ity of patient records. Information from or copies of records may be released only to authorized individuals, and the hospital must ensure that unauthorized individuals cannot gain access to or alter patient records. Original medical records must be released by the hospital only in accordance with Federal or state laws, court orders, or subpoenas."5

In addition to these acts and statutes, multiple federal agencies have laws that also provide specific policies the agency must follow regarding the types of data collected, how the data can be used, and how access to the data is managed. Other agencies, however, have no specific statute-based policies, and their procedures must therefore rely on common law tradition and the application of ethical decision making.

Limitations of Federal Protections

Federal protections for health information have several weaknesses. Both the federal laws protecting alcohol and drug abuse information and the Privacy Act suffer from a limited scope of influence. Federal alcohol and drug abuse regulations apply only to federal or federally funded facilities that offer treatment for alcohol or drug abuse.6 For example, the Privacy Act, perhaps the most comprehensive of the federal protections, applies only to information collected by government agencies. Federal agencies, primarily the Department of Defense and HCFA, do collect considerable amounts of personal health information, but the majority of health records in the United States are collected and maintained by nongovernment entities and fall outside the jurisdiction of the Privacy Act.

The Privacy Act suffers from additional weaknesses as well. Individuals who do not regularly review the Federal Register find the notification system unnecessarily burdensome and ineffective. The act also fails to provide a government oversight mechanism, instead placing the burden of monitoring privacy and redressing grievances on the individual. Other critics suggest that penalties prescribed in the Privacy Act are inadequate and that the act mandates no specific measures for protecting privacy (e.g., it does not define technical mechanisms that must be used to ensure compliance).7

Constitutional protections have also been weakened by a lack of enforcement. The Supreme Court's major modern discussion of an informa-


5. Medicare Conditions of Participation for Hospitals, §482.24.

6. 42 U.S.C. §§290dd-1. See Whyte v. Connecticut Mutual Life Insurance Company, 818 F.2d 1005, 1010 (1st Cir. 1987); Heartview Foundation v. Glaser, 361 N.W.2d 232, 235 (N.D. 1985).

7. Office of Technology Assessment. 1993. Protecting Privacy in Computerized Medical Information, OTA-TCT-576. U.S. Government Printing Office, Washington, D.C., September, pp. 78-79.
