2 The Public Policy Context

The privacy and security of health information is influenced by many factors that operate at the public policy level. In the United States, protection of health information is generally divided between coverage for records systems operated by federal or state government agencies and record systems operated by the private sector.1 At the federal level, data protection measures are found in constitutional law, the Privacy Act of 1974, and a few statutes that regulate narrow areas of data use. State health record laws generally define the types of information considered confidential and the circumstances under which health information can be shared without patient consent (Table 2.1).

1 Other countries have different frameworks for protecting health information that reflect their different cultures, histories, and political structures. While perhaps providing additional models for consideration in attempts to devise policy for the United States, it is not clear that these structures could be easily adapted to the U.S. system of governance or culture. Hence, they are not reviewed in this report. For a review of privacy policy in the European Community, see Schwartz, Paul M., and Joel R. Reidenberg, 1996, Data Privacy Law: A Study of United States Data Protection, Michie Law Publishers, Charlottesville, Va.; Schwartz, Paul M., 1995, "European Data Protection Law and Restrictions on International Data Flows," Iowa Law Review 80(3):471-496; and Schwartz, Paul M., 1995, "The Protection of Privacy in Health Care Reform," Vanderbilt Law Review 48(2):310. For a historical review of international perspectives on privacy and privacy policies, see Aries, Philippe, and Georges Duby (eds.), 1987, A History of Private Life, Vols. 1-5, Belknap Press of Harvard University Press, Cambridge, Mass.



Copyright © National Academy of Sciences. All rights reserved.




TABLE 2.1 Existing Federal and State Protections for Health Information

FEDERAL PROTECTIONS

Privacy Act of 1974
  Purpose: Requires federal agencies to publicly disclose the existence of government record systems; allows individuals the right to access information about themselves and to copy, correct, or amend records kept by the government; limits the purposes for which the federal government can collect or disclose information without consent.
  Limitations: Applies only to record-keeping systems operated by federal agencies or their contractors.

Freedom of Information Act of 1966
  Purpose: Allows individuals open access to federal agency records, except for those with specific exemptions.
  Limitations: Does not specifically address disclosure of information held by federal agencies.

Americans with Disabilities Act
  Purpose: Prevents public and private organizations from discriminating against individuals because of a disability.
  Limitations: Applies only to those conditions specifically defined as disabilities, not to all health information.

United States Code, Sections 290dd-3 and 290ee-3
  Purpose: Establish special rules of confidentiality for records of patients who seek treatment for drug or alcohol abuse at federally funded facilities.
  Limitations: Limited in scope to information about drug and alcohol abuse; apply only to federally funded facilities.

Medicare Conditions of Participation
  Purpose: Requires hospitals to have a procedure for ensuring the confidentiality of patient records and allows information to be released only to authorized individuals.
  Limitations: Does not address security mechanisms or evaluate practices.

Constitutional law
  Purpose: Interpreted as protecting the privacy of information about individuals.
  Limitations: Lower courts have not strongly enforced this interpretation.

STATE PROTECTIONS

Statutes
  Purpose: Establish confidentiality of the doctor-patient relationship and common tort remedies for breaches of confidentiality.
  Limitations: Statutes do not exist in all states and are not uniform across states. Most do not address the flows of information to secondary users.

Constitutional law
  Purpose: Interpreted as limiting the collection and dissemination of health information.
  Limitations: Rights are not clearly delineated and vary from state to state; they are difficult to enforce.

Common law
  Purpose: Prevents public disclosure of private records and defamation.
  Limitations: Generally limited to widespread disclosures of information to the public or to disclosures to parties without a legitimate interest (i.e., not employers who pay for insurance coverage).

Records held by the private sector are covered under a number of limited laws targeted at specific industries. In general, government and industry-wide protections are limited in scope. Most health information in the United States is collected and processed by private organizations, which are unlikely to meet the applicable threshold tests for state action. Constitutional protections for informational privacy are subject to interpretation and have not been rigorously enforced. Similarly, the Privacy Act sets rules only for personal data controlled by federal agencies. Other federal statutes that regulate health data processing focus on even narrower sectors of information use. As a result, most health data are entirely outside the protections of either constitutional or federal law, although with the passage of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the public policy context for protecting health information is changing.

Federal and State Protections

Federal and state laws attempt to balance the public's right to access information gathered by the government against the individual's right to protect personal information from inappropriate disclosure. Maintaining this balance is becoming increasingly difficult as technology provides new and improved means to collect, manage, and distribute data and as groups of citizens have developed conflicting desires to protect special categories of data and to acquire access to data and information. Yet privacy and access are not mutually exclusive. Systems can be developed that provide suitable protections against unwarranted uses of health information while respecting the need for legitimate access.

Federal Statutes and Regulations

Federal statutes provide one framework for protecting health information. The primary vehicle for existing protections is the Privacy Act of 1974.2 The Privacy Act was designed to provide private citizens some control over the information about them collected by the federal government. It protects individuals from nonconsensual government disclosure of personal information. The act prohibits federal agencies from disclosing information contained in record systems to any person or agency without the prior written consent of the individual to whom the record pertains, unless the disclosure or further use is consistent with the purpose for which the information was collected. The Privacy Act contains the following key provisions:

- Individuals are given the right to know that identifiable, personal information is available in a government record system and to know what that information is used for.
- Individuals have the right to access the information, have a copy made of all or any portion of it, and correct or amend the records.
- The information may not be used for any purpose beyond that for which it was collected.
- No information may be disclosed to any person or to another agency without the consent of the individual to whom the information pertains, except for certain routine uses and other specific uses described in the law.
- Agencies are subject to civil suit for damages that occur as a result of willful or intentional action that violates any individual rights under the act.

Health care facilities operated by the federal government, such as those operated by the Indian Health Service, the Department of Veterans Affairs, and the Department of Defense, are bound by the Privacy Act's requirements regarding access, use, and disclosure of health information. The Health Care Financing Administration (HCFA) is also covered by the Privacy Act's requirements for information collected on Medicare beneficiaries. Contractors who operate a record system on behalf of a government agency are also subject to the Privacy Act, and their employees are considered agency employees for purposes of applying criminal penalties.3

The Privacy Act also allows individuals to request that amendments be made to their records if they believe them to be inaccurate, irrelevant, untimely, or incomplete. If the agency refuses to amend the records as requested, individuals may request a review of the refusal and, if the amendment is still not allowed, may file a civil suit in federal district court. The act requires that agencies publish reports in the Federal Register when they create or change a system of records. The reports must describe the categories of records maintained, their routine uses, policies on storage and retrieval, and other procedures related to their use, disclosure, and amendment.

Additional privacy protections are contained in the Freedom of Information Act of 1966, which governs public access to all records maintained by the federal government. The act was created to improve public access to government information and promote openness in government. The Freedom of Information Act provides that any person has open access to federal agency records, except those records that are protected from disclosure by one of nine exemptions to the act. Medical files, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy, are specifically exempted from the act.

2 Public Law 93-579, 5 U.S.C. §552a.
Two federal statutes establish special rules to protect the records of patients who seek drug or alcohol abuse treatment at federally funded facilities.4 These statutes apply to oral and written communication of information containing the identity, diagnosis, prognosis, or treatment of patients enrolled in programs for education, rehabilitation, research, training, or treatment. They provide a high level of protection and allow only limited exceptions for release of patient information, including disclosure with the written consent of the patient. Because they have the full force of federal law, these statutes supersede state laws on confidentiality.

The Medicare program has also served as a vehicle for expanding privacy protections. The Medicare Conditions of Participation for Hospitals requires that "the hospital have a procedure for ensuring the confidentiality of patient records. Information from or copies of records may be released only to authorized individuals, and the hospital must ensure that unauthorized individuals cannot gain access to or alter patient records. Original medical records must be released by the hospital only in accordance with Federal or state laws, court orders, or subpoenas."5

In addition to these acts and statutes, multiple federal agencies have laws that also provide specific policies the agency must follow regarding the types of data collected, how the data can be used, and how access to the data is managed. Other agencies, however, do not have specific statutory-based policies and thus must rely on common law tradition and the application of ethical decision making within the agency.

Limitations of Federal Protections

Federal protections for health information have several weaknesses. Both the federal laws protecting alcohol and drug abuse information and the Privacy Act suffer from a limited scope of influence. Federal alcohol and drug abuse regulations apply only to federal or federally funded facilities that offer treatment for alcohol or drug abuse.6 The Privacy Act, perhaps the most comprehensive of the federal protections, applies only to information collected by government agencies. Federal agencies, primarily the Department of Defense and HCFA, do collect considerable amounts of personal health information, but the majority of health records in the United States are collected and maintained by nongovernment entities and fall outside the jurisdiction of the Privacy Act.

The Privacy Act suffers from additional weaknesses as well. Individuals who do not regularly review the Federal Register find the notification system unnecessarily burdensome and ineffective. The act also fails to provide a government oversight mechanism, instead placing the burden of monitoring privacy and redressing grievances on the individual. Other critics suggest that the penalties prescribed in the Privacy Act are inadequate and that the act mandates no specific measures for protecting privacy (e.g., it does not define technical mechanisms that must be used to ensure compliance).7

Constitutional protections have also been weakened by a lack of enforcement. The Supreme Court's major modern discussion of an informational privacy right remains Whalen v. Roe.8 In Whalen, the Court accepted that the right to privacy includes a generalized "right to be let alone," which includes "the individual interest in avoiding disclosure of personal matters." Despite finding a theoretical right to avoid disclosure of intimate personal matters, however, in Whalen the Court allowed New York State to keep a computerized list of prescription records for dangerous drugs and to require physicians to disclose the names of patients for whom they prescribed those drugs. The decision balanced the social interest in informational privacy against the state's "vital interest in controlling the distribution of dangerous drugs." Finding New York's program to be narrowly tailored and replete with security provisions designed to reduce the danger of unauthorized disclosure, the Supreme Court held that the constitutional balance tilted in favor of the statute. Despite upholding the mandatory compilation and disclosure of prescription data, the Court left the door open to future restrictions in light of technical change, noting that it was "not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files." In so doing, the Court set the stage for claims that the Constitution embodies a right to informational privacy, although the Court has yet to expand on this idea in any significant way.9 Despite the considerable power of the decision, lower courts have not capitalized on this constitutional doctrine's promise for improving health care privacy.10

Weaknesses also exist in the Americans with Disabilities Act (ADA).11 This statute has proven less than efficacious in protecting medical privacy. To begin with, health information per se is not covered by this law. Rather, the ADA's applicability turns on whether or not an impairing condition fits among those conditions that have been found to fall within this statute's definition of "disability."12 Another limitation of the ADA concerns its lack of practical impact: job applicants and employees are often either unaware or unable to prove that employers have made decisions based on health information about them.13 The ADA may, however, sometimes provide privacy protection by making some employers reluctant to collect and process certain kinds of personal information. Because of fear of litigation, employers may avoid collection of data regarding health conditions that place an employee or a qualified job applicant under the ADA's protection, since collecting such data might lead to an inference of an ADA violation.

State Statutes and Regulations

At the state level, measures for protecting health information include constitutional law and statutes. Constitutional law has sometimes been interpreted as setting limits on the collection and dissemination of health data.14 Statutory measures establish doctor-patient confidentiality and common law tort remedies.15 More than a dozen states have enacted laws that place limitations on the use of genetic information by health insurers.16 States have specific laws that govern how open the records of the state will be, and many state agencies have agency-specific statutes governing confidentiality, access, and use of their data. However, little uniformity exists among state statutes and regulations protecting health information. Protections vary according to the holder of the information and the type of information (i.e., mental health, HIV or AIDS, substance abuse, genetic information). Most statutes do not address redisclosure of health information and lack penalties for misuse or misappropriation. Few states have enacted statutes and regulations as to whether medical records can be created, authenticated, and stored electronically. Only 28 states explicitly protect and ensure the rights of patients to review their medical records so that they can see what information exists about them and recommend changes or make amendments if necessary. Four states allow patient access to hospital records only, whereas 24 provide access to hospital and physician records.

As health care providers have expanded their reach across state borders, the need for greater uniformity has increased. In recent years, the National Conference of Commissioners on Uniform State Laws developed the Uniform Healthcare Information Act in an attempt to stimulate uniformity among states on health care information management issues. As of 1996, only two states, Montana and Washington, had enacted this model legislation.17 Clearly, efforts must be directed toward developing national standards of confidentiality and security to support the development of computer-based patient record systems and to instill trust by consumers in the use of technology.

Limitations of State Protections

For the most part, state law has not overcome the weaknesses in current federal data protection. State statutes do not address the flow of health information to secondary users outside the provider setting. They do not address the responsibilities of third-party payers in handling health information, nor do they impose rules on the use of health information by secondary users of the data. Most state statutes fail to recognize the particular challenges posed by the use of electronic health records and by the rapid growth of organizations that compile information about patients, in both patient-identifiable and aggregated form, for sale to interested corporations.18

3 5 U.S.C. §552a(m).
4 42 U.S.C. §§290dd-3 and 290ee-3 (1988).
5 Medicare Conditions of Participation for Hospitals, §482.24.
6 42 U.S.C. §290dd-1. See Whyte v. Connecticut Mutual Life Insurance Company, 818 F.2d 1005, 1010 (1st Cir. 1987); Heartview Foundation v. Glaser, 361 N.W.2d 232, 235 (N.D. 1985).
7 Office of Technology Assessment. 1993. Protecting Privacy in Computerized Medical Information, OTA-TCT-576. U.S. Government Printing Office, Washington, D.C., September, pp. 78-79.
8 429 U.S. 589 (1977).
9 429 U.S. 599-604 (1977). An alternative view is provided by A. Michael Froomkin (see "Flood Control on the Information Ocean: Living With Anonymity, Digital Cash, and Distributed Databases," available on the World Wide Web at www.law.miami.edu/~froomkin/articles/oceanno.htm).
10 See, for example, Doe v. Attorney General, 941 F.2d 780, 795 (9th Cir. 1991); American Civil Liberties Union v. Mississippi, 911 F.2d 1066, 1069-1070 (5th Cir. 1990); Walls v. City of Petersburg, 895 F.2d 188, 192-194 (4th Cir. 1990); Gutierrez v. Lynch, 826 F.2d 1534, 1539 (6th Cir. 1987); Mann v. University of Cincinnati, 824 F.Supp. 1190, 1198-1199 (S.D. Ohio 1993); Doe v. Borough of Barrington, 729 F.Supp. 376, 382 (D.N.J. 1990).
11 42 U.S.C. §§12111-12117. See Miller, Frances H., and Philip A. Huvos. 1994. "Genetic Blueprints, Employer Cost-Cutting, and the Americans with Disabilities Act," Administrative Law Review 46(369):383. ("Disabilities law has not yet caught up with the recent explosion in genetic technology that now facilitates testing for a wide range of genetic anomalies potentially detrimental to employee health.")
12 42 U.S.C. §12112(a). See Rothstein, Mark A. 1992. "Genetic Discrimination in Employment and the Americans with Disabilities Act," Houston Law Review 29(23):83. ("The ADA's coverage of a wide range of genetic conditions is not resolved.")
13 See generally Burgdorf, Jr., Robert L. 1991. "The Americans with Disabilities Act," Harvard C.R.-C.L. Law Review 26(413):434-437. See also Schultz, Ellen E. 1994. "Open Secrets: Medical Data Gathered by Firms Can Prove Less Than Confidential," Wall Street Journal, May 18, p. A1.
14 California Constitution, Art. I, §1. For cases interpreting this right, see Urbaniak v. Newtown, 226 Cal. App. 3d 1128, 277 Cal. Rptr. 354, 357-358 (1991); Division of Medical Quality v. Gherardini, 93 Cal. App. 669, 156 Cal. Rptr. 55, 61-62 (1979).
15 See, for example, California Civil Code §56; Wisconsin Statutes Annotated §146.82; Rhode Island General Laws §5-37-9. For cases interpreting the duty of confidentiality, see Horne v. Patton, 291 Ala. 701, 287 So.2d 824, 827-830 (1974); Hague v. Williams, 37 N.J. 328, 181 A.2d 345, 347-349 (1962). See also Gellman, Robert. 1984. "Prescribing Privacy: The Uncertain Role of the Physician in the Protection of Patient Privacy," North Carolina Law Review 62(255):274-278.
16 For an overview and excellent analysis, see Rothenberg, Karen H., 1995, "Genetic Information and Health Insurance: State Legislative Approaches," Journal of Law, Medicine, and Ethics 23(312):312-319.
17 The main provisions of this model legislation are (1) to give patients the right to have access to their own medical records; (2) to allow patients to correct or amend their records if the content is suspected to be in error; (3) to require providers to obtain a written authorization before disclosing patient information to other parties; and (4) to outline situations in which patient information may be disclosed without patient authorization. (gopher://leginfo.leg.wa.gov:70/00/pub/rcw/title_70).
18 Office of Technology Assessment. 1993. Protecting Privacy in Computerized Medical Information, OTA-TCT-576. U.S. Government Printing Office, Washington, D.C., September, pp. 43-44.

OCR for page 37
--> The state legislative approaches to genetic privacy currently focus narrowly on genetic tests rather than genetic information that is generated in other ways.19 In addition, the practice and administration of medicine now increasingly take place on an interstate level, which makes state solutions to data protection increasingly unwieldy. The weaknesses of these state solutions become even clearer when one considers the common law right of privacy. One branch of this interest has been found to prevent public disclosure of private records.20 Most courts have, however, found that such a claim requires widespread disclosure to the public, which will not occur in most cases involving the release of health information.21 Another restrictive element of the public disclosure tort is that most courts define disclosure as the release of information to someone without a "legitimate interest" in the information. Some courts have found employers to have a legitimate interest in their employees' health information.22 A second branch of the tort right of privacy prevents intentional intrusions on the private affairs or concerns of an individual.23 Such intrusion must be "highly offensive"; moreover, something in the nature of "prying or intrusion" must occur.24 Courts have failed to find that disclosure of sensitive health information by an employer to an individual's coworkers creates such an intrusion; the employee had, after all, "voluntarily" provided the information to her employer.25 State protection of health information is further limited by the federal Employee Retirement and Income Security Act (ERISA). This law preempts state regulation of companies that provide health care benefits 19   Rothenberg, Karen H. 1995. "Genetic Information and Health Insurance: State Legislative Approaches," Journal of Law, Medicine, and Ethics 23(312):312-319. 20   American Law Institute. 1976. Restatement (Second) of the Law of Torts, §652D. 21   Porten v. 
University of San Francisco, 64 Cal. App. 3d 825, 134 Cal. Rptr. 839, 841 (1976). For criticisms of the requirement of widespread publication, see Miller v. Motorola, 202 Ill. App. 3d 976, 560 N.E.2d 900, 902 (1990). See also Keeton, W. Page (ed.) 1984. Prosser and Keeton on the Law of Torts. West Publishing Company, St. Paul, Minn., §117 at 857-858. 22   Keeton, W. Page (ed.) 1984. Prosser and Keeton on the Law of Torts. West Publishing Company, St. Paul, Minn., §117 at 857-858. 23   American Law Institute. 1976. Restatement (Second) of the Law of Torts, §652B. 24   Keeton, W. Page (ed.) 1984. Prosser and Keeton on the Law of Torts. West Publishing Company, St. Paul, Minn., §117 at 855. 25   Miller v. Motorola, 202 Ill. App. 3d 976, 560 N.E.2d 900, 903 (1990). See Mares v. Conagra, 971 F.2d 492, 496-497 (10th Cir. 1992) (request of employer for worker to supply it with detailed medication information does not constitute a "substantial interference with her seclusion").

OCR for page 37
--> through self-insurance.26 Due to weak federal protection, ERISA creates a considerable loophole for self-insured companies, which are not restricted from gaining access to personally identifiable health information pertaining to their employees. Over 60 million Americans held health insurance through a self-insured employer in 1993.27 Nongovernmental Initiatives Outside of government, a number of initiatives are under way to develop industry-wide standards for the security and confidentiality of health information. These efforts span a wide range of topics, from attempts to develop technical standards for security, to models for evaluating existing practices, to educational initiatives. They are being conducted by a large number of organizations, including the American National Standards Institute, the Computer-based Patient Record Institute, and the Joint Commission on Accreditation of Healthcare Organizations. While moving in the right direction, these efforts have not yet resulted in a set of enforceable standards that have been broadly adopted by industry. American National Standards Institute To facilitate the development of standards for health care information systems, the American National Standards Institute (ANSI) has established the Health Informatics Standards Board (HISB). 
Its charter is to promulgate standards for (1) health care models and electronic health records; (2) the interchange of health data, images, sounds, and signals within and among health care organizations; (3) health care codes and terminology; (4) communication with diagnostic instruments and health care devices; (5) representation and communication of health care protocols, knowledge, and statistical databases; (6) privacy, confidentiality, and security of medical information; and (7) other areas of concern or interest regarding health information.28HISB coordinates the work of standards groups for health care data interchange, such as the Institute of Electrical and Electronics Engineers, the American Society for Testing and Materi- 26   ERISA, §502(a), codified at 29 U.S.C. §1132. See Bobinski, Mary Anne. 1990. "Unhealthy Federalism," U.C. Davis Law Review 24(255). See also Rothstein, Mark A. 1992. "Genetic Discrimination in Employment and the Americans with Disabilities Act," Houston Law Review 29(23):80-81. 27   Health Insurance Association of America. 1996. Source Book of Health Insurance Data. Health Insurance Association of America, Washington, D.C., Table 2.5. 28   American National Standards Institute (ANSI), Healthcare Informatics Standards Planning Panel. 1992. "Charter Statement," ANSI, September.

OCR for page 37
--> als, and the International Organization for Standardization (ISO). Its goal is to develop a unified set of standards that are compatible with the ISO and other bodies. HISB does not write standards or make technical determinations but instead coordinates the activities of other accredited standards bodies. Its voting membership consists of private companies, government agencies, individual experts, and other organizations. It includes users and producers of health information, professional and trade organizations, government agencies, and standards organizations. Computer-based Patient Record Institute The Computer-based Patient Record Institute (CPRI) is an organization of public and private entities that promotes the use of electronic health records. CPRI has recognized the importance of providing for information security in the implementation of computer-based patient records and has established the Work Group on Confidentiality, Privacy, and Security. The work group was chartered to encourage the creation of policies and mechanisms to protect patient and caregiver privacy and to ensure information security. As part of its efforts, the work group is developing a series of security guidelines for organizations implementing electronic medical record systems. Products issued to date include guidelines for (1) establishing information security policies, (2) establishing information security education programs, (3) managing information security programs, and (4) establishing confidentiality statements and agreements.29 It has also developed a guide to security features for health information systems.30 The thrust of these initiatives is purely educational. CPRI has no mechanism or authority to ensure compliance with the guidelines it promulgates. 
29 Computer-based Patient Record Institute (CPRI). 1995. Guidelines for Establishing Information Security Policies at Organizations Using Computer-based Patient Record Systems. CPRI, Schaumburg, Ill., February. Also, Computer-based Patient Record Institute. 1995. Guidelines for Information Security Education Programs at Organizations Using Computer-based Patient Record Systems. CPRI, Schaumburg, Ill., June.

30 Computer-based Patient Record Institute. 1996. Security Features for Computer-based Patient Record Systems. CPRI, Schaumburg, Ill., September.

Joint Commission on Accreditation of Healthcare Organizations

The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) certifies the compliance of hospitals with a number of specific accreditation standards. The 1996 JCAHO Accreditation Manual for Hospitals specifies information management (IM) standards. IM.2 states that the "confidentiality, security and integrity of data and information are maintained." IM.2.2 states that "the hospital determines appropriate levels of security and confidentiality for data and information ..." and continues by stating that the "collection, storage and retrieval systems are designed to allow timely and easy use of data and information without compromising its security and confidentiality." IM.2.2.3 states that "records and information are protected against loss, destruction, tampering and unauthorized access or use." The intent of these standards is to ensure that a hospital maintains the security and confidentiality of data and is especially careful about preserving the confidentiality of sensitive data. The hospital is expected to determine the level of security and confidentiality maintained for different types of information. Access to each category of information is based on need and defined by job title and function. According to the JCAHO, an effective process defines the following:

Who has access to information;
The information to which an individual has access;
The user's obligation to keep information confidential;
When release of health information or removal of the medical record is permitted;
How information is protected against unauthorized intrusion, corruption, or damage; and
The process followed when confidentiality and security are violated.

JCAHO examines hospital practices in the area of information management during its triennial reviews. The reviews address information management practices at an overall level but do not directly ascertain the occurrence of specific instances in which hospital practices may have been violated. JCAHO reviews are nominally voluntary, but organizations that participate in the Medicare and Medicaid programs (and expect to be reimbursed for services offered under these programs) are required to receive JCAHO accreditation.
Improving Public Policy

Better protection of electronic health information will require efforts at the national level. The lack of uniform national standards for the privacy and security of health information creates particular problems for health care organizations that serve constituents in multiple states and creates additional confusion for patients regarding their rights. The results are administrative uncertainty and potential violations of privacy in states with weaker confidentiality requirements. To further compound the problem, few mechanisms exist, inside or outside government, for monitoring and enforcing compliance with laws, regulations, and standards governing the confidentiality of health information. In particular, an individual whose information has been compromised generally lacks recourse for a specific incident and cannot receive compensation or ensure that those responsible for the incident are punished.

Conflicting views of data ownership and a lack of patient understanding of health data flows and of their rights to privacy and confidentiality also need to be addressed at a national rather than an institutional or organizational level. As site visits and briefings to the committee attest, patients, providers, health researchers, and other users of health information often have conflicting views regarding the ownership of identifiable health information. Patients tend to believe that information about their health history, diagnosis, and treatment belongs to them because it is about them. Health care organizations believe patient health information belongs to them because they invest resources in collecting, storing, and analyzing it and because they are required to collect data regarding patient care. Insurance companies, pharmaceutical manufacturers, and market research companies claim some ownership rights because of their vested interests. In addition, there is evidence that vendors of medical diagnostic equipment believe the data collected by their instruments belong to them because their devices have enabled its collection. The resulting confusion has frustrated efforts to enhance the privacy and security of health information by making it difficult to determine who is responsible for protecting the information.
Building National Consensus

Over the past several years, a consensus has emerged within Congress and among the general public regarding the need for federal legislation to address this important issue. The Office of Technology Assessment (OTA), in its report Protecting Privacy in Computerized Medical Information,31 found that current laws, in general, do not provide consistent, comprehensive protection of health information confidentiality. Focusing on the impact of computer technology, the report concluded that computerization reduces some concerns about the privacy of health information while increasing others. A 1994 Institute of Medicine report32 recommends that federal preemptive legislation be enacted to establish uniform requirements for the preservation of confidentiality and the protection of privacy rights for health data about individuals. A more recent OTA report33 identifies the issues of privacy and confidentiality as particularly important areas in dealing with health information. The report suggests that if there is little confidence that electronic medical information systems will protect them, providers and patients will be unwilling to use them. The report concludes that Congress may wish to establish federal legislation and regulation to protect medical information, as well as electronic data standards for storage and transmission of medical information.

31 Office of Technology Assessment. 1993. Protecting Privacy in Computerized Medical Information, OTA-TCT-576. U.S. Government Printing Office, Washington, D.C., September.

As these reports recognize, legal regulation of medical privacy cannot focus solely on the doctor-patient relationship or the site at which the information is processed or stored. Moreover, an individual's own control over his or her health information cannot be complete because these data are essential for the modern distribution of health care services. In the computer age, health data pass through an increasing number of professional settings and organizations. The processing of personal information already plays a critical role in the provision, regulation, and financing of health services by government and private entities. Beyond the traditional doctor-patient relationship and the provision of health services in hospitals, a variety of public and private organizations now use personal health data. Moreover, health care reform will further increase the extent to which health care data are applied and shared. As part of this process, greater use will be made of information technology in an attempt to control costs and increase the quality of care.
32 Institute of Medicine. 1994. Health Data in the Information Age: Use, Disclosure, and Privacy, Molla S. Donaldson and Kathleen N. Lohr (eds.). National Academy Press, Washington, D.C.

33 Office of Technology Assessment. 1995. Bringing Health Care On line: The Role of Information Technologies. U.S. Government Printing Office, Washington, D.C.

In preparing and implementing laws and policies to provide privacy, policy makers cannot ignore the possibility that individuals may be discriminated against on the basis of specific illnesses or conditions they have or that sensitive or adverse information may be used against an individual's economic interests in some way. For example, an employer may refuse to hire or promote an individual with a long and expensive history of medical claims (or with the prospect of probable expensive or chronic medical problems in the future based on family history). Policy makers must assume that such discrimination is likely to continue in the future, particularly in light of the additional genetic information that will become available as a result of advances such as those associated with the human genome project. Already, evidence exists to support claims that individuals experience discrimination by employers, insurers, and others based on the existence of genetic predispositions to particular ailments rather than on manifestations of such ailments.34 Furthermore, even if individuals are not necessarily subject to economic discrimination as the result of such information, they may well wish to limit the dissemination or availability of information that might be embarrassing (e.g., a history of sexually transmitted diseases, treatment for depression, or a familial history of alcoholism).

Legislative Initiatives

In an attempt to improve protections for health information, a number of bills were introduced in the 104th Congress to address the use and disclosure of health information and to establish civil and criminal penalties for misuse of such information. These included the Medical Records Confidentiality Act of 1995 (S. 1360), Fair Health Information Practices Act of 1995 (H.R. 435), Medical Privacy in the Age of New Technologies Act of 1996 (H.R. 3482), and Health Insurance Portability and Accountability (HIPA) Act of 1996 (H.R. 3103). The Fair Information Practices Act was reintroduced into the 105th Congress in January 1997. Of these, only HIPA has been signed into law. HIPA contains several provisions regarding health data standards and health information privacy. The purposes of these provisions are (1) to improve the efficiency and effectiveness of the health care delivery system by standardizing the electronic exchange of administrative and financial data and (2) to protect the confidentiality and security of transmitted health information.
34 Billings, Paul R., Mel A. Kohn, Margaret de Cuevas, Jonathan Beckwith, Joseph S. Alper, and Marvin R. Natowicz. 1992. "Discrimination as a Consequence of Genetic Testing," American Journal of Human Genetics 50:476-482.

Under HIPA, the Secretary of Health and Human Services is required to adopt standards by February 1998 providing for a unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system. The Secretary is also required to adopt security standards that take into account (1) the technical capabilities of record systems used to maintain health information; (2) the costs of security measures; (3) the need for training persons who have access to health information; (4) the value of audit trails in computerized record systems; and (5) the needs and capabilities of small health care providers and rural health care providers. HIPA requires that each person who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of the information; to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information; and to ensure that a health care clearinghouse, if it is part of a larger organization, has policies and security procedures that isolate its activities with respect to processing information in a manner that prevents unauthorized access to such information.

By August 1997, the Secretary is required to submit to Congress detailed recommendations on standards with respect to the privacy of individually identifiable health information. These recommendations must address the rights that should be guaranteed to an individual who is a subject of patient-identifiable health information, the procedures that should be established for the exercise of such rights, and the uses and disclosures that should be authorized or required. HIPA contains penalties ranging from $50,000 to $250,000 and 1 to 10 years in jail for wrongful disclosure of individually identifiable health information. If legislation is not enacted by August 1997, the Secretary is required to promulgate final regulations containing such standards not later than 6 months after that date. In carrying out this section, the Secretary must consult with the National Committee on Vital and Health Statistics and the Attorney General.

The Health Insurance Portability and Accountability Act represents an important first step in better protection of health information.
By mandating the promulgation of standards and regulations for security and privacy, the act begins to fill the void in existing legislation for protecting health information. It remains to be seen, however, how the act will be implemented and whether its standards and regulations will be enforced firmly. Without strong measures and ways of ensuring that they are implemented, patient health information may remain vulnerable to potential misuse.