

Confidentiality and Privacy of Personal Data
Pages 136-213

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 136...
... HISTORICAL PERSPECTIVES AND GENERAL OBSERVATIONS ON DISCLOSURE OF INFORMATION The Privacy Protection Study Commission (PPSC) was created by the Privacy Act of 1974 to investigate the personal data recordkeeping practices
From page 137...
... Sixty-eight percent agreed strongly or very strongly that "computers are an actual threat to personal privacy," and almost 90 percent agreed that computers have made it much easier to obtain confidential personal information improperly (Equifax, 1992). Many privacy experts have described the ready availability of personal information (e.g., see Filler, 1993).
From page 138...
... 1355, "DNA Identification Act of 1991"; H.R. 2045, "Human Genome Privacy Act")
From page 139...
... It further specifies that individually identifiable health care information may not be used in making employment decisions.
From page 140...
... 5122. calls for a proposal not later than three years after enactment of the HSA to provide a comprehensive scheme of Federal privacy protection for individually identifiable health information that would include a Code of Fair Information Practices and provide for enforcement of the rights and duties created by the legislation.
From page 141...
... social service workers protecting possibly abused children, to name only a few. Others access secondary health records or obtain portions of the medical record when making decisions about hiring, granting a license, or issuing life, health, or disability insurance.
From page 142...
... Finally, because developers of HDOs have compared claims transmittal to electronic funds transfer (EFT), it is helpful to examine how the Privacy Protection Study Commission regarded confidentiality in EFT.
From page 143...
... Informational Privacy Informational privacy, "a state or condition of controlled access to personal information" (Schoeman, 1984; Allen, 1987; Powers, 1993), is infringed, by definition, whenever another party has access to one's personal information by reading, listening, or using any of the other senses.
From page 144...
... Recordkeeping Privacy In recent decades, discussions about privacy have almost exclusively addressed the use of information about people to make decisions about some right, privilege, benefit, or entitlement, so-called "recordkeeping privacy." This focus was of particular interest to those framing the Privacy Act of 1974. More recently the desire for informational privacy has become an important expectation, not because of a benefit or entitlement sought, but for its own sake.
From page 145...
... The existence of informational privacy rights means that someone is under a duty either not to disclose information or to prevent unauthorized access to information by others. Dworkin (1977)
From page 146...
... The Constitution generally has not provided strong protection for the confidentiality of individual health care information; the constitutional protection for informational privacy is thus very limited and derived from case law interpreting the Constitution. The courts have made clear that, at least theoretically, information privacy principles based on the Constitution limit a government agency's collection and use of personal information to situations in which the use bears a rational relationship to a legitimate governmental purpose.
From page 147...
... 1980), the Third Circuit identified seven factors that should be weighed in determining whether to permit a government agency to collect personal information and thus undertake a program that infringes privacy.
From page 148...
... , certain categories of data are specified as confidential and thus not disclosable; for instance, Exemption 6 states that FOIA is not applicable to "personnel and medical files and similar files, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." Data confidentiality is discussed in more detail in a later section. Confidentiality Obligations in Health Care Professional obligations to privacy and confidentiality.
From page 149...
... , as well as various state laws and Medicare and Medicaid regulations. Laws and regulations imposing confidentiality requirements for sensitive personal health information include those related to alcohol and drug abuse records and laws governing nondisclosure of records of patients with acquired immunodeficiency syndrome (AIDS)
From page 150...
... Patients generally understand that, with consent, information in their medical records will be shared widely within a hospital and for insurance and reimbursement purposes. They also expect that data collected about them will be used only for the purpose of the initial collection and that such data will be shared with others only for that same purpose.
From page 151...
... Such requirements, sometimes termed "compulsory process," may take the form of subpoenas or discovery requests and may be enforced by court order. In some instances personal health care information may be protected from disclosure in court and administrative proceedings by virtue of the physician-patient privilege, which may be mandated by statute or derive from the common law.
From page 152...
... Last, enforcing rights through litigation is costly, and money damages may not provide adequate redress for the harm done by the improper disclosure. Security In the context of health record information, confidentiality implies controlled access and protection against unauthorized access to, modification of, or destruction of health data.
From page 153...
... Nevertheless, not everything in a medical record is relevant to health status or is health related.
From page 154...
... Personal data, particularly health-related personal data, are not inherently sensitive, but they become so because of the harmful ways in which they might be used. Thus, any data element in medical records, and many data items from other records, could be considered either health-related or sensitive, or both.
From page 155...
... Data confidentiality is a matter of law and regulation. Legislation would be required to establish that health-related information is confidential, to spell out the rationale for the position, and to clarify the ramifications and consequences of attaching protection to health data.
From page 156...
... Health leader respondents to the 1993 Harris/Equifax survey showed that 71 percent were somewhat or very concerned about threats to the confidentiality of medical records, and 24 percent were "aware of violations of the confidentiality of individuals' medical records from inside an organization that embarrassed or harmed the individual." Respondents identified test results and diagnostic reports as the most frequently disclosed information. Of the responding public, some 27 percent believed that their own medical records had been improperly disclosed.
From page 157...
... Disclosure related to the human penchant for gossip and carelessness in leaving medical records "lying around" or leaving information displayed on computer terminals is common. Westin (1972)
From page 158...
... The "secondary use" principle is an important component of fair information practices. It reflects the notion that when personal information is collected for a particular purpose the information should be used for only that purpose or a compatible one. An especially troublesome problem is the difficulty of confining the migration of information to third, fourth, or fifth parties without the individual's knowledge or consent.
From page 159...
... Although corporate and professional ethics tend to discourage abuse, few barriers exist to an employer's use of its employees' medical and insurance claims records. The threat of liability under the Americans with Disabilities Act has served as a brake on some employers' access to and use of their employees' health records.
From page 160...
... Examples include information brokers who tap into computerized systems by using false names or by bribing database employees to supply information about celebrities or the names of individuals with certain characteristics. In health care institutions, there is also a risk that employees will browse through medical records out of curiosity (as tax and credit bureau employees have done)
From page 161...
... , and medical records personnel and researchers report that errors and omissions are extremely common in all health records. Harm from such problems may range from trivial to severe.
From page 162...
... Third, HDOs may exacerbate societal concerns about the emergence of national, centralized personal record databases, which may be perceived as a national identification system or dossier. Issues concerning the Social Security number and its analogs are especially pertinent here.
From page 163...
... Once such a system were in place, some fear that both those with and without bona fide access would be able to call up a remarkably comprehensive and intrusive dossier comprising detailed biographic information, family history information, employment information, financial and insurance information, and, unless prevented, of course, medical record information about every citizen participating in the system. In the view of many, this development would bring the nation perilously close to a national identification database.
From page 164...
... S1) Over the years the Congress, the press, and privacy advocates have fiercely resisted any proposal for the development of databases that appeared to facilitate establishment of a national identification or database system.
From page 165...
... If the HDO initiative is viewed by opinion leaders as a precursor to the establishment of any type of automated, national identification or dossier system, the initiative will likely fail. HDO proponents should take every practicable step to assure advocacy groups, the media, legislators, and the American people that the emergence of HDOs will not contribute to the development of a centralized, automated national dossier system or a national identification system through linkage with non-health-related databases or the gradual relaxation of confidential .
From page 166...
... The method of providing the identifier will result in higher or lower assurance of its accuracy: an individual's memory is probably the least assurance of correctness; an embossed card is better; and an electronic reader for the card is better still. The present health care information infrastructure runs largely without external visible error controls.
From page 167...
... The Department of Defense adopted it as a military identification number during World War II, and in 1961 the Internal Revenue Service (IRS) adopted it as the taxpayer identification number.
From page 168...
... Some government decisions, notably to use the SSN as the taxpayer identification number and as the basis of the Medicare number, forced its wide diffusion throughout the private sector through financial transactions and benefits payments. In this way, partly deliberately and partly inadvertently, a very sensitive item of personal information has become widely disseminated.
From page 169...
... Although federal, state, or local governments usually require the SSN under law, private-sector requests serve the purposes and motivations of the organization. The essential point is that the SSN is in extraordinarily wide use as a personal identifier.
From page 170...
... As a data element, it is not characterized by law as confidential; hence, organizations that use it are under no legal requirement to protect it or to limit the ways in which it is used. For all practical purposes its use is unconstrained; this makes the risk of commingling health data with all other forms of personal data enormously high.
From page 171...
... Whether these steps are sufficient in the HDO context requires reexamination. Because HDO databases will include many elements of personal information collected for single, specific purposes and subsequently used for multiple, diverse purposes, they have the potential to conflict with the secondary use principle.
From page 172...
... HDOs may well have governmental status, and the legal implications of that status are described in more detail, with particular attention to the Privacy Act of 1974. Laws Governing Insurance Support Organizations The NAIC Model Act defines an insurance support organization as "any person who regularly engages, in whole or in part, in the practice of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions" (emphasis added)
From page 173...
... In states that have passed the NAIC Model Act, an HDO would be subject to the following six requirements. First, the HDO could not disclose personal information about an individual without the written authorization of the individual or unless the disclosure was needed: to further an insurance function, provided there is no redisclosure; to a health care institution or health professional; to an insurance regulatory authority; to a law enforcement authority; in circumstances otherwise permitted or required by law; in response to compulsory process; for the purpose of a bona fide research study, provided that no individual can be identified in any subsequent research report; for marketing purposes; to consumer reporting agencies; to a group policyholder; to a professional peer review organization; or ...
From page 174...
... These statutes regulate the collection, use, and dissemination of personal information by consumer reporting agencies. Federal law defines a consumer reporting agency as an organization that "regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties" (FCRA 15 U.S.C.
From page 175...
... If that charter were to require the submission of personally identifiable medical record information (on the part of record subjects, providers, or others), this statutory requirement provides a basis for a challenge on constitutional privacy grounds, just as did the reporting requirements in Whalen.
From page 176...
... Washington State's FOIA, for example, includes an exemption for medical records, pharmacy records, client records held by domestic violence programs, and various types of research data. The Washington courts have also held that medical records are exempt from disclosure under Washington's FOI statute. Fair Information Practices In addition, the federal government and approximately one-third of the states have adopted fair information practices and statutes covering governmental agencies within each jurisdiction.
From page 177...
... The Privacy Act of 1974 incorporated the five elements of the Code of Fair Information Practices as eight principles that are manifest as specific requirements (PPSC, 1977a)
From page 178...
... In addition to establishing privacy guidelines for federal databases, the Privacy Act also created the Privacy Protection Study Commission (PPSC)
From page 179...
... Some state and federal laws will restrict the ability of providers to disclose medical record information to HDOs, at least in the absence of patient consent or a legislative mandate. In addition, in some states it may be difficult or impossible to word a patient consent to such disclosure that does not result in waiver of the physician-patient privilege.
From page 180...
... Federal preemptive legislation refers to federal law that supersedes any state law or legislation that either covers the same matter or conflicts with the federal legislation. Such preemptive legislation in this area could establish uniform requirements for the preservation of confidentiality and protection of privacy rights for health data about individuals because health data, particularly in electronic form, will cross state boundaries when accessed and disclosed by HDOs.
From page 181...
... WEDI recommended that federal legislation include the following steps and provisions:
· establish uniform requirements for preservation of confidentiality and privacy rights in electronic health care claims processing and payment;
· apply these requirements to the collection, storage, handling, and transmission of individually identifiable health care data, including initial and subsequent disclosures in electronic transactions by all public and private payers, providers of health care, and all other entities involved in the transactions;
· exempt state public reporting laws;
· delineate protocols for secure electronic storage and transmission of health care data;
· specify fair information practices that ensure a proper balance between required disclosures, use of data, and patient privacy;
· require publication of the existence of health care data banks;
· establish appropriate protections for highly sensitive data, such as data concerning mental health, substance abuse, and communicable and genetic diseases;
From page 182...
... The committee's dim view of the development of national identification systems has already been noted. Uniform State Legislation The main alternatives to federal legislation would be the status quo or enactment of model state acts.
From page 183...
... Another option is for individuals to receive a complete and detailed written description of an HDO's permissible disclosures and other information practices and a complete description of their information rights. Stronger options would allow individuals the right to revoke their authorization and, in any event, the authorization would be effective only for ... [Footnote 20] Notification is included as one of the recommendations of the IOM committee studying privacy and confidentiality protections in the genetics testing environment (IOM, 1993b)
From page 184...
... characteristics: · Individuals would receive a complete and detailed written description of an HDO's permissible disclosures and other information practices and a complete description of their information rights.
From page 185...
... Adopting a disclosure-oriented approach would also make most person-identifiable information available to third parties, as long as the user had a legitimate business purpose for accessing the information. Furthermore, under a disclosure-oriented policy HDOs would routinely make person-identifiable information available in response to subpoenas, other forms of compulsory process, or formal, voluntary requests from law enforcement or regulatory authorities.
From page 186...
... (The Uniform Act noted earlier takes a similar approach with respect to compulsory process.) Governance Options as an Approach to Privacy Protections Issues relating to the structure and governance of an HDO will be critical to both the substance and the appearance of privacy protection and, therefore, to the HDO's political acceptability.
From page 187...
... Because some of these have operated for some time, typical characteristics are worth reviewing here. Iowa, for example, created a health data commission as a "statewide health data clearinghouse for the acquisition, compilation, correlation, and dissemination of data from health care providers, the state Medicaid program, third-party payers, and other appropriate sources." The Iowa statute gave the commission authority to require providers, payers, and others to submit medical record information in a person-identifiable format to the commission.
From page 188...
... A legislative charter could serve at least nine purposes in the protection of privacy. First, a legislative charter could bring constitutional privacy protections to bear in some circumstances.
From page 189...
... Medical records may require secured (that is, encrypted) communication because the inherent value of the records is very high. Another option is the creation of a data integrity board.
From page 190...
... Congress move to enact preemptive legislation that will: · establish a uniform requirement for the assurance of confidentiality and protection of privacy rights for person-identifiable health data and specify a Code of Fair Health Information Practices that ensures a proper balance among required disclosures, use of data, and patient privacy;
From page 191...
... Arguments for Federal Legislation The committee concludes that federal preemptive legislation is required to establish uniform requirements for the preservation of confidentiality and protection of privacy rights for health data about individuals because health data, particularly in electronic form, will cross state boundaries when accessed and disclosed by an HDO. In general, the committee subscribes to the positions laid out in the WEDI report (1992)
From page 192...
... Uniform Requirements The committee has concluded that ensuring an appropriate balance between the protection of confidentiality of health data about individuals and disclosures of database information requires several important features in legislation or implementing regulations. The first is the inclusion and observance of selected fair information practices, such as those found in the Privacy Act of 1974. These practices, not yet available or understood in the health sector, are described in more detail in the following recommendation on data protection boards.
From page 193...
... To overcome this possible aversion to risk on the part of HDOs, the committee argues that compliance with requirements of any federal legislation in this area ought to be a straightforward and sufficient defense against legal actions based on charges of improper disclosure. In taking this position, however, the committee further stipulates its expectations that federal legislation will have strong privacy and confidentiality protections that meet, if not exceed, the usual provisions of fair information practices statutes or regulations.
From page 194...
... They should also adopt policies of resisting compliance with subpoenas or other forms of compulsory process, asserting all available privileges, and notifying record subjects of an access request so that subjects would have an opportunity to contest production of such data. Data Protection Units HDOs will need clear, enforceable, written organizational policies and procedures in several areas: patients' rights regarding their own data; how to protect medical information and materials; how to ensure the accuracy of data; and how to know they have gained compliance with their policies.
From page 195...
... Such policy boards and their formal policy statements should be in place before HDOs begin operations, and regardless of whether such policies are specified and enacted in federal preemptive legislation. Policies and procedures should explicitly deal with authorized and unauthorized access to and authorized and unauthorized release of information from HDO databases.
From page 196...
... HDOs should develop and promulgate strong internal policies and procedures concerning the protection of health information with policies on public disclosure of information and evaluation studies. The committee further advises that such policies, which it assumes will be set by the data protection boards, specifically address the following administrative points:
From page 197...
... Policies should cover topics such as types and sources of data over time, notice to individuals about the databases accessed by the HDO, and similar matters. As a broad principle, the committee believes that HDOs must draw on the Privacy Act of 1974 and its principles of Fair Information Practices.
From page 198...
... Information relating to an individual's exercise of First Amendment rights might be an example. HDOs should agree to collect personal information to the fullest extent possible directly from record subjects and their health care providers.
From page 199...
... In short, contractual protections are weak, so they should be used only as an adjunct to, and not as a substitute for, appropriate new federal legislation to protect the confidentiality of sensitive patient information held by HDOs. Routine blocking of sensitive data.
From page 200...
... , whether labeled that way or not. Overseeing Data Integrity HDO data protection boards would oversee safeguards to prevent health information from being disclosed to unauthorized recipients.
From page 201...
... Long-term success is likely to be predicated in part on their ability to protect confidentiality of personal health data, and the committee believes that they will therefore have to devote adequate resources to some form of data protection board. It may well be that monetary or human resources sufficient to maintain independent data protection and data integrity units will not be available; those resource allocation decisions, however, are best left to individual HDOs.
From page 202...
... The committee recommends, however, that a health database organization not release person-identifiable information in any other circumstances except the following:
· to other HDOs whose missions are compatible with and whose confidentiality and security protections are at least as stringent as their own;
· to individuals for information about themselves;
· to parents for information about a minor child except when such release is prohibited by law;
· to legal representatives of incompetent patients for information about the patient;
· to researchers with approval from their institution's properly constituted Institutional Review Board;
· to licensed practitioners with a need to know when treating patients in life-threatening situations who are unable to consent at the time care is rendered; and
· to licensed practitioners when treating patients in all other (nonlife-threatening)
From page 203...
... The following requirements, similar to those in the Uniform Health Care Information Act, are based on PPSC recommendations for medical record information consent forms. Patient consent must:
· be in writing or electronically provided in an acceptable manner;
· be signed or authorized electronically by the individual on a date specified;
· be clear about the entities being authorized to disclose information;
· be specific about the nature of the information to be disclosed;
· be specific as to the institutions or persons to whom the information may be disclosed;
· be specific about the purposes for which the information may be used, both at the time of the intended disclosure and at any future time; and
· be specific as to the date when the authorization expires.
From page 204...
... Current state laws regarding emancipated or mature minors do not consistently protect such information, and uniform federal legislation is desirable. The other important case involves legal representatives of incompetent patients.
From page 205...
... Alternatively, such requests might be considered as exceptions by the Data Protection Board on a case-by-case basis. The committee believes it will usually not be necessary for researchers to obtain consent from record subjects for access to person-identified or -identifiable material, but methods should be incorporated for protecting a record subject's privacy, including notification by the HDO of the uses that may be made of the records.
From page 206...
... situations, but only with the informed consent of the patient is the only case in which the committee has recommended the use of informed consent to release of person-identifiable information. Such a circumstance might occur when a treating physician wishes to access the HDO database in addition to the medical records he or she keeps.
From page 207...
... No access for law enforcement would be permissible through compulsory process (if prohibited by federal preemptive legislation)
From page 208...
... RESTRICTING EMPLOYER ACCESS The committee recommends that employers not be permitted to require receipt of an individual's data from a health database organization as a condition of employment or for the receipt of benefits. Special circumstances exist in the health sector of particular concern to the committee.
From page 209...
... To account for this, the committee advises that there be a clear and enforceable division of functions between employment and personnel decisions of an employer and the employer's health benefits administration and case management. In the absence of state or federal legislation limiting access and threatening liability, employers should at least promulgate and enforce such internal policies.
From page 210...
... Some could be so discriminatory or otherwise distasteful that they might well be proscribed by law. The committee notes that the privacy dimension of medical records, regional databases, and HDOs is not a matter that can be examined once and thereafter ignored.
From page 211...
... Looking well to the future, therefore, a Code of Fair Health Information Practices is likely to be necessary. It need not be exactly like the one in the federal Privacy Act; indeed, it would probably have additional provisions for controlling the use of health data.
From page 212...
... First, confidentiality is addressed by a recommendation for preemptive federal legislation that all health care data be confidential, protected as such, and access to it controlled. Second, the committee recommends the establishment of data protection and data integrity boards to provide oversight of security and access in HDOs.
From page 213...
... Fourth, to address privacy, the issue of access to personal information, the committee has made recommendations concerning who should and should not have access to person-identified information and under what circumstances.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.