1999 Mar-Apr;6(2):122–133. doi: 10.1136/jamia.1999.0060122

Table 3.

Source Analysis

| Source | Purpose | Entities Covered (Scope)* | Information Covered (Scope) |
| --- | --- | --- | --- |
| DHHS | Protect privacy of individual identifiable health information and protect the inappropriate disclosure of medical records | Anyone who provides health care or pays for it or who receives health information from a provider or payer either with the authorization of patient or as authorized explicitly by the legislation (6) | Individually identifiable health information and medical records (paper, electronic, or other format) “if there is a reasonable basis to believe that the information can be used to identify an individual.” (6) |
| Koop | Provide public health policy perspective | Entire health care system; entities that collect, use, or disclose health information (5) | Health information (?) |
| Center | Assist designers of health care information systems in identifying and handling privacy and confidentiality concerns; assist policymakers as they evaluate and craft rules mandating strong enforceable privacy protections for sensitive health information | Health information systems (3) | Medical data; personal information: “data that identifies an individual or is reasonably likely to be used to identify an individual” (2) |
| AAMC | Encourage the responsible conduct of research and protect individuals from unauthorized release of their identified health and medical information (ensuring access to materials to support biomedical, behavioral, and health services research) | Organizations that deliver medical care or conduct biomedical, epidemiologic, or health services research (2) | Identified health and medical information (4) |
| NAIC | Establish standards that protect privacy rights of individuals regarding personal health information; establish standards that will not cripple the flow of useful information and will not impose prohibitive costs on insurance carriers and other entities under the jurisdiction of the state insurance departments; develop a Model Information Privacy Model Act for states to adopt for uniformity | All insurers (1) | Protected health information, which either identifies the individual who is the subject of that information or is information “with respect to which there is a reasonable basis to believe that the information could be used to identify the individual” (4) |
| S.1368 | Protect privacy of protected health information, establish strong and effective mechanisms to protect against the unauthorized and inappropriate use of protected health information, provide individuals with the right to limit the use and disclosure of personally identifiable health information | Health care provider, health plan, health oversight agency, public health authority, employer, health researcher, law enforcement official, health or life insurer, school, university, or agent of any such individual or entity (6) | Protected health information: “any information, including genetic information, demographic information, and tissue samples collected from an individual, whether oral or recorded in any form or medium, that (a) is created or received by a health care provider, health researcher, health plan, health oversight agency, public health authority, employer, health or life insurer, school or university; and (b) (i) relates to the past, present, or future physical or mental health or condition of an individual (including individual cells and their components), the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (ii) (i) identifies an individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify an individual.” (6) |
| Bennett-Jeffords | Protect privacy and confidentiality of protected health information and establish strong and effective mechanisms to protect against the unauthorized and inappropriate use of protected health information; promote the efficiency and security of the health information infrastructure | Health care provider, health plan, health oversight agency; public health authority, employer, health or life insurer, health researcher, law enforcement official, school, or university (6) | Protected health information: “any information, including demographic information, which identifies such individual or with respect to which there is a reasonable basis to believe that the information can be used to identify such individual whether oral or recorded in any form or medium that (a) is created or received by a health care provider, health plan, health oversight agency, public health authority, employer, health or life insurer, school or university; and (b) (i) relates to the past, present, or future (i) physical or mental health or condition of an individual (including individual cells and their components); (ii) provision of health care to an individual; or (iii) payment for the provision of health care to an individual; and (ii) has been provided in an encrypted format together with a key and there is a reasonable basis to believe the key may be used to identify an individual, or that otherwise provides a method for decrypting the information” (6) |
| NRC | Assess (at the request of the National Library of Medicine) technical and organizational mechanisms currently used by health care organizations to protect the privacy and security of information systems in health care and to make recommendations and identify alternatives and areas for research | All organizations that handle patient-identifiable health care information, which should adopt the technical and organizational policies, practices, and procedures to protect such information; organizations that store, process, or collect health information, which should use software tools to help ensure that the information made available to users complies with their access privileges; health information systems (4) | Electronic health information, computer-based patient records (2) |
| CPRI | Protect patient and caregiver privacy and ensure information security | All bodies implementing and utilizing computer-based patient records (3) | All information created, maintained, and used by organizations utilizing computer-based patient records (2) |
| ASTM | Provide guidelines and specifications on data security for health care information; focus of standard is the individual recipient of health care, but the standard also addresses the privacy and confidentiality interests of practitioners and providers; focus is on computer-based systems | All organizations or individuals who possess or have access to identifiable health information and computer-based patient record systems and health information systems (4) | Personally identifiable health information: health information that contains an individual's identifiers or a sufficient number of variables to allow identification of an individual (4) |
Notes: DHHS indicates the Secretary of the Department of Health and Human Services; Koop, the Koop Foundation; Center, the Center for Democracy and Technology; AAMC, the Association of American Medical Colleges; NAIC, the draft Model Privacy Law of the National Association of Insurance Commissioners; S.1368, the Medical Privacy and Security Protection Act; Bennett-Jeffords, the discussion draft of the Medical Information Protection Act of 1998; NRC, the National Research Council; CPRI, the Computer-based Patient Record Institute; ASTM, the American Society for Testing and Materials.
* The scope was assessed by an interpretation of the language and was scored on a scale from 6 (broad, i.e., anyone who provides, pays for, or receives information) to 1 (narrow, e.g., insurers).

The scope was assessed by an interpretation of the language and was scored on a scale from 6 (broad, e.g., identifiable information in paper, electronic, or other format) to 1 (narrow, e.g., computer-based patient record or electronic health information).