4
Confidentiality and Privacy of Personal Data

Earlier chapters introduced the Institute of Medicine (IOM) committee's conceptualization of health database organizations (HDOs), outlined their presumed benefits, listed potential users and uses, and examined issues related to the disclosure of descriptive and evaluative data on health care providers (institutions, agencies, practitioners, and similar entities). This chapter examines issues related to information about individuals or patients—specifically, what this committee refers to as person-identified or person-identifiable data. It defines privacy, confidentiality, and security in the context of health-related information and outlines the concerns that health experts, legal authorities, information technology specialists, and society at large have about erosions in the protections accorded such information. It pays particular attention to the status that might be accorded such data when held by HDOs.

Existing ethical, legal, and other approaches to protecting confidentiality and privacy of personal health data offer some safeguards, but major gaps and limitations remain. The recommendations at the end of this chapter are intended to strengthen current protections for confidentiality and privacy of health-related data, particularly for information acquired by HDOs.

HISTORICAL PERSPECTIVES AND GENERAL OBSERVATIONS ON DISCLOSURE OF INFORMATION

The Privacy Protection Study Commission (PPSC) was created by the Privacy Act of 1974 to investigate the personal data recordkeeping practices of governmental, regional, and private organizations. In its landmark 1977 report, Personal Privacy in an Information Society (PPSC, 1977a), the commissioners noted that:

Every member of a modern society acts out the major events and transitions of his life with organizations as attentive partners. Each of his countless transactions with them leaves its mark in the records they maintain about him.

The report went on to point out that:

... as records continue to supplant face-to-face encounters in our society, there has been no compensating tendency to give the individual the kind of control over the collection, use, and disclosure of information about him that his face-to-face encounters normally entail.

The warnings implicit in the commissioners' statement are even more pertinent today. The emergence of HDOs in the 1990s comes at a time when the American public is expressing growing concern about threats to personal privacy. A 1993 Louis Harris poll found that 79 percent of the American public is "very" (49 percent) or "somewhat" (30 percent) worried about the threat to personal privacy (Harris/Equifax, 1993).[1] This response has remained stable since 1990, when it rose sharply from the 64 percent figure cited for 1978. Eighty percent of respondents agreed that "consumers have lost all control over how personal information about them is circulated and used by companies." The 1992 survey also asked about the effect of computers on privacy. Sixty-eight percent agreed strongly or very strongly that "computers are an actual threat to personal privacy," and almost 90 percent agreed that computers have made it much easier to obtain confidential personal information improperly (Equifax, 1992).

[1] In October 1993, Equifax, a credit reporting company, released the results of a Louis Harris poll, the most recent in a series of surveys commissioned by Equifax and conducted periodically since 1978. For the first time, the 1993 survey assessed the beliefs and attitudes about privacy and disclosure of health information of a sample of the public and of "health leaders." A number of the survey questions bear directly on the issues addressed in this chapter.

Many privacy experts have described the ready availability of personal information (e.g., see Piller, 1993). Rothfeder (1992) asserts that about five billion records in the United States describe each resident's whereabouts and other personal information. He also claims that such information is moved from one computer to another about five times a day (pp. 22-23):

Information about every move we make—buying a car or a home, applying for a loan, taking out insurance, purchasing potato chips, requesting a government grant, getting turned down for credit, going to work, seeing a doctor—is fed into ... databases owned by the credit bureaus, the government, banks, insurance companies, direct marketing companies, and other interested corporations. And from these databases it's broadcast to thousands ... of regional databanks as well as to numerous information resellers across the country.

Rothfeder believes that such pervasive data acquisition and exchange can lead to a feeling of powerlessness in the face of privacy intrusion. His language is evocative (p. 30):

Increasingly, people are at the whim of not only pressure groups, but also large organizations—direct marketers, the credit bureaus, the government, and the entire information economy—that view individuals as nothing but lifeless data floating like microscopic entities in vast electronic chambers, data that exists [sic] to be captured, examined, collated, and sold, regardless of the individual's desire to choose what should be concealed and what should be made public.

It may be that the increasing aggregation of personal data documenting the details of our physical attributes and defects, behaviors, desires, attitudes, failings, and achievements creates a virtual representation of us. Some have called this a "computerized alter ego" or a "digital version of each of us to go with our public personae" (Rothfeder, 1992, p. 16, citing Miller). To the extent this is so, the privacy of this "virtual person" requires protection.

Recently the U.S. Congress has given serious attention to reform of the Fair Credit Reporting Act (Public Law [P.L.] 102-550; see below). It has also looked at technology-driven privacy issues: most pertinent are legislative proposals to restrict caller I.D. programs (S. 652; H.R. 1305; also see House Report No. 102-324, 102nd Congress, 2d Session) and junk telephone calls and junk faxes (P.L. 102-243, "Telephone Consumer Protection Act of 1991"). Some congressional efforts, such as bills related to DNA testing and genetic profiling (S. 1355, "DNA Identification Act of 1991"; H.R. 2045, "Human Genome Privacy Act"), were intended to protect individuals against threats posed by medical technologies or initiatives. In October 1991, the Committee on Government Operations of the U.S. House of Representatives, Subcommittee on Government Information, Justice, and Agriculture, held hearings on genetic privacy issues, and in April 1992 it issued a report calling for reforms related to the privacy of genetic information.

Both the U.S. Congress and the Administration have undertaken activities related to the protection of medical information. In October 1993 the Senate Committee on the Judiciary held hearings on High Tech Privacy Issues in Health Law, and in November the Subcommittee on Government Information, Justice, and Agriculture of the Committee on Government Operations held a hearing on a report prepared by the Office of Technology Assessment (OTA, 1993) at the request of that subcommittee and the Senate Subcommittee on Federal Services, Post Office, and Civil Service. The former committee has also been drafting legislation to protect the privacy of health information.[2] A Task Force on Privacy was established in 1990 by the Assistant Secretary for Planning and Evaluation of the Department of Health and Human Services (DHHS) to report on the privacy of private sector health records. Another DHHS group established at the same time, the Workgroup on Electronic Data Interchange (WEDI, 1991), also addressed the protection of information when medical insurance claims are handled electronically. The recommendations of that workgroup are discussed later in this chapter. Two of President Clinton's Health Care Reform Task Forces met during the spring of 1993. They considered the implications of and generated plans for the protection of health-related data that would be acquired and held under the administration's proposal for health reform. The legislative proposals in the Health Security Act contain specific privacy protection provisions.[3]

[2] The OTA report was released just as the IOM report was being completed.

[3] The Administration's Health Security Act (HSA, 1993) calls for the development of Health Information System Standards within two years of its enactment to promulgate standards and security safeguards for the privacy of individually identifiable health information that is in the health information system (see Footnote 1, Chapter 2). The proposed legislation states the following principles: (1) All disclosures of individually identifiable health information by an individual or entity shall be unauthorized unless (a) the disclosure is by the enrollee identified in the information or whose identity can be associated with the information; (b) the disclosure is authorized by such enrollee in writing in a manner prescribed by the Board; (c) the disclosure is to Federal, State, or local law enforcement agencies for the purpose of enforcing this Act or an Act amended by this Act; or (d) the disclosure otherwise is consistent with this Act and specific criteria governing disclosure established by the Board. Further, disclosure of individually identifiable health information shall be restricted to the minimum amount of information necessary to accomplish the purpose for which the information is being disclosed. It would require that any individual or entity who maintains, uses, or disseminates individually identifiable health information implement administrative, technical, and physical safeguards. It stipulates that an enrollee (or an enrollee representative) has the right to know (a) "whether any individual or entity uses or maintains individually identifiable health information concerning the enrollee; and (b) for what purposes the information may be used or maintained" (Sec. 5120). It also specifies a right of access to see, copy, and have entered a notation of any amendment or correction of his or her information. It specifies a right to receive a written statement concerning (1) the purposes for which individually identifiable health information may be used or disclosed by, or disclosed to, any individual or entity; and (2) the right of access described above. The legislation also calls for the use of a unique identifier in transmitting information. It further specifies that individually identifiable health care information may not be used in making employment decisions. Sec. 5121 calls for the National Health Board to sponsor (1) research relating to the privacy and security of individually identifiable health information; (2) the development of consent forms governing disclosure of such information; and (3) the development of technology to implement standards regarding such information. It should also establish education and awareness programs, foster adequate security practices, and train personnel of public and private entities in appropriate practices. Sec. 5122 calls for a proposal not later than three years after enactment of the HSA to provide a comprehensive scheme of Federal privacy protection for individually identifiable health information that would include a Code of Fair Information Practices and provide for enforcement of the rights and duties created by the legislation. (Health Security Act, Title V, Part 2, Privacy of Information.)

State legislatures have also been active. In the past three years, for example, many states have adopted legislation that prohibits employers from discriminating against applicants and employees on the basis of off-the-job, lawful activity or some specific subset of lawful activity, such as cigarette smoking.

SOURCES OF CONCERNS ABOUT PRIVACY AND THE CONFIDENTIALITY OF HEALTH RECORDS

Two somewhat distinct trends have led to increased access to the primary health record and subsequent concerns about privacy. One has to do with primary health records regardless of how they are created and maintained; the other involves health records stored electronically.

Health Care Records

The quantity and type of health care information now collected has also increased dramatically in recent years. The participation in health care delivery of many different individuals and groups of providers exerts strong pressures to document in ever greater detail. The expanding numbers of available technologies for diagnosis and therapy mean that details that a provider could at one time recall must now be recorded and thus become available for inspection by others. Further, information on lifestyle (e.g., use of tobacco or alcohol), family history, and health status has become of greater interest and relevance as we learn more about the relationship of these factors to overall health and well-being. In addition, genetic data are becoming more readily available, not only for prenatal testing but also for assessing an individual's degree of risk for an inherited condition.[4] The more detailed the information about an individual or class of individuals, the more appropriate, one hopes, is the treatment they will be given. Further, documentation of care and risk factors is essential to promoting continuity of care over time and among providers. It is also a first defense against charges of malpractice.

[4] An IOM report on assessing genetic risk explores these issues in considerable detail and develops a strong pro-privacy stance (IOM, 1993b).

The primary health record is no longer simply a tool for health care providers to record their impressions, observations, and instructions. Rather, it serves many purposes beyond direct health care. Third-party payers access patient record information to make payment determinations, and managed care organizations access patient records for precertification and case management. Other parties external to the healing relationship seek person-identified information and assert socially beneficial reasons for access. What was once the "business" only of patients and possibly their physicians has now become the business of such groups as: (1) officers of government entitlement programs checking on eligibility and on patient and provider fraud and abuse; (2) agencies granting security clearances; (3) attorneys bringing criminal or civil charges; and (4) social service workers protecting possibly abused children, to name only a few. Others access secondary health records or obtain portions of the medical record when making decisions about hiring, granting a license, or issuing life, health, or disability insurance.

Electronic Records

Other trends give rise to particular concerns about the confidentiality of health information that is stored electronically. First is the ability to access, transmit, and copy large volumes of data easily. Photocopying paper records is, of course, possible, but it is hardly feasible for large numbers of geographically dispersed medical records. Electronic storage and transmittal of data, by contrast, enable interested parties to aggregate information for individuals over time and across institutions and providers of care. Second, databases were at one time discrete—often held in physically secure rooms on tape drives—with identifiers that were unique to a given institution or insurer. Now, however, data from diverse sources can be combined and linked. Once data are stored electronically, networks of databases can be explored almost imperceptibly from remote locations. Unless systems are designed to record every access (that is, to keep an audit trail), the curious, entrepreneurial, or venal can enter databases without leaving evidence of having done so. Third, computer-based health data have become a very valuable commodity. Some companies obtain information from physicians' computers and pharmacy records for sale to pharmaceutical companies in return for incentives such as low-cost computer hardware and software. These companies gather such identifying variables as age, sex, and Social Security numbers even if patient names are either not taken or are later stripped off (Miller, 1992). Other companies resell information from prescription or claims databases to companies that sort it by physician for marketing purposes. For example, Health Information Technologies, Inc., helps automate private physicians' insurance claims. When it transmits claims and payments between the insurance company and the physician, it retains electronic copies of these records, and it can later sell them (presumably without physician or patient names) for pharmaceutical and other related kinds of marketing (Miller, 1992). In August 1993, Merck & Company purchased Medco Containment Services, a mail-order prescription firm. The purchase price, $6 billion, was based in part on the value of the information in its databases to influence physician prescribing practices (Tanouye, 1993). HDOs will control a gold mine of information, and they may find it difficult indeed to resist economic benefits from allowing access to their data files by third parties.

Finally, because developers of HDOs have compared claims transmittal to electronic funds transfer (EFT), it is helpful to examine how the Privacy Protection Study Commission regarded confidentiality in EFT. The commissioners were alert to problems that might result if records created by EFT could not be controlled by institutions. Noting that automated clearinghouses centralize information that would otherwise be segregated among diverse depository institutions, their report (PPSC, 1977a) expressed worry about threats posed by the accumulation and centralization of the financial information that flows through such clearinghouses. The commissioners also recognized that the resulting pools of information would become attractive sources of person-identifiable information for use "in ways inimical to personal privacy" (p. 121). They urged that adequate protections be established for person-identifiable information flowing through an EFT data communications network and that such account information be retained for as limited a period of time as was essential to fulfill operating requirements of the service provider. Thus, in contemplating EFT, the commissioners did not foresee, and certainly did not encourage, the creation of an information repository of the kind now contemplated under the concept of an HDO.

DEFINITIONS

Below, the committee offers definitions of critical terms—privacy (especially informational privacy), confidentiality, security, and health-related information.

Privacy

The most general and common view of privacy conveys notions of withdrawal, seclusion, secrecy, or of being kept away from public view, but with no pejorative overtones. By contrast, an invasion of privacy occurs when there is intentional deprivation of the desired privacy to which one is entitled. In public policy generally and health policy in particular, privacy takes on special meanings, some derived from moral theories, others from legal doctrine, and one from the widespread use of health information.

Privacy is sometimes characterized as the "right to be left alone" (Cooley, 1880; Warren and Brandeis, 1890; Elison and Nettiksimmons, 1987; Turkington, 1987; Herdrich, 1989). Many experts, however, have objected that such a definition is too broad to be helpful in the health context. There are innumerable ways of not being left alone that arguably have nothing to do with privacy (Thomson, 1975; Reiman, 1976; Parent, 1983), such as when an individual is subjected to aggressive panhandling on a city street. Consequently, theorists have sought to refine their conceptions of privacy. Their aim has been to isolate what is unique about privacy, to identify what constitutes its loss, and to distinguish among a variety of conceptually related but separable senses of privacy (Gerety, 1977; McCloskey, 1980; Schoeman, 1984).

The development and application of the concept of privacy in American law encompasses three clusters of ideas.[5] First, privacy embodies autonomy interests; it protects decisions about the exercise of fundamental constitutional liberties with respect to private behavior, such as decisions relating to marriage, procreation, contraception, family relationships, and child-rearing. This is frequently characterized as decisional privacy (Tribe, 1978). Second, privacy protects against surveillance or intrusion when an individual has a "reasonable expectation of privacy." Examples include protections against unlawful searches of one's home or person and unauthorized wiretapping. Third, privacy encompasses informational interests; this notion is most frequently expressed as the interest of an individual in controlling the dissemination and use of information that relates to himself or herself (Shils, 1966; Westin, 1967), or in having information about oneself be inaccessible to others. This last form, informational privacy, is the main subject of this chapter.

[5] In the United States, privacy is restricted to real persons. In Europe, legal persons are generally included.

Informational Privacy

Informational privacy—"a state or condition of controlled access to personal information" (Schoeman, 1984; Allen, 1987; Powers, 1993)—is infringed, by definition, whenever another party has access to one's personal information by reading, listening, or using any of the other senses. Such loss of privacy may be entirely acceptable and intended by the individual, or it may be inadvertent, unacceptable, and even unknown to the individual. This definition of privacy thus reflects two underlying notions. First, privacy in general and informational privacy in particular are always matters of degree. Rarely is anyone in a condition of complete physical or informational inaccessibility to others, nor would they wish to remain so. Second, although informational privacy may be valuable and deserving of protection, many thoughtful privacy advocates argue that it does not, in itself, have moral significance or inherent value (Allen, 1987; Faden, 1993). Nonetheless, informational privacy has value for all in our society, and it accordingly has special claims on our attention. In his pivotal book, Privacy and Freedom, Westin (1967) described it as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others" (p. 7). This definition served as the foundation for the Privacy Act of 1974 (P.L. 93-579; 5 U.S.C. § 552a). This act, arguably the most significant step to protect privacy in recent decades, was enacted to control use of personally identifiable information maintained in federal government databases.

Recordkeeping Privacy

In recent decades, discussions about privacy have almost exclusively addressed the use of information about people to make decisions about some right, privilege, benefit, or entitlement—so-called "recordkeeping privacy." This focus was of particular interest to those framing the Privacy Act of 1974. More recently the desire for informational privacy has become an important expectation, not because of a benefit or entitlement sought, but for its own sake. Information may be created as a byproduct of some event—for example, an individual's geographic location becomes available when he or she uses a bank card for a financial transaction; similarly, one's preferences are known when one buys goods by mail order or uses a check-verification card at the local supermarket. In yet other cases, information derives from aggregating data from many sources, including public records; such aggregation can also include data that have been derived from computer processing (e.g., buying profiles or dossiers). Data subjects want informational privacy to be respected in such contexts as well. Many people in the United States would like to believe that data collected about them legitimately, in connection with some transaction or incidentally through participation in the general activities of society, will not be exploited for secondary purposes such as advertising, soliciting, telemarketing, promotional activities, or other actions that are distinct from and unrelated to the activities for which the data were originally collected (see Harris/Equifax, 1993). As should be clear from the discussion in this chapter, however, these hopes are often not realized in general or in relation to health information.

Privacy Rights

To assert a right is to make a special kind of claim. Rights designate some interests of the individual that are sufficiently important to hold others under a duty to promote and protect, sometimes even at the expense of maximizing or even achieving the social good (Raz, 1986). Two interests are widely cited as providing the moral justification for privacy rights: the individual's interest in autonomy and the instrumental value that privacy may have in promoting other valuable human goods. With respect to autonomy, privacy fosters and enhances a sense of self (Reiman, 1976). Respecting privacy enhances an individual's autonomy (Westin, 1967; Benn, 1971; Bloustein, 1984). It allows the individual to develop the capacity to be self-governing or "sovereign," a notion analogous to the sense in which autonomous states are sovereign (Beauchamp and Childress, 1989). The loss or degradation of privacy can enable others to exercise an inordinate measure of power over the individual's economic, social, and psychological well-being (Gavison, 1980; Parent, 1983). With respect to the value of privacy in promoting other ends, its instrumental value, privacy permits the development of character traits and virtues essential to desirable human relationships. These include trust, intimacy, and love. Without some measure of privacy, these relationships are diminished or may not be possible (Fried, 1968; Rachels, 1975).

The existence of informational privacy rights means that someone is under a duty either not to disclose information or to prevent unauthorized access to information by others. Dworkin (1977) has argued that for a right to be meaningful, any policy or law overriding such duties must withstand rigorous scrutiny, and that considerations of social utility alone are inadequate grounds to override it. That is, to take rights seriously is to recognize some limits on the prerogative of government or others to mandate the common good at the expense of the individual. This is not to say, however, that rights function as an absolute barrier to the pursuit of collective goals; indeed, the tension between individual and social goals is reflected in the issues raised in Chapter 3, as well as in this chapter.

Balancing Benefits of HDOs Against Loss of Informational Privacy

There cannot be much doubt that HDOs will serve legitimate societal interests as described in Chapter 2. Nevertheless, because HDOs will represent one of the most comprehensive and sensitive automated personal record databases ever established, they inevitably implicate interests protected by informational privacy principles. Accordingly, HDO advocates will be well served from an ethical as well as legal viewpoint if they consider what social goods justify possible loss of privacy and how such loss can be minimized or prevented. Whether HDOs can achieve their potential for good in the face of their possible impact on privacy will likely turn on the interplay of three considerations. First, to what extent do the HDOs provide important (and perhaps irreplaceable) health care benefits to their regions and perhaps to the nation? Second, do the societal benefits resulting from the implementation of HDOs outweigh the privacy risks? Third, to what extent have adequate privacy safeguards been incorporated into the HDOs?

Federal and State Privacy Protection

No explicit right to privacy is guaranteed by the Constitution of the United States; in fact, the word "privacy" does not appear. The presumed right as the basis of a civil action traces to the 1890 law review article by Samuel D. Warren and Louis D. Brandeis (Warren and Brandeis, 1890), and its constitutional status derives from various amendments in the Bill of Rights. The issues surrounding the constitutional status of privacy protection are too numerous and controversial to explore in detail here. Most constitutional scholars agree that federal constitutional protections are unlikely to provide the first line of defense for privacy of health information. The Constitution generally has not provided strong protection for the confidentiality of individual health care information; the constitutional protection for informational privacy is thus very limited and derived from case law interpreting the Constitution. The courts have made clear that, at least theoretically, information privacy principles based on the Constitution limit a government agency's collection and use of personal information to situations in which the use bears a rational relationship to a legitimate governmental purpose. The government's interest in the information program must outweigh the threat to personal privacy posed by the program.[6] In Whalen v. Roe (429 U.S. 589 [1977]), for example, the Supreme Court balanced the privacy threat posed by a New York State law against the statute's benefits. The New York State statute required pharmacists and physicians to report sensitive health record information to state officials, in

[6] See Plante v. Gonzalez, 575 F.2d 1119, 1123 (5th Cir. 1978). However, in J.P. v. DeSanti, 653 F.2d 1080, 1090 (6th Cir. 1981), the Sixth Circuit held that the Constitution's right-to-privacy standard does not extend to the disclosure of personal information.

only one circumstance: when needed by the treating practitioner. In such a situation it will be important that specific consent techniques be in place. The following requirements, similar to those in the Uniform Health Care Information Act, are based on PPSC recommendations for medical record information consent forms. Patient consent must:

- be in writing or electronically provided in an acceptable manner;
- be signed or authorized electronically by the individual on a date specified;
- be clear about the entities being authorized to disclose information;
- be specific about the nature of the information to be disclosed;
- be specific as to the institutions or persons to whom the information may be disclosed;
- be specific about the purposes for which the information may be used, both at the time of the intended disclosure and at any future time; and
- be specific as to the date when the authorization expires.

Requirements of signed and written consent, which arose at a time when all records were kept on paper, are still valid, but they will require modification to permit consent by computer, such as by a keypad attached to a terminal in a treating physician's office. The Uniform Act expressly states that the signing of an authorization is not a waiver of any privacy rights that the patient may have under other statutes, rules of evidence, or common law. It further requires that providers (or, in this case, HDOs) retain a copy of each authorization and provides that an authorization may not permit the release of health record information relating to health care that is to be provided more than 90 days in the future. (Exceptions are made for disclosures to third-party payers, but they would be irrelevant for HDOs.) Finally, the Uniform Act states that a patient may revoke a disclosure authorization in writing at any time.
Even if consent and participation rights are in place, privacy protection is not ensured, because strategies used to obtain consent, in particular, are fallible. As discussed earlier in this chapter, for example, patients experience substantial pressure to sign authorizations and waivers in order to facilitate both access to and payment for health care.

Release of Person-identified Data

In the seven cases listed in Recommendation 4.3, the committee believes that values other than confidentiality justify access to person-identifiable information with or without consent, and that there exist adequate safeguards for the protection of data in these very limited circumstances. Those values include autonomy for patients in accessing their records, fiduciary responsibility for those unable to care for themselves or make health decisions for themselves, beneficence in providing health care in acute situations, and the social benefits of epidemiologic and health services research. The rationale for each case is described below.

The Standing of Other HDOs

HDOs will need to acquire information about out-of-area care provided to persons in their databases and should be able to do so for those specific circumstances. For example, one HDO might ask another to provide information for state residents of given zip codes who have been hospitalized in other states. The committee concludes that if the requesting HDO has confidentiality and security protections that are at least as stringent as those of the HDO that would be releasing the information, the data should be released. Such HDOs might be in adjoining states (e.g., when Vermont residents are hospitalized in New Hampshire) or within a single state; in other cases they might include overlapping geographical areas such as one or more states and a metropolitan area. In all such cases, individuals might be expected to be found in several different HDOs, and in their best interest (insofar as needed health care is concerned), their data ought to be shared or transferred.

The Standing of Persons, Parents, and Legal Representatives

The second case cited in Recommendation 4.3 is self-evident—when information about themselves is sought by individuals. The third and fourth cases reflect the need to care for minors and persons who are legally incompetent to give consent for themselves. One important case concerns the parents of a minor child, except when certain actions are protected by state law. Such exceptions include, for instance, family planning services. Emancipated minors are those who live away from home or are in the armed forces and manage their own financial affairs.
Mature minors, although still dependent on their parents, are judged to be mature enough to understand the treatment or issue in question and to give informed consent for their own care. The committee believes that privacy and confidentiality for emancipated and mature minors should have the same protection as that given to adults. Parental involvement should be related to the age and development of the minor. Current state laws regarding emancipated or mature minors do not consistently protect such information, and uniform federal legislation is desirable. The other important case involves legal representatives of incompetent patients. Such legal or personal representatives include guardians as well as individuals who are named in advance directives and granted durable power of attorney.

The Special Standing of Research

The fifth case in Recommendation 4.3—researchers with approval from relevant human subjects committees or institutional review boards (IRBs)—is a different category. In this case person-identified information is not being sought by the patient or for care of the patient, but to conduct studies that in some fashion are regarded to be in the public's interest. Such uses of the databases are considered by this committee to be central and vital to the effective implementation of HDOs. For this reason, researchers whose research design and study plans are deemed appropriate and approved by a review panel—typically but not necessarily an IRB at the lead researcher's university or institution—should be permitted access to person-identified or person-identifiable data in the HDO files. An IRB is a specially constituted review body established to protect human subjects, usually those recruited for biomedical and behavioral research, when that research is conducted under the auspices of the institution (USDHHS, 1993b). Review and approval by an IRB is required for research that is conducted by investigators supported by a department or agency subject to federal policy. IRBs function under policies set by federal legislation (45 CFR 46 for the Department of Health and Human Services; Federal Register, 1991a) and by policies of the institution. Members of the IRB carefully weigh the likely risks and benefits of the proposed research and the procedures and protections for the research subjects. When research involves only the review of records, such as those in HDOs, the IRB is encouraged to determine that an institutional approval or an expedited review is sufficient.
It may do so if it is persuaded: (1) of the significance of the research and that use of data in personally identifiable form is necessary, (2) that any risk of harm to subjects is minimal, (3) that adequate safeguards will be implemented to protect the record or information from unauthorized disclosure, and (4) that removal and destruction of identifiers will be carried out when the research is complete. The committee urges institutions to review applications when requested by serious investigators who may not be affiliated with an institution. Alternatively, such requests might be considered as exceptions by the Data Protection Board on a case-by-case basis. The committee believes it will usually not be necessary for researchers to obtain consent from record subjects for access to person-identified or -identifiable material, but methods should be incorporated for protecting a record subject's privacy, including notification by the HDO of the uses that may be made of the records. Contacting potential subjects to obtain further information is a more sensitive matter. It requires careful attention and sensitivity to who would make initial contact and what information would be conveyed to potential subjects or their relatives in the course of the contact. The information conveyed should include the purpose of the study and the kind of data that would be collected, the identity of the persons who will have access to the data, the safeguards that will be used to protect the data from inappropriate disclosure, and the risks that could result from disclosure. Such negotiations should also give written assurance that any publications that result will present the data only in aggregate form so that individuals are not identifiable. Research subjects should also be told if they will be contacted in the future (USDHHS, 1993b).

Special Patient Care Considerations

The sixth case in Recommendation 4.3 involves treating licensed practitioners with a need to know in life-threatening situations, whom the committee believes ought to be able to access data about a patient. This requires that the patient be unable to consent at the time care is rendered. A patient in a situation that threatens loss of life or limb sometimes cannot provide coherent but needed medical information because of mental impairment, stress, or substance abuse and is not considered to be a "reliable historian." In such cases the committee believes it appropriate to access such data, if available, through the HDO. When the patient cannot be identified, access to the HDO might be particularly helpful if biometric (nonvolitional) identifiers are part of the database. The committee has chosen the term "licensed practitioner" advisedly, a broader concept than "physician." Circumstances justifying access might occur in a hospital emergency department, in an intensive care unit, or outside the hospital when a health care professional is present and determines that in his or her judgment obtaining certain health information is crucial.
All such cases presume that a primary medical record is not available and that no one (patient, family, or friend) can reliably provide needed health information in a timely way. The seventh case—the release of data to licensed practitioners when treating patients in all other (non-life-threatening) situations, but only with the informed consent of the patient—is the only case in which the committee has recommended the use of informed consent to release of person-identifiable information. Such a circumstance might occur when a treating physician wishes to access the HDO database in addition to the medical records he or she keeps. For example, information on medications prescribed by other practitioners might be pertinent. In such cases, the treating practitioner should obtain explicit consent of the patient. As discussed earlier, consent might be given electronically and might be time limited.

Prohibition on Access to Person-identifiable Data

The committee recommended that HDOs not authorize access to or release of health information on individuals, with or without the informed consent of the individual, in any situation or to any requestor other than those stated above. To ensure that individuals (i.e., patients, parents of minor children, or legal representatives) are not placed in an untenable situation concerning release of information, the committee has opted for a position that does not rely on consent procedures in most uses or disclosures of data. It prefers to rely on stringent policies against disclosure or release of personal information on individuals. It should be noted that the consent procedures described in this recommendation are for release of information by the HDO. Patients will always be able to consent to release of information by each of their care providers. Nevertheless, in some circumstances the committee envisions that consent procedures will be invoked before HDOs will release person-identifiable information. The importance of consent as a concept, and adequate procedures for implementing consent, is accentuated by the multiplicity of uses of HDOs. Given this multiplicity, it is difficult to argue that, by providing information, record subjects have implied their consent to subsequent uses and redisclosures. It may well turn out that record subjects will have little or no idea of the number or variety of disclosures that could be made from an HDO.

Implications of Recommendations Denying Access

The reason for prohibiting broad disclosure following patient consent is that HDOs may contain a longitudinal record about all health care delivered to a patient and many personal details about the patient. Permitting the same ritual of consent to authorize disclosure of this information will result in an increased abridgment of patient privacy. The prohibition on access to person-identifiable information is very broad.
If this limitation is enacted into law or such a policy is promulgated by the HDO, it would have several consequences. For example, employers could not obtain information about "out-of-health-plan" use by their employees even for case management purposes. No access for law enforcement would be permissible through compulsory process (if prohibited by federal preemptive legislation). Attorneys could not access the database to build a case on behalf of clients except through compulsory process in accordance with governing law. Secret service agents seeking information about a person suspected of being a security threat to an elected official could not seek information from the HDO.
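The seven permitted cases above, together with the consent-form requirements listed earlier in this section, amount to a default-deny access policy for person-identifiable records. The following Python is an added illustration and is not code from the IOM report or from any HDO; the names (Requestor, Authorization, Request, authorization_problems, decide_access) and the sample authorization are assumptions constructed for it. It encodes each case as an explicit condition, checks a consent authorization for the listed elements (signer and date, discloser, nature of the information, recipients, purposes, expiration), applies the 90-day future-care limit and revocation, and denies every requestor that matches no case, including employers and law enforcement.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum, auto
from typing import Optional

MAX_FUTURE_CARE_DAYS = 90  # Uniform Act limit cited in the text


class Requestor(Enum):
    OTHER_HDO = auto()              # case 1
    RECORD_SUBJECT = auto()         # case 2
    PARENT_OF_MINOR = auto()        # case 3
    LEGAL_REPRESENTATIVE = auto()   # case 4
    RESEARCHER = auto()             # case 5
    LICENSED_PRACTITIONER = auto()  # cases 6 and 7
    EMPLOYER = auto()               # never a permitted case
    LAW_ENFORCEMENT = auto()
    ATTORNEY = auto()


@dataclass
class Authorization:
    """Patient disclosure authorization carrying the elements the consent-form list requires."""
    signed_by: str
    signed_on: date
    discloser: str                     # entity authorized to disclose
    information: str                   # nature of the information
    recipients: tuple                  # institutions or persons who may receive it
    purposes: tuple                    # permitted uses, now and in the future
    expires_on: date
    care_date: Optional[date] = None   # date of future care the release relates to, if any
    revoked_on: Optional[date] = None  # the patient may revoke in writing at any time


def authorization_problems(auth: Authorization, recipient: str, today: date) -> list:
    """Reasons this authorization cannot support a disclosure to `recipient` on `today`.
    An empty list means the authorization is acceptable."""
    problems = []
    for label, value in (("signer", auth.signed_by), ("discloser", auth.discloser),
                         ("information", auth.information), ("recipients", auth.recipients),
                         ("purposes", auth.purposes)):
        if not value:
            problems.append("missing " + label)
    if recipient not in auth.recipients:
        problems.append("recipient not named")
    if today > auth.expires_on:
        problems.append("expired")
    if auth.revoked_on is not None and auth.revoked_on <= today:
        problems.append("revoked")
    if auth.care_date is not None and (auth.care_date - auth.signed_on).days > MAX_FUTURE_CARE_DAYS:
        problems.append("covers care more than %d days after signing" % MAX_FUTURE_CARE_DAYS)
    return problems


@dataclass
class Request:
    requestor: Requestor
    requestor_id: str
    subject_is_minor: bool = False
    minor_is_emancipated_or_mature: bool = False  # treated like an adult
    state_law_protected_service: bool = False     # e.g. family planning services
    subject_incompetent: bool = False
    irb_approved: bool = False
    life_threatening: bool = False
    patient_can_consent: bool = True
    hdo_protections_at_least_as_stringent: bool = False
    authorization: Optional[Authorization] = None


def decide_access(req: Request, today: date):
    """Return (allowed, reason). Any requestor outside the seven cases is denied."""
    r = req.requestor
    if r is Requestor.OTHER_HDO:
        return req.hdo_protections_at_least_as_stringent, "case 1: requesting HDO's safeguards"
    if r is Requestor.RECORD_SUBJECT:
        return True, "case 2: subject's own record"
    if r is Requestor.PARENT_OF_MINOR:
        ok = (req.subject_is_minor and not req.minor_is_emancipated_or_mature
              and not req.state_law_protected_service)
        return ok, "case 3: parent of a minor"
    if r is Requestor.LEGAL_REPRESENTATIVE:
        return req.subject_incompetent, "case 4: legal representative"
    if r is Requestor.RESEARCHER:
        return req.irb_approved, "case 5: IRB-approved research"
    if r is Requestor.LICENSED_PRACTITIONER:
        if req.life_threatening and not req.patient_can_consent:
            return True, "case 6: life-threatening, patient unable to consent"
        if req.authorization is None:
            return False, "case 7: informed consent required"
        problems = authorization_problems(req.authorization, req.requestor_id, today)
        return not problems, "case 7: " + ("consent valid" if not problems else "; ".join(problems))
    return False, "denied: not one of the seven permitted cases"


# Constructed sample data for a stand-alone run (not taken from the report).
TODAY = date(2024, 6, 1)
SAMPLE_AUTHORIZATION = Authorization(
    signed_by="patient-0001", signed_on=date(2024, 5, 1), discloser="Example HDO",
    information="medications prescribed by other practitioners",
    recipients=("practitioner-17",), purposes=("treatment",), expires_on=date(2024, 12, 31))


def demo():
    """Evaluate a handful of constructed requests and return {label: allowed}."""
    cases = {
        "employer": Request(Requestor.EMPLOYER, "acme-hr"),
        "practitioner_with_consent": Request(Requestor.LICENSED_PRACTITIONER, "practitioner-17",
                                             authorization=SAMPLE_AUTHORIZATION),
        "practitioner_not_named": Request(Requestor.LICENSED_PRACTITIONER, "practitioner-99",
                                          authorization=SAMPLE_AUTHORIZATION),
        "emergency_no_consent": Request(Requestor.LICENSED_PRACTITIONER, "practitioner-99",
                                        life_threatening=True, patient_can_consent=False),
        "parent_family_planning": Request(Requestor.PARENT_OF_MINOR, "parent-1",
                                          subject_is_minor=True, state_law_protected_service=True),
    }
    return {label: decide_access(req, TODAY)[0] for label, req in cases.items()}


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:28s} {'ALLOW' if allowed else 'DENY'}")
```

The design point is that the policy enumerates what is permitted and returns a denial for everything else, so adding a new requestor type does not silently grant access; the reason string also records which case or which consent defect drove the decision, which is what an audit trail for disclosures would want to retain.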

Prohibiting access could result in some disadvantage or inconvenience to the recordholder as well as possible harm to society. Nevertheless, the committee believes that risks to individual privacy and the importance of a clear and unambiguous policy for HDOs outweigh such possible disadvantages. In some circumstances, the committee foresees difficult situations that seem to present a conflict between policies. For example, an individual might wish to obtain a copy of his information in the database that he could then supply to an attorney who needs it for a malpractice case or to an employer who demands it for determining new assignments or for case management purposes. The committee, as noted elsewhere, sees little way to "protect" patient information when the individual requests the information from an HDO and then transfers it as he or she sees fit.

Employer Access

RECOMMENDATION 4.4. RESTRICTING EMPLOYER ACCESS

The committee recommends that employers not be permitted to require receipt of an individual's data from a health database organization as a condition of employment or for the receipt of benefits.

Special circumstances exist in the health sector of particular concern to the committee. One involves the current practice of extensive exchange of medical information between employer and payer, with little control by providers or patients. This practice has dramatic implications for patients whose information is accessed by an HDO if the employer and payer are readily able to tap into data in the network. HDOs could make such exchanges of information more harmful to patients because the information exchanged could cover all encounters the patient has with the health care system (not just those covered by insurance or by the employer's health plan). The committee acknowledges the danger and inappropriateness of these practices.
It thus concurs with a recent IOM report (IOM, 1993e) that urged that access to information collected in connection with employment-based health benefits be limited through provisions analogous to those contained in the Americans with Disabilities Act of 1990 (P.L. 101-336). In Recommendation 4.4, the committee attempts to prohibit the use of HDOs by employers for employment-related decisions about employees. In particular, it seeks to constrain access to person-identifiable data and prevent employers from coercing employees to provide such data about themselves or their families as a condition of employment (e.g., promotion, placement, retention, or termination). This recommendation applies only to the HDO and would not, of course, prevent employers or others from acquiring health information from other sources—examination, a treating physician, an insurer, and so forth. Employees might wish, however, to provide access to their records to their employer's case managers in circumstances relating to needed health care. To account for this, the committee advises that there be a clear and enforceable division of functions between employment and personnel decisions of an employer and the employer's health benefits administration and case management. In the absence of state or federal legislation limiting access and threatening liability, employers should at least promulgate and enforce such internal policies.

Universal Person Identifiers

Unique, individual person identifiers are essential to facilitate the efficient operation and data interchange of HDOs. The committee also recognizes the strong arguments against the use of the SSN as that unique identifier. The great majority of the committee agreed on the need for a new unique identifier on the grounds that the SSN offers too many opportunities to breach confidentiality. The creation of a new number would: (1) permit legislative protection of that number, (2) offer the possibility of greater protection for health information than is possible with the SSN, and (3) occur at the time of implementation of universal health care coverage, which will, if enacted, require some scheme for unique identification.

COMMENT

In this report the committee has addressed its views and concerns about a new entity in health care delivery and recordkeeping—the HDO. Little is really understood about how HDOs will function, what effects they will really have as opposed to the benefits they are expected to offer, and how they will evolve over the next decade or so. These matters will be worked out in an environment of change and stress, as the nation sorts out its posture toward health care and health reform.
This report, therefore, must be seen as laying the groundwork for the context in which HDOs come into being and function. It cannot be read as providing answers to all HDO issues that may arise, but neither could the committee ignore the future completely. In matters of privacy, the unique aspects of the HDO are two: (1) the concentration of medical information about very large numbers of individuals, coupled with (2) the large number of end users who have authorized access to some or all of an individual's record. The HDO will inevitably lead to much more varied use of health care information, and therein is a privacy issue of substantial significance for the future. Undoubtedly, both anticipated and innovative uses of HDO databases will be evolutionary. In an operational sense, this is probably wise and unavoidable; in matters of privacy, it is risky because a small number of seemingly innocuous uses can cumulatively create a substantial privacy risk. Some uses that arise will prove repugnant to society and will be impermissible; others will be considered annoying, but will be tolerated. Some could be so discriminatory or otherwise distasteful that they might well be proscribed by law. The committee notes that the privacy dimension of medical records, regional databases, and HDOs is not a matter that can be examined once and thereafter ignored. New dimensions of privacy will arise, as will extensions of old concerns, new threats to privacy, and new uses of data that prove unwise. From time to time, perhaps every few years in the beginning of the "HDO movement," the privacy issue needs to be revisited and reevaluated. New mechanisms for assuring privacy may need to be invented; new actions by Congress may be needed. Security safeguards that protect the confidentiality of data and the automated systems themselves have similar characteristics. New threats will materialize; penetrators will become more skilled; new motivations for surreptitiously acquiring health data will appear. From time to time, the safeguards will need upgrading and strengthening.

The New Privacy

Privacy concerns have centered historically on the use of information about an individual that governs some decision about her (e.g., a right, entitlement, or privilege) or some action taken for or against her. The benefit or harm as well as the risk of information misuse applies to the same individual.
With the growth of an information industry that deals widely with information about people, the benefit-risk aspect has changed; the benefit has turned toward organizations and society, but the risk has remained for the individual. The traditional recordkeeping characterization of privacy is far too limited given the intense pace of automation in recordkeeping and the electronic linkages of systems of all kinds. Conflicts have already begun to appear with regard to medical data. The most frequently quoted anecdote is that of the pharmaceutical company that uses patient drug use as the basis for targeted mailings and advertising. Some people will tolerate such nonmedical use of health data as an annoyance; others will feel strongly about it; some will be harmed because a mailing can reveal a medical condition that was being concealed. Employer use of health data also brings two motivations into conflict: that of the employer who, having paid for the health care in whole or in part, feels it is entitled to have the data for more efficient management of the organization and that of the individual who considers that health data are personal and to be shared only as he sees fit. Other conflicts will arise, and the concentration of so many kinds of information in an HDO will be a stimulus to their further creation. Looking well to the future, therefore, a Code of Fair Health Information Practices is likely to be necessary. It need not be exactly like the one in the federal Privacy Act; indeed, it would probably have additional provisions for controlling the use of health data. For example, society has not yet expressed its view on how very sensitive kinds of medical information can be used; genetic data is a case in point. It may be decided that prohibitions against particular uses of information will be accepted. If so, then one mechanism for implementation is incorporation of the prohibition, possibly stated in a very general way, into a fair code; another is to cast it into law. There is precedent for such prohibitions; for example, personnel forms cannot ask certain kinds of questions such as those dealing with religion or sexual orientation. For the most part, privacy law in this country has been formulated under the assumption that holders of information about people may generally do with it what they please, constrained only by corporate ethics and the good taste of business, societal acceptance (or outrage), occasional attention by the government, pressures of consumer activist groups, and the consequences of legal actions brought by individuals or consumer groups. This historical view may prove inappropriate or even dangerous in regard to health data. There is now evidence that the American public agrees.
Westin has found high medical privacy concerns among 48 percent of respondents and high privacy concerns in general among 25 percent of survey respondents whom he terms Privacy Fundamentalists. This group would seek sharp limits on organized data collection and legal protection for privacy. Another 57 percent of the public has been termed Privacy Pragmatists. He describes this group as examining each situation to see whether information is really needed for a legitimate societal function and whether safeguards are being followed. The final group he calls Privacy Unconcerned. This small group is not apprehensive about the use of personal data (Harris/Equifax, 1993). Our society and country are designed to operate with what the engineer would call feedback, or what society would call controls, weakly defined and often ad hoc or de facto. The country, its people, its government, and its institutions have survived thus far under this paradigm. With the coming concentration of health information about huge numbers of people in the HDO, is this an acceptable national posture for information that is potentially the most sensitive of all data ever collected about people? It is difficult to attempt answers to a question such as this because the near future of health care is so poorly defined. Events under way—for example, national health care reform—will have a major impact on the motivations of managers in charge of health care providers. The country might be safe with the perception and handling of privacy as it has been done for over two decades, but it might not. There can easily arise distasteful practices in the way health care information is exploited for other than delivery and payment of care. It is simply not known which uses of health care information will be acceptable to society, will wisely serve the needs of society and the health care industry, and will strike an acceptable balance between the desires of a profit-oriented health care industry (which may be ever more prevalent in the future) and the invasion-of-privacy consequences for patients. In short, the privacy dimension of health care information is dynamic, and it must be treated accordingly.

SUMMARY

The committee has examined sources of concerns about informational privacy and the confidentiality of health-related information and security, and it defines each in the context of health information. After a review of privacy rights, confidentiality obligations and disclosure policies, and disclosure as it is treated by law and in practice, the committee concluded that there was much basis for concern about confidentiality, but little applicable legal guidance for HDOs. It reviewed options related to uniform legislation, consent and participation rights, disclosure policies, and governance, and advanced a set of recommendations favoring strong federal preemptive legislation and responsible organizational policies to protect privacy and confidentiality of person-specific information.
In the context in which "confidential" is a designation given data to be protected in terms of security and access, the committee has made a number of recommendations that would help HDOs achieve these ends. First, confidentiality is addressed by a recommendation for preemptive federal legislation that all health care data be confidential, protected as such, and access to it controlled. Second, the committee recommends the establishment of data protection and data integrity boards to provide oversight of security and access in HDOs. To implement protection of health care data, the committee has addressed security and recommended that automated systems and networks supporting HDOs have comprehensive system and network security that reflects the state of the art.

Third, to address patient privacy rights, the report has recommended that patients can have access and other rights regarding their records, and be dealt with through a code of fair health information practices. To accommodate patient expectations of privacy, the committee recommended that patients have certain legally assured rights to recover damages and force compliance if health care information is misused, abused, or improperly released to unauthorized parties. Fourth, to address privacy—the issue of access to personal information—the committee has made recommendations concerning who should and should not have access to person-identified information and under what circumstances.