President's Advisory Commission on Consumer Protection and Quality in the Health Care Industry

Consumer Bill of Rights and Responsibilities
Chapter Six
Confidentiality of Health Information¹

Statement of the Right

Consumers have the right to communicate with health care providers in confidence and to have the confidentiality of their individually identifiable health care information protected. Consumers also have the right to review and copy their own medical records and request amendments to their records.

In order to ensure this right:


The legal right to confidentiality of health care information and its essential role in the delivery of quality health care has been recognized by the United States Supreme Court, lower Federal and State courts, and Federal and State lawmakers. Similarly, a health care provider's obligation to protect the confidentiality of health information is universally recognized. The assurance that consumers' health information will remain confidential is "fundamental to effective diagnosis, treatment and healing" (Shalala, 1997).

At the same time, the quality of the health care system also depends on the regular exchange of information between providers, employers, plans, public health authorities, researchers, and other users. The changing structure of the health care system and rapid advances in information technology and medical and health care research have increased the demand for and supply of health information among traditional users such as the treating physician, and new users, such as large networks of providers, information management companies, quality and utilization review committees, and independently contracted service providers. Concerns have been raised that, under the current system of information exchange, various entities can access individually identifiable information without sufficient security safeguards and consent requirements.

Other activities undertaken to improve quality and efficiency may present new risks to the confidentiality of health information. For example, quality oversight activities by plans, providers, accreditation bodies, and regulatory agencies require detailed information about the treatment and benefit status of individual consumers. The growing role of employers in workforce health issues has also contributed to the confidentiality debate.

Congress has made repeated attempts to enact a comprehensive Federal confidentiality law but has, to date, been unsuccessful. The web of protections at the Federal and State level that has evolved in the absence of a comprehensive law leaves many aspects of health information unevenly protected. Specialized Federal protections already exist through statutes that address substance abuse, Medicaid beneficiaries, public health, research, government records, and those living with disabilities.

Several States have enacted comprehensive laws and an effort is currently under way at the National Association of Insurance Commissioners to draft a Protected Health Information Model Act for States. Other safeguards have evolved outside of the legislative arena. Accreditation bodies have incorporated requirements for confidentiality policies and patient consent (JCAHO 1996; NCQA 1997; URAC 1996) and continue to collaborate on security and confidentiality issues (JCAHO/NCQA Joint Session, 1997).

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of Health and Human Services to submit to the Congress detailed recommendations on: (1) the rights that an individual who is a subject of individually identifiable information should have; (2) the procedures that should be established for the exercise of such rights; and (3) the uses and disclosures of such information that should be authorized or required (Public Law 104-191). On September 11, Health and Human Services Secretary Donna Shalala presented those proposals to the Congress (Shalala, 1997). Under the terms of HIPAA, if Congress fails to enact Federal confidentiality legislation by August 1999, the Secretary of HHS is required to promulgate regulations setting confidentiality standards.

The Secretary recommends a comprehensive Federal confidentiality law that would apply "floor preemption," meaning that the law would require that all States comply with a minimum set of confidentiality requirements but would not preempt stronger State laws.

Section 262 of HIPAA also requires the Secretary of HHS to adopt standards by February 1998 for electronic transmission of financial and administrative health care transactions (including information about claims, eligibility, payment, and injury), unique health identifiers (for individuals, employers, plans, and providers), and security.

The Commission believes that it is essential to establish a comprehensive confidentiality framework and encourages the Congress to move forward expeditiously.

Implications of the Right

References and Selected Reading

Hurwit C. Citizen Action. Testimony before the President's Advisory Commission on Consumer Protection and Quality in the Health Care Industry. May 13, 1997.

Joint Commission on Accreditation of Healthcare Organizations, Comprehensive Accreditation Manual for Health Care Networks; 1996.

Joint Commission on Accreditation of Healthcare Organizations and National Committee for Quality Assurance. Joint Session on Security and Confidentiality of Patient Medical Information. Washington, DC; 1997.

Lowrance W. Privacy and Health Research: A Report to the U.S. Secretary of Health and Human Services; May 1997.

National Association of Insurance Commissioners. "Insurance Information and Privacy Protection Model Act" (October 1992); "Quality Assessment and Improvement Model Act" (July 1996); "Utilization Review Model Act" (October 1996).

National Committee for Quality Assurance (NCQA). "Draft Standards for Accreditation;" 1997.

Public Law No. 104-191, "The Health Insurance Portability and Accountability Act of 1996."

Pyles JC, on behalf of the National Coalition for Patient Rights. "The Right to Medical Privacy: An Indispensable Element of Quality Health Care." Washington, DC; 1997.

Shalala, Donna E. Secretary of Health and Human Services. "Confidentiality of Individually Identifiable Health Information: Recommendations Pursuant to Section 264 of the Health Insurance Portability and Accountability Act of 1996." Submitted to The Committee on Labor and Human Resources and the Committee on Finance of the Senate, and The Committee on Commerce and the Committee on Ways and Means of the House of Representatives. September 11, 1997.

URAC National Network Accreditation Standards (April 1996).


  1. In the context of this chapter, health care information is defined as "any information, whether oral or recorded, in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school, university, health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual."


Last Revised: Thursday, June 25, 1998