Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not be noised abroad, I will keep silence thereon, counting such things to be as sacred secrets.
- Oath of Hippocrates, 4th Century, B.C.E.
Top News
- Virginia Tech Shooting Report Released. A panel of experts asked to investigate the April 16, 2007 shooting deaths of dozens of students and faculty at Virginia Tech released its final report a little over four months after the tragedy. The report cited misinterpretations of information privacy laws as the reason the shooter's parents were not informed of his mental health history at the school and no preventive measures were taken to avert the tragedy. (Aug. 30)
- EPIC Urges Appellate Court to Consider Substantial Privacy Interest in De-Identified Patient Data. EPIC and 16 experts in privacy and technology today filed a "friend of the court" brief (pdf) in a case concerning a New Hampshire state law banning the sale of prescriber-identifiable prescription drug data for marketing purposes. The experts urged the First Circuit Court of Appeals to reverse the ruling (pdf) of the lower court, which held that the NH Prescription Confidentiality Act violated the free speech rights of data mining companies. The experts said the lower court should be reversed because there is a substantial privacy interest in de-identified patient data that the lower court failed to consider. This privacy interest flows, in part, from the reality that data may not in fact be truly de-identified, and also because de-identified data does affect actual individuals. See EPIC's IMS Health v. Ayotte page. (Aug. 20)
- U.S. Company Implants Chips Into Two Employees. An Ohio video surveillance company, CityWatcher.com, has embedded silicon chips into two of its employees. The chips are planted in the person's upper right arm and "read" by a device similar to a card reader. The company says it is testing the technology as a way to limit access to a security area. In 2004, the Food and Drug Administration approved the use of an implantable computer chip for health care information applications. Called the VeriChip, it is a radio frequency identification (RFID) device about the size of a grain of rice. For more information, see EPIC's radio frequency identification (RFID) and VeriChip pages. (Feb. 13)
- VeriChip RFID Implant Is Cloned. Programmer Jonathan Westhues has recently proved that the VeriChip implantable RFID chip can be easily copied. Anybody capable of purchasing off-the-shelf electronics equipment and reading the description below can now impersonate the bearer of the chip and gain access to their medical records, among other things. As VeriChip has marketed its chip as a means of managing access control to buildings and medical records, this represents a significant threat to the bearer's privacy and security. For more information, see EPIC's VeriChip page. (Feb. 10)
- EPIC Urges CDC to Limit Passenger Data Collection. EPIC said in comments (pdf) to the Centers for Disease Control and Prevention that it should limit a proposed rule that would require airline and shipping industries to gather passenger information, maintain it electronically for at least 60 days, and release it to the CDC within 12 hours of a request. EPIC urged the CDC to narrow the scope of data collected to that which is necessary and set strict security standards to keep passenger data secure from unauthorized access and misuse. The CDC also should require the clear and open disclosure that travelers can refuse to submit their information without facing penalties, EPIC said. (Jan. 31)
Overview
Since the creation of the Hippocratic oath about 400 B.C., protecting the privacy of patients has been an important part of physicians' code of conduct. Over time, health information has come into use by many organizations and individuals who are not subject to medical ethics codes, including employers, insurers, government program administrators, attorneys and others. As uses of medical information have multiplied, so have regulatory protections for this highly sensitive and deeply personal information.
The regulatory regime for protecting privacy of health information is complex and fragmented. Some protections apply only to information held by government agencies. Some protections apply to specific groups, such as federal employees or school children. Some protections apply to specific medical conditions or types of information, such as information related to HIV/AIDS or substance abuse treatment. The first comprehensive set of federal regulations of health information, the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), came into effect in April 2003. The Security Rule, also required under HIPAA, was issued in final form on February 20, 2003 and will become effective in 2005.
News Items
- The new threat to your medical privacy. Consumer Reports, March 2006.
- Health Industry Insights Survey Reveals Consumers are Unaware of Government's Electronic Health Records Initiative. CRM Today, February 13, 2006.
- Company Implants Devices In Workers To Track Them. All Headline News, February 13, 2006.
- US group implants electronic tags in workers. Financial Times, February 12, 2006.
- Court Takes Up Teen 'Kiss & Tell' Reporting Law. National Law Journal, February 10, 2006.
- Appeals court rules in favor of Dallas Observer in HIV case. Dallas Voice, February 9, 2006.
- Setting records straight. Missoula Independent, February 9, 2006.
- White House wants states to track drugs. United Press International, February 8, 2006.
- White House anti-drug plan unveiled. Associated Press, February 7, 2006.
- RHIO Nation. Health Management Technology, February 2006.
Federal Law
HIPAA
The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the "federal floor" of privacy protection for health information in the United States, while allowing more protective ("stringent") state laws to continue in force. Under the Privacy Rule, protected health information (PHI) is defined very broadly. PHI includes individually identifiable health information related to the past, present or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Even the fact that an individual received medical care is protected information under the regulation.
The Privacy Rule establishes a federal mandate for individual rights in health information, imposes restrictions on uses and disclosures of individually identifiable health information, and provides for civil and criminal penalties for violations. The complementary Security Rule includes standards for protection of health information in electronic form.
Rights Under the Privacy Rule
The individual, who is the subject of Protected Health Information (PHI), has the following rights under the Privacy Rule:
- Right to access, inspect and copy PHI held by hospitals, clinics, health plans and other "covered entities," with some exceptions
- Right to request amendments to PHI held by "covered entities"
- Right to request an accounting of disclosures that have been made without authorization to anyone other than the individual for purposes other than treatment, payment and health care operations
- Right to receive a Notice of Privacy Practices from doctors, hospitals, health plans and others in the health care system
- Right to request confidential communications of PHI, e.g., having PHI transmitted to a different address or a different telephone number
- Right to request restrictions on uses or disclosures, although the "covered entity" receiving the request is not obligated to accept it
- Right to complain about privacy practices to the "covered entity" and to the Secretary of Health and Human Services
Limits on uses and disclosures
"Covered entities" that hold PHI may use it without an individual's consent for the purposes of providing treatment to the individual, for payment activities such as claims adjudication and premium setting, and for operating their businesses. They are also permitted to use and disclose PHI as required or permitted by other laws, e.g., laws related to reporting of child or elder abuse, public health oversight and national security investigations. However, those who have PHI must obtain an individual's signed authorization for use of PHI in marketing, research, fundraising, or any other activities that are not part of treatment, payment, health care operations, and other categories specifically identified under the Privacy Rule. A few types of disclosures require that the individual be given an opportunity to agree or object to the disclosure, e.g., whether information should be included in a hospital directory or given to clergy. Based on the professional judgment of a health care professional, some disclosures may be made to friends and family who are involved in an individual's care if such disclosures are found to be in the best interest of the individual.
In addition to specific restrictions on uses and disclosures, the Privacy Rule imposes a general "minimum necessary" requirement on those who hold and use PHI. Except for disclosures to the individual who is the subject of PHI or disclosures for treatment purposes, organizations must limit their uses and disclosures to "minimum necessary" information required to perform a task. They must have policies and procedures that specify what PHI can be viewed by different classes of employees within their workforces, what PHI should be released in response to routine inquiries, and must have a process in place for deciding what PHI should be released in response to non-routine requests.
"Covered entities" must also have formal contracts with their business associates, which use PHI to perform functions on their behalf. Examples of business associates include law firms, accounting firms, accreditation organizations, credentialing services, billing services and third-party administrators. Business associate agreements must stipulate that the business associate will safeguard PHI and will assist the "covered entity" in complying with its obligations with regard to individual rights and oversight by the Secretary of Health and Human Services.
Penalties for violations of privacy
The Privacy Rule includes both civil and criminal penalties for violations of privacy. Generally, penalties are expected to be assessed in cases where organizations or individuals act with willful neglect or intent to cause harm. Civil penalties are specified at $100 per violation, not to exceed $25,000 per person per year for identical violations. Criminal penalties for wrongful disclosure of PHI can go up to $250,000 and/or 10 years imprisonment if the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
Security standards
Requirements for safeguarding protected health information (PHI) are found in two separate but complementary Rules under HIPAA. The Privacy Rule requires "covered entities" to have in place "appropriate administrative, physical and technical measures" to safeguard PHI. This obligation must be passed on to business associates in business associate agreements and to researchers in limited data use agreements. The Security Rule, published in final form on February 20, 2003, contains considerably more detail about the meaning of appropriate safeguards.
Although the Privacy Rule applies to PHI in any form, including oral communication, the Security Rule applies only to PHI in electronic form. The standards are divided into three groups: administrative safeguards, physical safeguards, and technical safeguards. Administrative standards include risk analysis and management, assigning security responsibilities, policies and procedures, training of the workforce and contract requirements. Physical safeguards include access to facilities and workstations, as well as device and media controls. Technical safeguards include access controls and audits, authentication and transmission security.
The basic principles for security standards can be found in the HIPAA legislation. The law specifies, among other things, that standards must take into account technical capabilities of systems that contain PHI, cost of security measures and scalability issues, particularly as these might affect small and rural providers. The Department of Health and Human Services (HHS) translated these principles into regulation by creating standards (what must be done) and implementation specifications (how the standard can be met). Implementation specifications are further divided into two groups: those that are required (e.g., risk analysis) and those that are "addressable" (e.g., encryption for transmission of PHI). If an entity chooses not to implement an addressable specification, it must document its reasons why the specification would not be reasonable or appropriate, and implement alternative equivalent measures if reasonable and appropriate.
With the compliance date in April 2005, it is too early at this time to know how doctors, health plans and other entities will interpret and implement the Security Rule. The Rule does require that "covered entities" think about and document the risks they identify and measures they take to ensure protection of PHI. These records are likely to be used for both enforcement and legal actions.
Substance Abuse Confidentiality Requirements
Information related to substance abuse and chemical dependency treatment is protected by section 543 of the Public Health Service Act and its implementing regulation, 42 CFR Part 2. This regulation, which supersedes both HIPAA and all more permissive state laws, requires that any disclosure of information related to substance abuse and chemical dependency treatment be accompanied by the individual's signed authorization. There are no exceptions for disclosures related to treatment, payment or health care operations. The only exception relates to movement of information between different components of the Armed Services, including the Veterans Administration. Although the regulation applies only to "federally-assisted" specialized alcohol or drug abuse programs, it is widely interpreted as applying to any federally conducted or funded program, any federally licensed or certified program, programs that are tax exempt, and programs that receive federal funds in any form, e.g., via the Medicaid program.
Other Federal Laws
In addition to being subject to HIPAA and Substance Abuse Confidentiality Requirements, health care organizations may be subject to several federal laws that touch in some way on privacy of health information. The Preamble to the Privacy Rule lists the following applicable laws: Privacy Act of 1974, Family Educational Rights and Privacy Act, Freedom of Information Act, Employee Retirement Income Security Act of 1974 (ERISA), Gramm-Leach-Bliley Act, federally funded health programs regulations, Food, Drug and Cosmetic Act, Clinical Laboratory Improvement Amendment, federal disability and non-discrimination laws, and U.S. Safe Harbor Privacy Principles (European Union Directive on Data Protection). In addition, many federal regulations require disclosure of specific PHI for specific purposes in specific circumstances.
In the Preamble to the Privacy Rule, HHS states that there should be few instances of conflict between HIPAA regulations and other federal laws because HIPAA permits but does not require many disclosures. Therefore, when disclosures are required under other federal law, PHI may be disclosed as required by other law. If a disclosure is not required but only permitted under other law, an entity must determine whether the disclosure is permissible under HIPAA and then follow HIPAA requirements for making such a disclosure. If another federal law prohibits disclosure that is permitted but not required under HIPAA, entities must comply with the other federal law.
Genetic Information
Genetic information is generally considered protected health information (PHI) under the Privacy Rule. However, given the sensitive nature of such information and the potential harm that might be caused by misuse or disclosure, special legislation for the protection of genetic information has been introduced in Congress since 1997. The latest activity in Congress took place in May 2003. The Senate Committee on Health, Education, Labor and Pensions passed the Genetics Nondiscrimination Act of 2003, S.1053 (pdf). The bill prohibits health insurance plans from denying enrollment or charging premiums on the basis of an individual's or family members' genetic information. It also prohibits health insurers from basing premiums of a group health plan on the basis of genetic information of plan members or their families. The bill prohibits disclosures or collection (requesting, requiring or purchasing) of genetic information for underwriting purposes. In addition, it prohibits the use of genetic information in employment decisions and applies the same procedures and remedies as apply to other forms of employment discrimination. Following the model of the HIPAA Privacy Rule, the Genetic Nondiscrimination Act provides basic protections for genetic information while permitting greater protection under other federal and state measures. The language of the Senate bill has been introduced in the House as HR 1910.
State Law
State laws cover several areas related to privacy of health information. These include regulation of health insurance, regulation of organizations that perform certain administrative functions such as utilization review or third-party administration, licensure requirements for various medical specialties and medical organizations (including requirements for record-keeping and disclosure), access to medical records by patients, guardians and other interested parties, reporting of information to the state and local authorities, e.g., birth and death or disease incidence, use of information for quality assurance and health care operations, issuance of notices of privacy practices, and reporting and providing access to law enforcement authorities. In recent years many states have also passed confidentiality laws related to specific conditions or types of health information. Examples include laws related to mental health records, HIV/AIDS, reproductive rights and genetic testing.
The HIPAA legislation explicitly addresses interaction between federal and state law. Generally, "covered entities" are required to comply with both HIPAA and state law whenever possible. If it is not possible to comply with both, HIPAA preempts any contrary provision of state law, including state law provisions that require written records rather than electronic ones. State law is not preempted in the following circumstances:
- When state law is necessary for regulation of insurance or health plans, prevention of fraud and abuse, or reporting on health care system operations and costs
- When state law addresses controlled substances
- When a state law relates to reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention
- When a provision of state law is more stringent than the requirements of the federal Privacy Rule
The most difficult of these exceptions is the stringency exception. A provision of state law is defined to be more stringent if it prohibits or restricts use or disclosure of PHI that would be permitted under the Privacy Rule. Specifically, a more stringent state law:
- Permits greater rights of access and amendment to the individual who is the subject of the PHI
- Provides more information about use, disclosure, rights and remedies to the individual
- Narrows the scope or duration of express legal permission required from the individual for use or disclosure or reduces the coercive effect of the requirement for legal permission for use or disclosure of PHI
- Increases the duration or requires more detailed accounting of disclosures
- Provides greater privacy protection to the individual
In many cases it is not clear whether a particular state law provision is contrary to HIPAA and, if it is, whether or not it is more stringent. An example of such a provision is a state law that requires a review of PHI by the treating physician prior to release of PHI to the individual. The Privacy Rule allows PHI to be withheld if, in the professional opinion of a licensed health care professional, releasing the information would endanger the life or physical safety of the individual or another person. This implies that PHI would be reviewed by a health care professional prior to release. If the review by the treating physician is conducted for this purpose, the state law provision would not be contrary to HIPAA and, therefore, the state law would not be preempted. However, if a review by the treating physician is conducted in addition to a review conducted by another licensed professional, e.g., one employed by a health insurer, it might be viewed as a way of reducing access and, therefore, contrary to HIPAA. In that case, the provision would be preempted.
Although many analyses of interaction between HIPAA and state law (called "preemption analyses") have been performed on behalf of health care companies and professional associations, these analyses are advisory in nature. There is general agreement that final decisions about the applicability of specific provisions of state and federal law will be made by the courts.
Health Information and Employment
Generally, the Privacy Rule prohibits disclosure of health information for employment-related decisions without the explicit authorization of the individual. Employers that have self-funded health plans regulated under ERISA (Employee Retirement Income Security Act of 1974) must build "firewalls" around these plans to ensure that health information received by plans as part of their operations is adequately safeguarded and not used for other purposes. Employer-sponsors must provide a certification to their group health plans that any PHI they receive from the group health plan will not be used for employment-related decisions. However, once an employer obtains health information, it is not obliged to protect this information under the Privacy Rule.
There are several instances when an employer may be able to obtain health information without individual authorization. Information related to pre- and post-employment drug testing is not considered PHI under the Privacy Rule. The Privacy Rule does not apply to workers' compensation programs, so information obtained by an employer as part of a workers' compensation claim is not protected under the Privacy Rule. If a credit report obtained during a background check contained explicit or implied health information, that information would not be considered PHI. In addition, Department of Transportation, Federal Aviation Administration, and Federal Highway Administration rules contain provisions that require doctors and others to disclose health information to employers. Such disclosures are permitted when required by law and become part of an employee's employment file, which is not subject to the Privacy Rule.
Use of Health Information in Marketing
The Privacy Rule explicitly addresses the concern that health information, which was collected for the purposes of providing treatment or paying claims, will be sold or used to market products and services. The 2002 version of the Rule contains a two-part definition of marketing:
- "to make a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service"; or
- "to disclose PHI to another entity for direct or indirect payment so the other entity can market its own products or services."
In order to use protected health information (PHI) for marketing, covered health care providers, health plans or other entities need to obtain an individual's signed authorization except when the communication occurs face-to-face or involves a gift of nominal value. When an authorization is required, it must explicitly state whether the entity is receiving payment from third parties to engage in a marketing communication.
Although the definition of marketing seems quite broad, several categories of activities and communications are explicitly excluded from being considered marketing. Under the Privacy Rule, an organization is not engaged in marketing:
- When a communication is about a health-related product or service that is included in the individual's plan of benefits provided by the entity making the communication, including information about participating network providers, services offered by participating providers, replacement or enhancement to a health plan, or value-added health-related products or services available only to participants of the plan, even if these products or services are not part of the plan;
- When the communication is related to the individual's treatment; or
- When the communication involves case management or care coordination for an individual, or directions or recommendations for alternative treatments, therapies, health care providers or settings of care for the individual.
Excluded communications are not considered marketing whether a doctor, hospital, health plan or another covered entity delivers them directly or engages a business associate, such as a mailing house or a telemarketer. The Privacy Rule notes that it does not change any restrictions that may exist in other federal or state laws, such as anti-kickback statutes or substance abuse regulations.
The exclusions from the definition of marketing have raised concerns that some consumers may receive unwanted communications or be misled about the nature of the information contained in communications they receive. Below are some examples of such communications:
- A drug manufacturer can pay a physician or a pharmacy to send refill reminders to patients, or to send information about a drug to all patients identified with a particular condition or taking particular medications. Although the drug manufacturer would not get PHI from the physician or pharmacy, it would accomplish the same marketing goals by paying someone else to promote its products. Furthermore, because the communication would come from an individual's physician or pharmacist, the information in the communication might be viewed as more trustworthy than it would be if it came from a drug manufacturer.
- An individual may find that PHI related to a condition such as diabetes or HIV/AIDS is being used to send her information regarding services or products related to the condition. An exception for case management or coordination of care could be used to exclude such offers from a requirement for written authorization.
- A doctor or a health plan may send information about health-related products such as health club memberships, massage therapy or herbal supplements, as long as these products, services or discounts are health-related and not available to the general public.
- A dentist may continue to give patients toothbrushes, floss and toothpaste samples because these are considered to have nominal value.
When the Privacy Rule was being revised in early 2002, privacy advocates objected to excluding these types of communications from the definition of marketing. The Department of Health and Human Services agreed that there may be some confusion about the appropriate scope of activities that fall under "treatment" and "marketing", and that abuses may occasionally occur. Nevertheless, it decided that differentiating between various communications from a covered entity would be too difficult and confusing and might even be seen as an attempt to interfere with the ability to provide high quality health care. Therefore, all communications that fall under the exceptions are permitted without the individual's authorization. Although an individual has a right to ask for a restriction on uses and disclosures of his or her PHI, including uses and disclosures for treatment, the covered entity is not obligated to comply with the request. As a result, an individual may have no recourse with respect to communications that fall under the marketing exception.
Disclosure of Health Information for Law Enforcement and National Security
The HIPAA Privacy Rule permits but does not require disclosures of PHI required by other laws. Such disclosures must be limited to meet the compliance requirements of those other laws. Substance abuse regulations, which are more stringent than the Privacy Rule, prohibit some disclosures that would otherwise be permitted.
Disclosures to law enforcement officials
The Privacy Rule includes a standard for disclosures to law enforcement officials. The standard permits the following types of disclosures:
- Pursuant to a legal process or otherwise required by law, including disclosures of certain types of wounds, and disclosures in response to court orders, subpoenas, and administrative requests. Administrative requests must be specific and limited, relevant to a legitimate ongoing investigation, and must demonstrate that de-identified information (that is, information without individual identifiers) cannot be used.
- Limited information disclosures for the location of a fugitive, suspect, material witness or missing person.
- Information about an individual who is or is believed to be a victim of crime if the individual agrees to the disclosure or, under specific rules, if the individual is unable to agree or object.
- Information about decedents.
- Information about crime on the premises of the covered entity if there is a good faith belief that the disclosed PHI is evidence of a crime.
- Limited disclosure in emergencies in order to alert law enforcement about the commission of a crime.
Additional disclosures to law enforcement officials are permitted under other parts of the Privacy Rule. For example, disclosure is permitted if a covered entity believes that an individual may pose a serious threat to health and safety and the disclosure may help law enforcement authorities reduce the harm or apprehend the individual.
Although disclosures to law enforcement authorities may be made without individual authorization and, in some cases, without giving the individual an opportunity to agree or object, such disclosures generally become part of Accounting for Disclosures that an individual can request from a covered entity. If a law enforcement official requests that law enforcement-related disclosures not be listed in the Accounting for a specified period of time, the entity providing the Accounting must suspend the individual's right to see a listing of such disclosures.
PHI of inmates and detainees in correctional institutions is generally subject to protections under the Privacy Rule, with some exceptions. The Rule permits covered entities to share inmates' PHI for specified health care and custodial purposes without authorization. Once individuals are released from custody, their PHI becomes subject to all protections under the Privacy Rule.
Some concerns have been raised that health oversight agencies may lawfully obtain PHI under the Privacy Rule and then re-disclose the information to law enforcement authorities. In its comments on the December 2000 Privacy Rule, HHS acknowledged that such re-disclosures could potentially take place, but stated that it does not have statutory authority to regulate health oversight agencies.
Regulations dealing with substance abuse are more stringent then the Privacy Rule when it comes to disclosures related to law enforcement. Information related to substance abuse may not be disclosed to law enforcement officials without individual authorization.
Disclosures for National Security
Covered entities are permitted to disclose PHI to authorized federal representatives for conduct of intelligence, counter-intelligence, and other national security activities, as well as to provide protective services to the President and others. These disclosures do not require individual authorization and do not become part of the Accounting for Disclosures. HHS states in the Preamble to the December 2000 Privacy Rule that the Rule does not confer any new authority with regard to disclosures related to national security or protective services because it does not compel covered entities to release information for these purposes. Of course, if new law is passed that requires disclosures of PHI for national security purposes, these disclosures would fall under provisions for disclosures required by law, and covered entities would have to comply with these requirements.
Consumer Advice to Safeguard Your Medical Records
What's In Your Medical Records?
Besides information about physical health, these records may include information about family relationships, sexual behavior, substance abuse, and even the private thoughts and feelings that come with psychotherapy. This information is often keyed to a Social Security Number. Because of a lack of consistent privacy protection in the use of Social Security Numbers, the information may be easily accessible.
Information from your medical records may influence your credit, admission to educational institutions, and employment. It may also affect your ability to get health insurance, or the rates you pay for coverage (OTA report). More importantly, having others know intimate details about your life may mean a loss of dignity and autonomy.
Maintaining Medical Record Privacy
- Threats to the privacy of your medical information.
- Protect the privacy of your social security number.
- Tell your physician everything necessary for proper treatment, but "think twice before disclosing information that has no bearing on your health." (Consumer Reports, Oct. 1994, p. 629).
- Ask your doctor if any of the records can be accessed from outside the office. If so, ask for what purpose they may be accessed.
- Before the office sends your medical records to another party, such as an insurance company, ask to view the record.
- Ask for a notification if your medical records are ever subpoenaed.
- Controlling access to other personal information.
Resources
- Department of Health and Human Services Administration Simplification site has links to a variety of HIPAA information including all the Rules and the HIPAA legislation
- Office for Civil Rights Privacy of Health Records site includes answers to frequently asked questions (FAQs), guidance documents and complaint procedures
- Georgetown University Health Privacy Project site includes updated information on state laws related to health privacy
- National Association of Insurance Commissioners privacy page includes information related to regulation of health insurance
- WEDI-Strategic National Implementation Process (SNIP) papers on security and privacy of health information
- Medem guidelines for online communication between patients and healthcare professionals
- Bibliography of articles, surveys, and books. Also see Robert Gellman's Health Confidentiality Bibliography.
- Privacy Rights Clearinghouse report, How Private Is My Medical Information?
Medical Privacy Law and Policy
EPIC Overview
- EPIC review of medical privacy issues (AHIMA 1994)
- "Privacy protection is critical for delivery of health care services"
- Marc Rotenberg's review of Institute of Medicine report on medical privacy in Journal of Health, Law, and Public Policy
- "From an administrative viewpoint, a single national law would clearly be preferable. But from a privacy viewpoint, the desirability of that outcome is less clear. A weak national law that preempts a strong state statute will leave some persons with less protection than they previously enjoyed. A single federal law can also stifle innovative state initiatives."
- Public support for real privacy safeguards for medical records.
- "75% percent are concerned a "great deal" or "fair amount" about health insurance companies putting medical information about them into a computer information bank that others have access to." (ACLU 1994)
- "85% believe that protecting the confidentiality of medical records is "absolutely essential" or "very important" in health care reform." (Lou Harris 1993)
- Principles for a good medical privacy bill.
- Scope
- Patient Access
- Enforcement and oversight
- Third Party Access
- National Databases
- Research Records
- Security
- Identification Numbers
- Preemption
- Massachusetts Medical Society Policy, Patient Privacy and Confidentiality, as adopted by the MMS House of Delegates, November 8, 1996.
- INFORMATION POLICY FOR THE U.S. HEALTH SECTOR: ENGINEERING, POLITICAL ECONOMY, AND ETHICS by F. Reid Cushman, Ph.D. and Don E. Detmer, M.D., The Milbank Quarterly, September 1997.
Documents
Laws
- Health Insurance Portability And Accountability Act of 1996 (HIPAA), PL 104-191. Includes the Administrative Simplification provision that requires standards for health care transactions and code sets, privacy, security, and national identifiers for employers, health plans, health care providers and individuals.
- HHS Recommendations to Congress, Sept 11, 1997. Donna Shalala, the Secretary of the Department of Health and Human Services, recently urged Congress to pass medical privacy legislation. But some lawmakers and the ACLU say that the Administration's proposal does not go far enough to restrict law enforcement access to personal medical information.
- The Privacy Act of 1974, which states that no federal agency may disclose information without the consent of the person. Agencies must also meet certain requirements for protecting the information.
- Other Federal Laws. These laws only cover federal agencies, such as Medicare and Medicaid. The bulk of medical records are covered by various, inconsistent and often ineffectual state laws.
- State Laws. This document allows you to look at the privacy laws, including medical privacy laws, for each state. Only about half of the states guarantee patients the right to see their medical records (CR, Oct. 1994, p. 629). You can obtain more information by looking in your state code or by contacting Privacy Journal.
- Lawrence Gostin, et al., "Legislative Survey of State Confidentiality Laws", Feb. 1997.
Cases
- Pachowitz v. LeDoux, No. 02-2100 (Wis. Ct. App. May 28, 2003): The Wisconsin Court of Appeals upheld a jury verdict, agreeing that Ms. LeDoux, an Emergency Medical Technician, violated Ms. Pachowitz's privacy by disclosing Pachowitz's medical information to Pachowitz's co-worker. The appeals court agreed with the lower court that disclosing such information is not permitted under the state "invasion of privacy" law, and that it does not matter whether the information is disclosed to one person or many.
- Citizens for Health et al. vs. Tommy G. Thompson, Complaint for Declaratory and Injunctive Relief, April 10, 2003, USDC ED PA. Plaintiffs seek invalidation of those parts of the HIPAA Privacy Rule eliminating any requirement for consent to be obtained by a covered entity prior to using or disclosing protected health information for treatment, payment, or health care operations.
- United States of America ex rel. Mary Jane Stewart et al., v. The Louisiana Clinic, et al., Civil Action No. 9901767, Section "N" (2), U. S. District Court, E. D. Louisiana, December 11, 2002 Decision about preemption of Louisiana law by provisions of the Privacy Rule.
- United States of America v. Franklin Sutherland, Defendant, Case No. 1:00CR00052, Case No. 1:00CR00093, Opinion and Order (pdf). Although the HIPAA Privacy Rule was not effective for enforcement at the time the decision was handed down, the existence of a federal standard was considered sufficient for the application of that standard to the government's request for health information.
- Jaffee v. Redmond established privilege for communications between a psychotherapist and a patient. Summary - opinion - dissent - additional information
- Merck & Co forced to settle with the Minnesota Attorney General after violating privacy rights of consumers in disclosure of pharmaceutical records.
- "The settlement requires significant managed care reforms and measures to protect consumers' privacy rights."
Research
- For the Record: Protecting Electronic Health Information, National Research Council, 1997. The report identifies privacy issues related to health information in electronic form and provides recommendations.
- The General Accounting Office report "Medical Records Privacy: Access Needed for Health Research, but Oversight of Privacy Protections is Limited", February 25, 1999. The GAO said that the information is important for research but called for greater oversight of Review Boards.
- A Brief Summary of the Medical Privacy Rule (PDF), CRS Report for Congress RS20934, updated February 14, 2003.
- Medical Records Privacy: Questions and Answers on the HIPAA Final Rule (PDF), CRS Report for Congress RS20500, updated January 3, 2003.
Security Issues
- The British Medical Association report on "Security in Clinical Information Systems"
- American Medical News, Automation trends in medicine, Oct. 13, 1997. Describes the PCASSO proposal for placing medical records on the Internet.
Identification Number
- Letter from privacy advocates to Hillary Clinton urging that the Social Security Number not be used as the Health Identification Number (April 1993).
- "It is our belief that the SSN should not be used for medical record identification and that an alternative identification scheme must be developed."
Genetic Information
- Bloodsaw v. Lawrence Berkeley Labs, 9th Circuit Court of Appeals, Feb. 3, 1998.
- The Icelandic Parliament approved the creation of a genetic database of all residents of Iceland in December. Association for Ethics in Science and Medicine pages. CNN story on the controversy.
History of the Privacy Rule
- Health Insurance Portability And Accountability Act of 1996 (HIPAA), PL 104-191 included a three year window for Congress to pass legislation to protect privacy of health information. Several bills were introduced during that period.
- H.R.1815 : To protect the privacy of health information in the age of genetic and other new technologies, and for other purposes, introduced by Rep Jim McDermott 6/5/1997
- H.R.3900 : To establish Federal penalties for prohibited uses and disclosures of individually identifiable health information, to establish a right in an individual to inspect and copy their own health information, and for other purposes, introduced by Rep. Christopher Shays 5/19/1998
- H.R.4312 : To repeal sections 1173(b) and 1177(a)(1) of the Social Security Act, to prohibit Federal agencies from construing Federal law as authorizing the establishment of a national medical identification card, and for other purposes, introduced by Rep. Bob Barr 7/22/1998
- H.R.1057 : To provide individuals with access to health information of which they are a subject, ensure personal privacy with respect to health-care-related information, impose criminal and civil penalties for unauthorized use of protected health information, to provide for the strong enforcement of these rights, and to protect States' rights, introduced by Rep Edward J. Markey 3/10/1999
- H.R.1941 : To protect the privacy of personally identifiable health information, introduced by Rep. Gary Condit 5/25/1999
- H.R.2404 : To protect the privacy of individuals by ensuring the confidentiality of information contained in their medical records and health-care-related information, and for other purposes, introduced by Rep. John P. Murtha 6/30/1999
- H.R.2878 : To protect the privacy of health information in the age of genetic and other new technologies, and for other purposes, introduced by Rep. Jim McDermott 9/15/1999
- S.1368 : A bill to provide individuals with access to health information of which they are the subject, ensure personal privacy with respect to personal medical records and health care-related information, impose criminal and civil penalties for unauthorized use of personal health information, and to provide for the strong enforcement of these rights, introduced by Sen. Patrick Leahy 11/4/1997
- S.573 : A bill to provide individuals with access to health information of which they are a subject, ensure personal privacy with respect to health-care-related information, impose criminal and civil penalties for unauthorized use of protected health information, to provide for the strong enforcement of these rights, and to protect States' rights, introduced by Sen. Patrick Leahy 3/10/1999
- S.578 : A bill to ensure confidentiality with respect to medical records and health care-related information, and for other purposes, introduced by Sen. James M. Jeffords 3/10/1999
- Proposed Privacy Rule issued by the Department of Health and Human Services on November 3, 1999
- Final Privacy Rule issued on December 20, 2000 with February 20, 2003 compliance date
- Report to Congress, required under 5 U.S.C. 801(a)(1), was not received at the time the Final Rule was published, so the compliance date was extended to April 14, 2003
- Final Rule re-opened for comments on February 28, 2001
- Modifications to Final Rule issued in March 2002, keeping April 14, 2003 compliance date
- Additional modifications (pdf) to the Final Rule issued on August 14, 2002
Previous News
- Government Agency Seeks New Power to Track Airline Passengers. The Centers for Disease Control and Prevention has proposed a rule that would greatly expand the powers of the federal government to track travelers. Airline and shipping industries would be required to gather passenger contact and health information, maintain it electronically for at least 60 days, and release it to the CDC within 12 hours of a request. The public has 60 days to comment on this rule. EPIC and Patient Privacy Rights are calling for strong medical privacy protections in an online petition. (Nov. 23)
- Medical Records Privacy Important to Americans, Survey Finds. Sixty-seven percent of adults are concerned about the privacy of their personal medical records, according to a poll by the California HealthCare Foundation and the Health Privacy Project. Also, 52 percent fear that their health insurance information might be used by employers to limit job opportunities. Congress is considering a proposal to build a national Health Information Network, which does not yet include adequate privacy safeguards. EPIC and Patient Privacy Rights are calling for strong medical privacy protections in an online petition. (Nov. 9)
- EPIC and Patient Privacy Rights Urge Stronger Security for Medical Records. EPIC and Patient Privacy Rights launched a joint campaign to strengthen protections for patients' medical information. Congress is rushing to pass legislation to establish a national Health Information Network without patient privacy safeguards. Yet a recent poll found that 69 percent of adults do not believe strong enough data security will be installed. In an online petition, EPIC and Patient Privacy Rights call for strong medical privacy protections. (Oct. 27)
- NCVHS Publishes Recommendations on HIPAA and Banks. The National Committee on Vital and Health Statistics (NCVHS) published its recommendations on the privacy of health information in the banking system based on the hearings conducted in February 2004. The Committee urged clarification of banks' status under the Health Insurance Portability and Accountability Act. In addition the Committee urged HHS to consider whether health information flowing through the ACH network should be encrypted to ensure that only intended recipients have access to it. (July 1)
- British Physicians Concerned About National Patient Records Database. A group of British physicians has expressed opposition to the creation of a national database of patient records unless patients first provide their consent. The $11 billion national health IT initiative by the British National Health Service envisions a regionally based system that will permit doctors and nurses all over the country to access patient records and will enable patients to view a summary of their records and schedule appointments electronically. The current design would give patients the ability to opt out of the national system, but would still include their data in the national database in de-identified form for access in emergencies. The opposition of British physicians comes shortly after President Bush formally announced a major Department of Health and Human Services initiative on the National Health Information Infrastructure for the US. (June 9)
- Coalition Urges Restricted Use of Medical Data in Credit Decisions. EPIC and a coalition of privacy advocacy organizations filed comments (pdf) with five federal agencies which issued a proposed regulation under the Fair and Accurate Credit Transactions Act (FACT Act). The FACT Act, an amendment to the Fair Credit Reporting Act, creates new restrictions on the manner in which creditors, such as banks and credit unions, can obtain and use medical information. Generally, the FACT Act prohibits creditors from obtaining or using medical information about a consumer in connection with deciding whether the consumer is eligible for credit. The Act also defines fairly narrow exceptions under which creditors may obtain and use medical information. The coalition supported the regulation's general prohibition on creditors obtaining or using medical information about a consumer in connection with deciding whether the consumer is eligible for credit. We urged that financial institutions not be permitted to routinely request consent to obtain medical information and that affiliate sharing be limited. (May 25)
- Justice Dept. Withdraws Records Subpoena. The Department of Justice has ended its efforts to obtain abortion records from New York-Presbyterian Hospital by withdrawing its subpoena for these records. The DOJ was seeking the records for its defense of the Partial Birth Abortion Ban Act in a trial taking place in the federal court for the Southern District of New York. The presiding judge, Judge Richard C. Casey, approved the subpoena, saying that records are relevant to the determination of whether partial-birth abortions are ever medically necessary. The hospital had appealed the subpoena to the 2nd Circuit Court of Appeals, and the appeal was pending while the trial was in progress. The 2nd Circuit Court expressed doubts about the DOJ's need for the requested records, but sent the case back to Judge Casey to allow him to find the hospital in contempt and, thereby, give the Circuit court jurisdiction to hear the dispute. By withdrawing its subpoena, DOJ has cleared the way for closing arguments in the trial. (Apr. 27)
- Pennsylvania Judge Dismisses Suit on Privacy Rule. On April 2 U.S. District Judge Mary A. McLaughlin ruled (pdf) that Tommy G. Thompson, secretary of the U.S. Department of Health and Human Services, had not acted arbitrarily when he allowed the version of the Privacy Rule that did not include a provision requiring patients to give consent for routine uses of their health information to go forward. The ruling stated that the provisions did not violate patients' constitutional rights to privacy and due process. The suit was brought on behalf of Citizens for Health and 17 other individuals and groups representing about 750,000 consumers and medical professionals. The plaintiffs are considering an appeal of the ruling. (Apr. 2)
- NY Judge Orders Release of Abortion Records. Judge Richard Conway Casey of the Federal District Court in Manhattan has ordered New York-Presbyterian Hospital to turn over to the Justice Department records on abortions performed there. This decision highlights the disagreement within the federal judiciary about the privacy rights of patients. Judges in San Francisco and Chicago have ruled that the release of abortion records would violate women's privacy without providing much useful information to the government. As a result of the San Francisco judge's decision, the Justice Department dropped its efforts to obtain records from Planned Parenthood clinics. A judge in Detroit ruled that records held by the University of Michigan Health System should be released to him for determination of relevance. Three simultaneous trials on the constitutionality of the Partial Birth Abortion Ban Act are scheduled for March 29 in San Francisco, New York and Omaha, Nebraska. (Mar. 23)
- New York Attorney General Weighs in on DOJ Subpoenas. The office of New York Attorney General Elliot Spitzer submitted a brief (pdf) as amicus curiae to urge the U.S. District Court for the Southern District of New York to quash Department of Justice subpoenas for abortion records at New York Presbyterian Hospital. The brief asked the Court to recognize physician-patient privilege that has existed under New York state law for over 150 years. It also makes the argument that the United States Constitution protects the privacy of medical records as demonstrated by several decisions of the Supreme Court. (Mar. 18)
- DOJ Ends Efforts to Obtain Medical Records. The Department of Justice has dropped its efforts to obtain medical records from Planned Parenthood clinics after US District Court Judge Phyllis J. Hamilton denied the motion to compel production of the records. DOJ claimed that the medical records were necessary for its defense in a suit brought by several abortion providers alleging that the Partial Birth Abortion Ban Act of 2003 is unconstitutional. The judge agreed with the privacy advocates who opposed the release of records, even with the patients' names removed, because the release would violate the privacy of the women involved. (Mar. 11)
- NCVHS Recommends Changes to Privacy Rule. On March 5 the National Committee on Vital and Health Statistics (NCVHS) wrote a letter to Secretary Thompson with concerns and recommendations resulting from the NCVHS November hearings. The recommendations include a request that the Department continue and expand its education effort, particularly with regard to permissibility of disclosures for public health activities. The letter also includes a recommendation for modifications applicable to disclosure of immunization information to school officials, interaction between the Privacy Rule and rules for the protections of human subjects in research, and notices of privacy practices given in non-traditional settings such as health fairs. (Mar. 5)
- EPIC Testifies on Medical Privacy and Banking. In testimony before the National Committee on Vital and Health Statistics, the official advisory body to the Secretary of Health and Human Services, EPIC Senior Fellow Anna Slomovic discussed the need to improve protection for health information as it moves through the banking system. She stated that banks should not be exempt from the requirements of the HIPAA Privacy Rule and that health information flowing through the banking transaction network should be encrypted. (Feb. 12)
- Federal Court Quashes Justice Department Subpoena for Medical Records. The United States District Court for the Northern District of Illinois has quashed a subpoena from the United States Justice Department seeking to gain medical information in the records of women who received late-term abortions at Northwestern Memorial Hospital. The opinion (pdf) by Chief District Judge Charles P. Kocoras bases the Court's decision on the preemption provisions of the HIPAA Privacy Rule. Under these preemption provisions, a hospital must comply with the "more stringent" of either federal or state privacy law if it cannot comply with both. Although the release of requested records would be permissible under the federal privacy regulation, the Court found that the more stringent Illinois law does not permit such disclosure. (Feb. 12)
- Supreme Court Declines to Review Challenge to Medical Privacy Rule. The Supreme Court has refused to hear an appeal in a suit brought by the South Carolina Medical Association against the Department of Health and Human Services. The Association sought to have the Privacy Rule promulgated under HIPAA declared unconstitutional. As a result of the Supreme Court's refusal to hear the case, the lower court ruling stands, affirming that the Congress acted within its constitutional authority when it delegated the writing of the Rule to the Department of Health and Human Services. (Nov. 3)
- Coalition Alerts HHS to Data Mining of Health Information. EPIC, the Health Privacy Project and 28 other health care advocacy, labor, consumer, disability rights, and health care provider groups sent a letter to Health and Human Services Secretary Tommy Thompson urging him to affirm that protected health information sent through the banking network must be accessible only to providers and health plans for whom it is intended. Financial institutions have expressed interest in data mining electronic transactions that flow through the banking system in order to gain information for use in marketing and credit risk evaluation. The Privacy Rule includes guidance that requires protection of health information in banking transactions, but the banking industry has been asking the Office for Civil Rights to revise or retract this earlier guidance. (Sept. 10)
- EPIC Testifies on Medical Privacy, FCRA, Preemption. In testimony (pdf) before the House Financial Services Subcommittee on Credit, EPIC Executive Director Marc Rotenberg urged the Congress to increase protections for medical privacy in the Fair Credit Reporting Act. EPIC called for opt-in protections for affiliate sharing of personal information, and for an end to preemption of state law in the FCRA. Rotenberg concluded, "As we enter the twenty-first century, it is clear that privacy protection is one of great issues facing the nation and that the states have a central role to play." For more information, see the EPIC FCRA and Preemption Pages. (Jun. 17)
- President Unveils Final Medical Privacy Regulations. On December 20, 2000, President Clinton presented the final version of medical privacy regulations drafted by the Department of Health and Human Services (HHS). The regulations are the first federal privacy protections for medical information and will apply to both paper and electronic health records. More information about the regulations is available from the Office for Civil Rights within HHS.
- Draft Medical Privacy Regulations Released. This morning, the President announced a new set of proposed federal regulations protecting the privacy of electronically stored medical records. The regulations (also available in PDF) -- produced by the Department of Health and Human Services in concert with multiple federal agencies -- are the first federal protections of medical privacy. The Department of Health and Human Services began drafting the regulations when Congress failed to pass federal legislation concerning medical privacy on August 21, 1999.
- Final Draft of Model State Public Health Privacy Act Available. The Model State Public Health Privacy Project has completed a final version (also available in PDF) of a Model State Public Health Privacy Act. The project sought to develop a model state law addressing privacy and confidentiality issues arising from the collection, use, and dissemination of health information by public health departments at the state and local levels, with special consideration of HIV/AIDS status. For more information about the protection of health records, see the EPIC page on medical privacy.
- GAO Releases Report on Medical Privacy. The General Accounting Office released a report "Medical Records Privacy: Access Needed for Health Research, but Oversight of Privacy Protections is Limited" on February 25, 1999 examining the use of personally identifiable medical information for research purposes. The GAO said that the information is important for research but called for greater oversight of Review Boards.
- Michigan medical records accidentally posted on Web, Detroit Free Press, February 12, 1999. Patient records exposed on Web, Ann Arbor News, Feb 10, 1999.
- Clinton Calls for Medical Privacy Law. In his State of the Union speech on January 21, 1999, President Clinton called for the enactment of medical privacy laws this year.
- Iceland Approves National Genetic Database. The Icelandic Parliament approved the creation of a genetic database of all residents of Iceland in December. Association for Ethics in Science and Medicine pages.
Last Updated: September 13, 2007
Page URL: http://www.epic.org/privacy/medical/default.html