An Institute of Medicine (IOM) study committee has examined the potential that existing and emerging health database organizations offer in improving the health of individuals and the performance of the health care system. Health Data in the Information Age: Use, Disclosure, and Privacy advances recommendations related to the public disclosure of quality-of-care information and the protection of the confidentiality of personal health information. The emergence of health database organizations—whether through national health reform, state legislative initiatives, commercial ventures, or local business, medical, and hospital association coalitions—provides the impetus to explore how such assembled patient-level health care information can be used appropriately.
The desire to understand and improve the performance of the health system begets a need for better health data for several purposes: to assess the health of the public and patterns of illness and injury; identify unmet regional health needs; document patterns of health care expenditures on inappropriate, wasteful, or potentially harmful services; identify cost-effective care providers; and provide information to improve the quality of care in hospitals, practitioners' offices, clinics, and other health care settings.
This, in turn, motivates proposals for the creation and maintenance of comprehensive, population-based health care databases that can provide such information with ease and reliability. Considerable obstacles lie in the way of achieving these goals. Some relate to the content and structure of current health databases; others concern the difficulties and costs of creating and maintaining comprehensive databases. Furthermore, public health databases (e.g., those maintained by states) may themselves lack connections with one another. Other problems include the need to create longitudinal records to understand how patients fare "in the system as a whole"; the need to adjust for important characteristics about patients' sociodemographic circumstances or health status (risk and severity adjustment); and the need to have information on the health of the population as a whole, not just of those who use the health system. Finally, the need for information on both end results (the outcomes) of care as well as on the processes of care poses great challenges to database developers.
The current push for health care reform has made clear to many that the success of reform options—as well as the ability to assess the effect of a reformed system on the health of the public—depends on access to the kinds of data that too often are unavailable.
Finally, as the reasons for creating large health databases mount, so do the possibilities that such databases (or, more correctly, their users) will do harm to patients, providers (institutions, physicians, and others), payers (government, private insurers, and corporations), and the public at large. The balance between the advantages of such databases and their potential for harm, or at least unfairness, to some groups is not yet clear, and the question of whether and how such entities ought to evolve has not been explored.
Recently, diverse groups of researchers, business leaders, and policymakers at state and regional levels have begun to develop databases intended to overcome some of the problems cited above and to permit increasingly sophisticated analyses of community health needs, practice patterns, costs, and quality of care. The interests that have prompted such action cover a broad range: the need to control business costs attributable to health benefits, the desire to use technological and computer applications to decrease administrative costs of processing insurance claims, the wish of experienced health services researchers to exploit the potential of health databases to evaluate and improve health care, the responsibility of community leaders to plan expansion and contraction of health care facilities and services across the nation, and the need to transmit medical history information for an increasingly mobile population.
Coincident with these interests are the greatly enhanced electronic capabilities for data management in many aspects of daily life. Comprehensive computer-based health data files can be easily linked and information from those files moved instantaneously. Many observers believe that an unparalleled opportunity exists to apply computer technologies creatively to address many of the informational needs and data problems noted above. The report focuses on steps that might be taken to foster such action and progress through what the IOM committee terms health database organizations.
The committee uses health database organization (HDO) to refer to entities that have access to (and possibly control of) databases and a primary mission to publicly release data and the results of analyses done on the databases under their control. Although such entities do not yet exist, many are moving forcefully toward implementation. Prototypical HDOs have several characteristics; they
- operate under a single, common authority;
- acquire and maintain information from a wide variety of sources and put their databases to multiple uses;
- have files containing person-identified or person-identifiable data;
- serve a specific, defined geographic area;
- have inclusive population files;
- have comprehensive data with elements that include administrative, clinical, health status, and satisfaction information;
- manipulate data electronically; and
- support electronic access for real-time use.
For maximum accountability, protection, and control over access to person-identifiable data, HDOs will need an organizational structure, a corporate or legal existence, and a physical location. The value of HDOs and their databases might be said to be the timely provision of reliable and valid information to address all the major questions in health care delivery facing the nation today and in the coming years. The prospect of creating these entities has raised numerous issues, including (1) worries on the part of health care providers and clinicians about use or misuse of the information HDOs will compile and release, and (2) alarm on the part of consumers, patients, and their physicians about how well the privacy and confidentiality of personal health information will be guarded.
Institute of Medicine Study
In early 1992 the IOM appointed a study committee to address these issues. The project took place during the 18 months before the Clinton administration introduced its Health Security Act in the fall of 1993; it was neither designed nor intended to reflect specifics of that or any of the other health care reform proposals that were debated beginning in late 1993. The study committee consisted of 16 individuals with expertise in administration of medical centers and academic health centers, the practice of medicine, administration of large (nonhealth) corporations, health insurance, utilization management, use of large administrative and research databases for research purposes, consumer services, health and privacy law, ethics, data security, informatics, and state health data organizations. In addition to meeting with experts in these areas and reviewing the literature, the committee conducted five major site visits; it met with groups developing HDOs in business coalitions and other organizations, practicing physicians and representatives of local medical societies, insurers and third-party claims administrators, health maintenance organizations, consumers, hospital administrators and hospital associations, researchers, state and county health officials, employers, and computer system developers. At the conclusion of the study, the report underwent formal external review following the procedures of the National Research Council and the IOM.
The IOM committee took as a given that a variety of HDOs were being created and moving into operational phases and focused on two primary issues. The first is public release of descriptive and evaluative data on the costs, quality, and other attributes of health care institutions, practitioners, and other providers. The second involves the risks to and opportunities for protecting the privacy and confidentiality of data that do (or may) identify individuals in their role as patients or consumers, not as clinicians or providers.
Uses and Users of Information in HDOs
Chapter 2 examines users and uses of HDO data and issues related to data quality. The major users of HDOs include health care provider organizations and practitioners, patients, their families, community residents, academic and research organizations, payers and purchasers, employers, health agencies, and others. The committee emphasizes that HDOs ought not necessarily to satisfy all such claimants. It does acknowledge, however, that the mere existence of a database creates new demands for access and new users and uses. Consequently, those who establish health databases and HDOs may be creating something for which the end uses cannot always be anticipated. Large databases such as those maintained by HDOs will be dynamic; in the committee's view, policies regarding access to those databases should, therefore, be based on firm principles that are flexible enough to accommodate unavoidable changes and unanticipated uses.
A database is "a large collection of data in a computer, organized so that it can be expanded, updated, and retrieved rapidly for various uses." Although databases may eventually be linked (or linkable) to primary medical records held by health care practitioners, the report addresses databases composed of secondary records that are generated subsequent to the primary record or that are separate from any patient encounter. They are not intended to be the major source of information about specific patients for the treating physician. The committee was particularly interested in linked databases that have, at a minimum, two specific characteristics: (1) their linking involves movement of health data outside the care setting in which they have been generated and (2) they include person-identified or person-identifiable data.
Key Attributes of Databases
In reviewing the considerable variation in databases that might be accessed, controlled, or acquired by HDOs, the committee sought a simple way to characterize them by key attributes. It selected two critical dimensions of databases: comprehensiveness and inclusiveness.
Comprehensiveness. Comprehensiveness describes the completeness of records about patient care events. It refers to the amount of information one has on an individual both for each patient encounter with the health care system and for all of a patient's encounters over time.
Inclusiveness. Inclusiveness refers to which populations in a geographic area are included in a database. The more inclusive a database, the more it approaches coverage of 100 percent of the population that its developers intend to include. Databases that aim to provide information on the health of the community ought to have an enumeration of all residents of the community (e.g., metropolitan area, state) so that the information accurately reflects the entire population of the region, regardless of insurance category. Conversely, inclusiveness is reduced when membership is restricted to certain subgroups or when individuals expected to be in the database are missing.
Databases may be (and often are) designed to include only subsets of the entire population of a geographic area. The potential benefits of the database, however, will increase as the database moves toward being inclusive of the entire population of a defined geographic area.
Other Characteristics of Databases
The more comprehensive and inclusive they are, the more databases facilitate detailed and sophisticated uses. In turn, these attributes entail both greater anticipated benefits and possible harms. Factors determining the magnitude of either benefits or harms can depend on several properties of databases in addition to comprehensiveness and inclusiveness. Among the more important characteristics are linkage over time; the accuracy and completeness of data; whether the databases are under public- and private-sector control; and their origin (e.g., hospital discharge abstracts, self-completed questionnaires from patients, insurance claims, computer-based pharmacy files, computer-based patient records).
For purposes of this report, person-identified data contain pieces of information or facts that singly or collectively refer to one person and permit positive (or probable) identification of that individual. An obvious piece of identifying information is an individual's name. Other identifiers may be biometric, such as a fingerprint, a retinal print, or a DNA pattern. The committee uses person-identifiable to characterize information that definitely or probably can be said to refer to a specific person. It includes items of information (e.g., the fact of a physician visit on a given day) that will allow identification of an individual when combined with other facts (e.g., zip code of residence, date of birth, or gender); it is thus the more inclusive of the two terms. Concerns with person-identifiable data arise because of the ability of computers to combine and cross-match data in various databases. To render data non-person-identifiable, some data managers convert facts to a more general form before releasing those data to others.
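The linkage risk in this definition, and the ease of linking computer-based files noted earlier in the summary, can be made concrete with a small script. The following is an added example and not material from the IOM report: it links a constructed "de-identified" discharge file to a constructed public roster on zip code, date of birth, and sex, then applies the generalization step the committee mentions (zip to a 3-digit prefix, date of birth to birth year) and checks that no released combination of those fields is unique. The record layout, the field names, the roster, and the minimum-group-size threshold k are assumptions of the example, not terms or data from the report.

```python
"""
Added example (not from the IOM report). Shows how quasi-identifiers in a
"de-identified" file re-identify people when linked to a second file, and how
generalizing those fields before release reduces that exposure.
All records below are constructed for illustration.
"""
from collections import Counter

# Constructed "de-identified" hospital discharge abstracts: names removed, but
# zip, date of birth and sex are released at full precision.
DISCHARGES = [
    {"id": "D1", "zip": "02138", "dob": "1957-07-10", "sex": "F", "dx": "hypertension"},
    {"id": "D2", "zip": "02138", "dob": "1964-03-02", "sex": "M", "dx": "fracture"},
    {"id": "D3", "zip": "02139", "dob": "1957-07-10", "sex": "F", "dx": "asthma"},
    {"id": "D4", "zip": "02139", "dob": "1964-11-30", "sex": "M", "dx": "diabetes"},
    {"id": "D5", "zip": "02139", "dob": "1964-11-30", "sex": "M", "dx": "appendicitis"},
]

# Constructed public roster (e.g. a voter list) carrying names alongside the
# same three fields.
ROSTER = [
    {"name": "A. Adams", "zip": "02138", "dob": "1957-07-10", "sex": "F"},
    {"name": "B. Baker", "zip": "02138", "dob": "1964-03-02", "sex": "M"},
    {"name": "C. Clark", "zip": "02139", "dob": "1957-07-10", "sex": "F"},
    {"name": "D. Diaz",  "zip": "02139", "dob": "1964-11-30", "sex": "M"},
    {"name": "E. Evans", "zip": "02139", "dob": "1964-11-30", "sex": "M"},
]

QI = ("zip", "dob", "sex")  # quasi-identifier columns used for linkage (assumed)


def key(rec, fields=QI):
    """The tuple of quasi-identifier values a linker would join on."""
    return tuple(rec[f] for f in fields)


def link(discharges, roster):
    """Return {discharge id: name} for every discharge whose quasi-identifier
    combination matches exactly one roster entry (a positive identification).
    Combinations matching several roster entries are ambiguous and skipped."""
    by_key = {}
    for r in roster:
        by_key.setdefault(key(r), []).append(r["name"])
    hits = {}
    for d in discharges:
        names = by_key.get(key(d), [])
        if len(names) == 1:
            hits[d["id"]] = names[0]
    return hits


def generalize(rec):
    """Convert quasi-identifiers to a more general form before release:
    5-digit zip -> 3-digit prefix, full date of birth -> birth year."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3]
    out["dob"] = rec["dob"][:4]
    return out


def min_group_size(records, fields=QI):
    """Smallest number of records sharing one quasi-identifier combination.
    A value of 1 means some record is unique on those fields and exposed to
    exact linkage; k means every record hides among at least k others.
    (This k-style threshold is an assumption of the example, not a term the
    report uses.)"""
    counts = Counter(key(r, fields) for r in records)
    return min(counts.values())


def can_release(discharges, k):
    """True if, after generalization, every combination has at least k records."""
    return min_group_size([generalize(d) for d in discharges]) >= k


def release(discharges, k):
    """Generalize and return the records, refusing if any combination is too small."""
    if not can_release(discharges, k):
        raise ValueError("release blocked: a quasi-identifier combination is too rare")
    return [generalize(d) for d in discharges]


if __name__ == "__main__":
    print("re-identified by exact linkage:", link(DISCHARGES, ROSTER))
    print("min group before generalization:", min_group_size(DISCHARGES))
    gen = [generalize(d) for d in DISCHARGES]
    print("min group after generalization:", min_group_size(gen))
    print("linkage after generalization:", link(gen, [generalize(r) for r in ROSTER]))
```

Run as a script, the raw file yields three positive identifications (D4 and D5 escape only because two roster entries share their combination); after generalization no combination is unique, no exact linkage succeeds, and release passes at k = 2 but is refused at k = 3. Generalization is a coarse tool: it reduces uniqueness within the released file but says nothing about other external files an attacker might hold, which is why the committee pairs it with policy and access controls rather than relying on it alone.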
Throughout its discussions, the committee focused on regional databases—those that pertain to a defined population of individuals living in, or receiving health care in, some specifiable geographic area. Far-thinking experts envision a time when regional entities will be linked across the nation, even if their governance and operations remain close to home; this creates the very long-range view of a national health data repository (operated by either a single organization or a consortium of regional or state entities) as a federation of functionally linked databases from all regions of the country. Some proposed and developing HDO models are based on state legislation that requires submission of health data to a public agency. Other models are based on voluntary community cooperation and may be based on provider or local business coalitions.
Ensuring the Quality of Data
The real rewards from the development and operation of HDOs will depend heavily on the quality of their data, which must be reliable and valid for their intended purposes. Developers must ensure that the data in their systems are of high enough quality that analyses can be done in a credible, defensible manner. Success in meeting this responsibility will call for attention to the reliability, completeness, and accuracy of the data. Although the federal government may have to take the lead in standards development and improved coding systems, the committee urges HDOs to encourage and work toward national standards for coding and definitions for core data elements. Finally, the basic structure and content of these databases ought to be carefully designed from the beginning, but they must have sufficient capacity for expansion and change to accommodate the health care sector as it evolves in coming years.
To address these issues, the committee recommends that HDOs take responsibility for assuring data quality on an ongoing basis and, in particular, take affirmative steps to ensure: (1) the completeness and accuracy of the data in the databases for which they are responsible and (2) the validity of data for analytic purposes for which they are used (Recommendation 2.1, see Box S-1).
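One way an HDO could turn "affirmative steps" for completeness and accuracy into routine practice is an automated audit of every incoming batch before records are accepted for analysis. The following is an added example, not from the report or from any HDO: it runs completeness, code-validity, plausibility, and duplicate checks over a constructed set of discharge abstracts and computes a per-field completeness rate that a data-quality unit could publish alongside its analyses. The field names, the diagnosis code table, and the records are assumptions of the example.

```python
"""
Added example (not from the IOM report). Batch-level data quality checks an
HDO could run on incoming discharge abstracts. Field names, code table and
records are constructed for illustration.
"""
from datetime import date

REQUIRED = ("record_id", "provider_id", "sex", "dob", "admit", "discharge", "dx")
VALID_SEX = {"F", "M"}
# Constructed code table standing in for the national coding standard the
# committee urges HDOs to work toward.
VALID_DX = {"250", "401", "493", "540", "820"}

RECORDS = [
    {"record_id": "R1", "provider_id": "H01", "sex": "F", "dob": "1957-07-10",
     "admit": "1993-05-02", "discharge": "1993-05-05", "dx": "401"},
    {"record_id": "R2", "provider_id": "H01", "sex": "X", "dob": "1961-03-02",
     "admit": "1993-05-03", "discharge": "1993-05-04", "dx": "820"},  # bad sex code
    {"record_id": "R3", "provider_id": "H02", "sex": "M", "dob": "1964-11-30",
     "admit": "1993-05-07", "discharge": "1993-05-06", "dx": "540"},  # discharge before admit
    {"record_id": "R4", "provider_id": "H02", "sex": "M", "dob": "",
     "admit": "1993-05-08", "discharge": "1993-05-09", "dx": "999"},  # missing dob, unknown dx
    {"record_id": "R1", "provider_id": "H03", "sex": "F", "dob": "1950-01-01",
     "admit": "1993-05-10", "discharge": "1993-05-12", "dx": "250"},  # duplicate record id
]


def parse(iso_date):
    """Parse an ISO-8601 date string; raises ValueError on malformed input."""
    return date.fromisoformat(iso_date)


def check_record(rec):
    """Return the list of problems found in one record (empty list = clean).
    Checks completeness of required fields, validity of coded fields, and
    plausibility of dates relative to one another."""
    problems = []
    for f in REQUIRED:
        if not rec.get(f):
            problems.append(f"missing {f}")
    if rec.get("sex") and rec["sex"] not in VALID_SEX:
        problems.append("invalid sex code")
    if rec.get("dx") and rec["dx"] not in VALID_DX:
        problems.append("unknown dx code")
    try:
        admit = parse(rec["admit"]) if rec.get("admit") else None
        if admit and rec.get("discharge") and parse(rec["discharge"]) < admit:
            problems.append("discharge precedes admission")
        if admit and rec.get("dob") and parse(rec["dob"]) > admit:
            problems.append("born after admission")
    except ValueError:
        problems.append("unparseable date")
    return problems


def audit(records):
    """Check a batch. Returns a list of (position, record_id, problems) for
    every record with at least one problem; duplicate ids are detected at the
    batch level because a single record cannot reveal them."""
    findings = []
    seen = set()
    for i, rec in enumerate(records):
        rid = rec.get("record_id", "")
        problems = check_record(rec)
        if rid and rid in seen:
            problems.append("duplicate record_id")
        seen.add(rid)
        if problems:
            findings.append((i, rid, problems))
    return findings


def completeness(records, field):
    """Fraction of records in which a field is present: a figure an HDO can
    publish with its analyses, as the committee asks."""
    return sum(1 for r in records if r.get(field)) / len(records)


if __name__ == "__main__":
    for pos, rid, probs in audit(RECORDS):
        print(f"record {pos} ({rid}): {', '.join(probs)}")
    print("dob completeness:", completeness(RECORDS, "dob"))
```

Such a check catches only what its rules encode; a record can be complete and well formed yet still wrong, which is why the committee separates accuracy from completeness and asks for documented studies of variable accuracy rather than schema validation alone.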
The absence of sufficient clinical information in most databases today leads investigators to acquire needed information through manual abstraction of relevant information in hospital records, but this approach is costly and time-consuming. Some means are needed to obtain this information more directly from patient records. The best method of enhancing the comprehensiveness of HDO databases and the accuracy and completeness of data elements is to move toward a computer-based patient record (CPR). This is admittedly a daunting task. Accordingly, the committee recommends that HDOs support and contribute to regional and national efforts to create computer-based patient records (Recommendation 2.2) including the development and adoption of relevant standards.
BOX S-1 COMMITTEE RECOMMENDATIONS
RECOMMENDATION 2.1 ACCURACY AND COMPLETENESS
To address these issues, the committee recommends that health database organizations take responsibility for assuring data quality on an ongoing basis and, in particular, take affirmative steps to ensure: (1) the completeness and accuracy of the data in the databases for which they are responsible and (2) the validity of data for analytic purposes for which they are used.
Part 2 of this recommendation applies to analyses that HDOs conduct. They cannot, of course, police the validity of data when used by others for purposes over which the HDOs have no a priori control.
RECOMMENDATION 2.2 COMPUTER-BASED PATIENT RECORD
Accordingly, the committee recommends that health database organizations support and contribute to regional and national efforts to create computer-based patient records.
RECOMMENDATION 3.1 CONDUCTING PROVIDER-SPECIFIC EVALUATIONS
The committee recommends that health database organizations produce and make publicly available appropriate and timely summaries, analyses, and multivariate analyses of all or pertinent parts of their databases. More specifically, the committee recommends that health database organizations regularly produce and publish results of provider-specific evaluations of costs, quality, and effectiveness of care.
RECOMMENDATION 3.2 DESCRIBING ANALYTIC METHODS
The committee recommends that a health database organization report the following for any analysis it releases publicly:
RECOMMENDATION 3.3 MINIMIZING POTENTIAL HARM
The committee recommends that, to enhance the fairness and minimize the risk of unintended harm from the publication of evaluative studies that identify individual providers, each HDO should adhere to two principles as a standard procedure prior to publication: (1) to make available to and upon request supply to institutions, practitioners, or providers identified in an analysis all data required to perform an independent analysis, and to do so with reasonable time for such analysis prior to public release of the HDO results; and (2) to accompany publication of its own analyses with notice of the existence and availability of responsible challenges to, alternate analyses of, or explanation of the findings.
RECOMMENDATION 3.4 ADVOCACY OF DATA RELEASE: PROMOTING WIDE APPLICATIONS OF HEALTH-RELATED DATA
To foster the presumed benefits of widespread applications of HDO data, the committee recommends that health database organizations should release non-person-identifiable data upon request to other entities once those data are in analyzable form. This policy should include release to any organization that meets the following criteria:
The committee also recommends, as a related matter, that health database organizations make public their own policies governing the release of data.
RECOMMENDATION 4.1 PREEMPTIVE LEGISLATION
The committee recommends that the U.S. Congress move to enact preemptive legislation that will:
RECOMMENDATION 4.2 DATA PROTECTION UNITS
The committee recommends that health database organizations establish a responsible administrative unit or board to promulgate and implement information policies concerning the acquisition and dissemination of information and establish whatever administrative mechanism is required to implement these policies. Such an administrative unit or board should:
RECOMMENDATION 4.3 RELEASE OF PERSON-IDENTIFIED DATA
The committee recognizes that there must be release of patient-identified data related to the processing of health insurance claims. The committee recommends, however, that a health database organization not release person-identifiable information in any other circumstances except the following:
Otherwise, the committee recommends that health database organizations not authorize access to, or release of, information on individuals with or without informed consent.
RECOMMENDATION 4.4 RESTRICTING EMPLOYER ACCESS
The committee recommends that employers not be permitted to require receipt of an individual's data from a health database organization as a condition of employment or for the receipt of benefits.
Public Disclosure of Data on Health Care Providers and Practitioners
Chapter 3 examines public disclosure of data on health care practitioners and providers and presents recommendations about how HDOs can ensure that such analyses are fair to those identified and to the public.
HDOs are presumed to have two major capabilities. One is the ability to amass credible descriptive information and evaluative data on costs, quality, and cost-effectiveness for hospitals, physicians, and other health care facilities, agencies, and providers. The other is the capacity to analyze data to generate knowledge and then to make that knowledge available for purposes of controlling the costs and improving the quality of health care—that is, of obtaining value for health care dollars spent. The committee characterizes the activities that HDOs might pursue to accomplish these goals as public disclosure, defined as the timely communication, or publication and dissemination, of certain kinds of information to the public at large. The aims are to improve the public's understanding about health care issues generally and to help consumers select providers of health care.
The committee stance favoring public disclosure takes two forms. One is that the HDOs ought themselves to carry out some minimum number of consumer-oriented studies and analyses and publish them routinely. The other is that HDOs must make appropriate data available for others to use in such studies and analyses, where the expectation is that the results of such work will be publicly disclosed.
Acceptance of HDO activities and products relating to public disclosure over time will depend in part on the balance struck for fairness to patients, the public in general, payers, and health care providers. Fairness to patients involves protecting their privacy and the confidentiality of information about them. Fairness to the public involves distributing the accurate and reliable information needed to make informed decisions about providers and health care interventions. Finally, fairness to providers entails ensuring that data and analyses are reliable, valid, and impartial, giving providers some opportunity to confirm data and methods before information is released to the public, and finding some means of publishing their perspectives when it is released.
Key Factors in Public Disclosure
Public disclosure is acceptable only when it (1) involves information and analytic results that come from studies that have been well conducted, (2) is based on data that can be shown to be reliable and valid for the purposes at hand, and (3) is accompanied by appropriate educational material.
Several elements are crucial to successful public disclosure of health-related information. Among the more significant are topics of analysis (e.g., hospital-specific death rates) and who is identified in such releases (e.g., health plans, institutional providers, and individual practitioners). The full report explores these matters in some detail.
In the committee's view, disclosure of information about larger aggregations of health care providers, such as hospitals, will generally be less prone to cause undeserved losses of reputation, income, or career than disclosure of information on specific individual practitioners. The committee takes the position that public disclosure is a valuable goal to pursue, to the extent that it is carried out with due attention to accuracy and clarity and does not undermine the quality assurance and quality improvement (QA/QI) programs that health care institutions and organizations conduct internally.
Analyses and Disclosure of Results
The committee recommends that HDOs produce and make publicly available appropriate and timely summaries, analyses, and multivariate analyses of all or pertinent parts of their databases. More specifically, the committee recommends that HDOs regularly produce and publish results of provider-specific evaluations of costs, quality, and effectiveness of care (Recommendation 3.1).
The subjects of such analyses should include hospitals, health maintenance organizations, and other capitated systems; fee-for-service group practices of all sorts; physicians, dentists, podiatrists, nurse-practitioners, or other independent practitioners; long-term-care facilities; and other health providers on whom the HDOs maintain reliable and valid information.
The intended audience for publication or disclosure is the public, not simply member or sponsoring organizations. Some HDOs may be based in the private sector, operate chiefly for the benefit of for-profit entities, and have no connection with or mandate from states or the federal government. In these cases, the imperative to make information and analytic results available to the public on a broad scale is less clear. In the committee's view, however, the charters and bylaws of such HDOs ought to include firm commitments to conduct consumer-oriented studies, and where state legislation is used to establish HDOs or similar entities (e.g., data commissions), the enabling statutes themselves should contain such requirements. If public funds are used to support the development of HDOs, public release of analyses should be required as a condition of funding.
Describing Analytic Methods
The committee recommends that an HDO report the following for any analysis it releases publicly:
- general methods for ensuring completeness and accuracy of data;
- a description of the contents and the completeness of all data files and of the variables in each file used in the analyses;
- information documenting any study of the accuracy of variables used in the analyses (Recommendation 3.2).
The committee expects HDOs to accompany public disclosure of provider-specific information with clear descriptions of the database (including documentation of its completeness, accuracy, and data sources), of methods of risk adjustment, and of appropriate uses by the public, payers, and government of the data and analyses—including notice of those uses of data and analyses that are not valid.
Minimizing Potential Harms
The committee has taken a strong pro-disclosure stance toward comparative, evaluative data. Disclosure proponents assume that such studies will be done responsibly, and the public has every right to expect that to be the case. The committee sees some potential for harm in public release of comparative or evaluative studies on costs, quality, or other measures of health care delivery, however, and did not wish to rely solely on marketplace correctives; it believes that a more protective stance is needed. To enhance the fairness and minimize the risk of unintended harm from the publication of evaluative studies that identify individual providers, the committee recommends that each HDO should adhere to two principles as a standard procedure prior to publication: (1) to make available to and upon request supply to institutions, practitioners, or providers identified in an analysis all data required to perform an independent analysis, and to do so with reasonable time for such analysis prior to public release of the HDO results; and (2) to accompany publication of its own analyses with notice of the existence and availability of responsible challenges to, alternate analyses of, or explanations of the findings (Recommendation 3.3). Feedback from providers may reveal problems with data quality and study methods that HDOs would want to remedy. This set of recommendations reflects what might be regarded as a fairness doctrine.
HDOs might well serve as a major repository of data that will be accessible to other groups. To foster the presumed benefits of widespread applications of HDO data, the committee recommends that HDOs should release non-person-identifiable data upon request to other entities once those data are in analyzable form. This policy should include release to any organization that meets the following criteria:
- It has a public mission statement indicating that promoting public health or the release of information to the public is a major goal.
- It enforces explicit policies regarding protection of the confidentiality and integrity of data.
- It agrees not to publish, redisclose, or transfer the raw data to any other individual or organization.
- It agrees to disclose analyses in a public forum or publication.
The committee also recommends, as a related matter, that HDOs make public their own policies governing the release of data (Recommendation 3.4).
Strengthening Quality Assurance and Quality Improvement Programs Through Data Feedback
HDOs could help to improve the quality of health care through direct assistance to health care institutions, facilities, and clinical groups by making available to providers and practitioners the data for or results of evaluative studies of their services and those of their peers.
The committee assumed such an activity would occur chiefly as a part of or as an adjunct to a formal QA/QI process that providers and plans might conduct. Information on identified providers and individual clinicians would be made available to organizations' QA/QI programs so that they could take constructive action.
Some readers may think that a tension will exist between public disclosure and such feedback for internal use, but the committee believes that both will be important tools available to HDOs to improve quality and foster informed choices in health care. Thus, it voices support for both functions, in the belief that one activity does not—or at least need not—discredit the other and that effective combination strategies can be designed.
Confidentiality and Privacy of Personal Data
Chapter 4 of the IOM report examines privacy, confidentiality, and security of information about individuals or patients—what this committee refers to as person-identified or person-identifiable data.
Two somewhat distinct trends have led to increased access to the primary health record and subsequent concerns about privacy. One has to do with primary health records, however they are created and maintained, and the other involves health records stored electronically.
The increasing complexity of health care and the involvement of greater numbers of individuals in health care delivery has resulted in ever more people accessing the health record to deliver and document care. The primary health record serves many purposes beyond direct health care, and many parties external to the healing relationship seek person-identified information. Of particular concern is the confidentiality of health information that is stored electronically; the aggregation of information on individuals from diverse databases will make computer-based health data increasingly valuable and in need of protection from unauthorized access.
Existing ethical, legal, and other approaches to protecting confidentiality and privacy of personal health data offer some confidentiality safeguards, but major gaps and limitations remain. The committee's recommendations are intended to strengthen current protections for confidentiality and privacy of health-related data, particularly for information acquired by HDOs.
Privacy and Privacy Rights
The most general and common view of privacy conveys notions of withdrawal, seclusion, secrecy, or of being kept away from public view, but with no pejorative overtones. In public policy generally, and in health policy in particular, privacy takes on a special meaning, namely, that of informational privacy, "a state or condition of controlled access to personal information." Informational privacy is infringed, by definition, whenever another party has access to one's personal information by reading, listening, or using any of the other senses. Such loss of privacy may be entirely acceptable and intended by the individual, or it may be inadvertent, unacceptable, and even unknown to the individual.
This definition of privacy thus reflects two underlying notions. First, privacy in general and informational privacy in particular are always matters of degree. Rarely is anyone in a condition of complete physical or informational inaccessibility to others, nor would they wish to remain so. Second, although informational privacy may be valuable and deserving of protection, many thoughtful privacy advocates argue that it does not, in itself, have moral significance or inherent value.
Nonetheless, informational privacy has value for all in our society, and it accordingly has special claims on our attention. The most salient federal protections for privacy are the principles of fair information practices embodied in the Privacy Act of 1974. The act addresses the right to know about, challenge, control, and correct information about oneself in federal government databases.
No explicit right to privacy is guaranteed by the Constitution of the United States. The presumed right as the basis of a civil action is based on legal opinion written by Justice Louis D. Brandeis in 1890, and its constitutional status derives from various amendments to the Bill of Rights. The Constitution generally has not provided strong protection for the confidentiality of individual health care information; the constitutional protection for informational privacy is very limited and derived from case law interpreting the Constitution.
To assert a right is to make a special kind of claim. Rights designate some interests of the individual that are sufficiently important to hold others under a duty to promote and protect, sometimes even at the expense of maximizing or even achieving the social good. Two interests are widely cited as providing the moral justification for privacy rights: the individual's interest in autonomy and the instrumental value that privacy may have in promoting other valuable human goods.
Whether HDOs can achieve their potential for good in the face of their possible impact on privacy will likely turn on the interplay of three considerations. First, to what extent do HDOs provide important (and perhaps irreplaceable) health care benefits to the regions in which they operate, and perhaps to the nation? Second, how will adequate privacy safeguards be incorporated into the HDOs? Third, do the societal benefits resulting from the implementation of HDOs outweigh the privacy risks?
There cannot be much doubt that HDOs will serve legitimate societal interests. Nevertheless, because HDOs will represent one of the more comprehensive and sensitive automated personal record databases yet established, the system inevitably implicates interests protected by informational privacy principles.
Confidentiality relates to disclosure or nondisclosure of information. Historically, a duty to honor confidentiality has arisen with respect to information disclosed in the context of a relationship such as that between a physician and a patient. When one is concerned about data disclosure, whether or not any relationship exists between a data subject and a data holder, an essential construct is that of data confidentiality. It is the status accorded data indicating that they are protected and must be treated as such.
Exceptions to confidentiality requirements are widely acknowledged. Situations exist in which sensitive health information about individuals must be disclosed to third parties. Such reporting requirements are justified by society's need for information. Examples include mandatory reporting of communicable diseases and gunshot wounds. Physicians and other health professionals may also be required to divulge personal health information under legal "compulsory process," which may take the form of subpoenas or discovery requests enforced by court order.
The most important exception to the rule of confidentiality, however, is that of disclosure authorized by consent of a patient or a patient representative in the course of applying for insurance, employment, or reimbursement for medical claims. Such disclosure may or may not be justifiable and acceptable to patients. In such a case, however, consent cannot be truly voluntary or informed. Such authorizations are often not voluntary because the patient feels compelled to sign the authorization or forgo the benefit sought, and they are not informed because the patient cannot know in advance what information will be in the record, who will subsequently have access to it, or how it will be used. Although such consent procedures are a necessary adjunct to other autonomy protections, this committee generally does not regard these procedures as sufficient in themselves to protect sensitive information from inappropriate disclosure.
Legal and ethical confidentiality obligations are the same whether health records are kept on paper or computer-based media. Current laws, however, have significant weaknesses. First, and very important, the degree to which confidentiality is required under current law varies according to the holder of the information and the type of information held.
Second, legal obligations of confidentiality often vary widely within a single state and from state to state, making it difficult to ascertain the legal obligations that a given HDO will have, particularly if it operates in a multistate area. These state-by-state and intrastate variations and inconsistencies in privacy and confidentiality laws are well established among those knowledgeable about health care records law; they are worrisome because some HDOs will routinely transmit data across state lines.
Third, current laws offer individuals little real protection against redisclosure of their confidential health information to unauthorized recipients for a number of reasons. Once patients have consented to an initial disclosure of information (for example, to obtain insurance reimbursement), they have lost control of further disclosure. Information disclosed for one purpose may be used for unrelated purposes without the subject's knowledge or consent. Such redisclosure practices represent a yawning gap in confidentiality protection.
As a practical matter, policing redisclosure of one's personal health information is difficult and may be impossible. At a minimum, such policing requires substantial resources and commitment. With the use of computer and telecommunications networks, an individual may never discover that a particular disclosure has occurred, even though he or she suffers significant harm—such as inability to obtain employment, credit, housing, or insurance—as a result of such disclosure. Pursuing legal remedies may result in additional disclosure of the individual's private health information.
Further, federal law may preempt state confidentiality requirements or protections without imposing new ones. For example, the Employment Retirement Insurance Security Act (ERISA) preempts some state insurance laws with respect to employers' self-insured health plans, yet ERISA is silent on confidentiality obligations.
Last, enforcing rights through litigation is costly, and money damages may not provide adequate redress for the harm done by the improper disclosure.
In the context of health record information, confidentiality implies controlled access to and protection against unauthorized access to, modification of, or destruction of health data. In computer-based or computer-controlled systems, security is implemented when a defined system functions in a defined operational environment, serves a defined set of users, contains prescribed data and operational programs, has defined network connections and interactions with other systems, and incorporates safeguards to protect the system against a defined threat to the system, its resources, and its data.
Two consequences flow from defining data as sensitive and needing protection. First, those data must be made secure; second, access must be controlled. Access control can be operationalized by HDO planners and legislators in a form that this committee would term "information-use policy." It leads to policymaking about who may be allowed to use health-related information and how they may use it. It might also include consideration of whether some data should be collected at all.
In a study that focuses on the protection of health-related data about individuals, defining which items are health-related is more difficult than one might initially think. Any data element in medical records, and many data items from other records, could be considered either health-related or sensitive, or both. In considering the actions of HDOs, this committee proceeds from an assumption that all information concerning an individual and any transactions relating directly or indirectly to health care that HDOs access or maintain as databases must be regarded as potentially requiring privacy protections.
A National Identification System or Dossier
HDOs may be perceived as enabling the development of a national identification system or dossier. Privacy advocates can be expected to express acute concern about the potential for HDOs to be linked not only with one another, but, more importantly, with government databases and with other personal databases such as the financial, credit, and lifestyle databases maintained by consumer reporting agencies. The committee believes that HDO proponents should take every practicable step, including those recommended by the committee, to assure that HDOs will not contribute to the development of a national identification database.
Personal Identifiers and the Social Security Number
The personal identifier (ID) that is used in an HDO to "label" each of the individuals on whom it keeps data is a crucial issue. It not only is related to past practices, but it will also be strongly influenced, if not mandated, by the health care reform actions now under way in the nation.
An "Ideal" Identifier
The choice of a personal ID that is satisfactory for the operational needs of health care delivery but at the same time assures the confidentiality of medical data and the privacy of individuals is neither easy nor casual. An ideal identifier would meet the requirements described in detail in the report. Superficially, the choice would be the Social Security number (SSN), Medicare number, or something similar simply because people are accustomed to using them, systems are used to handling them, and the government would bear the burden of administering the enumeration system and the cost of assigning new numbers. The SSN has many faults, however, that are familiar to researchers and privacy experts. Perhaps the most salient of these is that if the SSN were to become the ID for health care delivery, linkage of medical records to all the other databases would become easy.
The most problematic objection to the SSN as a medical ID is that it has no legal protection, and because its use is so widespread, there is no chance of retroactively giving it such protection. As a data element, it is not characterized by law as confidential; hence, organizations holding it are under no legal requirement to protect it or to limit the ways in which it is used. Its use is for all practical purposes unconstrained, and this makes the risk of commingling health data with all other forms of personal data and an individual's actions extremely high. Major privacy risks arise when medical information is used in decisions unrelated to health care, such as employment, promotion, and eligibility for insurance or other benefits. Further, access by unauthorized users would be very much simpler because the SSN is so readily available.
Relevance to HDOs of Existing Laws on Confidentiality and Privacy
The committee examined existing law—constitutional, statutory, and common law—for its relevance to HDOs and its adequacy for protecting patient privacy and confidentiality. The committee also examined the way these laws might affect the design, establishment, and operation of HDOs.
It concludes that most of this body of law is unlikely to apply to HDOs. With the exception of laws that regulate certain information considered sensitive, existing laws regulate recordkeepers and their recordkeeping practices; they do not regulate on the basis of either the content or the subject matter of a record.
Recommendations Regarding Protection of Patient and Person-identifiable Data
Given (1) the unprecedented comprehensiveness and inclusiveness of information expected to be in HDO databases, (2) the generally scanty and inconsistent legal protections across geopolitical jurisdictions, and (3) the current public interest in and concern about privacy protections, the committee believes that HDOs have both an obligation and an opportunity to fashion well-delineated privacy protection programs that will also foster the realization of HDO goals. Some of these protections, such as the establishment of data protection boards and organizational policies regarding security and access control, can be implemented in the short term. Others, such as passage of federal preemptive legislation, will likely require longer-term efforts.
The committee recommends that the U.S. Congress move to enact preemptive legislation that will:
- establish a uniform requirement for the assurance of confidentiality and protection of privacy rights for person-identifiable health data and specify a Code of Fair Health Information Practices that ensures a proper balance among required disclosures, use of data, and patient privacy;
- impose penalties for violations of the act, including civil damages, equitable remedies, and attorney's fees where appropriate;
- provide for enforcement by the government and permit private aggrieved parties to sue;
- establish that compliance with the act's requirements would be a defense to legal actions based on charges of improper disclosure; and
- exempt health database organizations from public health reporting laws and compulsory process with respect to person-identifiable health data except for compulsory process initiated by record subjects (Recommendation 4.1).
In the last item, the committee believes that both processes—public health reporting and responding to compulsory process such as subpoenas—should remain the responsibility of the provider, as is now the case.
The committee concludes that federal preemptive legislation is required to establish uniform requirements for the preservation of confidentiality and protection of privacy rights for health data about individuals. It further advises that Congress enact such legislation, including a Code of Fair Health Information Practices, as soon as possible. At a minimum, federal legislation should establish a floor and allow states or HDOs to implement more stringent standards so that state-imposed safeguards are not weakened.
Although current state protections often apply duties of confidentiality to the recordkeeper (e.g., the hospital), such protection is no longer in effect once the data have left the recordkeeper's control. This means that health data can be deprived of legal protection unless such protection is specified by another law; furthermore, such protection is likely to be left to the discretion of organizations or individuals who acquire such information as secondary data. That is little shelter indeed. Therefore, legislation should clearly establish that the confidentiality of person-identifiable data is a property afforded to the data elements themselves, regardless of who holds those data. Proper preemptive legislation should also provide for enforcement by government officials and aggrieved private parties. It should also impose penalties for violations of the act. It will be important that the legislation clarify whether individuals have standing to bring suit.
Federal legislation can be expected to encourage standard setting in such areas as connectivity and transmissions standards. Standard setting is a major obstacle to the development of automated medical records and will be no less a problem for HDOs. Thus, the committee sees the route of federal legislation as one more mechanism for addressing this problem for all computer-based systems that deal with health data.
Data Protection Units
HDOs will need clear and enforceable, written organizational policies and procedures in several areas: informing patients of their rights regarding their own data; protecting medical information and materials; ensuring the accuracy of data; and verifying compliance with their policies. Members of the public should be able to request and receive clearly written materials describing these policies. Although precise policies cannot be written to cover every eventuality, they must be broad enough to address the most common situations, such as types of data and potential requestors. Organizations should also make considerable efforts to educate (and reeducate) staff, the public, and potential requestors about these policies. Thus, the committee recommends that HDOs establish a responsible administrative unit or board to promulgate information policies concerning the acquisition and dissemination of information and to establish whatever administrative mechanism is required to implement these policies. Such an administrative unit or board specifically should:
- promulgate and implement policies concerning data protection and analyses based on such data;
- develop and implement policies that protect the confidentiality of all person-identifiable information, consistent with other policies of the organization and relevant state and federal law;
- develop and disseminate educational materials for the general public that will describe in understandable terms the analyses and their interpretation of the rights and responsibilities of individuals and the protections accorded their data by the organization;
- develop and implement security practices in the manual and automated data processing and storage systems of the organization; and
- develop and implement a comprehensive employee training program that includes instruction concerning the protection of person-identifiable data (Recommendation 4.2).
The commitment to protection of confidentiality of the governing body and executives of the HDO will be critical, and these objectives should be written into the organization's bylaws. The committee strongly advises that HDO policy boards include in their policies and procedures fair health information practices. Any HDO should consider these practices as the foundation of its privacy framework and depart from them only after careful consideration and explanation.
Legislation and organizational policies have sometimes distinguished among levels of sensitivity of various elements of health-related data, based on the belief that it is possible to identify categories of data that warrant special protection. Despite precedent for adopting such a stance, this committee has decided otherwise. It has concluded that a given data element cannot always be designated reliably as inherently sensitive; rather, the sensitivity of data depends on the kinds of harm to which individuals are or believe themselves to be vulnerable if the information were known to others. Such assessments could differ dramatically from one person to another, one circumstance to another, one place to another, and over time as cultural attitudes change. Rather than recommending special protections for certain categories of data, the committee prefers that all data accessed by HDOs be afforded stringent, and essentially equal, protection.
Release of Person-Identified Data
Policies Relating to Access and Disclosure
Clearly, the question of who outside the HDO has access to what data, and under what circumstances, is supremely important and is the essence of the privacy issue from the patient's point of view. The committee takes up these matters in a series of recommendations (presented below) that refer to person-identified or person-identifiable information only. As discussed earlier in this summary, the committee recommends release and disclosure of non-person-identifiable information that protects patient identity but that provides reliable, valid, timely, and useful descriptive and evaluative information on a full range of health care providers and clinicians.
The committee recognizes that there must be release of patient-identified data related to the processing of health insurance claims. The committee recommends, however, that a health database organization not release person-identifiable information in other circumstances except the following:
- to other HDOs whose missions are compatible with and whose confidentiality and security protections are at least as stringent as their own;
- to individuals for information about themselves;
- to parents for information about a minor child except when such release is prohibited by law;
- to legal representatives of incompetent patients for information about the patient;
- to researchers with approval from their institution's properly constituted Institutional Review Board;
- to licensed practitioners with a need to know when treating patients in life-threatening situations who are unable to consent at the time care is rendered; and
- to licensed practitioners when treating patients in all other (non-life-threatening) situations, but only with the informed consent of the patient.
Otherwise, the committee recommends that health database organizations not authorize access to, or release of, person-identifiable information with or without informed consent (Recommendation 4.3).
In the last item, the committee has specifically recommended that consent for access to the database be a necessary and sufficient condition in only one circumstance: when needed by the treating practitioner in a non-life-threatening situation. In such a situation it will be important that specific consent mechanisms be in place. Otherwise, the committee believes that informed consent should not be required for release of person-identifiable information in the six situations described below.
First, HDOs will need to acquire information about out-of-area care provided to persons in their databases and should be able to do so. Second, HDOs also ought to release person-identifiable data without requiring consent when individuals seek information about themselves. The third and fourth cases above reflect the need to care for minors and persons who are legally incompetent to give consent for themselves.
The fifth case concerns researchers with approval from relevant human subjects committees or institutional review boards (IRBs). In this case, person-identified information is not being sought by a patient or for care of a patient, but to conduct studies that are regarded as being in the public's interest. Such uses of the databases are considered by this committee to be central and vital to the effective implementation of HDOs.
The sixth case involves licensed practitioners with a need to know when treating patients in life-threatening situations; the committee believes they also ought to be able to access data about a patient. This requires that the patient be unable to consent at the time care is rendered.
The seventh case—the release of data to licensed practitioners when treating patients in all other (non-life-threatening) situations, but only with the informed consent of the patient—is the only case in which the committee has recommended the use of informed consent to release of person-identifiable information. Such a circumstance might occur when a treating physician wishes to access the HDO database in addition to the medical records he or she keeps. For example, information on medications prescribed by other practitioners might be pertinent. In such cases, the treating practitioner should obtain explicit consent of the patient. As discussed earlier, consent might be given electronically and might be time limited.
Finally, the committee recommends above that HDOs not authorize access to or release of health information on individuals with or without the informed consent of the individual in any situation or to any requestor other than those stated above. To ensure that individuals (i.e., patients, parents of minor children, or patients' legal representatives) are not placed in an untenable situation concerning release of information, the committee has opted for a position that does not rely on consent procedures insofar as most uses or disclosures of data are concerned. It prefers to rely on stringent policies against disclosure or release of personal information on individuals. The consent procedures described in this recommendation are for release of information by the HDO. Patients will always be able to consent to release of information directly by each of their care providers.
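Recommendation 4.3 reads naturally as a policy-as-code decision: a fixed set of permitted requester classes, each with its own precondition, and informed consent decisive in exactly one branch. The following is an added illustration, not code from the report or from any HDO; the request fields, the `Requester` classes and the `Decision` type are assumptions chosen to mirror the seven cases above, and the employer rule from Recommendation 4.4 is folded in.

```python
"""Policy-as-code rendering of the HDO release rules in Recommendation 4.3
(plus the employer rule of Recommendation 4.4). Constructed example: the
field names, enum values and Decision type are assumptions, not a standard."""
from dataclasses import dataclass
from enum import Enum


class Requester(Enum):
    OTHER_HDO = "other_hdo"
    DATA_SUBJECT = "data_subject"        # already authenticated as the subject
    PARENT = "parent"
    LEGAL_REPRESENTATIVE = "legal_representative"
    RESEARCHER = "researcher"
    PRACTITIONER = "practitioner"
    EMPLOYER = "employer"
    OTHER = "other"


@dataclass
class ReleaseRequest:
    requester: Requester
    person_identifiable: bool = True
    claims_processing: bool = False          # health insurance claim handling
    # case 1: another HDO
    mission_compatible: bool = False
    protections_at_least_as_stringent: bool = False
    # cases 3 and 4: parent of a minor, representative of an incompetent patient
    subject_is_minor: bool = False
    release_to_parent_prohibited_by_law: bool = False
    subject_legally_incompetent: bool = False
    # case 5: research
    irb_approved: bool = False
    # cases 6 and 7: treating practitioner
    treating_patient: bool = False
    life_threatening: bool = False
    patient_able_to_consent: bool = True
    informed_consent: bool = False           # decisive only in case 7


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide_release(req: ReleaseRequest) -> Decision:
    """Allow only the enumerated cases; consent never widens the list."""
    r = req.requester
    if not req.person_identifiable:
        return Decision(True, "non-person-identifiable data: outside Rec. 4.3")
    if r == Requester.EMPLOYER:
        # Rec. 4.4: an employer may not require the data, so consent cannot cure it
        return Decision(False, "employer access refused regardless of consent")
    if req.claims_processing:
        return Decision(True, "release required to process health insurance claims")
    if r == Requester.OTHER_HDO:
        if req.mission_compatible and req.protections_at_least_as_stringent:
            return Decision(True, "compatible HDO with protections at least as stringent")
        return Decision(False, "HDO mission or protections not shown to be adequate")
    if r == Requester.DATA_SUBJECT:
        return Decision(True, "individual requesting information about themselves")
    if r == Requester.PARENT:
        if req.subject_is_minor and not req.release_to_parent_prohibited_by_law:
            return Decision(True, "parent of a minor child")
        return Decision(False, "subject not a minor, or release prohibited by law")
    if r == Requester.LEGAL_REPRESENTATIVE:
        if req.subject_legally_incompetent:
            return Decision(True, "legal representative of an incompetent patient")
        return Decision(False, "subject is competent; representative has no standing")
    if r == Requester.RESEARCHER:
        if req.irb_approved:
            return Decision(True, "research approved by an Institutional Review Board")
        return Decision(False, "no IRB approval; patient consent does not substitute")
    if r == Requester.PRACTITIONER and req.treating_patient:
        if req.life_threatening and not req.patient_able_to_consent:
            return Decision(True, "life-threatening situation, patient unable to consent")
        # "all other" treatment situations: informed consent is necessary and sufficient
        if req.informed_consent:
            return Decision(True, "treating practitioner with the patient's informed consent")
        return Decision(False, "treatment situation requires the patient's informed consent")
    return Decision(False, "requester not listed in Rec. 4.3; consent does not authorize release")
```

Note that a request from a researcher without IRB approval, or from any requester outside the list, is refused even when `informed_consent` is set, which is the point the committee makes about not relying on consent procedures.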
Special circumstances exist in the health sector that are of particular concern to the committee. One involves the current practice of extensive exchange of medical information between employer and payer with little control by providers or patients. This practice has dramatic implications for patients whose information is accessed by an HDO if the employer and payer are readily able to tap into data in the network. Such exchanges of information could be especially harmful to patients because the information exchanged could cover all encounters the patient has with the health care system (not just those covered by insurance or by the employer's health plan). The committee acknowledges the danger and inappropriateness of these practices and regards them as sufficiently worrisome that it recommends that employers not be permitted to require receipt of an individual's data from a health database organization as a condition of employment or for the receipt of benefits (Recommendation 4.4).
The committee believes that unique individual person-identifiers are essential to facilitate the efficient operation and data interchange of HDOs. The committee also recognizes that there are strong arguments against the SSN being used as the unique identifier. The great majority of the committee agreed on the need for a new unique identifier on the grounds that the SSN offers too many opportunities to breach confidentiality. The creation of a new number would (1) permit legislative protection of that number, (2) offer the possibility of providing greater protection for health information than is possible with the SSN, and (3) likely occur at the time of implementation of universal health care coverage, which will, if enacted, require some scheme for unique identification.
Little is yet known about how HDOs will function, what their likely benefits will be, or how they will evolve over time. In emphasizing the use of aggregated health information, the Clinton Administration's health reform proposal has put the issue of confidentiality squarely on the agenda. What is not known is which uses of health care information will be acceptable and will wisely serve the needs of society. Moreover, new uses for and users of data will emerge, some raising new threats to privacy. Accordingly, the privacy dimension of health care information is dynamic and should be revisited from time to time.
Regional HDOs hold tremendous promise for evaluating and improving health care and implementing effective new ways to protect health information. Although the great public benefit may be easily understood, the potential for harm or lack of fairness may create concern and fear in many. To gain public support for the vision advanced in this report—and to ensure the best public use of the health-related information that will be released—HDOs, government agencies, and public- and private-sector institutions must implement carefully planned strategies for fairness and privacy protection and educate the public, health care providers, policymakers, and patients about these protections. This report is intended to be an early step in that educational and public policymaking process.