Question: Evaluation of Authorizations for ROI Case Studies

AHIMA Competencies:

III. Domain: Health Services Organization and Delivery
III.B. Subdomain: Healthcare Privacy, Confidentiality, Legal, and Ethical Issues
    1. Adhere to the legal and regulatory requirements related to health information infrastructure;
    2. Apply policies and procedures for access and disclosure of personal health information;
    3. Release patient-specific data to authorized users;
        * Apply legislative and regulatory processes;
        * Evaluate confidentiality, privacy, and security policies, procedures, and monitoring;
        * Evaluate release of information policies and procedures.

Directions:

You are the ROI Coordinator and have just received the following nine (9) authorizations. Before you pull the charts, you must evaluate each authorization to determine if it is valid.

Review the following nine (9) authorizations as case studies. Determine if the authorizations are in compliance with privacy regulations as you know them. If any authorization is deemed noncompliant, identify the specific deficiencies that exist on that authorization.

A Word document or Excel spreadsheet should be used to identify each case study by its name. For example, the first case study is referred to as “Authorization for Release of Information Sample 1.” You may abbreviate this to “Sample 1.” After determining if each authorization is compliant or noncompliant, reflect that in the next column. Again, for noncompliant authorizations, be sure to identify the specific deficiencies in a separate column.


Transcribed image text (partial; the page headers read "Section 4. Healthcare Privacy, Confidentiality, Legal, and Ethical Issues", pp. 228-233 of Case Studies in Health Information Management): several "Authorization for Release of Information" forms. Recoverable fields: Patient Name: Josiah Nix; DOB: 7-16 (cut off); addressed "To Community Hospital Medical Record Department"; "This authorizes General Hospital to release a copy of my discharge summary". The remaining contents of the nine forms did not survive transcription.

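One way to carry out the evaluation step the directions describe, as an added example that is not part of the original question, the textbook, or the answer below: a small checker that records, for each case study, whether the authorization is compliant and which deficiencies it has, in the same columns the directions ask for (case-study name, status, deficiencies). The elements it checks are the core elements and required statements of a valid HIPAA authorization under 45 CFR 164.508(c); that citation is not on the page. The sample authorizations, the field names, and the receipt date are constructed for illustration and do not reproduce the textbook's nine samples.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Authorization:
    """The fields an ROI coordinator reads off a signed authorization form (constructed schema)."""
    name: str                             # case-study label, e.g. "Sample 1"
    description: str = ""                 # information to be released
    releasing_party: str = ""             # provider authorized to disclose
    recipient: str = ""                   # person or organization receiving it
    purpose: str = ""                     # may be "at the request of the individual"
    expiration: str = ""                  # ISO date or an event, e.g. "end of litigation"
    signed: bool = False
    signature_date: Optional[date] = None
    signed_by_representative: bool = False
    representative_authority: str = ""    # e.g. "parent of minor", "court-appointed guardian"
    revocation_statement: bool = False    # notice of the right to revoke in writing
    conditioning_statement: bool = False  # whether treatment/payment is conditioned on signing
    redisclosure_statement: bool = False  # notice that the recipient may redisclose
    received_on: date = date(2024, 3, 1)  # constructed date the ROI office received the form


def _parse_date(text: str) -> Optional[date]:
    """Return a date if the expiration is written as YYYY-MM-DD, else None (it is an event)."""
    try:
        return date.fromisoformat(text.strip())
    except ValueError:
        return None


def evaluate(auth: Authorization) -> list[str]:
    """Return the deficiencies found; an empty list means the authorization is valid."""
    defects: list[str] = []
    # Core elements (45 CFR 164.508(c)(1))
    if not auth.description.strip():
        defects.append("information to be released is not described")
    if not auth.releasing_party.strip():
        defects.append("releasing provider is not named")
    if not auth.recipient.strip():
        defects.append("recipient is not named")
    if not auth.purpose.strip():
        defects.append("purpose of the disclosure is missing")
    if not auth.expiration.strip():
        defects.append("no expiration date or event")
    else:
        expires = _parse_date(auth.expiration)
        if expires is not None and expires < auth.received_on:
            defects.append(f"authorization expired on {expires.isoformat()}")
    if not auth.signed:
        defects.append("not signed by the patient or personal representative")
    elif auth.signature_date is None:
        defects.append("signature is not dated")
    elif auth.signature_date > auth.received_on:
        defects.append("signature date is later than the date received")
    if auth.signed_by_representative and not auth.representative_authority.strip():
        defects.append("representative's authority to act for the patient is not described")
    # Required statements (45 CFR 164.508(c)(2))
    if not auth.revocation_statement:
        defects.append("missing statement of the right to revoke")
    if not auth.conditioning_statement:
        defects.append("missing statement on conditioning treatment or payment on signing")
    if not auth.redisclosure_statement:
        defects.append("missing statement on potential redisclosure by the recipient")
    return defects


def evaluate_all(auths: list[Authorization]) -> list[tuple[str, str, str]]:
    """One row per case study: (name, Compliant/Noncompliant, deficiencies)."""
    rows = []
    for auth in auths:
        defects = evaluate(auth)
        status = "Compliant" if not defects else "Noncompliant"
        rows.append((auth.name, status, "; ".join(defects)))
    return rows


def to_csv(rows: list[tuple[str, str, str]]) -> str:
    """Render the rows as the spreadsheet the directions ask for."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Case study", "Status", "Deficiencies"])
    writer.writerows(rows)
    return out.getvalue()


# Constructed samples (not the textbook's). _COMPLETE has every element present.
_COMPLETE = dict(
    description="Discharge summary, admission of 2024-01-10",
    releasing_party="General Hospital", recipient="Dr. R. Patel, Community Clinic",
    purpose="continuing care", expiration="2025-02-20", signed=True,
    signature_date=date(2024, 2, 20), revocation_statement=True,
    conditioning_statement=True, redisclosure_statement=True,
)
SAMPLES = [
    Authorization("Sample 1", **_COMPLETE),
    Authorization("Sample 2", **{**_COMPLETE, "signed": False, "expiration": ""}),  # unsigned, no expiration
    Authorization("Sample 3", **{**_COMPLETE, "expiration": "2023-06-30"}),  # expiration has passed
    Authorization("Sample 4", **{**_COMPLETE, "purpose": "", "signed_by_representative": True}),  # no purpose; representative's authority not stated
]

if __name__ == "__main__":
    print(to_csv(evaluate_all(SAMPLES)))
```

The checker deliberately reports every deficiency rather than stopping at the first, because the directions ask for all deficiencies per noncompliant authorization; an expiration written as an event (for example "end of litigation") is accepted as-is, since only a dated expiration can be checked against the receipt date.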
Answer #1

1.

Health records are used for a variety of clinical purposes, including serving as the chronological record of a patient's care, as a method of communication for current and subsequent episodes of care, and as the basis of research and quality improvement activities. As such, health records are used by clinicians. Health records serve secondary purposes that are not clinical in nature, including the billing function, the legal record of a patient's care, and the documentation to support a claim of disability. As such, health records are used by nonclinicians.

How does a health record serve as a legal document?

It serves as the way to reconstruct an episode of patient care. This reconstruction provides the ability to prove what did or did not happen in a particular case and establish whether the applicable standard of care was met.

Is it legally proper for a physician in a group practice to sign medical entries made by another physician in the same practice? Why or why not?

Ordinarily, it is not legally proper for the physician to sign medical entries made by another physician, because authentication principles dictate that only the author of the entry may authenticate the entry. The exception would be where specific accreditation standards or regulations allowed for this action.

How can an electronic health record be corrected?

An addendum is added to the electronic health record reflecting the correction. The original document/entry in the electronic health record is not altered, but a computer code attribute is used to reference the original document to the addendum.

Explain the concept of an amendment to the record under the HIPAA Privacy Rule.

The Privacy Rule provides patients with a right to amend patient-specific health information and sets a minimum standard to follow in allowing amendments to the health record by a patient. This rule requires the health-care provider to respond to the patient that it has made the requested amendment or if the amendment is not made, give written notice to the requestor.

What legal requirements apply to a record retention policy?

Statutes on the state level and regulations on both the federal and state levels apply.

Will civil or criminal liability apply to a health-care institution that destroys a record in other than the ordinary course? Why?

Yes, civil liability generally will apply if the health-care provider accidentally or incidentally discloses health information when destroying a record in the ordinary course. Ordinarily, criminal liability would not apply.

2.

SOURCES OF CONCERNS ABOUT PRIVACY AND THE CONFIDENTIALITY OF HEALTH RECORDS

Two somewhat distinct trends have led to increased access to the primary health record and subsequent concerns about privacy. One has to do with primary health records regardless of how they are created and maintained; the other involves health records stored electronically.

Health Care Records

The quantity and type of health care information now collected has also increased dramatically in recent years. The participation in health care delivery of many different individuals and groups of providers exerts strong pressures to document in ever greater detail. The expanding numbers of available technologies for diagnosis and therapy mean that details that a provider could at one time recall must now be recorded and thus become available for inspection by others. Further, information on lifestyle (e.g., use of tobacco or alcohol), family history, and health status has become of greater interest and relevance as we learn more about the relationship of these factors to overall health and well-being. In addition, genetic data are becoming more readily available, not only for prenatal testing but also for assessing an individual's degree of risk for an inherited condition.

The more detailed the information about an individual or class of individuals, the more appropriate, one hopes, is the treatment they will be given. Further, documentation of care and risk factors are essential to promoting continuity of care over time and among providers. It is also a first defense against charges of malpractice.

The primary health record is no longer simply a tool for health care providers to record their impressions, observations, and instructions. Rather, it serves many purposes beyond direct health care. Third-party payers access patient record information to make payment determinations, and managed care organizations access patient records for precertification and case management.

Other parties external to the healing relationship seek person-identified information and assert socially beneficial reasons for access. What was once the "business" only of patients and possibly their physicians has now become the business of such groups as: (1) officers of government entitlement programs checking on eligibility, and on patient and provider fraud and abuse; (2) agencies granting security clearance; (3) attorneys bringing criminal or civil charges; and (4) social service workers protecting possibly abused children, to name only a few. Others access secondary health records or obtain portions of the medical record when making decisions about hiring, granting a license, or issuing life, health, or disability insurance.

Electronic Records

Other trends give rise to particular concerns about the confidentiality of health information that is stored electronically. First is the ability to access, transmit, and copy large volumes of data easily. Photocopying paper records is, of course, possible, but it is hardly feasible for large numbers of geographically dispersed medical records. Electronic storage and transmittal of data, by contrast, enable interested parties to aggregate information for individuals over time and across institutions and providers of care.

Second, databases were at one time discrete—often held in physically secure rooms on tape drives—with identifiers that were unique to a given institution or insurer. Now, however, data from diverse sources can be combined and linked. Once data are stored electronically, networks of databases can be explored almost imperceptibly from remote locations. Unless security systems are designed to record access, the curious, entrepreneurial, or venal can enter databases without leaving evidence of having done so.

Third, computer-based health data have become a very valuable commodity. Some companies obtain information from physicians' computers and pharmacy records for sale to pharmaceutical companies in return for incentives such as low-cost computer hardware and software. These companies gather such identifying variables as age, sex, and Social Security numbers even if patient names are either not taken or are later stripped off (Miller, 1992).

Other companies resell information from prescription or claims databases to companies that sort it by physician for marketing purposes. For example, Health Information Technologies, Inc., helps automate private physicians' insurance claims. When it transmits claims and payments between the insurance company and the physician, it retains electronic copies of these records, and it can later sell them (presumably without physician or patient names) for pharmaceutical and other related kinds of marketing (Miller, 1992).

In August 1993, Merck & Company purchased Medco Containment Services, a mail-order prescription firm. The purchase price, $6 billion, was based in part on the value of the information in its databases to influence physician prescribing practices (Tanouye, 1993). HDOs will control a gold mine of information, and they may find it difficult indeed to resist economic benefits from allowing access to their data files by third parties.

Finally, because developers of HDOs have compared claims transmittal to electronic funds transfer (EFT), it is helpful to examine how the Privacy Protection Study Commission regarded confidentiality in EFT. The commissioners were alert to problems that might result if records created by EFT could not be controlled by institutions. Noting that automated clearinghouses centralize information that would otherwise be segregated among diverse depository institutions, their report (PPSC, 1977a) expressed worry about threats posed by the accumulation and centralization of the financial information that flows through such clearinghouses. The commissioners also recognized that the resulting pools of information would become attractive sources of person-identifiable information for use "in ways inimical to personal privacy" (p. 121). They urged that adequate protections be established for person-identifiable information flowing through an EFT data communications network and that such account information be retained for as limited a period of time as was essential to fulfill operating requirements of the service provider. Thus, in contemplating EFT, the commissioners did not foresee, and certainly did not encourage, the creation of an information repository now contemplated under the concept of an HDO.

3.

Privacy

The most general and common view of privacy conveys notions of withdrawal, seclusion, secrecy, or of being kept away from public view, but with no pejorative overtones. By contrast, an invasion of privacy occurs when there is intentional deprivation of the desired privacy to which one is entitled. In public policy generally and health policy in particular, privacy takes on special meanings, some derived from moral theories, others from legal doctrine, and one from the widespread use of health information.

Privacy is sometimes characterized as the "right to be left alone" (Cooley, 1880; Warren and Brandeis, 1890; Elison and Nettiksimmons, 1987; Turkington, 1987; Herdrich, 1989). Many experts, however, have objected that such a definition is too broad to be helpful in the health context. There are innumerable ways of not being left alone that arguably have nothing to do with privacy (Thomson, 1975; Reiman, 1976; Parent, 1983), such as when an individual is subjected to aggressive panhandling on a city street. Consequently, theorists have sought to refine their conceptions of privacy. Their aim has been to isolate what is unique about privacy, to identify what constitutes its loss, and to distinguish among a variety of conceptually related but separable senses of privacy (Gerety, 1977; McCloskey, 1980; Schoeman, 1984).

The development and application of the concept of privacy in American law encompasses three clusters of ideas. First, privacy embodies autonomy interests; it protects decisions about the exercise of fundamental constitutional liberties with respect to private behavior, such as decisions relating to marriage, procreation, contraception, family relationships, and child-rearing. This is frequently characterized as decisional privacy (Tribe, 1978). Second, privacy protects against surveillance or intrusion when an individual has a "reasonable expectation of privacy." Examples include protections against unlawful searches of one's home or person and unauthorized wiretapping. Third, privacy encompasses informational interests; this notion is most frequently expressed as the interest of an individual in controlling the dissemination and use of information that relates to himself or herself (Shils, 1966; Westin, 1967), or to have information about oneself be inaccessible to others. This last form, informational privacy, is the main subject of this chapter.

Informational Privacy

Informational privacy—"a state or condition of controlled access to personal information" (Schoeman, 1984; Allen, 1987; Powers, 1993)—is infringed, by definition, whenever another party has access to one's personal information by reading, listening, or using any of the other senses. Such loss of privacy may be entirely acceptable and intended by the individual, or it may be inadvertent, unacceptable, and even unknown to the individual.

This definition of privacy thus reflects two underlying notions. First, privacy in general and informational privacy in particular are always matters of degree. Rarely is anyone in a condition of complete physical or informational inaccessibility to others, nor would they wish to remain so. Second, although information privacy may be valuable and deserving of protection, many thoughtful privacy advocates argue that it does not, in itself, have moral significance or inherent value (Allen, 1987; Faden, 1993).

Nonetheless, informational privacy has value for all in our society, and it accordingly has special claims on our attention. In his pivotal book, Privacy and Freedom, Westin (1967) described it as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others" (p. 7). This definition served as the foundation for the Privacy Act of 1974 (P.L. 93-579; 5 U.S.C. § 552a). This act, arguably the most significant step to protect privacy in recent decades, was enacted to control use of personally identifiable information maintained in federal government databases.

Recordkeeping Privacy

In recent decades, discussions about privacy have almost exclusively addressed the use of information about people to make decisions about some right, privilege, benefit, or entitlement—so-called "recordkeeping privacy." This focus was of particular interest to those framing the Privacy Act of 1974.

More recently the desire for informational privacy has become an important expectation, not because of a benefit or entitlement sought, but for its own sake. Information may be created as a byproduct of some event—for example, an individual's geographic location becomes available when he or she uses a bank card for a financial transaction; similarly, one's preferences are known when one buys goods by mail order or uses a check-verification card at the local supermarket. In yet other cases, information derives from aggregating data from many sources, including public records; such aggregation can also include data that have been derived from computer processing (e.g., buying profiles or dossiers).

Data subjects want informational privacy to be respected in such contexts as well. Many people in the United States would like to believe that data collected about them legitimately, in connection with some transaction or incidentally through participation in the general activities of society, will not be exploited for secondary purposes such as advertising, soliciting, telemarketing, promotional activities, or other actions that are distinct from and unrelated to the activities for which the data were originally collected (see Harris/Equifax, 1993). As should be clear from the discussion in this chapter, however, these hopes are often not realized in general or in relation to health information.

Privacy Rights

To assert a right is to make a special kind of claim. Rights designate some interests of the individual that are sufficiently important to hold others under a duty to promote and protect, sometimes even at the expense of maximizing or even achieving the social good (Raz, 1986). Two interests are widely cited as providing the moral justification for privacy rights: the individual's interest in autonomy and the instrumental value that privacy may have in promoting other valuable human goods.

With respect to autonomy, privacy fosters and enhances a sense of self (Reiman, 1976). Respecting privacy enhances an individual's autonomy (Westin, 1967; Benn, 1971; Bloustein, 1984). It allows the individual to develop the capacity to be self-governing or "sovereign," a notion analogous to the sense in which autonomous states are sovereign (Beauchamp and Childress, 1989). The loss or degradation of privacy can enable others to exercise an inordinate measure of power over the individual's economic, social, and psychological well-being (Gavison, 1980; Parent, 1983).

With respect to the value of privacy to promote other ends, its instrumental value, privacy permits the development of character traits and virtues essential to desirable human relationships. These include trust, intimacy, and love. Without some measure of privacy, these relationships are diminished or may not be possible (Fried, 1968; Rachels, 1975).

The existence of informational privacy rights means that someone is under a duty either not to disclose information or to prevent unauthorized access to information by others. Dworkin (1977) has argued that for a right to be meaningful implies that any policy or law overriding such duties must withstand rigorous scrutiny and that considerations of social utility alone are inadequate grounds to override it. That is, to take rights seriously is to recognize some limits on the prerogative of government or others to mandate the common good at the expense of the individual. This is not to say, however, that rights function as an absolute barrier to the pursuit of collective goals; indeed, the tension between individual and social goals is reflected in the issues raised in Chapter 3, as well as in this chapter.

Balancing Benefits of HDOs Against Loss of Informational Privacy

There cannot be much doubt that HDOs will serve legitimate societal interests as described in Chapter 2. Nevertheless, because HDOs will represent one of the most comprehensive and sensitive automated personal record databases ever established, they inevitably implicate interests protected by informational privacy principles. Accordingly, HDO advocates will be well served from an ethical as well as legal viewpoint if they consider what social goods justify possible loss of privacy and how such loss can be minimized or prevented.

Whether HDOs can achieve their potential for good in the face of their possible impact on privacy will likely turn on the interplay of three considerations. First, to what extent do the HDOs provide important (and perhaps irreplaceable) health care benefits to their regions and perhaps to the nation? Second, do the societal benefits resulting from the implementation of HDOs outweigh the privacy risks? Third, to what extent have adequate privacy safeguards been incorporated into the HDOs?

Federal and State Privacy Protection

No explicit right to privacy is guaranteed by the Constitution of the United States; in fact, the word "privacy" does not appear. The presumed right as the basis of a civil action is based on legal opinion written by Justice Louis D. Brandeis in 1890, and its constitutional status derives from various amendments to the Bill of Rights.

The issues surrounding the constitutional status of privacy protection are too numerous and controversial to explore in detail here. Most constitutional scholars agree that federal constitutional protections are unlikely to provide the first line of defense for privacy of health information. The Constitution generally has not provided strong protection for the confidentiality of individual health care information; the constitutional protection for informational privacy is thus very limited and derived from case law interpreting the Constitution.

The courts have made clear that, at least theoretically, information privacy principles based on the Constitution limit a government agency's collection and use of personal information to situations in which the use bears a rational relationship to a legitimate governmental purpose. The government's interest in the information program must outweigh the threat to personal privacy posed by the program.

In Whalen v. Roe (429 U.S. 589 [1977]), for example, the Supreme Court balanced the privacy threat posed by a New York State law against the statute's benefits. The New York State statute required pharmacists and physicians to report sensitive health record information to state officials, in this case prescriptions for controlled drugs. It required physicians to report the names of patients receiving certain types of prescription drugs to a state agency. The court concluded that the statute was constitutional on two grounds: the societal interests served by the statute (combating the illegal use of otherwise legal drugs) and extensive privacy and confidentiality protections in the law (redisclosure of the drug information, for example, was prohibited). The court suggested that if the statute had lacked these confidentiality protections it would have been found to violate constitutional privacy principles (Chlapowski, 1991). Thus, privacy rights are to be considered derived and not explicit rights.

In United States v. Westinghouse Electric Corp. (638 F. 2d 570, 578 [3rd Cir. 1980]), the Third Circuit identified seven factors that should be weighed in determining whether to permit a government agency to collect personal information and thus undertake a program that infringes privacy. These were the type of record requested; the subject matter of the information; the potential for harm in a subsequent nonconsensual disclosure; the damage to the relationship in which the record was generated; the adequacy of safeguards to prevent unauthorized disclosure; the degree of need for access; and whether there is an express, statutory mandate, articulated public policy, or other recognizable public interest tilting toward access.

Various state constitutional provisions offer more protection. For one to have a claim for a violation of a constitutional privacy right, however, the individual generally must show that state action caused the violation. California's constitution (Cal. Const., Art. 1, § 1) is an exception to this general rule because it makes privacy rights explicit. California courts have held that the state's constitutional privacy provision can be asserted against private parties who infringe on citizens' privacy; see, for instance, Heda v. Superior Court, 225 Cal. App. 3rd 525 (Cal., Dist. Ct., App. 1990) and Soroka v. Dayton Hudson Corp., 1 Cal. Rptr. 2nd 77 (1991). Other common law and statutory remedies, as well as institutional policies and practices, will be of greater immediate importance. This and the relevance of existing laws to HDOs is discussed in the next section.

Confidentiality

Confidentiality relates to disclosure or nondisclosure of information. Historically a duty to honor confidentiality has arisen with respect to information disclosed in the context of a confidential relationship, such as that between an individual and his or her physician, attorney, or priest. In such relationships, the confidante is under an obligation not to redisclose the information learned in the course of the relationship. Now the law applies such duties to some holders of information who do not have a confidential relationship to a patient. In the health sector, this includes such holders as utilization management firms in many states and local, state, or federal health agencies that receive reports of communicable diseases.

When one is concerned about data disclosure, whether or not any relationship exists between a data subject and a data holder, an essential construct is that of data confidentiality. Data confidentiality is the status accorded data indicating that they are protected and must be treated as such. In the federal Freedom of Information Act (FOIA, 5 U.S.C., Section 552), certain categories of data are specified as confidential and thus not disclosable; for instance, Exemption 6 states that FOIA is not applicable to "personnel and medical files and similar files, the disclosure of which would constitute clearly unwarranted invasion of personal privacy." Data confidentiality is discussed in more detail in a later section.

Confidentiality Obligations in Health Care

Professional obligations to privacy and confidentiality. The importance of confidentiality to the medical profession is reflected in the physician's "Oath of Hippocrates." Adopted in roughly the fourth century B.C.E., it remains a recognized element of medical ethics:

Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred secrets (Bulger, 1987).

In similar fashion, the American Medical Association Principles of Medical Ethics (AMA, 1992, Section 5.05) states that "The information disclosed to a physician during the course of the relationship between the physician and patient is confidential to the greatest possible degree . . . The physician should not reveal confidential communications or information without the express consent of the patient, unless required to do so by law."

Within the healing relationship, four justifications may be offered for medical confidentiality (adapted from Faden, 1993). First is a respect for privacy and patient autonomy. In the earliest practice of medicine, physicians treated patients in their homes, and medical privacy was an extension of the privacy of the home. The Hippocratic Oath, for instance, does not justify confidentiality on any ground other than respect for privacy. If information concerning a patient's mind and body is viewed as an extension of the patient, then the concept of autonomy requires that the patient be able to control disclosure and use of that information. The value placed on personal autonomy gives rise to the notion of informed consent. As Justice Benjamin N. Cardozo wrote in his opinion in Schloendorff v. Society of New York Hospital, 211 N.Y. 125, "Every human being of adult years and sound mind has a right to determine what shall be done with his body."

A second justification related to respect for privacy is the implicit and sometimes explicit expectation or promise of confidentiality. Third is the special moral character of the doctor-patient relationship, which is characterized by trust and intimacy. Confidentiality can be instrumental in fostering patients' trust in their physicians; when this trust encourages patients to speak freely and disclose information they would otherwise keep secret, it facilitates diagnosis and treatment. Fourth, respecting confidentiality protects patients from harm that might befall them if the information were to become widely available and indiscriminately used.

Legal obligations of confidentiality. Various federal and state laws impose a duty to preserve the confidentiality of personal health information. These laws can be divided into two categories: those imposing confidentiality obligations on recordkeepers and those protecting health information that is deemed highly sensitive. Examples of the former include general confidentiality statutes about health care information such as the Uniform Health Care Information Act (National Conference, 1988) and the California Confidentiality of Medical Information Act (Cal. Civil Code §§ 56-56.37 [1992]), as well as various state laws and Medicare and Medicaid regulations. Laws and regulations imposing confidentiality requirements for sensitive personal health information include those related to alcohol and drug abuse records and laws governing nondisclosure of records of patients with acquired immunodeficiency syndrome (AIDS), the results of antibody tests for human immunodeficiency virus (HIV), psychiatric and developmental disability records, and information concerning results of genetics screening and testing.

Courts have also recognized a legal obligation to maintain the confidentiality of personal health care information. In response to harm resulting from unauthorized release of personal health information, courts have granted legal relief under a number of theories: breach of trust, breach of confidence, breach of implied contract, invasion of privacy, defamation, and negligence (Waller, 1992).

Disclosure of Health Information

As one looks beyond the protected sphere of the patient-provider relationship, it is not always clear who is rightly in the community of "knowers," nor is there universal agreement on principles that ought to control disclosure. With the growth of managed care, utilization review, third-party payment systems, and claims administration for self-insured health plans, information sharing for purposes of adjudicating claims and managing high-risk or high-cost cases has become part and parcel of the provision of health care. Westin has described these supporting and administrative activities as "Zone 2" in comparison to "Zone 1," which refers to information flow to support direct medical care (Westin, 1976; Harris/Equifax, 1993). These wide-ranging claims of need for sensitive health information, which are emblematic of modern health care, raise difficult problems for the preservation of privacy and maintenance of confidentiality.

Patients generally understand that, with consent, information in their medical records will be shared widely within a hospital and for insurance and reimbursement purposes. They also expect that data collected about them will be used only for the purpose of the initial collection and that such data will be shared with others only for that same purpose. Outside the health care institution, patients expect that confidential data will not be shared with people or organizations not authorized to have such information and that legitimate users of the data will not exploit such access for purposes other than those for which the information was originally obtained (e.g., see Harris/Equifax, 1993).

Consent. Such exceptions to the rule of confidentiality as described above are rationalized as being conducted by consent of the patient or a patient representative. A patient may be asked to accede to disclosure by signing a blanket consent form when applying for insurance or employment. In such cases, however, consent cannot be truly voluntary or informed. Such authorizations are often not voluntary because the patient feels compelled to sign the authorization or forego the benefit sought, and they are not informed because the patient cannot know in advance what information will be in the record, who will subsequently have access to it, or how it will be used.

Although consent may be the best-recognized way to permit disclosures of private information, consent is so often not informed or is given under economic compulsion that it does not provide sufficient protection to patients. As will be seen in the recommendations section of this chapter, this committee generally does not regard "consent" procedures as sufficient to protect sensitive information from inappropriate disclosure by HDOs, although they are a necessary adjunct to other autonomy protections.

Mandatory reporting and compulsory process. Other situations exist in which sensitive health information about individuals must be disclosed to third parties. Such sharing of health information for socially sanctioned purposes may be truly voluntary; it may also be required through mandatory reporting or coerced by court order.

Mandatory reporting requirements are justified by society's need for information; these include filing reports of births and deaths, communicable diseases, cancer, environmental and occupational diseases, drug addiction, gunshot wounds, child abuse, and other violence-related injuries. Some statutes require that records be retained for 10 to 25 years, which makes past diagnoses retrievable long after they no longer accurately describe the patient. Another type of reporting requirement involves the expectation that third parties require warning about threats to their life.⁷

Physicians and others may also find themselves compelled to divulge patient information when they would otherwise choose not to do so. Such requirements—sometimes termed "compulsory process"—may take the form of subpoenas or discovery requests and may be enforced by court order. In some instances personal health care information may be protected from disclosure in court and administrative proceedings by virtue of the physician-patient privilege, which may be mandated by statute or derive from the common law. Information that is so privileged cannot be introduced into evidence and is generally not subject to discovery.

Weaknesses of Legal Protection for Confidentiality

Legal and ethical confidentiality obligations are the same whether health records are kept on paper or on computer-based media (Waller, 1992). Current laws, however, have significant weaknesses. First, and very important, the degree to which confidentiality is required under current law varies according to the holder of the information and the type of information held.

Second, legal obligations of confidentiality often vary widely within a single state and from state to state, making it difficult to ascertain the legal obligations that a given HDO will have, particularly if it operates in a multistate area. These state-by-state and intrastate variations and inconsistencies in privacy and confidentiality laws are well established among those knowledgeable about health care records law (e.g., see Powers, 1991; Waller, 1991; WEDI, 1992; Gostin et al., 1993; OTA, 1993; for examples ranging across many types of professionals, institutions, and ancillary personnel). This is important because some HDOs will routinely transmit data across state lines. Interstate transmission already occurs with data such as claims or typed dictation. When confidential data are transmitted across state lines, it is not always clear which state's confidentiality laws apply and which state's courts have jurisdiction over disputes concerning improper disclosure of information.

Third, current laws offer individuals little real protection against redisclosure of their confidential health information to unauthorized recipients for a number of reasons. Once patients have consented to an initial disclosure of information (for example, to obtain insurance reimbursement), they have lost control of further disclosure. Information disclosed for one purpose may be used for unrelated purposes without the subject's knowledge or consent (sometimes termed secondary use). For instance, information about a diagnosis taken from an individual's medical record may be forwarded to the Medical Information Bureau in Boston, Massachusetts (MIB, 1989; and see Kratka, 1990) and later used by another insurance company in an underwriting decision concerning life insurance. Redisclosure practices represent a yawning gap in confidentiality protection.

As a practical matter, policing redisclosure of one's personal health information is difficult and may be impossible. At a minimum, such policing requires substantial resources and commitment. With the use of computer and telecommunications networks, an individual may never discover that a particular disclosure has occurred, even though he or she suffers significant harm—such as inability to obtain employment, credit, housing, or insurance—as a result of such disclosure. Pursuing legal remedies may result in additional disclosure of the individual's private health information.⁸

Fourth, in some instances federal law preempts state confidentiality requirements or protections without imposing new ones. For example, the Employee Retirement Income Security Act (ERISA) preempts some state insurance laws with respect to employers' self-insured health plans, yet ERISA is silent on confidentiality obligations. Because 74 percent or more of employers with 1,000 or more employees manage self-insured health plans (Foster Higgins, 1991, in IOM, 1993e), such preemption is particularly troublesome.

Last, enforcing rights through litigation is costly, and money damages may not provide adequate redress for the harm done by the improper disclosure.

Security

In the context of health record information, confidentiality implies controlled access and protection against unauthorized access to, modification of, or destruction of health data. Confidentiality has meaning only when the data holder has the will, technical capacity, and moral or legal authority to protect data; that is, to keep such information (or the system in which it resides) secure (NRC/CBASSE, 1993). Data security exists when data are protected from accidental or intentional disclosure to unauthorized persons and from unauthorized or accidental alteration (IOM, 1991a).

In computer-based or computer-controlled systems, security is implemented when a defined system functions in a defined operational environment, serves a defined set of users, contains prescribed data and operational programs, has defined network connections and interactions with other systems, and incorporates safeguards to protect the system against a defined threat to the system, its resources, and its data. More generally, protective safeguards include:

  • hardware (e.g., memory protect);

  • software (e.g., audit trails, log-on procedures);

  • personnel control (e.g., badges or other mechanisms to control entry or limit movement);

  • physical object control (e.g., logging and cataloging of magnetic tapes and floppy disks, destruction of paper containing person-identifiable printouts);

  • disaster preparedness (e.g., sprinklers, tape vaults in case of fire, flood, or bomb);

  • procedures (e.g., granting access to systems, assigning passwords);

  • administration (e.g., auditing events, disaster preparedness, security officer); and

  • management oversight (e.g., periodic review of safeguards, unexpected inspections, policy guidance).

The collective intent of these safeguards is to give high assurance that the system, its resources, and information are protected against harm and that the information and resources are properly accessed and used by authorized users.

Health-Related Information

In a study that focuses on the protection of health-related data about individuals, defining which items are health related is more difficult than one might initially think. The most obvious categories are medical history, current diagnoses, diagnostic test results, and therapies. Other pieces of information are more distantly related to health—because of what one might infer about a person's health. Examples include type of specialist visited, functional status, lifestyle, and past diagnoses. Nevertheless, not everything in a medical record is relevant to health status or is health related.

Insurance coverage and marital status are cases in point. Some elements could nevertheless be considered sensitive because of the social stigma that could result if they are revealed. Examples include sexual preference, address, or the receipt of social services.

The same disclosure might be harmful to one individual but not another, or harmful to an individual in one circumstance but not in another. Personal data, particularly health-related personal data, are not inherently sensitive, but they become so because of the harmful way(s) in which they might be used. Thus, any data element in medical records, and many data items from other records, could be considered either health-related or sensitive, or both. Where the boundaries for the protection of personal health information lie is not at all obvious. In considering the actions of HDOs, this committee takes a relatively broad view of health-related data; it proceeds from an assumption that all information concerning an individual and any transactions relating directly or indirectly to health care that HDOs access or maintain as databases must be regarded as potentially requiring privacy protection.
