41 (1973)).

The Privacy Protection Study Commission recommended that this right be available. (Personal Privacy in an Information Society 299 (1977)). A right to see one's record is available by law in 31 States (described in Public Citizen Health Research Group, Medical Records: Getting Yours (1995)), and has been a right (with very limited exceptions) in Federal health record systems since the Privacy Act of 1974 (5 U.S.C. § 552a(d)).

The exceptions that we recommend provide for the limited situations in which, in the judgment of health professionals, access to the record by the patient would cause grave harm, or, in the case of oversight activities, would endanger the oversight activity, or in the case of clinical trials, would endanger a trial.

There should be no obligation to employ the exceptions. In general, patients should be able to see and copy their records, but there should be a provision to permit health professionals to exercise their judgment to withhold information in the rare instances where that is appropriate. Further, the record holder should be able to deny access only to the portion of the record that falls within the stated exceptions. The record holder should redact the portions allowed to be denied, and should give the patient the rest of the information.

There need be no obligation to let patients see information used solely for internal management purposes, which is a duplicate of the basic patient record (e.g., a back-up copy), or which is gathered for litigation.

Some clinical trials will involve health care and thus will be covered by the law, and the usual right to see one's record raises a special issue in these cases. We believe that a right to see one's own record, properly managed, need not impair research.

Subjects in clinical trials are often, by design of the research, unaware of the identity of the medication they are taking, or of other elements of their record. The research design precludes their seeing their own records and continuing in the trial. Further, patient access during the trial could endanger the entire trial.

Thus, we recommend that it be clear that a patient can waive the normal right to inspect information while the trial is in progress, regardless of the length of the trial. This waiver would be an element of the patient's consent to participate in the trial. The institutional review board should have to approve it, and the patient should be told clearly of this condition. The subject should have the usual right to see the record after the trial is completed.

Some entities other than providers and payers should be obliged to provide patient access (and the related correction rights, described below). Public health agencies may be able to take actions to affect the lives of the patients. Some health oversight agencies can make operational choices that affect the patient, such as denial of payment, and it is essential that patients be able to see records held by these agencies, after a decision adverse to the patient is taken. Under current law, such disclosure is already required, and through adversary proceedings, patients can challenge incorrect information which served as the basis for the adverse decision.

In other instances (e.g., an accreditation study of a hospital by the Joint Committee on Accreditation of Health Care Organizations) no individual patient interest is at stake in the oversight activity, and access is less significant.

However, the right recommended here is not simply a right to fair procedure in an administrative transaction or criminal or civil legal action (which may be provided in any case by other law); it is a freestanding fair information practice right to see one's record at a time of one's choosing regardless of actual use in a proceeding or for decision making. It should be available unless there is a danger that patient access would impede the investigation. We recommend that any procedures established to implement these provisions not be unduly burdensome on law enforcement or oversight agencies.

We do not recommend that researchers who receive information under the provisions of the legislation without patient authorization be obliged to permit patient access. In most instances, they have no direct contact with patients, and under our recommendations would be prohibited from using such information against a patient.

The section on SERVICE ORGANIZATIONS, above, addresses the rights of patients to see information held by service organizations operating on behalf of entities that are obliged to give patients access to their records.

3. PATIENT CORRECTION OF RECORDS

We recommend that patients be permitted to seek correction or amendment of health information about them held by any entity obliged to permit patients to inspect health information about them.

We recommend that these conditions govern responses to such requests:

-- if the entity makes the requested change, it must make reasonable efforts to inform others who have received the incorrect information about the change,

who are identified by the patient; or

who the entity knows have received the information, when it is reasonably foreseeable that the incorrect information may have an adverse impact on the recipient or patient.

-- if the entity makes the requested change, it must make reasonable efforts to inform known sources of incorrect information.

-- if an entity denies a request, it should inform the patient of the reasons for the denial and of any procedures for further review. The burden of proving that information needs to be amended or corrected should fall on the patient, and the legislation should not require a process for further review.

-- if a patient's request is denied, the patient should have the right to file a concise statement with the requested correction and the patient's reasons for disagreeing with the refusal. This statement should be included in any subsequent disclosure of the disputed portion of the information about the patient. The holder may include a concise statement of its reasons for not making the requested change.

This recommendation is intended to ensure basic fairness with respect to accuracy of information. It follows the pattern established by the Privacy Act of 1974 for Federal agencies (5 U.S.C. § 552a(d)(2)). It is not intended to interfere with medical practice, or modify standard record-keeping practices.

Reasonable attempts at notification of others should prevent the perpetuation and further transmission of erroneous information. The legislation should explicitly state a test of reasonableness in this regard, so that the vigor of the effort required is proportional to the importance of the information and the degree of hazard in disseminating incorrect information.

We recommend that it be clear that this provision is not intended to provide a procedure for substantive review of decisions such as coverage determinations by payers. It is intended to deal with the content of records, not the underlying truth or correctness of the events recounted in them. Attempts under the Privacy Act of 1974 to use the Act's correction mechanism as a basis for collateral attacks on agency determinations have generally been rejected by the courts. We intend the result to be the same here.

It is the standard practice of medical record keepers not to expunge any information in a treatment record. The usual procedure is to mark incorrect information and to add the correct information. Even if information is wrong, it is essential to the purpose of the medical record that the record reflect the information available when treatment decisions were made. We recommend no change in these practices, and there should be no requirement that information be erased or deleted. A record should be considered corrected or amended if incorrect information is marked as such, and the correct information added.

4. DISCLOSURE HISTORY

We recommend that providers and payers, and those receiving information under the provisions of the legislation without patient authorization, be required to retain a history of all disclosures of health information made for treatment, payment, research, oversight, public health, emergencies, to State data systems, for law enforcement, in judicial proceedings, and with the authorization of the patient.

We recommend that the record include the date and purpose of the disclosure; the name and address of the person to whom the disclosure was made or the location to which the disclosure was made; and where practicable, a description of the information disclosed.

We recommend that patients be permitted to see this record, except in the case of disclosures to and by health oversight agencies and to law enforcement agencies where access by the patient could be reasonably likely to impede those activities.

We recommend that the disclosure history be retained for the life of the record to which it relates.

We recommend that there be no obligation on service organizations to retain a record of disclosures in the course of treatment and payment transactions.

Patients ought to know who has seen information about them. This basic right was recommended by the Privacy Protection Study Commission (Personal Privacy in an Information Society 316 (1977)), and is available, with limited exceptions, under the Privacy Act of 1974 (5 U.S.C. § 552a(c)). The ability to see who has seen one's record is a form of control on disclosure. In a health facility where employees who receive care at the facility can easily check who has accessed their records, they often do check, and staff at the facility see this as an important confidentiality control (National Research Council, Computer Science and Telecommunications Board, For the Record: Protecting Electronic Health Information 98 (1977)).

Our recommendation does not envision that the legislation specify any particular form for retention of this history, as long as the inquiring patient can find out where his or her information went. Health facilities may choose to keep the disclosure history in a patient file, in a separate log, or in any other way, as long as it is possible to identify or accurately reconstruct the disclosures.

Our recommendations call for an exception to the right of patient access when access could be reasonably likely to impede oversight or law enforcement activities. We recommend that any procedures to implement these provisions not be unduly burdensome on oversight or law enforcement agencies.

No accounting should be required for disclosures made under the next-of-kin and directory information provisions (described below).