F. SPECIALIZED CLASSES OF PERSONS AND ENTITIES

1. DECEASED PERSONS

We recommend that patients be covered by the protections of the legislation for two years after death, and that the right to control the patient's health information within that time be held by an executor or administrator, or in the absence of such an officer, by next-of-kin, determined under State law, or in absence of both, by the holder of the health information.

Whether to apply confidentiality legislation to information about deceased patients is a difficult issue, with good arguments in favor both of protecting and not protecting this information. In traditional privacy law, privacy interests, in the sense of the right to control disclosure of information about oneself, cease at death. The underlying purpose of health record confidentiality -- to encourage a person seeking treatment to be frank in the interest of obtaining care -- may require, from the patient's perspective, confidential treatment of information even after death. However, the problem of ensuring confidentiality after death is complicated by the traditional method of managing affairs after death -- control by an executor or administrator, who is often a relative. The result may be that the very people the deceased may have hoped would not know of his or her health condition will control the information.

At the same time, perpetual confidentiality has serious drawbacks. If information is needed for legitimate purposes, there should be someone legally authorized to disclose it, by analogy with authorization by a living person. A permanent bar to disclosure would serve privacy interests only rarely, and could interfere with important and acceptable uses of information, such as historical research.

A two-year period of confidential treatment, with provisions for authorization by specific persons, would preserve dignity and respect by preventing uncontrolled disclosure of information immediately after death but permitting disclosure for proper purposes during this period. It should be noted that providers may, apart from legally compelled disclosure, choose to keep information confidential for a longer period.

2. IDENTIFICATION OF DECEASED PERSONS

We recommend that health information be permitted to be disclosed to identify a dead person, or to aid a medical examiner's or coroner's investigation.

Information from health records is used to identify dead persons, and this recommendation permits providers and payers to disclose information for this purpose. In an instance where information so disclosed reveals information about a living person, that information should not be used for any purpose relating to the living individual.

Medical records are used in investigation of causes of death, and should be permitted to be disclosed for that purpose.

3. CORRECTIONAL AND DETENTION FACILITIES

We recommend that health information about patients who are inmates of correctional facilities, or incarcerated in detention facilities, be available to prison and detention officials responsible for the custody and care of the inmates and detainees, and that no further restrictions apply to the use and disclosure of this information. We recommend that the rights and obligations of the legislation not apply to inmates or detainees, or the officials or entities responsible for their care and custody.

This recommendation acknowledges the special situation of persons in correctional facilities, whose health care is a fundamental responsibility of the officials of those facilities.

4. MINORS

We recommend that patients below the age of 18 who, acting alone, have the legal capacity to apply for and obtain health care and who have sought such care, should have all rights under the legislation with respect to information relating to such care.

We recommend that in cases not covered by the preceding condition, and in which the patient is age 14, 15, 16, or 17, either the patient or the parents or legal guardians be authorized to exercise all rights under the law.

We recommend that the rights of patients under 14 years of age be exercised by the parent or legal guardian of the patient.

These recommendations recognize the special situation of minors. They take into account the responsibility and concern of parents for their children, and at the same time acknowledge the ability under many State laws of minors to consent to their own care for particular conditions named in statute.

5. POWERS OF ATTORNEY

We recommend that persons authorized by law (other than on account of minority) to act for a patient, or authorized by an instrument recognized under law, to act as agent, attorney, proxy or other legal representative, exercise all rights of the patient to the extent authorized by the grant of authority.

We recommend that persons authorized by law, or by an instrument recognized under law, to make decisions about a patient's health care exercise the rights of the patient to the extent necessary to effectuate the terms or purposes of the grant of authority.

These recommendations address situations in which patients have formally authorized others to act for them, or are unable to act for themselves. They are necessary accommodations in situations where, for purposes beyond decisions about information, others are acting for patients.

As it relates to persons authorized to make health care decisions for others, this recommendation recognizes the power, under the laws of most States, of individuals to designate others to make health care decisions on their behalf, in the form of durable powers of attorney or similar instruments. The definition of rights we recommend is similar to one offered by the National Conference of Commissioners on Uniform State Law, in the Uniform Health-Care Decisions Act (9 Part I U.L.A. 93 (Supp. 1994)) in this circumstance.

6. PATIENTS UNABLE TO MAKE CHOICES FOR THEMSELVES

We recommend that if a patient is not capable of exercising his or her rights under the legislation but has not been legally adjudicated as incompetent or has not had a legal representative appointed, the patient's rights under the recommended Federal privacy act be exercised by a person who holds a health care power of attorney for the patient, or in the absence of such a person, by next of kin, or in the absence of such a person, the health care provider.

We recommend that anyone exercising these rights be required to do so in the best interest of the patient.

This is intended to deal with situations where a patient is unable to exercise the rights under the confidentiality law, and there is no formal legal arrangement for others to exercise those rights.

7. BANKING AND PAYMENT PROCESSES

We recommend that providers and payers be permitted to disclose, in connection with payment by debit, credit, or other payment card or account number, or other electronic payment means, the minimum amount of health information necessary to complete the payment transaction.

We recommend that a debit, credit, or other payment card issuer, or anyone otherwise directly involved in payment or billing transactions through such means, be permitted to use or disclose health information about a patient only for authorization, settlement, billing or collection, and for other purposes directly related to these financial operations.

Financial organizations such as banks that issue credit cards now process payment for health care. In the course of making payment for health care, and billing customers, they may incidentally receive health information. When a patient pays a provider using a credit card, the transaction does not use health information as such, and the provider should not include health information in communicating with the bank to receive payment.

However, some health information can be derived by ready inference from information that is included in the financial transaction. The specialty of a provider, which is easily determined, may indicate the type of health care being received. The amount or pattern of charges may suggest with some precision the gravity or character of a patient's condition.

Any health information so disclosed should be used only for the immediate purposes of the transaction.

Since entities performing these functions are typically regulated as financial or credit institutions, and transactions with health information are integrated into their more general operations, there is no value in identifying them as payers or service organizations and subjecting them to the range of obligations imposed on providers and payers and their service organizations.

The legislation should prevent them from using identifiable patient information for purposes beyond the immediate transactions. In particular, they should not be allowed to use health information for purposes like direct marketing by the processor or by others, for the development of consumer profiles, for prescreening, for credit evaluation, or for other purposes.

The limitations we recommend should not interfere with use of patient information in audits, transfer of receivables or accounts, or the range of activities that surround the sale or transfer of receipts, or any legal or regulatory access to information that is common to the transactions of the processor more generally. The intent is to prevent the use of health information as such for any purpose beyond those narrowly connected with payment.

8. DISCLOSURES WITHIN THE DEPARTMENT OF VETERANS AFFAIRS

We recommend that disclosures of health information within the Department of Veterans Affairs for the purposes of the benefit programs of that Department be permitted without explicit authorization.

In the Department of Veterans Affairs health information about its beneficiaries currently flows as necessary from its medical facilities to its benefits payment elements, to permit benefit determinations based on health status. There is little value in requiring, for these information transfers within that agency, that veterans give the same authorization they would have to provide, for example, to permit disclosure of a private provider's records to a private insurance company. Simplicity and convenience for the veterans, and reduction of merely formalistic documentation, warrant this exception to the authorization requirements. The Privacy Act of 1974 provides a structured framework for the maintenance of the information, and existing confidentiality statutes cover DVA information without distinguishing health information from other information (38 U.S.C. § 5701).

9. MILITARY SERVICES -- MEMBERS

We recommend that the Secretaries of Departments including military services be authorized to promulgate regulations permitting disclosure without patient authorization of health information about members of the military services, by health care providers and payers that are part of the military services or operating on behalf of the military services.

The purpose of the health care system of the military services differs in its basic character from that of the health care system of society generally, and the leadership of the military services has a special relationship with its members. The special situation of the military services is acknowledged by the Constitutional provision for separate lawmaking for them (U.S. Const. art. I, § 8, cl. 14), and in their separate criminal justice system, under the Uniform Code of Military Justice (10 U.S.C. §§ 801 et seq.).

Officials of the military services are responsible for the health of the members, and use information, including health information, to make operational choices about assignment of personnel and other matters relating to the national defense functions. Examples include the medical status of pilots, the reliability of nuclear weapons personnel, and compliance with controlled substance policies. The normal role of the patient in authorizing disclosure of health information would be inconsistent with these responsibilities and relationships, and thus we recommend that the military departments be permitted to modify the disclosure rules as necessary.

Under this recommendation, the rules could be modified for providers and payers which are direct military activities, as well as for civilian facilities serving members of the military services pursuant to contract (such as TRICARE managed care support contractors). We recommend that the authority to modify the disclosure rules apply only to health information about members of the military services.

The legislation should not permit promulgation of regulations to permit disclosure or use of information that is restricted or controlled by other law.

This recommendation is applicable to the Department of Defense and the Department of Transportation.

10. MILITARY SERVICES -- CIVILIAN EMPLOYEES AND CONTRACTORS

We recommend that the Secretaries of Departments including military services be authorized to promulgate regulations restricting the revocation of authorizations for disclosure of information by civilian employees and contractors' employees in instances where ongoing access to health information is necessary for the conduct of national defense functions.

This provision addresses the situation of civilian employees of the military services, and contractor personnel, who authorize use of their health records to evaluate their suitability for deployment and other defense-related activities. Information about their health is needed on a continuous basis, and revocation of the authorization would interfere with use of the information, possibly in situations where the lack of information could have serious operational consequences.

G. RELATIONSHIP TO OTHER LAW

1. CERTAIN LAWS NOT AFFECTED

We recommend that the legislation not preempt, supersede, or modify the operation of

-- any law that provides for the reporting of vital events such as birth and death;

-- any law requiring the reporting of abuse or neglect of any individual;

-- the provisions of the Public Health Service Act regarding notification of emergency response employees of possible exposure to infectious diseases (Public Health Service Act subpart II, part E, title XXVI (42 U.S.C. §§ 2681-2690));

-- any law requiring or explicitly authorizing the reporting of injuries or illnesses in connection with a workers' compensation program; or

-- any law that establishes a privilege for records used in health professional peer review activities.

These activities are all subject to existing law, and we recommend that they not be affected at all by the legislation. This proposal is not simply that disclosures to comply with these laws be allowed: it is that these disclosures and the activities under these laws should not be affected at all.

The reporting of vital events like birth and death may include health information, but the reports are made pursuant to an existing body of law which controls use of the information so disclosed, and are for public purposes beyond health care. All States have laws in this area, many based in whole or in part on the model statute promulgated by the National Center for Health Statistics (Centers for Disease Control and Prevention, National Center for Health Statistics, Model State Vital Statistics Act and Regulations (1992)).

The reporting of neglect or abuse is addressed by law in every State.

In workers' compensation programs, State laws require employers to report injuries to State agencies or workers' compensation insurance carriers. While in many cases these reports will come from employers and will not include health information, there will be instances in which a health care provider will make the report. The legislation should not affect these reports.

To the extent that health information is used in health professional peer review activities, control of its use and disclosure should be left to the specialized statutes governing those activities.

2. PRIVILEGE STATUTES

We recommend that a patient's authorization for disclosure of health information for health care or payment, or disclosure under the legislation for those purposes without patient authorization, not diminish, waive, or otherwise impair any testimonial privilege.

Existing privileges, which in some instances can be abrogated by disclosure of the information covered by the privilege, should be preserved.

3. THE PRIVACY ACT OF 1974

We recommend that providers and payers now subject to the Privacy Act of 1974 remain subject to that Act.

We recommend that these providers and payers be obliged to observe the disclosure restrictions of federal privacy legislation as well as any disclosure restrictions of the Privacy Act that are more restrictive than such legislation.

We recommend that Federal agencies be permitted to make disclosures now allowed by the Privacy Act to the National Archives and Records Administration.

The Privacy Act of 1974 (5 U.S.C. § 552a) was a pioneering statute for the use and control of personal information, and continues to serve the public well as a control on the use and disclosure of information by the Federal government. Its significant contributions to privacy interests are its requirements that agencies maintain only information necessary to the agencies' purposes; that individuals have the right to access and to request amendment of their records; and that agencies be open about the records they keep and their uses and disclosures.

Written to cover the wide variety of records found in the entire Federal government in 1974, including many of minimal sensitivity, its use and disclosure provisions are not highly restrictive. The Act explicitly identifies many disclosures as allowable without individual consent. Information may be used by employees of an agency who have a need to know the information to perform their duties, and "agency" includes an entire cabinet Department. Information may be disclosed pursuant to court order and pursuant to proper requests from law enforcement authorities, and to certain other Federal agencies. There are several other specified allowable disclosures. Beyond those set out in the text of the Act, agencies have discretion to make other disclosures through their administrative power under the Act to establish, by notice, comment, review by the Office of Management and Budget and Congress, a routine use -- a disclosure of information outside the agency "for a purpose which is compatible with the purpose for which it was collected." In devising their routine uses agencies have latitude in determining what is "compatible," although the courts have been looking more closely in recent years at agency choices.

Many Federal agencies conduct activities that would be covered by the legislation we recommend, such as the provision of care by the Clinical Center of the National Institutes of Health, the hospitals and clinics of the Department of Veterans Affairs, the Department of Defense and the Indian Health Service, and the payment activities of Medicare and the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS).

We recommend that federal health record confidentiality legislation limit the latitude of these agencies to make the disclosures otherwise permitted by the Privacy Act. Federal agencies should be restricted in their intra-agency disclosures, and in promulgation of routine uses, to the purposes and uses set out in the health privacy legislation we recommend.

This recommendation is based on these principles:

Health information is a specialized class of information that deserves the more careful treatment, in terms of disclosure restrictions, that the legislation we now recommend would provide.

Federal and other (private, State and local government) health care and payment activities ought, as much as possible, to be subject to the same confidentiality rules.

A common set of rules for health records in all health programs is more important than a common set of rules for records whose only similar feature is their Federal maintenance.

At present, existing confidentiality statutes are often overlaid on the Privacy Act, with the effect that the protections are cumulative. That is the result sought here, and it should be addressed explicitly in the law.

There are strong reasons to encompass both Federal and other health records within a common protective scheme. There is increasing interaction among the Federal, private, and State government sectors in sharing of facilities, purchase of care, and the like. The work of all these facilities and their personnel would be simplified by a common set of rules.

We recommend that the proposal leave in place the subject access and amendment provisions of the Privacy Act, and that it not diminish any protections against disclosure provided by that Act.

Unforeseen circumstances can be accommodated under the administrative authority we recommend, below (discussed under AUTHORITY FOR LIMITED SUSPENSION).

The archives provision deals with the special situation of Federal agencies whose records are subject to the Federal Records Act.

4. STATE LAW

We recommend that the legislation preempt State laws only to the extent that those laws are less stringent or restrictive than the Federal law.

We recommend that the Federal legislation supersede State law only when the State law is less protective than the Federal law. If either the Federal or State law forbids a disclosure, the disclosure should not be permitted. Thus, the confidentiality protections would be cumulative, and the Federal legislation would provide "floor preemption."

Generally, Federal statutes that provide rights to individuals with respect to privacy and liberty do not displace stronger State laws, and we believe that the legislation we recommend should follow that tradition.

We are aware of the strong arguments, and repeated recommendations, that Federal law in this area should be totally preemptive, i.e., that it totally occupy the field of protection of health care information, so that no State could maintain or establish any law governing use and disclosure of health information.

Those arguments are based on the increasing integration of the health care information system in this country, in which information passes easily from State to State, when information generated in one State may with ease be retrieved in another State, and when it is difficult even to identify the "location" of information to determine which State's law applies.

Nevertheless, we have concluded that the careful attention States have given, and continue to give, to this issue, should be respected. Some States have comprehensive health confidentiality statutes analogous to the one recommended here, and others are considering them. Many have carefully designed statutes protecting specialized classes of information, particularly information about AIDS and HIV infection patients, and mental health patients.

The Federal protection would ensure that everyone has an adequate level of privacy protection, and if the people of the several States wish more, or see special privacy needs which are not being met, they can retain or enact additional safeguards.

5. OTHER LAW GOVERNING HEALTH INFORMATION

We recommend that the legislation not modify or supersede other Federal or State law that provides greater protection.

Some health information subject to the legislation we recommend will also be subject to other law restricting its use and disclosure. The subjects of this information ought to have the benefit of all applicable law.

This may be the case with information held by payers and providers, in States with more protective statutes for some elements of health information (as discussed above in STATE LAW), and will be the case with some information held by Federal agencies. It may also be the case with information disclosed by payers and providers under provisions of the legislation without patient authorization.

In the latter instance, the information would, in its new setting, become subject to other statutes as well as the redisclosure provisions of the legislation we recommend. For example, information disclosed for research may become subject to statutes governing certain statistical activities (Public Health Service Act § 308(d), 42 U.S.C. § 242m(d)), health services research activities of the Agency for Health Care Policy and Research and its grantees and contractors (Public Health Service Act § 903(c), 42 U.S.C. § 299a-1(c)), or research subject identity protection (Public Health Service Act § 301(d), 42 U.S.C. § 241(d)). In other instances, State law may also restrict the disclosure of this information.

In the case of Peer Review Organizations, which review health information to ensure the quality of care for Medicare beneficiaries, health information is protected by its authorizing statute (Social Security Act § 1160, 42 U.S.C. § 1320c-9).

The Americans with Disabilities Act prohibits discrimination on the basis of disability, and in regulating the assessment of applicants and employees, requires employers, among other things, to keep medical information "on separate forms and in separate medical files" and to treat this "as a confidential medical record." (§§ 102(c)(3) and (4), 42 U.S.C. §§ 12112(c)(3) and (4)). Section 503 of the Rehabilitation Act of 1973, 29 U.S.C. § 793, provides the same protections for Federal contractor employees and job applicants (regulation at 41 C.F.R. § 60-741.23).

These laws should continue to apply. Information obtained by employers in providing health care or payment should be subject to the legislation we propose. Information subject to the Americans with Disabilities Act or Rehabilitation Act (whether or not obtained in treatment or payment) should continue to be covered by these laws. There should be no conflict between the requirements, since neither those laws nor the legislation we recommend requires any disclosure that violates the other law.

In providing for the continuance of stronger State law, the legislation should not modify the scope of the Employment Retirement Income Security Act of 1974 (ERISA) (29 U.S.C. § 1134) preemption of State laws. We recommend new minimum federal standards that would apply to many different entities that hold health information, including ERISA plans. However, we are not recommending that States be given new authority to apply more protective privacy standards to ERISA plans.

6. FEDERAL SUBSTANCE ABUSE CONFIDENTIALITY STATUTE

We recommend that the Secretary of Health and Human Services be authorized to determine, by regulation, which elements of the Federal substance abuse confidentiality statute (Public Health Service Act § 543, 42 U.S.C. § 290dd-2) should continue to apply, so that the net effect of that statute and the one recommended will be at least as strong protection for the information concerned.

We recommend that the Secretary of Veterans Affairs be similarly empowered with respect to the statute governing substance abuse, sickle cell disease, and HIV infection in the records of the Department of Veterans Affairs (38 U.S.C. § 7332).

This recommendation will ensure that the strongest protections of the new legislation and the existing laws will both apply to covered information. The relevant Cabinet Secretaries would publish regulations to specify what rules apply.

H. ENFORCEMENT

1. CIVIL

We recommend that any patient whose rights have been violated knowingly or negligently be permitted to bring an action, in a U.S. District Court or any court of competent jurisdiction for actual damages and for equitable relief. We recommend that actual damages encompass nonpecuniary losses such as physical and mental injury as well as pecuniary losses. We recommend that in the case of knowing violation, attorneys' fees and punitive damages should be available.

We recommend that common law liability be eliminated for any disclosure that is permitted by the legislation we recommend and is not otherwise prohibited by State or Federal statute.

We recommend that members of institutional review boards and their parent entities not be liable for a good faith determination of the propriety of a disclosure for research under the provisions allowing for such disclosure.

We recommend that there be no liability for a disclosure based on good faith reliance on a certification by a government authority or other person that a requested disclosure is in accord with the law.

The ability to seek redress for violations is an important element of confidentiality protection. There have been, and will continue to be, improper disclosures of health information, through negligence or deliberate choice. The victims of such disclosures should be able to seek civil redress.

The Privacy Working Group of the President's Information Infrastructure Task Force identified this as a basic principle in its Principles for Providing and Using Personal Information:

III.C. Redress Principle
Individuals should, as appropriate, have a means of redress if harmed by an improper disclosure or use of personal information.

The President's statement on the Global Information Infrastructure, A Framework for Global Electronic Commerce (June 1997) reiterates this point:

Under these principles, consumers are entitled to redress if they are harmed by improper use or disclosure of personal information or if decisions are based on inaccurate, outdated, incomplete, or irrelevant personal information.

Other statutes establishing confidentiality obligations provide a cause of action, such as the Fair Credit Reporting Act, which permits suits in the U.S. District Courts, or in any other court of competent jurisdiction, to enforce liabilities under that act (15 U.S.C. §§ 617-618). Cable television operators are forbidden to disclose subscriber information except under defined circumstances, and violations give rise to civil liability, with a cause of action in the U.S. District Court (47 U.S.C. § 551(f)). The wrongful disclosure of video tape rentals or sales information gives rise to a similar cause of action (18 U.S.C. § 2710(c)). New restrictions on disclosure of State motor vehicle information were imposed by the Violent Crime Control and Law Enforcement Act of 1994, and individuals have a cause of action in the U.S. District Court against persons who obtain or disclose information in violation of the restrictions (Pub. L. No. 103-322, § 300002, 108 Stat. 1796, 2101, 18 U.S.C. § 2724).

We recommend that the legislation take a balanced approach that compensates, in the case of negligence, only for actual losses, although not only monetary losses. In the case of a knowing violation, punitive damages and attorneys' fees should also be available.

Our recommended definition of actual damages envisages better recovery possibilities than the Privacy Act of 1974, whose damages provisions (subsections (g)(1)(D) and (g)(4)) have in some instances been read to mean only pecuniary damages, and whose standard for recovery is that the Federal agency acted intentionally or willfully ((g)(4)). The Privacy Protection Study Commission, responding to a specific Congressional request to address this issue, recommended expansion of the Privacy Act recovery to both special and general damages (Personal Privacy in an Information Society 530-1 (1997)). The limitations of the Privacy Act in providing satisfactory remedies have been noted by various commentators, including Paul M. Schwartz and Joel R. Reidenberg, Data Privacy Law § 5-5(a) (1996).

We recommend that the rights provided by the legislation be enforceable in any court of competent jurisdiction, as in the case of the Fair Credit Reporting Act, and we recommend that there be nothing to prevent States from providing other remedies in State law for violation of the Federal law.

We recommend that recovery for the wrongful behavior of public employees acting in an official capacity be against their agencies, in accord with current law.

Some current enforcement of privacy rights occurs through litigation under common law theories of a general public policy of medical confidentiality (derived from privilege and licensing statutes), contract, malpractice, and tortious invasion of privacy. Federal confidentiality legislation should bring certain and uniform standards to the redress and recovery process, and thus we recommend that there be no common law recovery for uses and disclosures of information permitted by the Federal law and not otherwise prohibited.

These recommendations are intended to protect record holders and those who assist in making determinations about disclosures against liability based on those disclosures if they act in good faith. Record holders should be able to, but should not have to, make their own inquiries into requests for allowable disclosures in the absence of a facial irregularity in the request.

2. CIVIL MONEY PENALTIES

We recommend that there be authority to impose civil money penalties on any covered entity which has demonstrated a pattern or practice of failure to comply with the provisions of the law.

We recommend this additional remedy for grave or continuing offenses. The procedural aspects of the penalties could be similar to those for wrongdoing in the Medicaid and Medicare programs, under section 1128A of the Social Security Act.

3. ALTERNATIVE DISPUTE RESOLUTION

We recommend that the alternative dispute resolution procedures be available for disputes giving rise to civil liability under the law.

4. CRIMINAL PENALTIES

We recommend criminal penalties (including fine and imprisonment) at the felony level for obtaining health information under false pretenses, for knowing and unlawful obtaining of health information, and for knowing and unlawful use or disclosure of health information.

We recommend that the penalties be higher for any of these acts performed for profit or monetary gain.

Activities that should violate the law would be requesting or obtaining health information under false pretenses from a covered entity; knowingly obtaining protected health information with the intent to sell, transfer, or use the information for profit or monetary gain; knowingly selling, transferring, or using health information for profit or monetary gain; or knowingly using or disclosing health information in violation of the law's requirements for nondisclosure.

The penalties we recommend are modeled on the penalties provided in the Health Insurance Portability and Accountability Act of 1996 for violation of disclosure restrictions in the administrative simplification provisions of that Act (Social Security Act § 1177, 42 U.S.C. § 1320d-6).

I. ADMINISTRATION

1. IMPLEMENTATION

We recommend that the legislation provide authority to issue regulations to implement the legislation.

We recommend that there be authority to

-- sponsor research relating to the privacy and security of health information;

-- develop information and technical guidance for protection of health information; and

-- develop technology to implement standards regarding health information.

We recommend that there be authority to promulgate

-- model notices of information practices for use by entities subject to the legislation;

-- model authorizations for disclosure and model statements of intended use of health information by persons requesting that patients authorize disclosure of health information;

-- guidelines for the administrative, technical, and physical safeguards required to protect health information;

-- guidelines for what levels and amounts of information constitute "identifiable" information, and guidelines for minimum allowable disclosures in particular situations;

-- guidelines for use within organizations of health information "only for purposes compatible with and directly related to the purposes for which the information was collected or received";

-- requirements for institutional review boards authorized to approve disclosures for research;

-- model notices to advise patients of efforts to obtain health information in legal proceedings; and

-- standards for electronic and magnetic writings that would fulfill the requirements of the legislation.

This recommendation recognizes the need for interpretation and application when new confidentiality standards govern health information. An ongoing Federal authority is needed to preclude doubt and confusion, to provide certainty in applying the rules, and to be a point of public reference and recourse with respect to violations subject to civil money penalties.

In addition, there should be authoritative sources of technical guidance for several matters that cannot be addressed in detail in legislation. Entities subject to the legislation should be assured that they are in compliance if they use model notices, security practices, and other forms and techniques promulgated centrally. In some areas, like restricting use of health information to the purposes for which it was collected, new organizational and administrative techniques could be promulgated to assist small businesses to comply.

2. AUTHORITY FOR LIMITED SUSPENSION

We recommend that there be authority to suspend, by regulation, any provision of the legislation for a limited period in the event of an unforeseen significant threat to health or safety, significant threat to patient privacy, major economic disruption, or manifest unfairness.

The design of precise controls on the use and disclosure of information is a complex task, and it is possible that the legislation would forbid a disclosure, or otherwise constrain behavior, in a way that causes unanticipated hardship.

Authority to suspend a provision would ensure that situations like this could be addressed, on a temporary basis, pending Congressional consideration of amendments.

Federal agencies are accustomed to the flexibility provided by the Privacy Act of 1974, whose routine use provision (5 U.S.C. § 552a(a)(7) and (b)(3)) permits agencies to make administrative choices to disclose information beyond the disclosures explicitly allowed in the statute. We do not recommend administrative authority as flexible as the routine use provision, which appears in a law covering all activities of all Federal agencies, and where a statutory catalog of all possible uses of information was not feasible. We recommend a provision to deal with extraordinary situations that may have not been foreseen, and then only for a limited time.

3. EFFECTIVE DATE

We recommend that the obligations of the providers and payers become effective 9 months after the promulgation of implementing regulations.

We recommend that there be authority to exempt records in existence on the date of enactment from compliance with specific provisions of the law, for time-limited periods.

These recommendations are for an implementation schedule to ensure adequate time to apply the rules to health information in the hands of providers and payers.

The requirements we recommend can be applied with minimal trouble to new transactions with patients and to records developed with the legislation as background and guidance. At the same time, to apply the legislation to existing records, including some that are in archival status, could present undue hardships, with little benefit to patients. It is not intended that patients whose records exist already should not get the protection of the law. The exemption provision should be available only for situations where there is no significant adverse privacy effect on the patient.

III. CONCLUSION

Thomas Jefferson said: "Our laws and institutions must keep pace with the progress of the human mind." We believe that these recommendations should be the first -- not the last -- chapter in an on-going bipartisan process to safeguard our citizens' right to health care privacy in an ever-changing world.

Ultimately, we must judge ourselves by whether we leave the next generation with real Federal privacy standards grounded in fundamental principles. Will we have boundaries to ensure that, with very few exceptions, our health care information is used only for health care? Will we have assurances that our information is secure? Will we have knowledge about and control over what happens to our health care records? Will those who violate our privacy be held accountable -- and those who are violated be able to seek redress? Will we be able to safeguard our privacy rights while still protecting our core public responsibilities like research, public health, and law enforcement?

In short, will we be able to harness these revolutions in biology, communications, and health care delivery to breathe new life into the trust between our patients and their doctors, between our citizens and their government, between our past and our future? We can. And, if we work together and act quickly, we will.

FOOTNOTES

(1) The directive requires EU States to "protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to processing of personal data". (Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, art. 25, ¶ 1 (Eur. O.J. 95/L281)).

(2) 9 Part I, U.L.A. 475 (1988 and Supp. 1996)

(3) Workgroup for Electronic Data Exchange, Report to the Secretary of U.S. Department of Health and Human Services Appendix 4, Confidentiality and Antitrust Issues 5 (1992). For other analyses of the State law situation see Robert M. Gellman, Prescribing Privacy: The Uncertain Role of the Physician in the Protection of Patient Privacy, 62 N.C. L. Rev. 255 (1984); Lawrence O. Gostin, Health Information Privacy, 80 Cornell L. Rev. 101 (1995); Paul M. Schwartz and Joel R. Reidenberg, Data Privacy Law § 7-3 (1996).

(4) Richard S. Dick and Elaine B. Steen, eds., The Computer-Based Patient Record: An Essential Technology for Health Care (1991). A revised version of this report is expected in the autumn of 1997.

(5) The National Committee on Vital and Health Statistics, an advisory committee to the Secretary of Health and Human Services, is established by the Public Health Service Act § 306(k), 42 U.S.C. § 242k(k), and its membership was expanded to include persons distinguished in "privacy and security of electronic information" by the Health Insurance Portability and Accountability Act of 1996. In the course of its consultation on these recommendations, its Subcommittee on Privacy and Confidentiality held six days of hearings on health privacy during the first two months of 1997. Witnesses included health care providers, researchers, public health authorities, Federal and State oversight agencies, accreditation organizations, insurers, claims processors, pharmaceutical manufacturers, Federal agencies, law enforcement agencies, and patient and privacy advocates. (Health Privacy and Confidentiality Recommendations of the National Committee on Vital and Health Statistics, Approved on June 25, 1997)

(6) U.S. Congress, Office of Technology Assessment, Protecting Privacy in Computerized Medical Information 44 (1993).

(7) Molla A. Donaldson and Kathleen N. Lohr, eds. Health Data in the Information Age: Use, Disclosure and Privacy 190 (1994).

(8) Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, § 264(c)(2), 110 Stat. 1936, 2033 (1996). Congress has provided for confidentiality protection for a limited class of information if legislation is not enacted.

If Congress does not enact legislation on standards for privacy of health information transmitted in connection with financial and administrative transactions (i.e., the information subject to the standards to be developed under section 262) within 36 months, the Secretary of HHS must issue regulations with privacy standards for these transactions within 42 months of enactment (§ 264(c)(1)). This is timed to coincide with the effective date of the standards under section 262.

(9) Social Security Act § 1178(a)(2)(B), added by section 262 of the Health Insurance Portability and Accountability Act of 1996.

(10) Health Privacy and Confidentiality Recommendations of the National Committee on Vital and Health Statistics, Approved on June 25, 1997