Consumer Bill of Rights and Responsibilities
Chapter Six
Confidentiality of Health Information¹

Statement of the Right Consumers have the right to communicate with health care providers in confidence and to have the confidentiality of their individually identifiable health care information protected. Consumers also have the right to review and copy their own medical records and request amendments to their records.

In order to ensure this right:

• With very few exceptions, individually identifiable health care information can be used without written consent for health purposes only, including the provision of health care, payment for services, peer review, health promotion, disease management, and quality assurance.
• In addition, disclosure of individually identifiable health care information without written consent should be permitted in very limited circumstances where there is a clear legal basis for doing so. Such reasons include: medical or health care research for which an institutional review board has determined anonymous records will not suffice, investigation of health care fraud, and public health reporting.
• To the maximum feasible extent in all situations, nonidentifiable health care information should be used unless the individual has consented to the disclosure of individually identifiable information. When disclosure is required, no greater amount of information should be disclosed than is necessary to achieve the specific purpose of the disclosure.

Rationale

At the same time, the quality of the health care system also depends on the regular exchange of information between providers, employers, plans, public health authorities, researchers, and other users. The changing structure of the health care system and rapid advances in information technology and medical and health care research have increased the demand for and supply of health information among traditional users such as the treating physician, and new users, such as large networks of providers, information management companies, quality and utilization review committees, and independently contracted service providers. Concerns have been raised that, under the current system of information exchange, various entities can access individually identifiable information without sufficient security safeguards and consent requirements.

Other activities undertaken to improve quality and efficiency may present new risks to the confidentiality of health information. For example, quality oversight activities by plans, providers, accreditation bodies, and regulatory agencies require detailed information about the treatment and benefit status of individual consumers. The growing role of employers in workforce health issues has also contributed to the confidentiality debate.

Congress has made repeated attempts to enact a comprehensive Federal confidentiality law but has, to date, been unsuccessful. The web of protections at the Federal and State level that has evolved in the absence of a comprehensive law leaves many aspects of health information unevenly protected. Specialized Federal protections already exist through statutes that address substance abuse, Medicaid beneficiaries, public health, research, government records, and those living with disabilities.

Several States have enacted comprehensive laws and an effort is currently under way at the National Association of Insurance Commissioners to draft a Protected Health Information Model Act for States. Other safeguards have evolved outside of the legislative arena. Accreditation bodies have incorporated requirements for confidentiality policies and patient consent (JCAHO 1996; NCQA 1997; URAC 1996) and continue to collaborate on security and confidentiality issues (JCAHO/NCQA Joint Session, 1997).

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of Health and Human Services to submit to the Congress detailed recommendations on: (1) the rights that an individual who is a subject of individually identifiable information should have; (2) the procedures that should be established for the exercise of such rights; and (3) the uses and disclosures of such information that should be authorized or required (Public Law 104-191). On September 11, Health and Human Services Secretary Donna Shalala presented those proposals to the Congress (Shalala, 1997). Under the terms of HIPAA, if Congress fails to enact Federal confidentiality legislation by August 1999, the Secretary of HHS is required to promulgate regulations setting confidentiality standards.

The Secretary recommends a comprehensive Federal confidentiality law that would apply "floor preemption," meaning that the law would require that all States comply with a minimum set of confidentiality requirements but would not preempt stronger State laws.

Section 262 of HIPAA also requires the Secretary of HHS to adopt standards by February 1998 for electronic transmission of financial and administrative health care transactions (including information about claims, eligibility, payment, and injury), unique health identifiers (for individuals, employers, plans, and providers), and security.

The Commission believes that it is essential to establish a comprehensive confidentiality framework and encourages the Congress to move forward expeditiously.

Implications of the Right

Health plans, health providers, employers, and other group purchasers should examine existing confidentiality protections to safeguard against improper use or release of individually identifiable information. The Commission does not intend to impede employers or providers from complying with duties established by law. Health providers, facilities, and plans should develop procedures to ensure that when sensitive services (e.g., mental health, substance abuse, reproductive services, or treatment of sexually transmitted diseases) are involved, standard administrative techniques do not inadvertently disclose information to individuals other than the patient. This is not intended to create two standards of nondisclosure -- one for sensitive medical conditions and another for all others. It is merely a recognition that there may be high level concern about confidentiality with certain medical conditions by some patients.

Law enforcement officers, researchers, and public health agencies should examine their existing policies to ensure that they access individually identifiable information only when absolutely necessary and provide proper safeguards to assure confidentiality.

Consumers should become more aware of the content of their health records and pay particular attention to requests by providers, plans, employers, or others to gain access to those records.

References and Selected Reading

Joint Commission on Accreditation of Healthcare Organizations, Comprehensive Accreditation Manual for Health Care Networks; 1996.

Joint Commission on Accreditation of Healthcare Organizations and National Committee for Quality Assurance. Joint Session on Security and Confidentiality of Patient Medical Information. Washington, DC; 1997.

Lowrance W. Privacy and Health Research: A Report to the U.S. Secretary of Health and Human Services; May 1997.

National Association of Insurance Commissioners. "Insurance Information and Privacy Protection Model Act" (October 1992); "Quality Assessment and Improvement Model Act" (July 1996); "Utilization Review Model Act" (October 1996).

National Committee for Quality Assurance (NCQA). "Draft Standards for Accreditation;" 1997.

Public Law No. 104-191, "The Health Insurance Portability and Accountability Act of 1996."

Pyles JC, on behalf of the National Coalition for Patient Rights. "The Right to Medical Privacy: An Indispensable Element of Quality Health Care." Washington, DC; 1997.

Shalala, Donna E. Secretary of Health and Human Services. "Confidentiality of Individually Identifiable Health Information: Recommendations Pursuant to Section 264 of the Health Insurance Portability and Accountability Act of 1996." Submitted to The Committee on Labor and Human Resources and the Committee on Finance of the Senate, and The Committee on Commerce and the Committee on Ways and Means of the House of Representatives. September 11, 1997.

URAC National Network Accreditation Standards (April 1996).

_______________

1. In the context of this chapter, health care information is defined as "any information, whether oral or recorded, in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school, university, health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual."

Back to the Table of Contents

[ About the Commission | Charter | Commission Membership | Press Releases | Meetings ]