Abstract
As health care moves from paper to electronic data collection, providing easier access and dissemination of health information, the development of guiding privacy, confidentiality, and security principles is necessary to help balance the protection of patients' privacy interests against appropriate information access. A comparative review and analysis was done, based on a compilation of privacy, confidentiality, and security principles from many sources. Principles derived from ten identified sources were compared with each of the compiled principles to assess support level, uniformity, and inconsistencies. Of 28 compiled principles, 23 were supported by at least 50 percent of the sources. Technology could address at least 12 of the principles. Notable consistencies among the principles could provide a basis for consensus for further legislative and organizational work. It is imperative that all participants in our health care system work actively toward a viable resolution of this information privacy debate.
Responding to the information needs in our health care system and a heightened public awareness of health information privacy, many organizations are struggling to develop principles addressing the privacy, confidentiality, and security of health information. Some of the many factors contributing to public awareness are the growth of managed care and integrated delivery systems, the increase in the number of entities and persons accessing health information for various reasons, and legislative developments such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1 HIPAA mandates the development of a national privacy law, security standards, and electronic transactions standards and provides penalties for standards violations and wrongful disclosures of health information. In addition, the Department of Health and Human Services' proposed rule on security and electronic signature standards (HCFA 0049-P) is also dependent on privacy policy decision making.2
Other contributing factors to this heightened awareness include the 1995 European Union's enactment of the Data Privacy Directive, which requires that all 15 European Union member states establish national privacy laws by October 1998. There is concern that this directive could limit data exchange between countries that do not have strong privacy protections in place, including the United States.3,4 Awareness of privacy issues has grown, too, with the increased use of technology in health care (e.g., electronic medical records), advancements in genetic testing, and news reports on the misuse of information, such as the sale by CVS and Giant of consumers' prescription information to a marketing company.5,6 In addition, the public is becoming aware of an inadequate legal environment, since no comprehensive federal law and only a patchwork of inconsistent state laws protect health information.7 This inadequacy can serve as an obstacle to health care providers and organizations when they transmit data electronically across state borders. Legal uncertainty also makes it difficult for consumers to be aware of and understand their privacy and confidentiality rights. However, a number of congressional8,9 and administrative10,11 initiatives may improve this environment.
The authors compiled a set of 28 independent draft principles on privacy, confidentiality, and security, which was primarily a consolidation of principles from numerous sources, as discussed below. These draft principles are summarized in ▶. The purpose of this paper is to provide a comparative analysis of the draft principles with those from ten identified sources, to serve as a guide in moving the discussion and development of a uniform set of principles forward. This paper also identifies those principles that technology can address and suggests ways technology can be utilized to help protect health information. It is the authors' purpose not to endorse the principles or detail potential conflicts among them, but rather to provide them as a means of generating further ideas and giving discussants parameters for decision making. We recommend that these principles be thoughtfully and thoroughly discussed in legislative, executive, and organizational settings and that exceptions as well as potential implications be determined. Any discussion of these principles must also take into account their potential interactions with other laws (such as ERISA) and local and state requirements, which are outside the scope of the paper. Last, discussions must also address the balance of sometimes competing needs—to protect privacy while ensuring access to information by those with a need to know.
Table 1.
Draft Principles on Privacy, Confidentiality, and Security
| 1. | Individuals have a right to the privacy and confidentiality of their health information. |
| 2. | Individuals have a right to access in a timely manner their health information. |
| 3. | Individuals have a right to copy, in a timely manner, their health information. |
| 4. | Individuals have a right to amend and/or correct their health information. |
| 5. | Individuals have the right to withhold their health information from electronic format including being stored, managed, or transmitted electronically. |
| 6. | Individuals have the right to segregate their health information from shared medical records. |
| 7. | Individuals have the right to the integrity of their health information. Entities and/or persons that create, maintain, use, transmit, collect, or disseminate individual health information shall be responsible for ensuring this integrity. |
| 8. | Individuals have a right to control the access and disclosure of their health information and to specify limitations on period of time and purpose of use. |
| 9. | Outside the doctor-patient (other health care provider) relationship, health information that makes a person identifiable shall not be disclosed without prior patient informed consent and/or authorization. |
| 10. | Informed consent and/or authorization for release of personal health information shall include identification of requester, declaration of purpose and boundaries, restriction of redisclosure, and explanation of potential harmful risks that could result from the release of this information. |
| 11. | Individuals harmed by the abuse or misuse of their health information shall be afforded individual redress through civil and criminal penalties. |
| 12. | Health care providers have the right to maintain private recordings of observations, opinions, and impressions whose release they consider could be potentially harmful to the well-being of the patient. They shall not disclose this information without due reflection on the impact of such release. |
| 13. | The obligation of health care providers to maintain confidentiality and privacy of medical records shall not be undermined by outside organizations such as insurers, suppliers, employers, or government agencies (i.e., forced disclosure without informed consent). |
| 14. | Personally identifiable information collected for one purpose shall not be used for another purpose without prior informed consent of the patient. |
| 15. | No secret databases shall exist. |
| 16. | No medical record demographics or other potential patient identifiers shall be sold, utilized for marketing purposes, or utilized for other commercial or financial gain without the prior informed consent of the individual. |
| 17. | Access to aggregate data shall be made available to support public health research and outcome studies as long as individuals are not and can not be reasonably identified. |
| 18. | Information gathered from available aggregate data shall not be used to the detriment of any individual in employment, access to care, rate setting, or insurability. |
| 19. | Access to health information shall be limited to that information necessary for the entity's or individual's legitimate need and/or purpose. |
| 20. | Insurers have the right to access only that health information deemed necessary for claims administration and/or claims resolution. |
| 21. | Employers have a right to collect and maintain health information about employees allowable or otherwise deemed necessary to comply with state and federal statutes (e.g., ERISA, drug testing, worker's compensation). However, employers shall not use this information for job or other employee benefit discrimination. |
| 22. | A warrant requirement shall exist for law enforcement to obtain health information. |
| 23. | Health information and/or medical records that make a person identifiable shall be maintained and transmitted in a secure environment. |
| 24. | An audit trail shall exist for medical records and be available to patients on request. |
| 25. | All entities involved with health care information have a responsibility to educate themselves, their staff, and consumers on issues related to these principles (e.g., consumers' privacy rights). |
| 26. | All entities with exposure or access to individual health information shall have security/privacy/confidentiality policies, procedures, and regulations (including sanctions) in place that support adherence to these principles. |
| 27. | Current and new technologies should be continually incorporated in the design of information systems to support the implementation of these principles and compliance with them. |
| 28. | Support for these principles needs to be at the federal level. |
Definitions
For this paper, the authors adopted the following definitions of privacy, confidentiality, and security:
Privacy: “The right of individuals to be left alone and to be protected against physical or psychological invasion or the misuse of their property. It includes freedom from intrusion or observation into one's private affairs, the right to maintain control over certain personal information, and the freedom to act without outside interference.”12
Confidential: The “status accorded to data or information indicating that it is sensitive for some reason, and therefore it needs to be protected against theft, disclosure, or improper use, or both, and must be disseminated only to authorized individuals or organizations with a need to know.”12
Data Security: “The result of effective data protection measures; the sum of measures that safeguard data and computer programs from undesired occurrences and exposure to accidental or intentional access or disclosure to unauthorized persons, or a combination thereof; accidental or malicious alteration; unauthorized copying; or loss by theft or destruction by hardware failures, software deficiencies, operating mistakes; physical damage by fire, water, smoke, excessive temperature, electrical failure or sabotage; or a combination thereof. Data security exists when data are protected from accidental or intentional disclosure to unauthorized persons and from unauthorized or accidental alteration.”12
System Security: “The totality of safeguards including hardware, software, personnel policies, information practice policies, disaster preparedness, and oversight of these components. Security protects both the system and the information contained within from unauthorized access from without and from misuse from within. Security enables the entity or system to protect the confidential information it stores from unauthorized access, disclosure, or misuse, thereby protecting the privacy of the individuals who are the subjects of the stored information.”12
Methodology
As members of the IEEE-USA Medical Technology Policy Committee, the authors began to consolidate these draft principles in September 1997 and drew on established principles from the following five sources: the Administration, Secretary of the Department of Health and Human Services (DHHS) Donna E. Shalala,10,11 the Koop Foundation (Koop),13 the National Research Council (NRC),7 the Center for Democracy and Technology (Center),14 and the Association of American Medical Colleges (AAMC).15 In March 1998, the authors revised the draft principles to incorporate language and principles from five additional sources: the Computer-based Patient Record Institute (CPRI),16 the American Society for Testing and Materials (ASTM),12 the draft Model Privacy Law of the National Association of Insurance Commissioners (NAIC),17 the Medical Privacy and Security Protection Act, introduced by Senators Patrick Leahy (D, Vt.) and Edward Kennedy (D, Mass.) (S.1368),9 and the discussion draft of the Medical Information Protection Act of 1998 (Bennett-Jeffords), written by Senators Robert Bennett (R, Utah) and James Jeffords (R, Vt.).8 Not all these sources had a set list of principles; therefore, the authors made interpretations based on the cited entities' materials.
These sources were obtained through a search that included personal contacts, congressional hearings, electronic files, and the Internet. The electronic files included the following DIALOG files: Health and Wellness Database (File 149), Information Access Company (IAC) Magazine Database (File 47), U.S. newspapers full text (File: PAPERS), Federal News Service (File 660), Bureau of National Affairs, Inc., Daily News from Washington (File 655), and IAC Newsearch (File 211). The titles and lead paragraphs of these articles (from the last two years) were searched for the following words: privacy or confidentiality or confidential (within five words of) patient or patients or record or records or medical or physician or physicians or doctor or doctors. The Internet search was done using the words security, privacy, confidentiality, and principles. In addition, references cited by the identified sources were reviewed for additional sources of principles. The authors recognize that there may be other entities with principles or position papers that our research did not disclose or that were developed after our initial research was done. In addition, the authors understand that legislation will be introduced after this initial research. However, the issues to be discussed and resolved should remain much the same, regardless of new legislation.
Comparative Review
▶ summarizes how principles of the ten sources compare with the draft principles to determine any gaps, consistencies, and inconsistencies. As detailed in the notes to that table, we analyzed the strength of support by the ten entities' principles, based on our interpretation of their language.
Table 2.
Comparison of Draft Principles and Other Sources
| Principles | DHHS | Koop | Center | AAMC | NAIC | S.1368 | Bennett-Jeffords | NRC | CPRI | ASTM |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | + | + | + | ≫ | + | + | + | ≫ | + | + |
| 2 | + | + | + | n | +(1) | + | +(2) | ≫ | + | +(3) |
| 3 | + | + | + | n | +(1) | + | +(2) | n | n | + |
| 4 | + | + | + | n | +(4) | + | + | n | + | + |
| 5 | n | +(5) | n | n | n | +(6) | n | n | n | n |
| 6 | n | ≫(7) | n | n | + | + | n | n | + | + |
| 7 | ≫ | ≫ | + | n | n | + | + | n | + | + |
| 8 | ≫ | + | + | n | ≫ | + | + | + | ≫ | + |
| 9 | +(8) | +(9) | +(10) | +(11) | +(12) | +(13) | +(14) | + | +(15) | +(16) |
| 10 | n | ≫(17) | +(17) | n | ≫(17) | +(17) | +(18) | +(17) | n | +(17) |
| 11 | +(19) | + | n | n | + | +(20) | +(21) | n | n(22) | +(23) |
| 12 | n | n | n | n | n | + | + | n | n | ≫(24) |
| 13 | n | n | n | + | n | n | n | n | n | n |
| 14 | ≫ | ≫ | + | n | ≫ | ≫ | + | n | n | + |
| 15 | n | +(25) | n | n | n | n | n | n | n | n |
| 16 | + | n | + | n | + | ≫ | ≫ | n | n | ≫ |
| 17 | + | + | ≫ | - | n | +(26) | +(27) | n | ≫ | n |
| 18 | ≫ | n | ≫ | ≫ | n | ≫ | ≫ | n | n | ≫ |
| 19 | ≫ | n | ≫ | n | n | + | + | + | + | + |
| 20 | ≫ | n | + | n | n | ≫ | ≫ | ≫ | ≫ | ≫ |
| 21 | + | ≫ | ≫ | n | ≫ | ≫ | ≫ | ≫ | ≫ | ≫ |
| 22 | - | + | n | n | n | + | +(28) | n | n | n |
| 23 | + | + | + | n | n | + | + | + | + | + |
| 24 | ≫ | +(29) | + | ≫(30) | n | +(31) | n(32) | + | ≫ | +(29) |
| 25 | + | +(33) | + | n | +(33) | +(34) | ≫(34) | + | + | + |
| 26 | + | + | + | + | + | + | + | + | + | + |
| 27 | ≫ | n | + | n | n | ≫ | ≫ | + | + | + |
| 28 |
+(35) |
+ |
n |
+(35) |
+(35) |
+(35) |
+(36) |
≫ |
n |
+ |
| Notes: Source entities are identified as follows: DHHS, the Secretary of the Department of Health and Human Services: Koop, the Koop Foundation; Center, the Center for Democracy and Technology; AAMC, the Association of American Medical Colleges; NAIC, the draft Model Privacy Law of the National Association of Insurance Commissioners; S.1368, the Medical Privacy and Security Protection Act; Bennett-Jeffords, the discussion draft of the Medical Information Protection Act of 1998; NRC, the National Research Council; CPRI, the Computer-based Patient Record Institute; ASTM, the American Society for Testing and Materials. | ||||||||||
| Support for principles is indicated as follows: A plus sign (+) indicates that the entity supports the principle; two arrows (≫), the entity supports the principle, based on the authors' understanding and analysis of the entities' materials; n, the entity does not address the principle; minus sign (-), the entity does not support the principle. | ||||||||||
| Exceptions are noted by a number in parentheses, as follows: (1) Except for fraud investigations, legal proceedings, quality assurance, and peer review activities. (2) Not required to permit the inspection or copying of protected health information if doing so would endanger life or safety or cause mental harm; if the source is confidential; or if the information was compiled in anticipation of litigation or for research purposes. (3) Access to all or part of the record can be denied by state law (e.g., if knowledge of the information would be injurious to the patient's health). (4) A limited right under certain circumstances. (5) Individuals can choose to have their data remain anonymous in the information data system. (6) Permits individual to indicate that protected health information shall not be transmitted outside the entity in a computerized, digital, optical, or other electronic format. (7) Supports withholding health information from electronic format and allows individuals to remain anonymous. (8) Except for public health research, quality care, fighting health fraud and abuse, fighting crime, and protecting the public health. (9) Except for research, quality assessment, and health reporting, but personal identifiers must be removed. (10) Except for emergencies and public policy decisions (e.g., disclose child abuse and gunshot wounds to local authorities). (11) Research on archival patient materials, whether linkable or not, should be permitted under a general informed consent mechanism, without necessarily requiring specific reconsent for each study in which archival materials may be used. (12) Except for law enforcement, subpoena, discovery request, and legitimate research. (13) Information can be disclosed to allay or remedy a threat of imminent physical or mental harm to an information subject; if there is an identifiable threat of serious injury or death to an identifiable individual or group and other requirements are met; for public health purposes, as long as there is a nexus between individual identity and threat of disease or death, and disclosure of individual identity would allow for the prevention of possible injury. (14) Except in emergency circumstances or for oversight (fraud and abuse), public health, and health research. (15) Except for the protection of public health as provided by law and other purposes required by law. (16) Unless otherwise permitted or directed by emergency or law (public health, law enforcement). (17) Does not include explanation of potential harmful risks that could result by releasing this information. (18) Does not include explanation of potential harmful risks that could result by releasing this information or restrictions of redisclosure. (19) Organizations are also afforded redress for violations of confidentiality. (20) Also permits debarment of health care providers, health researchers, health or life insurers, and schools and universities from receiving benefits from any federal health program. (21) Also permits debarment of health care providers, health researchers, health or life insurers, and schools and universities from receiving benefits under any federal health program. (22) Organizations should have a policy on penalties and sanctions for failure of entity or individual to comply with security procedures. (23) Only addresses civil sanctions, also allows organizations to bring civil suits. (24) As required by state law, e.g., for the safety of another person. (25) Citing elements of the Code of Fair Information Practices. (26) Circumstances when identifiers can be used: When an institutional review board has determined that such use is necessary, and adequate plans to protect identifiers are in place. Personal identifiers should not be used other than for research. (27) Unless the Institutional Review Board has determined that there is a health or research justification with an adequate plan to protect identifiers. (28) Allows for law enforcement access through low-level scrutiny as well, such as administrative summons; argument that this leaves door open for law enforcement to choose the path of least resistance. (29) Does not mention that patients have access to audit trail. (30) Audit functions mentioned in introductory text but not explicit in principles. (31) If using electronic records, entities must create an audit trail; otherwise, entities must keep a record of disclosures. (32) Requires keeping a record of disclosures. (33) Addresses educating consumers on privacy rights. (34) Mandates that a notice of information practices be provided to consumers, informing them of their rights under the law. (35) Floor-level protection. (36) Preemption. | ||||||||||
While reviewing the principles of the selected entities, it is important to take into account the specific purpose, charge, and perspective of each, to maintain objectivity (▶). For example, the NAIC, S.1368, and draft Bennett-Jeffords legislation are focused on protecting consumers; the Center's purpose is to help designers of health information systems incorporate privacy and security mechanisms; recommendations of DHHS stem from governmental concerns; the CPRI and ASTM security guidelines are meant to help organizations that utilize computer-based patient records; Koop focuses on public health policy; AAMC has an academic research focus; and NRC, under charge by the National Library of Medicine, has a research focus to evaluate practices that can be used to better protect electronic health information. These perspectives may indicate why some sources do support or address specific draft principles and some do not.
Table 3.
Source Analysis
| Source | Purpose | Entities Covered (Scope)* | Information Covered (Scope)† |
|---|---|---|---|
| DHHS | Protect privacy of individual identifiable health information and protect the inappropriate disclosure of medical records | Anyone who provides health care or pays for it or who receives health information from a provider or payer either with the authorization of patient or as authorized explicitly by the legislation (6) | Individually identifiable health information and medical records (paper, electronic, or other format) “if there is a reasonable basis to believe that the information can be used to identify an individual.” (6) |
| Koop | Provide public health policy perspective | Entire health care system; entities that collect, use, or disclose health information (5) | Health information (?) |
| Center | Assist designers of health care information systems in identifying and handling privacy and confidentiality concerns; assist policymakers as they evaluate and craft rules mandating strong enforceable privacy protections for sensitive health information | Health information systems (3) | Medical data; personal information: “data that identifies an individual or is reasonably likely to be used to identify an individual” (2) |
| AAMC | Encourage the responsible conduct of research and protect individuals from unauthorized release of their identified health and medical information (ensuring access to materials to support biomedical, behavioral, and health services research) | Organizations that deliver medical care or conduct biomedical, epidemiologic, or health services research (2) | Identified health and medical information (4) |
| NAIC | Establish standards that protect privacy rights of individuals regarding personal health information; establish standards that will not cripple the flow of useful information and will not impose prohibitive costs on insurance carriers and other entities under the jurisdiction of the state insurance departments; develop a Model Information Privacy Model Act for states to adopt for uniformity | All insurers (1) | Protected health information, which either identifies the individual who is the subject of that information or is information “with respect to which there is a reasonable basis to believe that the information could be used to identify the individual (4) |
| S.1368 | Protect privacy of protected health information, establish strong and effective mechanisms to protect against the unauthorized and inappropriate use of protected health information, provide individuals with the right to limit the use and disclosure of personally identifiable health information | Health care provider, health plan, health oversight agency, public health authority, employer, health researcher, law enforcement official, health or life insurer, school, university, or agent of any such individual or entity (6) | Protected health information: “any information, including genetic information, demographic information, and tissue samples collected from an individual, whether oral or recorded in any form or medium, that (a) is created or received by a health care provider, health researcher, health plan, health oversight agency, public health authority, employer, health or life insurer, school or university; and (b) (i) relates to the past, present, or future physical or mental health or condition of an individual (including individual cells and their components), the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (ii) (i) identifies an individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify an individual.” (6) |
| Bennett-Jeffords | Protect privacy and confidentiality of protected health information and establish strong and effective mechanisms to protect against the unauthorized and inappropriate use of protected health information; promote the efficiency and security of the health information infrastructure | Health care provider, health plan, health oversight agency; public health authority, employer, health or life insurer, health researcher, law enforcement official, school, or university (6) | Protected health information: “any information, including demographic information, which identifies such individual or with respect to which there is a reasonable basis to believe that the information can be used to identify such individual whether oral or recorded in any form or medium that (a) is created or received by a health care provider, health plan, health oversight agency, public health authority, employer, health or life insurer, school or university; and (b) (i) relates to the past, present, or future (i) physical or mental health or condition of an individual (including individual cells and their components); (ii) provision of health care to an individual; or (iii) payment for the provision of health care to an individual; and (ii) has been provided in an encrypted format together with a key and there is a reasonable basis to believe the key may be used to identify an individual, or that otherwise provides a method for decrypting the information” (6) |
| NRC | Assess (at the request of the National Library of Medicine) technical and organizational mechanisms currently used by health care organizations to protect the privacy and security of information systems in health care and to make recommendations and identify alternatives and areas for research | All organizations that handle patient-identifiable health care information, which should adopt the technical and organizational policies, practices, and procedures to protect such information; organizations that store, process, or collect health information, which should use software tools to help ensure that the information made available to users complies with their access privileges; health information systems (4) | Electronic health information, computer-based patient records (2) |
| CPRI | Protect patient and caregiver privacy and ensure information security | All bodies implementing and utilizing computer-based patient records (3) | All information created, maintained, and used by organizations utilizing computer-based patient records (2) |
| ASTM |
Provide guidelines and specifications on data security for health care information; focus of standard is the individual recipient of health care, but the standard also addresses the privacy and confidentiality interests of practitioners and providers; focus is on computer-based systems |
All organizations or individuals who possess or have access to identifiable health information and computer-based patient record systems and health information systems (4) |
Personally identifiable health information: health information that contains an individual's identifiers or a sufficient number of variables to allow identification of an individual (4) |
| Notes: DHHS indicates the Secretary of the Department of Health and Human Services: Koop, the Koop Foundation; Center, the Center for Democracy and Technology; AAMC, the Association of American Medical Colleges; NAIC, the draft Model Privacy Law of the National Association of Insurance Commissioners; S.1368, the Medical Privacy and Security Protection Act; Bennett-Jeffords, the discussion draft of the Medical Information Protection Act of 1998. | |||
| Notes: NRC indicates the National Research Council; CPRI, the Computer-based Patient Record Institute; ASTM, the American Society for Testing and Materials. | |||
The scope was assessed by an interpretation of the language and was scored on a scale from 6 (broad, i.e., anyone who provides, pays for, or receives information) to 1 (narrow, e.g., insurers).
The scope was assessed by an interpretation of the language and was scored on a scale from 6 (broad, e.g., identifiable information in paper, electronic, or other format) to 1 (narrow, e.g., computer-based patient record or electronic health information).
Discussion and Analysis
We found no uniform set of principles across these entities that combines privacy, security, and confidentiality considerations. This lack may be due to the differences in purpose of these entities and the scope of coverage of their principles. These various provisions are presented in ▶. These differences add to the difficulty of comparison and contribute to the complexities of establishing uniform principles. For example, the NAIC model privacy draft law applies to all insurers. In contrast, the Bennett-Jeffords draft and S.1368 legislation apply to a wide range of entities, including health plans, hospitals, and health and life insurers. The CPRI security guidelines apply to organizations that utilize computer-based patient records. In addition, each entity delineates what type of information (and its format) is covered and protected. For comparison, the principles of the CPRI and NRC apply to protecting electronic information and electronic records, and Koop states that it protects “health information” (it does not provide a detailed definition). An important finding is that seven of ten sources utilize the same words to describe the information to be protected—information that makes individuals “identifiable” or “reasonably identifiable.” This may indicate a possible consensus in the response to the public awareness for the need to safeguard health information from unauthorized disclosures and resultant discrimination.
We did find that many of the ten entities support specific draft principles, but they support them with exceptions. For example, eight entities support federal backing, but they differ on what type of pre-emption the law should have. If a federal law pre-empts state laws in such a way that no state may pass more protective laws, the term “floor-ceiling” pre-emption is used in the debate. A federal law that allows states to have more protective laws (such as protecting information about mental health and HIV diagnosis at a higher level than other health information), then the federal law is said to have a “floor” pre-emption. Bennett-Jeffords supports a floor—ceiling preemption, whereas DHHS, AAMC, NAIC, and S.1368 support the law as a floor. This is a notable and much debated distinction, as the NAIC reported concerns that health information regulations may be found in many places—insurance and probate codes, civil procedure codes, and public health laws. Therefore, the NAIC points out that it will be difficult to determine which laws in which subject areas will be pre-empted.17 Supporters of a floor-ceiling pre-emption argue for their approach because they view a floor pre-emption as leaving the door open for a continuing patchwork of state laws and thus not adequately addressing privacy concerns uniformly and completely. Advocates of floor pre-emption typically respond with support for allowing states to pass more protective laws in order to address and accommodate each state's unique needs.
Provisions regarding the ease with which law enforcement entities can access health information also differ. According to S.1368, Bennett-Jeffords, and Koop—but not DHHS—a warrant would be required. More specifically, Bennett-Jeffords supports the warrant requirement but also allows a less stringent legal proceeding for obtaining the warrant. The argument has been made that this could lead to law enforcement typically choosing the less stringent legal process.18 In addition, we found that many entities support individuals' rights to access their own information. However, most create exceptions, such as when a health care provider determines that an individual may be harmed by access to mental health information. Similarly, there is broad support for the principle requiring informed consent or authorization by the patient before information disclosure but, again, some sources specify exceptions to this requirement, such as in emergency situations, for public health purposes, and for reports of child abuse or gunshot wounds. While exceptions may be warranted, it is important to recognize their potential impact. For example, there may be so many exceptions for a principle that they de facto “swallow up” the principle's primary intention, which is to protect privacy.
Principles That Entities Consistently Support
Although many of these entities represent different views in the analysis, we did find a “top ten” (plus one) list of consistent principles across them. Again, it is important to take note of the exceptions and their potential impact on the total support for the principles. The principles that obtained the most support and their specific exceptions are as follows:
Individuals have a right to the privacy and confidentiality of their health information (Principle 1).
Outside the doctor-patient relationship, health information that makes a person identifiable shall not be disclosed without prior patient informed consent and / or authorization (Principle 9). Nine entities have exceptions to this principle, for allowing disclosure without prior informed consent or authorization, including emergencies, current legal and public health requirements, law enforcement, and research.
All entities with exposure or access to individual health information shall have security / privacy / confidentiality policies, procedures, and regulations (including sanctions) in place that support adherence to these principles (Principle 26).
Individuals have a right to access in a timely manner their health information (Principle 2). Three entities have exceptions to the right to access, for specific state law requirements or for the protection of an individual.
Individuals have a right to control the access and disclosure of their health information and to specify limitations on period of time and purpose of use (Principle 8).
Employers have a right to collect and maintain health information about employees allowable or otherwise deemed necessary to comply with state and federal statutes (e.g., ERISA, drug testing, worker's compensation). However, employers shall not use this information for job or other employee benefit discrimination (Principle 21).
All entities involved with health care information have a responsibility to educate themselves, their staff, and consumers on issues related to these principles (e.g., consumers' privacy rights) (Principle 25).
Individuals have a right to amend and/or correct their health information (Principle 4). One entity has an exception and refers to the exception as “under certain circumstances.”
Health information and/or medical records that make a person identifiable shall be maintained and transmitted in a secure environment (Principle 23).
An audit trail shall exist for medical records and be available to patients on request (Principle 24). Five entities support an audit trail but do not specifically mention that patients shall have access to it.
Support for these principles needs to be at the federal level (Principle 28). Five entities support this principle and then detail what that federal level should look like; four entities support a floor-level pre-emption, and one supports a floor-level pre-emption, and one supports a floor-ceiling pre-emption.
Principles with Limited Support
Our analysis found that there are three draft principles that garnered limited support among the ten entities. We recommend that entities at least consider addressing and discussing the following principles and their potential implications:
The obligation of health care providers to maintain confidentiality and privacy of medical records shall not be undermined by outside organizations such as insurers, suppliers, employers, or government agencies (i.e., forced disclosure without informed consent) (Principle 13).
No secret databases shall exist (Principle 15).
Individuals have the right to withhold their health information from electronic format, including being stored, managed, or transmitted electronically (Principle 5).
Principles That Technology Can Address
Technology exists to facilitate the application of and adherence to at least 11 of these proposed principles. Technology provides a means to easily access, collect, manage, and distribute data and provides security mechanisms to protect health information through audit trails, encryption, strengthened authorizations, access controls, and such.7 The principles and the subject areas that the technologic applications can address include the following:
Research. Technology can make personal health data anonymous, removing identifying details7 (Principle 17).
Access controls. Technology can help ensure the granting and restriction of access to those users with legitimate needs, by means of passwords, access codes, and other identifying mechanisms7,19 (Principles 1, 6, 8, 19, 20, 26, and 27).
Security in the maintenance and transmission of medical records. Technology provides mechanisms for utilizing encryption, firewalls, digital signatures, system backups, and other requirements to secure data (Principles 1, 7, 19, 23, 24, and 27).
Maintenance and presence of audit trails. Technology provides an electronic mechanism to track users, including details about information access, identity of the requester, the data and time of the request, the source and destination of the request, a descriptor of the information retrieved, and reason for access7 (Principles 24 and 27).
Aid in developing and maintaining proper security and policy procedures in organizations. Technology provides appropriate security mechanisms used for authentication such as passwords, digital signatures, biometrics, and access controls (Principles 19, 20, 26, and 27).
The need for new research and design of information systems to incorporate privacy, confidentiality, and security concerns. Technology is utilized to develop and implement tools to address these issues (Principle 27).
Technology cannot be relied on solely to protect health information. Privacy, confidentiality, and security policies, regulations, sanctions, and organizational procedures must also be established and enforced.
Summary
While obtaining, analyzing, and discussing the draft principles, the authors discovered two concepts that were not specifically addressed by these sources and that could be considered in the principles framework. The first concept evolved from discussion of the ease of law enforcement access to health information and the differential status and treatment accorded the attorney-client and doctor-patient relationships. The second concept developed from discussions of the importance of ensuring that there is no obstruction, either deliberate or unintentional, to obtaining health information. The authors contribute these concepts for others to consider when discussing guiding principles and their implications.
Privacy of communication in the doctor-patient relationship, including that documented in medical records, shall be afforded the same legal protection as attorney-client privilege.
No entity or individual shall hinder timely access, when appropriately authorized to a patient's health information.
Others may be able to identify significant gaps as well. We encourage further discussion to generate more ideas and concepts, to ensure a comprehensive approach.
Based on our analysis, the following are summary statements and recommendations for working toward resolving privacy, confidentiality, and security issues:
Health care providers should actively participate in the development of a uniform set of principles championing the rights of their patients and the doctor-patient relationship. Without establishing strong guidelines and enforcement mechanisms, health information may remain open to unauthorized access or disclosure that could have detrimental results.
There appears to be general consensus in the support of the draft principles, in that 23 out of the 28 principles have garnered the support of more than 50 percent of these ten sources. There are consistently supported principles (ten plus one) that can serve as a baseline consensus and guidance for Congress, other entities, and individuals to discuss and a reference as they move forward to develop security standards and national privacy legislation.
As important as the need to develop uniform privacy, confidentiality, and security principles is the need to establish clearly defined and uniform terms.
There is also a need to clearly delineate exceptions and to study the impact of these on each principle, to determine whether the exceptions in fact erode the principle. For example, a principle may state that information disclosure requires previous consent by the patient but provide for many exceptions, such as in emergency situations or as required by law. In reality, if there are too many exceptions, then the individual may only have a very limited right. In this comparative analysis, many of the entities' principles and guidelines were not explicit in their meanings, thus leaving much to interpretation. If consumer awareness and education of their privacy and confidentiality rights are a national priority, it is important that legislation, policies, and guidelines are clearly defined, understandable, and well researched.
The current legislation in Congress could more adequately incorporate the exploration and use of technology to protect health information. However, the use of specific technologies need not be mandated, given the rapidly changing and improving technology industry. Public awareness of health information privacy concerns has increased, and the public should be apprised that technology can address some of these concerns. Existing technology can help protect health information through the use of tools to grant and deny access privileges, maintain and transmit data in a secure manner, provide audit trails, and such. Technology is not a barrier to protecting health information; rather, unresolved policy issues are the obstacles.
It is important to note the differences and their potential implications of S.1368 and the draft Bennett-Jeffords legislation in Congress as compared to DHHS' because HIPAA mandates DHHS to promulgate national privacy legislation if Congress fails to enact legislation by August 1999.20
“No secret database shall exist” is an important principle, especially in light of the rapidly growing uses and capabilities of information technology. Only the Center for Democracy and Technology addressed this principle by referencing the Code of Fair Information Practices, which includes this statement.
Entities should consider including in their informed consent and authorization forms an explanation to the patient of the harmful risks that could result from the release of his or her information. Our research found that none of the ten entities explicitly incorporated this language into their consent and authorization forms. It would be helpful to research entities or states that have this language in their disclosure forms (e.g., Illinois) and find out about the impact of this inclusion.
Privacy, confidentiality, and security requirements should be defined and implemented in future health information systems in a cost-effective manner.
As important as utilizing the latest cost-effective technology is the establishment of organizational policies, procedures, sanctions, and training that ensure privacy, confidentiality, and security.
It is important to continue the work and collaboration by many organizations and Congress toward consensus on privacy, confidentiality, and security issues. For example, committee members from ASTM, CPRI, Health Level 7, and ASC X12N have already begun to coordinate data security standards for health care information.20
Educating the public about their privacy and confidentiality health information rights should be a priority. Maintaining the public's confidence that their health information is protected is necessary to preserve the trust in the doctor-patient relationship. It is reassuring and important to note that all entities except the AAMC specifically emphasize educating consumers of their rights with regard to health information. The S.1368 and Bennett-Jeffords legislation even mandate that entities provide a “notice of information practices” to consumers.
Conclusion
The privacy, confidentiality, and security of personal health information have been long-standing needs and concerns in our society, especially to health care providers and the public. Also important to the public, health care providers, and organizations is the legitimate need to access information to deliver quality health care. The increasing use of information technology in health care has heightened both of these needs as it has enabled easy access and exchange of vast amounts of information to more individuals and entities. In response to this changing health care environment, there is an urgent need to balance privacy and access and to proactively develop guiding principles, policies, and legislation to ensure that the information “near and dear” to the public—their sensitive and private health information—is protected now and in the future.
The authors are members of the Institute of Electrical and Electronics Engineers—USA Medical Technology Policy Commitee, which is working to identify the technologic requirements for ensuring the privacy, confidentiality, and security of health information.
References
- 1.Department of Health and Human Services. Office of the Assistant Secretary for Planning and Evaluation. Administrative simplification. ASPE Web site. Available at: < http://aspe.os.hhs.gov/admnsimp>. Accessed Feb 1998.
- 2.Federal Register, Aug 12, 1998;63(155):43241-80. Also, ASPE Web site. Available at: <http://aspe.os.hhs.gov/admnsimp/nprm/secnpm.txt>. Accessed Oct 8, 1998.
- 3.Legislation relating to the confidentiality of medical information. Hearings Before the Senate Labor and Human Resources Committee, Feb 26, 1998. (opening statement of James Jeffords, senator from Vermont).
- 4.Pasher VS: EU privacy law dangers cited. National Underwriter. Jan 12, 1998;102(2):1, 24. [Google Scholar]
- 5.Senate panel to study health privacy issue. Boston Globe. Feb 26, 1998:D2.
- 6.Pledger M. Patients worry about privacy, customers complain about telemarketing. The Plain Dealer. Feb 21, 1998: 1C.
- 7.Computer Science and Telecommunication Board. For the Record: Protecting Electronic Health Information. Washington, D.C.: National Academy Press, 1997. [PubMed]
- 8.Discussion draft of the Medical Information Protection Act of 1998, introduced by Senators Robert Bennett and James Jeffords. Document O:/BAI/BAI 98:273. Obtained from the office of Senator Bennett in Washington, D.C., Feb 1998.
- 9.The Medical Information Privacy and Security Act, S.1368, introduced by Senators Patrick J. Leahy and Edward M. Kennedy. Available at: <http://thomas.loc.gov/cgi-bin/query/C?c105:./temp/∼c105gQPqNe>. Accessed Mar 18, 1998.
- 10.Remarks on privacy and health care by Donna E. Shalala, Secretary of Health and Human Services, at the National Press Club, Washington, D.C., Jul 31, 1997. Department of Health and Human Services Web site. Available at: <http://www.hhs.gov/progorg/as1/testify>. Accessed Mar 10, 1998.
- 11. Testimony of Donna E. Shalala, Secretary of Health and Human Services, before the Senate Committee on Labor and Human Resources Committee, Sep 11, 1997. Department of Health and Human Services Web site. Available at: http://www.hhs.gov/progorg/as1/testify. Accessed Mar 10, 1998.
- 12.American Society for Testing and Materials Committee E31 on Healthcare Informatics, Subcommittee E31.17 on Privacy, Confidentiality, and Access. Standard guide for confidentiality, privacy, access, and data security principles for health information including computer-based patient records. Philadelphia, Pa.: ASTM, 1997:2. Publication no. E1869-97.
- 13.Koop Foundation. Privacy principles. Draft dated Feb 25, 1997. (Written communication from Deborah Rudolph, Manager, Technology Policy Council, IEEE-USA.)
- 14.Goldman J, Mulligan D. Privacy and Health Information Systems: A Guide to Protecting Patient Confidentiality. Washington, D.C.: The Center for Democracy and Technology, 1996.
- 15.Association of American Medical Colleges. Medical records and genetic privacy, health data security, patient privacy, and the use of archival patient materials in research. AAMC Web site. Available at: <http://aamcinfo.aamc.org/findinfo/privacy/start.htm>. Accessed Jan 14, 1998.
- 16.Computer-based Patient Record Institute. Security guidelines for organizations with computer-based patient record systems. CPRI Web site. Available at: <http://www.cpri.org/docs/policy.html>. Accessed Mar 18, 1998.
- 17.Legislation relating to the confidentiality of medical information. Hearings Before the Senate Labor and Human Resources Committee, Feb 26, 1998. (prepared testimony of Kathleen Sebelius, Commissioner of Insurance, National Association of Insurance Commissioners, Special Committee on Health Insurance).
- 18.Legislation relating to the confidentiality of medical information. Hearings Before the Senate Labor and Human Resources Committee, Feb 26, 1998. (prepared testimony of Janlori Goldman, Director, Health Privacy Project, Institute for Health Care Research and Policy, Georgetown University).
- 19.Morrissey J. Data security: as health care invests heavily in computer technology, confidentiality issues may be short-changed. Modern Healthcare. Sep 30, 1996:35-6.
- 20.Blair J. Standards bearers: the standardization of healthcare information gains momentum. Healthcare Informatics. Feb 1998:113-4, 120. [PubMed] [Google Scholar]