CONFIDENTIALITY OF INDIVIDUALLY-IDENTIFIABLE HEALTH INFORMATION

Recommendations of the Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996


I. INTRODUCTION

Every day, our private health care information is being collected, shared, analyzed and stored with few legal safeguards. There was a time when our health care privacy was protected by our family doctors -- who kept hand-written records about us sealed away in big file cabinets. Today, revolutions in our health care delivery system mean that we have to place our trust in entire networks of insurers and health care professionals. The computer revolution means that our family secrets travel quickly from doctors to hospitals to insurance companies -- and cannot be protected by simply locking up the office doors each night. And, revolutions in biology mean that a whole new world of genetic tests have the potential to help either prevent disease or reveal our most personal secrets.

Right now, the way we protect the privacy of our medical records is erratic at best -- dangerous at worst. It is time for our nation to enact federal legislation to protect the age-old right to privacy in this new world of progress. This report recommends that Congress enact national standards that provide fundamental privacy rights for patients and define responsibilities for those who serve them. Specifically, a federal privacy law should:

We are at a decision point. Depending on what we do, revolutions in health care, biotechnology, and communications can hold great promise or great peril. We must ask ourselves: Will we harness these revolutions to improve, not impede, health care? Will we strengthen, not strain, the very lifeblood of our health care system -- the bond of trust between a patient and a doctor? When all is said and done, will our health care records be used to heal us or reveal us?

Without safeguards to assure that obtaining health care will not endanger our privacy, public distrust could turn back the clock on progress in our entire health care system. Instead, we must keep our eye on the future, and act today.

A. BACKGROUND

The American people expect, and are entitled to, confidential, fair, and respectful treatment of health information about themselves. This report recommends that the Congress enact legislation requiring that treatment.

The need for such legislation is found in the rapid changes in the ways that health care is provided, documented, and paid for in the United States. These changes pose a challenge to American values that are both complementary and competing.

On the one hand, patients have a legitimate need for assurance of the confidentiality that permits them to be frank with their physicians about their health conditions and behavior. That assurance is fundamental to effective diagnosis, treatment and healing, and to the privacy that we in the United States cherish as essential to personal freedom and well-being.

On the other hand, participants in the health care system -- insurers, governments at all levels, managed care organizations -- have legitimate needs for access to health records in performing their roles in the system. Furthermore, those pursuing broad social purposes -- medical researchers, public health workers, governmental policy makers seeking to contain health care costs -- rely on the availability of data arising from these private transactions. Local public health agencies use health records to identify outbreaks of infectious disease, and to trace the source of infections like the recent E. coli infections. Researchers have used health records to help us fight childhood leukemia and uncover the link between DES and reproductive cancers.

Until comparatively recently, any tension between these needs for confidentiality and access was resolved directly between patients and their physicians. They conducted an essentially one-on-one relationship, in examination, treatment and payment, and, with some exceptions, could limit access to information about the patient. The paper records once kept under the control of physicians are giving way to computerized information which is increasingly stored far from its source -- the patient and the physician -- in forms and even locations of which they may have only imperfect understanding. Even physicians may be frustrated in their traditional role as patient advocates by the complexity of the systems that process their patients' information.

Moreover, patients may have little if any contact with some of the doctors and payers involved in their care. The result has been a weakening of the traditional, if often informal, controls that patients and physicians previously exercised to protect patient information.

The President spoke to the importance of these concerns in his commencement address at Morgan State University on May 18, 1997. He said that "technology should not be used to break down the wall of privacy and autonomy free citizens are guaranteed in a free society". He acknowledged the special concerns surrounding health records in his call for enhanced protections for privacy in the face of new technological reality, when we are facing "the frightening prospect that private information -- even medical records -- could be made instantly available to the world."

Our Nation's participation in the Global Information Infrastructure (GII) has sharpened the issues, and our plans for that participation include attention to privacy protection. The statement of the President and Vice-President, A Framework for Global Electronic Commerce reflects this concern and commitment:

Americans treasure privacy, linking it to our concept of personal freedom and well-being. Unfortunately, the GII's great promise -- that it facilitates the collection, re-use, and instantaneous transmission of information -- can, if not managed carefully, diminish personal privacy. It is essential, therefore, to assure personal privacy in the networked environment if people are to feel comfortable doing business.

The concern about confidentiality of health information appears against a backdrop of more general concern about privacy, well expressed by Alan Greenspan, the Chairman of the Federal Reserve Board:

The fears of invasion of privacy, as a consequence of inexorable forces seemingly out of the control of the average American, has risen to a major public policy issue. (Speech, Conference, "Privacy in the Information Age", Salt Lake City, Utah, March 7, 1997)

These concerns are not confined to the United States. The European Union (EU) has addressed the issue, and the EU data protection directive requires member States to "protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to processing of personal data".(1)

B. WHY FEDERAL LEGISLATION IS NEEDED

The existing legal structure does not effectively control information about individuals' health. Federal legislation, establishing a basic national standard of confidentiality, is necessary to provide rights for patients and define responsibilities for record keepers. Today, patients often sign blanket authorizations allowing use of their medical information in order to obtain treatment or payment for care. These authorizations may not really protect us, in part because they do not provide useful information about how our health records will be used, who will see them, or how we can get access to them. Such authorizations are not always voluntary -- if we do not sign the blanket authorization, we may sacrifice the ability to receive care or insurance benefits. In addition, as the health care system becomes more integrated and more computerized, it is becoming difficult to determine the appropriate person or place where our health information can be accessed or controlled.

For these reasons, we are recommending that Congress replace the ineffective use of authorizations with a system of Federal legislative controls on the use of health information collected by health care payers and providers. As described below, Federal legislation should authorize sharing information for health care treatment and payment, and prohibit use of that information for most other purposes. Such legislation should also provide consumers with specific rights to know how their information will be used, to get access to that information, to request correction of errors, and to know who has seen their medical information.

Before turning to the details of our recommendations, however, it is important to describe the current situation, and the general consensus that Federal action is needed.

Current Protections are Inadequate. Today the legal control of health information is, in general, a matter of State law. Limited Federal law covers specialized classes of information such as information about substance-abuse patients and information gathered in some Federally funded programs. The Privacy Act of 1974 provides some procedures and protections for records, including health records, held by Federal agencies.

All States have legal controls on the use and disclosure of health information, including a few comprehensive acts similar in broad outline to the Federal legislation we recommend here. Two States have enacted the Uniform Health-Care Information Act recommended by the National Conference of Commissioners on Uniform State Laws in 1985.(2) Many State laws protect special classes of health information, about HIV infection and AIDS patients and about mental health patients, for example. Some State case law imposes confidentiality duties.

These State laws vary greatly in scope and strength, and the situation has been described as "a morass of erratic law, both statutory and judicial, defining the confidentiality of health information."(3)

The Health Care Information System Is Increasingly Interstate. The health care system, particularly its information component, is very much an interstate activity, and will continue to develop in that direction. Computerization and telecommunications render the concept of "location" of information nearly meaningless. Patients receive care in more than one State, information about them is moved electronically across State borders to obtain payment (often through and to places remote from the patient and the provider), and providers operate across many States. In its administrative simplification requirements, the Health Insurance Portability and Accountability Act of 1996 calls for uniform standards for electronic transactions in health administration precisely because separate standards developed at other than the national level are not workable.

There is continuing movement toward a computer-based patient medical record, with national standards for content and format, and the possibility of ready interstate transmission as needed for patient care. A major impetus toward adopting this type of record was a report of the Institute of Medicine in 1991 that recommended adoption of the computer-based patient record as the standard for all patient care records.(4)

Likewise, increasing use of telemedicine means that patient information will often cross State lines, sometimes in real-time delivery of care. This promising development is an important facet of the National Information Infrastructure because of its potential to provide greater access to quality health care for all Americans, especially those living in rural and remote areas.

The Problems Are Urgent. The need for Federal protection is not theoretical; it is real and it is urgent. In a major American city, a local newspaper published medical record information about a Congressional candidate's attempted suicide. But it is not just public figures such as the Congressional candidate or Arthur Ashe (whose HIV status was published in a newspaper without his permission) who are at risk:

Inappropriate disclosure of personal medical information is not the only problem we are facing. Errors in health information, errors that can have profound financial effects, are often too difficult to correct. Such inappropriate handling of medical information can and should be prevented.

Calls for Federal Legislation. Numerous analyses over several years by government, industry, and professional groups have identified serious gaps in protections for health information, especially in the unregulated exchange of data, and have recommended Federal legislation to close them. There also has been significant Congressional action toward this goal, including several comprehensive health privacy bills introduced by Senators Bennett and Leahy, Representative McDermott, and Representative Condit. The fact that Congress, in the Health Insurance Portability and Accountability Act, mandated that the Department of Health and Human Services produce these recommendations is further evidence that the Congress understands that the time has come for action.

C. RECOMMENDATION FOR ESTABLISHING FEDERAL PRIVACY STANDARDS

We thus conclude that Federal legislation, establishing a basic national standard of confidentiality, is necessary to provide rights for patients and define responsibilities for record keepers. Such legislation should provide clear guidance and significant incentives for the confidential, fair, and respectful treatment of personal information that the public expects. It should encourage administrative, technological, and management choices in design of health information systems to these ends. And it should provide redress to those adversely affected by misuse of information.

We are aware that our recommendations come at a time of continuing, rapid change in the health care system and its information components. The standards for administrative simplification that the Department will soon publish, under the Health Insurance Portability and Accountability Act of 1996, will in themselves lead to new developments in the transfer and use of information. In addition, the boundaries between health information and other information are blurring. Marketing uses of health information and health uses of marketing information may ultimately make this activity a subject for legislation. New technologies and new uses, unthought of before now, will present new issues and new concerns. These possibilities may well warrant legislative attention in the future, and bear careful watching.

Aware of these contingencies, and of the need they may present for further legislative attention, we nevertheless recommend that the Congress enact legislation now, based on what we know now. Today, we should move forward with legislation that protects the heart of the health care system -- those who provide and pay for health care, and those who get information from them. Delay will leave the public unprotected as more information flows to more places.

D. PRINCIPLES

Our recommendations are founded on five key principles:

Boundaries. An individual's health care information should be used for health purposes and only those purposes, subject to a few carefully defined exceptions. It should be easy to use information for those defined purposes, and very difficult to use it for other purposes. Federal health record confidentiality legislation should impose a legal duty of confidentiality on those who provide and pay for health care, and on other entities that receive health information from them.

Security. Organizations to which we entrust health information ought to protect it against deliberate or inadvertent misuse or disclosure. Federal law should require such security measures.

Consumer Control. Patients should be able to see what is in their records, get a copy, correct errors, and find out who else has seen them. Our recommendations significantly strengthen the ability of consumers to understand and control what happens to their health care information.

Accountability. Those who misuse personal health information should be punished, and those who are harmed by its misuse should have legal recourse. Federal law should provide new sanctions and new avenues for redress for consumers whose privacy rights have been violated.

Public Responsibility. Individuals' claims to privacy must be balanced by their public responsibility to contribute to the common good, through use of their information for important, socially useful purposes, with the understanding that their information will be used with respect and care and will be legally protected. Federal law should identify those limited arenas in which our public responsibilities warrant authorization of access to our medical information, and should sharply limit the uses and disclosure of information in those contexts.

Federal privacy legislation should not require any disclosure of information, except to patients who ask to see their own records. The recommended allowable disclosures are just that -- allowable. Thus, for disclosures that are not compelled by other law, providers and payers should be free to disclose or not, according to their own policies and ethical principles. We offer these recommendations as a basic set of legal controls. But ethics and professional practice will in many cases dictate more guarded disclosure policies.

Similarly, where our recommendations would permit disclosure, they are not intended to create any new legal basis for refusing to disclose if such disclosure is required by other law.

Finally, our recommended standards are not intended to preempt or supersede other laws -- State or Federal -- that are more protective of individual privacy.

The effect of implementing our recommendations would be that some current uses of information could not continue without patient authorization. Some organizations that get information with ease now may not be able to get information without patient authorization, or without meeting new requirements. We have designed the requirements to serve patients.

These recommendations must steer a course between two extreme convictions: that privacy is already so compromised that attempts to control health information are futile, and that privacy is so weighty a value that we must reverse our efforts to use information effectively. Legislation must, therefore, strike a balance that permits socially important uses of information while protecting the privacy of people who seek care and healing. We believe our recommendations find that balance.

The remainder of this Introduction is a summary of the scope and content of what we believe a Federal health information privacy law should provide. A more detailed description of our specific recommendations for the rights of patients and the obligations of those who hold health information follows. Our recommendations are framed as expressions of basic policy for the major choices in designing such legislation. We appreciate the difficult choices and complex accommodations required to make Federal health privacy legislation a reality. We look forward to working closely with the Congress in developing such legislation.

E. BOUNDARIES -- RECOMMENDED SCOPE OF A FEDERAL PRIVACY LAW

There are four situations in which health information is collected, disclosed, or used, and that we recommend be addressed by Federal health privacy legislation:

Provision of and Payment for Health Care. A Federal health privacy law should focus on health care payers and providers and the information they create and receive for the provision and payment of health care, and on those who receive information from those payers and providers. Providers and payers are the foundation of the health care system, and the primary creators and collectors of health information. The provisions of a Federal privacy law generally should apply to information about a patient collected in the provision of health care services or in the payment for health care services.

A Federal privacy law should apply uniformly, regardless of the setting in which health care is provided. A person seeking treatment should be able to discuss his or her medical condition freely, with confidence that the information will be protected, whether treatment is sought from a private physician or hospital, a company doctor, or a community health center. Similarly, the law should apply uniformly to all such information, whether the information is oral or written, on paper or in a computer.

A Federal health privacy law should limit the ways providers and payers can use identifiable health information. However, it need not cover information that individuals voluntarily provide about themselves directly to parties other than providers or payers, such as retailers or marketers.

Health care research that includes the delivery of health care should be included in Federal privacy protections. Information obtained in this context should be protected by a Federal privacy law. Research that does not involve care, but which is based on medical records obtained from providers and payers, should also be protected, since the information is obtained directly from the health care system.

Employers that render on-site health care for their employees, or provide health benefits through a self-funded health plan, are acting as providers and payers, and in this context should be covered by a health privacy law. They should be able to collect and use identifiable health information for health care and directly related purposes, but should not use the information they collect as providers and payers for other purposes, such as hiring and firing, placement and promotions.

Health information often is obtained from individuals for purposes other than the provision of or payment for health care, and we recommend that these situations be addressed by other legislation. Thus, these recommendations do not extend to the results of a fitness-for-duty examination. Nor do our recommendations address the need for protection of genetic information in Federal and State DNA banks and DNA data banks for casualty identification or criminal investigation, or of information generated in workplace drug-testing programs. Some existing uses of health information should not be affected at all, such as reporting of birth and death and reporting of abuse such as child abuse. The confidentiality risks of these collections of information should be (and often are) addressed by legislation specific to them.

We recognize that distinctions among the various holders of health information are not always clear. We are particularly concerned about automobile and similar types of insurance that include a health coverage component. While these insurers may not be labeled "health insurers," as a practical matter they obtain the same information in the same ways, and serve the same functions, as health insurers. Similarly, there may be some grey areas regarding when an employer is functioning as a provider (and thus covered by a Federal privacy law) and when not. These are areas that would benefit from public debate and additional fact-finding. We continue to review specific instances, and may ultimately find that some information not now recommended for protection can and should be included in a Federal privacy law.

Similarly, we recognize that the collection, development, and use of information about health matters by entities other than providers and payers can present serious privacy hazards. It may well be appropriate to impose confidentiality restrictions in those contexts. While we now recommend a Federal health privacy law limited to health information held by providers and payers (and those receiving such information from them), we also believe that the Administration and Congress must continue to examine the hazards to privacy when health information is held in other settings, and consider ways of controlling those hazards.

Service Organizations. Providers and payers do not act alone. They engage other organizations to assist in processing health information. These "service organizations" may be claims processors, pharmacy benefits managers that provide information to pharmacists about coverage and drug interactions, or similar organizations that process information to help make the health care system work better. These organizations should be bound by the same restrictions that apply to the providers and payers from which they obtain the health information. Service organizations have access to patients' health information as an integral part of the provision of and payment for health care, and should be bound by a Federal health privacy law.

Limited Disclosures for National Priorities. Federal health privacy legislation should also allow certain uses of identifiable health information needed to support national priority activities. In exchange for this access to information, legislation also should place strict boundaries around the use and redisclosure of that information to ensure that it is used for the identified priority purpose only. The major national priorities which we recommend for this treatment are public health, oversight of the health care system, research, and law enforcement. For these activities, it is not always possible to obtain permission and, in many cases, doing so would create significant obstacles in our efforts to fight crime, protect public health, or understand disease.

However, along with access should come the duty to use that information only subject to legislative restrictions on how the information may be used and disclosed, tailored to the particular situations.

Disclosure with Authorization. Sometimes a patient will authorize a provider or payer to disclose information to a third person not directly subject to the Federal health confidentiality legislation that we recommend. In these cases, the patient should be able to enforce an agreement with that third person about how the information will be used. Federal law should impose an enforceable obligation on the recipient to use the information only in accord with the agreement made with the patient at the time of the authorization.

For example, if a potential employer requires health information as part of a background check for security purposes, the applicant can authorize his or her health care providers to disclose the information. But the employer's use of the information should be governed by the employer's statement of how it will use the information, and that agreement should be enforceable.

F. SECURITY

We recommend that a Federal health privacy law impose new restrictions on health care payers and providers who create and receive health information, and on those who receive information from those payers and providers. Specifically:

The attached recommendations provide the details for how such restrictions might operate. Many of these recommended rules would simply codify sound professional practices. For example, a provider should be able to use identifiable health information for mailing reminders to patients to schedule appointments. It should not be able -- absent patient consent -- to make available its patient list to a health company for use in a direct mailing announcing a new product or service (even if that product or service might benefit the patient). Providers and payers should be limited in their internal use of information, so that, for example, employers who obtain health information through their operation of self-insured health plans (i.e. as payers) should be prohibited from using that information for personnel decisions.

G. CONSUMER CONTROL

Americans should know what rules protect their health records, how those records will be used and shared, how they can obtain their records and, if necessary, how they can correct errors in their records. We recommend that Federal law provide consumers with significant new rights to be informed about how their health information will be used and who has seen that information. Specifically:

Our intent is to incorporate basic fair information practices into the health care setting. The attached recommendations provide details for how to make these consumer controls real.

H. ACCOUNTABILITY

The requirement to safeguard information must be supported by real and severe penalties for violations. Federal legislation should include punishment for those who misuse personal health information and redress for people who are harmed by its misuse. Specifically:

Only if we put the force of law behind our rhetoric can we expect people to have confidence that their health information is protected, and ensure that those holding health information will take their responsibilities seriously.

I. PUBLIC RESPONSIBILITY

A Federal health privacy law should permit limited disclosures of health information without patient consent for specifically identified national priority activities. We have carefully examined the many uses that the health professions, related industries, and the government make of health information, and we are aware of the concerns of privacy and consumer advocates about these uses. The allowable disclosures and corresponding restrictions we recommend reflect a balancing of privacy and other social values.

Specifically, in addition to disclosure for health care and payment purposes discussed above, we recommend that Federal legislation authorize disclosure of health information without explicit patient consent for four national priority activities. Recipients of information under such a legislative authorization should also be bound by restrictions on use and further disclosure of the information, tailored to their particular circumstances.

Oversight of the Health Care System (including audit, investigation, quality assurance, and licensure). Combating fraud, abuse, and waste in health care and related payment programs is a major national priority. In addition, we have both legal and ethical duties to improve the quality of health care and records review is essential to this important task. We recommend that the legislation not add additional restrictions to access to health information for these purposes. No new judicial or administrative procedure should be required before oversight agencies can see health records, or use them against patients, providers, and others for wrongdoing in health or related programs. At the same time, existing legal constraints that govern access to or use of such information by oversight organizations should remain in place. We are also recommending criminal penalties for obtaining health information under false pretenses.

For Public Health, and in Emergencies Affecting Life or Safety. The importance of public health and emergency medical activities to our health and safety cannot be overstated. Health information is necessary for tracing the source of rapidly spreading infectious diseases, finding links between diseases and their causes, and rendering appropriate medical care to victims in emergencies. We recommend that there be no new procedural burdens in the way of these priority, often urgent, activities. At the same time, public health workers should be prohibited from redisclosing that information for any other purpose.

For Health Research. Research is essential to our health care. Federal law should permit use of information for research without consent under carefully-defined circumstances, and should also include safeguards, including restrictions on redisclosure, to ensure that individual subjects are not harmed. Federal requirements should include a determination by an institutional review board that the research does not involve more than minimal risk, that the absence of consent will not harm the participants, and that the research would be impracticable if consent were required.

We also propose accommodating the special needs of clinical trials. Generally, patients should have access to their own records. For clinical trials, however, we recommend a limited exception to permit agreements that research subjects typically make, such as to forego access to their trial-related records for the duration of their participation in the trial, as long as they are consistent with Federal rules for the protection of research subjects.

Pursuant to Other Laws or Court Orders, such as: to Law Enforcement Authorities, to State Health Data Systems, and in Court Proceedings. Law enforcement agencies need access to health information for many purposes. We recommend that this Federal health privacy law not alter current practices; that is, it should neither expand nor contract current laws governing disclosure of health information to law enforcement authorities. In many instances, law enforcement authorities today can obtain, share, and use health information without patient consent and without legal process. We are not recommending changes to these practices. Similarly, existing legal constraints on law enforcement access to and use of medical information should remain in place.

We recognize that new issues are raised by the search capabilities of computerized records, and that there are arguments in favor of new restrictions to address these possibilities. However, until more experience is gained with the uses of computerization of these records, and the types and frequency of requested searches, it is premature to change existing law in this area.

J. HOW FEDERAL PRIVACY LEGISLATION SHOULD RELATE TO OTHER LAWS

Any Federal legislation controlling health information must be understood in the context of other State and Federal laws that also address, either incidentally or directly, the confidentiality of health information. In short, we recommend that existing confidentiality laws at both State and Federal level which provide more protection remain in force. A new Federal privacy law should provide a basic level of protection for everyone -- a "floor" of protection -- without reducing other protections.

State Law. As noted above, there exists today a patchwork of State health privacy laws. While some are comprehensive and strong, the array of protections we recommend here would, in general, be stronger than most existing State law.

We recommend that Federal health privacy legislation supersede State law that is less protective than the Federal law. If either the Federal or State law forbids a disclosure, the disclosure should not be made. Thus, the confidentiality protections should be cumulative, and the Federal legislation should provide "floor preemption."

We make this recommendation with the recognition that a single national standard may be preferable from the administrative simplification perspective, and that some privacy interests might also be better served thereby. However, at this time, the freedom of States to protect their citizens' privacy through their own legislation is more important than the benefits of standardization that totally preemptive Federal legislation would confer. The attention several States have given to this issue should be respected. Many States have statutes to protect information about HIV infection and AIDS patients, and about mental health patients, designed after wide public debate to suit local needs. In addition, the Federal government can clearly learn from the experiences of States as they respond to the complex task of protecting patient information in a rapidly changing environment.

Other Federal statutes that afford protection to liberty, privacy, and consumers' rights generally do not displace stronger State laws. At present, the goals of this proposal argue that it not break that tradition.

In addition, Congress expressed a preference for leaving stronger State laws in place in the Health Insurance Portability and Accountability Act of 1996. That Act calls for the Secretary of Health and Human Services to impose confidentiality controls on electronic transaction systems if Congress does not legislate on confidentiality by August 1999, and directs that any such controls not supersede State law with more stringent requirements.(8) Likewise, the standards for administrative simplification of health financial and administrative transactions, which that Act requires the Secretary of HHS to promulgate, may not supersede stronger State confidentiality laws.(9)

Privacy needs, developments in health data systems, and the interests of nationwide administrative simplification for health transactions may ultimately justify preemptive Federal legislation. But, at least at present, as the National Committee on Vital and Health Statistics noted, "this issue need not be treated as a single problem with a single solution."(10)

If the Congress enacts Federal legislation leaving State controls in place, the impact of the respective laws on individual privacy rights and on effective use of health information bears careful watching. To the extent that dual regulation impairs health care or the operation of information and payment systems, poses risks to confidentiality arising from misunderstanding of the applicability of multiple laws, or creates uncertainty in patients about rights and redress, consideration of additional action, such as developing a single national law or preempting State laws in particular areas, may be warranted.

Federal Law. Similarly, we recommend that a Federal privacy law not limit or reduce other Federal legal protections that control how information about individuals is disclosed or used. As with State law, Federal privacy protections should be cumulative.

For example, even where the recommended Federal privacy law would allow a disclosure without patient consent or judicial process, it should not obviate the need to comply with other Federal statutes that do require consent or judicial process. Nor should it diminish any rights, of patients or record holders, to challenge disclosures under other Federal law. If another Federal law requires legal process, or specific showings, prior to a disclosure, a record holder should remain obligated to observe those requirements.

For Federal health records, the records management requirements and subject access provisions of the Privacy Act of 1974 should continue to apply. But we recommend that the Privacy Act's disclosure provisions be replaced by the general health information disclosure restrictions we recommend, to the extent that the latter are more stringent than the Privacy Act.

K. PARTICULAR CLASSES OF INFORMATION

At present, we recommend that Federal health confidentiality law treat all types of health information alike. The intent is to provide a meaningful minimum floor of privacy protections in Federal law for all types of health information. We recognize, however, that there is a great deal of support for providing additional protection to certain types of health care information that people feel to be particularly sensitive. For example, Federal and State laws already provide stronger protections for certain information (such as information about HIV status, substance abuse patient information, and mental health records), and we recommend that these standards remain in place. We further recognize that additional types of particularly sensitive information may be identified for special protection in the future, and look forward to working with the Congress in determining when such protections are appropriate.

* * * *

The following are our recommendations for the contents of a federal health privacy statute. There will be many important details to be discussed, both in drafting legislation and then in developing implementing regulations. The following recommendations are not intended to address privacy policy at that level of detail. Rather, the following are statements of principle and policy that describe our recommended framework for federal health privacy legislation. We look forward to working with the Congress on a bi-partisan basis to advance these principles and enact Federal legislation that provides a basic set of rights with respect to health information to all Americans. This is an essential beginning.