Focusing public attention on emerging privacy and civil liberties issues

Medical Record Privacy

Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not be noised abroad, I will keep silence thereon, counting such things to be as sacred secrets.

- Oath of Hippocrates, 4th Century, B.C.E.

Top News

  • EPIC Urges Federal Health Agency to Safeguard Mental Health Records: In comments to the Department of Health and Human Services, EPIC underscored the importance of medical privacy, particularly concerning mental illness. In response to President Obama's plan to reduce gun violence, the federal agency is considering allowing states to report certain mental illness information to the FBI for inclusion in the National Instant Criminal Background Check System. EPIC warned that the proposal could result in incorrect determinations and may also discourage people from seeking medical care. EPIC recommended that the federal agency: (1) hold states accountable for disclosing more medical information than the system requires; (2) require that states notify the FBI of incorrect or outdated mental illness records; and (3) encourage states to maintain the accuracy of mental health records. For more information, see EPIC: Medical Privacy and EPIC: Gun Owners' Privacy. (Jun. 11, 2013)
  • Presidential Commission Urges Privacy Protections for DNA Data: Noting the rapid advances in the use of genetic data, the report of the Presidential Commission for the Study of Bioethical Issues recommended "a consistent floor of privacy protections covering whole genome sequence data regardless of how they were obtained. These policies should protect individual privacy by prohibiting unauthorized whole genome sequencing without the consent of the individual from whom the sample came." The Commission further said "Only in exceptional circumstances should entities such as law enforcement or defense and security have access to biospecimens or whole genome sequence data for non health-related purposes without consent." The Presidential Commission offered additional recommendations on "Ethical Principles," "Policy and Governance," and "Analysis and Recommendations." Earlier this year, EPIC provided comments to the Commission, proposing new safeguards for genetic data and limits on law enforcement access. EPIC also recommended that the Commission build upon existing genetic privacy and medical laws to enhance individuals' control over their genetic information. For more information, see EPIC: Genetic Privacy and EPIC: Medical Record Privacy. (Oct. 15, 2012)
  • EPIC Calls for Genetic Privacy Protections: EPIC submitted comments to the Presidential Commission for the Study of Bioethical Issues, urging the advisory panel to protect genetic privacy in large-scale human genome sequence data. The Commission requested comments pertaining to the "privacy of individuals, research subjects, patients, and their families" as the government moves closer to large-scale human genome sequencing. EPIC Advisory Board member Professor Anita L. Allen serves as a Commissioner on the Presidential advisory panel. EPIC recommended that the Commission build upon genetic privacy and medical laws such as the Genetic Information Nondiscrimination Act ("GINA") and the Health Insurance Portability and Accountability Act Privacy Rule to protect genetic data. EPIC also recommended that individuals be given property rights over their genetic data. For more information, see EPIC: Genetic Privacy and EPIC: Medical Record Privacy. (May 29, 2012)
  • Federal Agency Settles Health Privacy Case with Blue Cross for $1.5 Million: The Department of Health and Human Services announced a settlement with Blue Cross Blue Shield after the company's inadequate security measures allowed 57 unencrypted hard drives containing private health information to be stolen from a facility in Tennessee. The agency cannot issue a fine greater than $1.5 million, but it could have filed criminal charges or required Blue Cross to mitigate future patient harms. For more information, see EPIC: Medical Privacy. (Mar. 14, 2012)
  • Institute of Medicine: "To Improve Patient Safety, Health Information Technology Needs Better Oversight, Accountability": According to a study conducted by the Institute of Medicine, software errors and defects in electronic health records pose threats to patient safety and can even result in death. To combat the problem, the Institute recommends the establishment of an investigative agency charged with examining and charting the safety performance of electronic health records in use, according to a press release from the National Academies panel. The Institute also recommends that clauses that purport to "hold harmless" electronic health record suppliers be removed from their sales contracts. Although experts in the medical field acknowledge that this study is a positive step in regulating health information technology, the New York Times reports that some experts believe the Food and Drug Administration should regulate electronic health record safety. EPIC participated in a 2009 IOM study on Privacy and Medical Research. For more information, see EPIC: Medical Record Privacy. (Nov. 9, 2011)
  • Supreme Court Strikes Down Prescription Privacy Law: In a 6-3 decision, the Supreme Court struck down Vermont's prescription privacy law. IMS Health, Inc. v. Sorrell held that the Vermont statute, which bars disclosure of prescription data for marketing purposes, violates data mining firms' free speech rights. Vermont "burdened a form of protected expression that it found too persuasive. At the same time, the State has left unburdened those speakers whose messages are in accord with its own views. This the State cannot do," the Court wrote. The Court suggested that a more privacy-protective statute might have withstood Constitutional scrutiny, writing "the State might have advanced its asserted privacy interest by allowing the information's sale or disclosure in only a few narrow and well-justified circumstances. A statute of that type would present quite a different case than the one presented here." EPIC filed an amicus brief on behalf of 27 technical experts and legal scholars, as well as nine consumer and privacy groups, arguing that the privacy interest in safeguarding medical records is substantial and that the "de-identification" techniques adopted by data-mining firms do not protect patient privacy. For more information, see EPIC: IMS Health v. Sorrell. (Jun. 23, 2011)
  • Cignet Fined $4.3 Million for Privacy Violations: The Department of Health and Human Services has determined that Cignet Health violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996. The agency fined Cignet $4.3 million for denying patients access to their medical records and for failing to cooperate with the investigation. This is the first time that the agency has used its legal authority to impose a civil money penalty on a company for privacy violations. For more information, see EPIC: Medical Privacy. (Feb. 23, 2011)
  • Federal Appeals Court Overturns Vermont Medical Privacy Law: The Second Circuit Court of Appeals has ruled that a Vermont privacy law violates the First Amendment. The law regulated data mining companies that sell or use doctors' prescribing records containing personal information on patients. EPIC and several privacy technology experts had filed a "friend of the court" brief in support of the law. Writing in dissent and siding with EPIC, Judge Debra Ann Livingston said that the majority reached the "wrong result," creating "precedent likely to have pernicious broader effects" on medical privacy case law. A similar medical privacy law was upheld by the First Circuit Court of Appeals. For more information, see EPIC: IMS Health v. Sorrell and EPIC: IMS Health v. Ayotte. (Nov. 29, 2010)
  • Agency Reconsiders Medical Breach Notification Rule: The Department of Health and Human Services has withdrawn its previously issued interim medical privacy rule after facing substantial criticism from privacy advocates. The old rules required that health-care providers and insurers report privacy breaches to patients only if the provider or insurer felt that there was a "significant risk" of harm. Privacy advocates criticized this language on the basis that it granted too much discretion to the firms responsible for safeguarding patient data. In previous comments to the FTC, EPIC recommended that notification of health data breaches be enhanced, that additional notification channels such as text messages and social networking sites be developed, and that companies obtain verification of receipt of notifications. EPIC has also testified in Congress that the "significant harm" standard, favored by HHS for breach notification, is unfair to consumers. For more information, see EPIC: Medical Record Privacy. (Aug. 25, 2010)
  • Federal Appeals Court Upholds Maine Prescription Privacy Law: The First Circuit Court of Appeals has upheld a Maine law that bans the sale of prescriber-identifiable prescription drug data for marketing purposes. Data mining companies had challenged the law, claiming that the privacy measure violated their free speech rights, an argument that the court rejected because "the statute regulates conduct, not speech, and even if it regulates commercial speech, that regulation satisfies constitutional standards." The decision in IMS Health v. Mills followed a decision by a panel of the same court in IMS Health v. Ayotte, upholding a similar law in New Hampshire. In that case, as well as in a similar case regarding a Vermont law, EPIC and several privacy and technology experts filed "friend of the court" briefs arguing that there is a substantial state interest in privacy protection and that the data miners' de-identification practices do not, in fact, protect patient privacy. A decision in the Vermont case is expected soon. For more information, see IMS Health v. Ayotte, IMS Health v. Sorrell. (Aug. 9, 2010)
  • Google "Flu Trends" Raises Privacy Concerns. Google announced this week a new web tool that may make it possible to detect flu outbreaks before they might otherwise be reported. Google Flu Trends relies on individual search terms, such as "flu symptoms," provided by Internet users. Google has said that it will only reveal aggregate data, but there are no clear legal or technological privacy safeguards to prevent the disclosure of individual search histories concerning the flu, or related medical concerns, such as "AIDS symptoms," "ritalin," or "Paxil." Privacy and medical groups have urged Google to be more transparent and publish the algorithm on which Flu Trends data is based so that the public can determine whether the privacy safeguards are adequate. (Nov. 12)
  • Coalition for Patient Privacy Urges Privacy Controls In Electronic Prescriptions. The Coalition for Patient Privacy (25 privacy and civil liberty groups) today sent a letter (pdf) to Congress urging members "to include privacy protections in any measures supporting or mandating electronic prescribing." The coalition also recommended that members "prohibit the use of prescription data for purposes other than prescription filling." EPIC previously detailed the substantial privacy interest in prescription information and the harm caused by corporations that mined the data for marketing purposes in a "friend of the court" brief (pdf) in a New Hampshire case. See EPIC page on IMS Health v. Ayotte. (May 11)
  • Virginia Tech Shooting Report Released. A panel of experts asked to investigate the April 16, 2007 shooting deaths of dozens of students and faculty at Virginia Tech released its final report a little over four months after the tragedy. The report cited misinterpretations of information privacy laws as the reason why action was not taken to inform the shooter's parents of his mental health history at the school, and why preventive measures were not taken. (Aug. 30)
  • EPIC Urges Appellate Court to Consider Substantial Privacy Interest in De-Identified Patient Data. EPIC and 16 experts in privacy and technology today filed a "friend of the court" brief (pdf) in a case concerning a New Hampshire state law banning the sale of prescriber-identifiable prescription drug data for marketing purposes. The experts urged the First Circuit Court of Appeals to reverse the ruling (pdf) of the lower court, which held that the NH Prescription Confidentiality Act violated the free speech rights of data mining companies. The experts said the lower court should be reversed because there is a substantial privacy interest in de-identified patient data that the lower court failed to consider. This privacy interest flows in part from the reality that such data may not, in fact, be truly de-identified, and in part from the fact that uses of de-identified data still affect actual individuals. See EPIC's IMS Health v. Ayotte page. (Aug. 20)
  • U.S. Company Implants Chips Into Two Employees. An Ohio video surveillance company, CityWatcher.com, has embedded silicon chips into two of its employees. The chips are planted in the person's upper right arm and "read" by a device similar to a card reader. The company says it is testing the technology as a way to limit access to a security area. In 2004, the Food and Drug Administration approved the use of an implantable computer chip for health care information applications. Called the VeriChip, it is a radio frequency identification (RFID) device about the size of a grain of rice. For more information, see EPIC's radio frequency identification (RFID) and VeriChip pages. (Feb. 13)
  • VeriChip RFID Implant Is Cloned. Programmer Jonathan Westhues has recently demonstrated that the VeriChip implantable RFID chip can be easily copied. Anybody capable of purchasing off-the-shelf electronics equipment and following his published description can now impersonate the bearer of the chip and gain access to their medical records, among other things. As VeriChip has marketed the chip as a means of managing access control to buildings and medical records, this represents a significant threat to the bearer's privacy and security. For more information, see EPIC's VeriChip page. (Feb. 10)
  • EPIC Urges CDC to Limit Passenger Data Collection. EPIC said in comments (pdf) to the Centers for Disease Control and Prevention that it should limit a proposed rule that would require airline and shipping industries to gather passenger information, maintain it electronically for at least 60 days, and release it to the CDC within 12 hours of a request. EPIC urged the CDC to narrow the scope of data collected to that which is necessary and set strict security standards to keep passenger data secure from unauthorized access and misuse. The CDC also should require the clear and open disclosure that travelers can refuse to submit their information without facing penalties, EPIC said. (Jan. 31)

Overview

Since the creation of the Hippocratic oath about 400 B.C., protecting the privacy of patients has been an important part of physicians' code of conduct. Over time, health information has come into use by many organizations and individuals who are not subject to medical ethics codes, including employers, insurers, government program administrators, attorneys and others. As uses of medical information have multiplied, so have regulatory protections for this highly sensitive and deeply personal information.

The regulatory regime for protecting privacy of health information is complex and fragmented. Some protections apply only to information held by government agencies. Some protections apply to specific groups, such as federal employees or school children. Some protections apply to specific medical conditions or types of information, such as information related to HIV/AIDS or substance abuse treatment. The first comprehensive set of federal regulations governing health information, the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), came into effect in April 2003. The Security Rule, also required under HIPAA, was issued in final form on February 20, 2003 and becomes effective in 2005.

Federal Law

HIPAA

The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the "federal floor" of privacy protection for health information in the United States, while allowing more protective ("stringent") state laws to continue in force. Under the Privacy Rule, protected health information (PHI) is defined very broadly. PHI includes individually identifiable health information related to the past, present or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Even the fact that an individual received medical care is protected information under the regulation.

The Privacy Rule establishes a federal mandate for individual rights in health information, imposes restrictions on uses and disclosures of individually identifiable health information, and provides for civil and criminal penalties for violations. The complementary Security Rule includes standards for protection of health information in electronic form.

Rights Under the Privacy Rule

The individual, who is the subject of Protected Health Information (PHI), has the following rights under the Privacy Rule:

  • Right to access, inspect and copy PHI held by hospitals, clinics, health plans and other "covered entities," with some exceptions
  • Right to request amendments to PHI held by "covered entities"
  • Right to request an accounting of disclosures that have been made without authorization to anyone other than the individual for purposes other than treatment, payment and health care operations
  • Right to receive a Notice of Privacy Practices from doctors, hospitals, health plans and others in the health care system
  • Right to request confidential communications of PHI, e.g., having PHI transmitted to a different address or a different telephone number
  • Right to request restrictions on uses or disclosures, although the "covered entity" receiving the request is not obligated to accept it
  • Right to complain about privacy practices to the "covered entity" and to the Secretary of Health and Human Services

Limits on uses and disclosures

"Covered entities" that hold PHI may use it without an individual's consent for the purposes of providing treatment to the individual, for payment activities such as claims adjudication and premium setting, and for operating their businesses. They are also permitted to use and disclose PHI as required or permitted by other laws, e.g., laws related to reporting of child or elder abuse, public health oversight and national security investigations. However, those who have PHI must obtain an individual's signed authorization for use of PHI in marketing, research, fundraising, or any other activities that are not part of treatment, payment, health care operations, and other categories specifically identified under the Privacy Rule. A few types of disclosures require that the individual be given an opportunity to agree or object to the disclosure, e.g., whether information should be included in a hospital directory or given to clergy. Based on the professional judgment of a health care professional, some disclosures may be made to friends and family who are involved in an individual's care if such disclosures are found to be in the best interest of the individual.

In addition to specific restrictions on uses and disclosures, the Privacy Rule imposes a general "minimum necessary" requirement on those who hold and use PHI. Except for disclosures to the individual who is the subject of PHI or disclosures for treatment purposes, organizations must limit their uses and disclosures to "minimum necessary" information required to perform a task. They must have policies and procedures that specify what PHI can be viewed by different classes of employees within their workforces, what PHI should be released in response to routine inquiries, and must have a process in place for deciding what PHI should be released in response to non-routine requests.

"Covered entities" must also have formal contracts with their business associates, which use PHI to perform functions on their behalf. Examples of business associates include law firms, accounting firms, accreditation organizations, credentialing services, billing services and third-party administrators. Business associate agreements must stipulate that the business associate will safeguard PHI and will assist the "covered entity" in complying with its obligations with regard to individual rights and oversight by the Secretary of Health and Human Services.

Penalties for violations of privacy

The Privacy Rule includes both civil and criminal penalties for violations of privacy. Generally, penalties are expected to be assessed in cases where organizations or individuals act with willful neglect or intent to cause harm. As originally enacted in 1996, civil penalties were specified at $100 per violation, not to exceed $25,000 per person per year for identical violations; the HITECH Act of 2009 replaced this with a tiered structure, based on the violator's level of culpability, with a cap of $1.5 million per year for identical violations, which is the limit referenced in the Blue Cross settlement above. Criminal penalties for wrongful disclosure of PHI can go up to $250,000 and/or 10 years imprisonment if the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

Security standards

Requirements for safeguarding protected health information (PHI) are found in two separate but complementary Rules under HIPAA. The Privacy Rule requires "covered entities" to have in place "appropriate administrative, physical and technical measures" to safeguard PHI. This obligation must be passed on to business associates in business associate agreements and to researchers in the data use agreements that govern "limited data sets." The Security Rule, published in final form on February 20, 2003, contains considerably more detail about the meaning of appropriate safeguards.

Although the Privacy Rule applies to PHI in any form, including oral communication, the Security Rule applies only to PHI in electronic form. The standards are divided into three groups: administrative safeguards, physical safeguards, and technical safeguards. Administrative standards include risk analysis and management, assigning security responsibilities, policies and procedures, training of the workforce and contract requirements. Physical safeguards include access to facilities and workstations, as well as device and media controls. Technical safeguards include access controls and audits, authentication and transmission security.

The basic principles for security standards can be found in the HIPAA legislation. The law specifies, among other things, that standards must take into account technical capabilities of systems that contain PHI, cost of security measures and scalability issues, particularly as these might affect small and rural providers. The Department of Health and Human Services (HHS) translated these principles into regulation by creating standards (what must be done) and implementation specifications (how the standard can be met). Implementation specifications are further divided into two groups: those that are required (e.g., risk analysis) and those that are "addressable" (e.g., encryption for transmission of PHI). If an entity chooses not to implement an addressable specification, it must document its reasons why the specification would not be reasonable or appropriate, and implement alternative equivalent measures if reasonable and appropriate.

With the compliance date in April 2005, it is too early at this time to know how doctors, health plans and other entities will interpret and implement the Security Rule. The Rule does require that "covered entities" think about and document the risks they identify and measures they take to ensure protection of PHI. These records are likely to be used for both enforcement and legal actions.

Substance Abuse Confidentiality Requirements

Information related to substance abuse and chemical dependency treatment is protected by section 543 of the Public Health Service Act and its implementing regulation, 42 CFR Part 2. This regulation, which is more restrictive than HIPAA and overrides more permissive state laws, requires that any disclosure of information related to substance abuse and chemical dependency treatment be accompanied by the individual's signed authorization. There are no exceptions for disclosures related to treatment, payment or health care operations. One notable exception relates to movement of information between different components of the Armed Services, including the Veterans Administration. Although the regulation applies only to "federally-assisted" specialized alcohol or drug abuse programs, it is widely interpreted as applying to any federally conducted or funded program, any federally licensed or certified program, programs that are tax exempt, and programs that receive federal funds in any form, e.g., via the Medicaid program.

Other Federal Laws

In addition to being subject to HIPAA and the Substance Abuse Confidentiality Requirements, health care organizations may be subject to several federal laws that touch in some way on privacy of health information. The Preamble to the Privacy Rule lists the following applicable laws: Privacy Act of 1974, Family Educational Rights and Privacy Act, Freedom of Information Act, Employee Retirement Income Security Act of 1974 (ERISA), Gramm-Leach-Bliley Act, federally funded health program regulations, Food, Drug and Cosmetic Act, Clinical Laboratory Improvement Amendments, federal disability and non-discrimination laws, and the U.S. Safe Harbor Privacy Principles (under the European Union Directive on Data Protection). In addition, many federal regulations require disclosure of specific PHI for specific purposes in specific circumstances.

In the Preamble to the Privacy Rule, HHS states that there should be few instances of conflict between HIPAA regulations and other federal laws because HIPAA permits but does not require many disclosures. Therefore, when disclosures are required under other federal law, PHI may be disclosed as required by other law. If a disclosure is not required but only permitted under other law, an entity must determine whether the disclosure is permissible under HIPAA and then follow HIPAA requirements for making such a disclosure. If another federal law prohibits disclosure that is permitted but not required under HIPAA, entities must comply with the other federal law.

Genetic Information

Genetic information is generally considered protected health information (PHI) under the Privacy Rule. However, given the sensitive nature of such information and the potential harm that might be caused by misuse or disclosure, special legislation for the protection of genetic information has been introduced in Congress since 1997. The latest activity in Congress took place in May 2003, when the Senate Committee on Health, Education, Labor and Pensions passed the Genetic Information Nondiscrimination Act of 2003, S.1053 (pdf). The bill prohibits health insurance plans from denying enrollment or charging premiums on the basis of an individual's or family members' genetic information. It also prohibits health insurers from basing the premiums of a group health plan on the genetic information of plan members or their families. The bill prohibits disclosure or collection (requesting, requiring or purchasing) of genetic information for underwriting purposes. In addition, it prohibits the use of genetic information in employment decisions and applies the same procedures and remedies that apply to other forms of employment discrimination. Following the model of the HIPAA Privacy Rule, the bill provides basic protections for genetic information while permitting greater protection under other federal and state measures. The language of the Senate bill has been introduced in the House as HR 1910. Legislation of this kind was ultimately enacted as the Genetic Information Nondiscrimination Act of 2008 (GINA), referenced in the news items above.

State Law

State laws cover several areas related to privacy of health information, including:

  • regulation of health insurance
  • regulation of organizations that perform certain administrative functions, such as utilization review or third-party administration
  • licensure requirements for various medical specialties and medical organizations, including requirements for record-keeping and disclosure
  • access to medical records by patients, guardians and other interested parties
  • reporting of information to state and local authorities, e.g., births, deaths or disease incidence
  • use of information for quality assurance and health care operations
  • issuance of notices of privacy practices
  • reporting to, and providing access for, law enforcement authorities

In recent years many states have also passed confidentiality laws related to specific conditions or types of health information. Examples include laws related to mental health records, HIV/AIDS, reproductive rights and genetic testing.

The HIPAA legislation explicitly addresses interaction between federal and state law. Generally, "covered entities" are required to comply with both HIPAA and state law whenever possible. If it is not possible to comply with both, HIPAA preempts any contrary provision of state law, including state law provisions that require written records rather than electronic ones. State law is not preempted in the following circumstances:

  • When state law is necessary for regulation of insurance or health plans, prevention of fraud and abuse, or reporting on health care system operations and costs
  • When state law addresses controlled substances
  • When a state law relates to reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention
  • When a provision of state law is more stringent than the requirements of the federal Privacy Rule

The most difficult of these exceptions is the stringency exception. A provision of state law is more stringent if it prohibits or restricts a use or disclosure of PHI that would be permitted under the Privacy Rule, or if it otherwise does any of the following:

  • Permits greater rights of access and amendment to the individual who is the subject of the PHI
  • Provides more information about use, disclosure, rights and remedies to the individual
  • Narrows the scope or duration of express legal permission required from the individual for use or disclosure or reduces the coercive effect of the requirement for legal permission for use or disclosure of PHI
  • Increases the duration or requires more detailed accounting of disclosures
  • Provides greater privacy protection to the individual

In many cases it is not clear whether a particular state law provision is contrary to HIPAA and, if it is, whether or not it is more stringent. An example of such a provision is a state law that requires a review of PHI by the treating physician prior to release of PHI to the individual. The Privacy Rule allows PHI to be withheld if, in the professional opinion of a licensed health care professional, releasing the information would endanger the life or physical safety of the individual or another person. This implies that PHI would be reviewed by a health care professional prior to release. If the review by the treating physician is conducted for this purpose, the state law provision would not be contrary to HIPAA and, therefore, the state law would not be preempted. However, if a review by the treating physician is conducted in addition to a review conducted by another licensed professional, e.g., one employed by a health insurer, it might be viewed as a way of reducing access and, therefore, contrary to HIPAA. In that case, the provision would be preempted.

Although many analyses of interaction between HIPAA and state law (called "preemption analyses") have been performed on behalf of health care companies and professional associations, these analyses are advisory in nature. There is general agreement that final decisions about the applicability of specific provisions of state and federal law will be made by the courts.

Health Information and Employment

Generally, the Privacy Rule prohibits disclosure of health information for employment-related decisions without the explicit authorization of the individual. Employers that have self-funded health plans regulated under ERISA (Employee Retirement Income Security Act of 1974) must build "firewalls" around these plans to ensure that health information received by plans as part of their operations is adequately safeguarded and not used for other purposes. Employer-sponsors must provide a certification to their group health plans that any PHI they receive from the group health plan will not be used for employment-related decisions. However, once an employer obtains health information, it is not obliged to protect this information under the Privacy Rule.

There are several instances when an employer may be able to obtain health information without individual authorization. Information related to pre- and post-employment drug testing is not considered PHI under the Privacy Rule. The Privacy Rule does not apply to workers' compensation programs, so information obtained by an employer as part of a workers' compensation claim is not protected under the Privacy Rule. If a credit report obtained during a background check contains explicit or implied health information, that information would not be considered PHI. In addition, Department of Transportation, Federal Aviation Administration, and Federal Highway Administration regulations contain provisions that require doctors and others to disclose health information to employers. Such disclosures are permitted when required by law, and the information becomes part of an employee's employment file, which is not subject to the Privacy Rule.

Use of Health Information in Marketing

The Privacy Rule explicitly addresses the concern that health information, which was collected for the purposes of providing treatment or paying claims, will be sold or used to market products and services. The 2002 version of the Rule contains a two-part definition of marketing:

  • "to make a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service"; or
  • "to disclose PHI to another entity for direct or indirect payment so the other entity can market its own products or services."

In order to use protected health information (PHI) for marketing, covered health care providers, health plans or other entities need to obtain an individual's signed authorization except when the communication occurs face-to-face or involves a gift of nominal value. When an authorization is required, it must explicitly state whether the entity is receiving payment from third parties to engage in a marketing communication.

Although the definition of marketing seems quite broad, several categories of activities and communications are explicitly excluded from being considered marketing. Under the Privacy Rule, an organization is not engaged in marketing:

  1. When a communication is about a health-related product or service that is included in the individual's plan of benefits provided by the entity making the communication, including information about participating network providers, services offered by participating providers, replacements or enhancements to a health plan, or value-added health-related products or services available only to participants of the plan, even if these products or services are not part of the plan;
  2. When the communication is related to the individual's treatment; or
  3. When the communication involves case management or care coordination for an individual, or directions or recommendations for alternative treatments, therapies, health care providers or settings of care for the individual.

Excluded communications are not considered marketing whether a doctor, hospital, health plan or another covered entity delivers them directly or engages a business associate, such as a mailing house or a telemarketer. The Privacy Rule notes that it does not change any restrictions that may exist in other federal or state laws, such as anti-kickback statutes or substance abuse regulations.

The exclusions from the definition of marketing have raised concerns that some consumers may receive unwanted communications or be misled about the nature of the information contained in communications they receive. Below are some examples of such communications:

  • A drug manufacturer can pay a physician or a pharmacy to send refill reminders to patients, or to send information about a drug to all patients identified with a particular condition or taking particular medications. Although the drug manufacturer would not get PHI from the physician or pharmacy, it would accomplish the same marketing goals by paying someone else to promote its products. Furthermore, because the communication would come from an individual's physician or pharmacist, the information in the communication might be viewed as more trustworthy than it would be if it came from a drug manufacturer.
  • An individual may find that PHI related to a condition such as diabetes or HIV/AIDS is being used to send her information regarding services or products related to the condition. An exception for case management or coordination of care could be used to exclude such offers from a requirement for written authorization.
  • A doctor or a health plan may send information about health-related products such as health club memberships, massage therapy or herbal supplements, as long as these products, services or discounts are health-related and not available to the general public.
  • A dentist may continue to give patients toothbrushes, floss and toothpaste samples because these are considered to have nominal value.

When the Privacy Rule was being revised in early 2002, privacy advocates objected to excluding these types of communications from the definition of marketing. The Department of Health and Human Services agreed that there may be some confusion about the appropriate scope of activities that fall under "treatment" and "marketing", and that abuses may occasionally occur. Nevertheless, it decided that differentiating between various communications from a covered entity would be too difficult and confusing and might even be seen as an attempt to interfere with the ability to provide high quality health care. Therefore, all communications that fall under the exceptions are permitted without the individual's authorization. Although an individual has a right to ask for a restriction on uses and disclosures of his or her PHI, including uses and disclosures for treatment, the covered entity is not obligated to comply with the request. As a result, an individual may have no recourse with respect to communications that fall under the marketing exception.

Disclosure of Health Information for Law Enforcement and National Security

The HIPAA Privacy Rule permits but does not require disclosures of PHI required by other laws. Such disclosures must be limited to meet the compliance requirements of those other laws. Substance abuse regulations, which are more stringent than the Privacy Rule, prohibit some disclosures that would otherwise be permitted.

Disclosures to law enforcement officials

The Privacy Rule includes a standard for disclosures to law enforcement officials. The standard permits the following types of disclosures:

  • Pursuant to a legal process or otherwise required by law, including disclosures of certain types of wounds, and disclosures in response to court orders, subpoenas, and administrative requests. Administrative requests must be specific and limited, relevant to a legitimate ongoing investigation, and must demonstrate that de-identified information (that is, information without individual identifiers) cannot be used.
  • Limited information disclosures for the location of a fugitive, suspect, material witness or missing person.
  • Information about an individual who is or is believed to be a victim of crime if the individual agrees to the disclosure or, under specific rules, if the individual is unable to agree or object.
  • Information about decedents.
  • Information about crime on the premises of the covered entity if there is a good faith belief that the disclosed PHI is evidence of a crime.
  • Limited disclosure in emergencies in order to alert law enforcement about the commission of a crime.

Additional disclosures to law enforcement officials are permitted under other parts of the Privacy Rule. For example, disclosure is permitted if a covered entity believes that an individual may pose a serious threat to health and safety and the disclosure may help law enforcement authorities reduce the harm or apprehend the individual.

Although disclosures to law enforcement authorities may be made without individual authorization and, in some cases, without giving the individual an opportunity to agree or object, such disclosures generally become part of Accounting for Disclosures that an individual can request from a covered entity. If a law enforcement official requests that law enforcement-related disclosures not be listed in the Accounting for a specified period of time, the entity providing the Accounting must suspend the individual's right to see a listing of such disclosures.

PHI of inmates and detainees in correctional institutions is generally subject to protections under the Privacy Rule, with some exceptions. The Rule permits covered entities to share inmates' PHI for specified health care and custodial purposes without authorization. Once individuals are released from custody, their PHI becomes subject to all protections under the Privacy Rule.

Some concerns have been raised that health oversight agencies may lawfully obtain PHI under the Privacy Rule and then re-disclose the information to law enforcement authorities. In its comments on the December 2000 Privacy Rule, HHS acknowledged that such re-disclosures could potentially take place, but stated that it does not have statutory authority to regulate health oversight agencies.

Regulations dealing with substance abuse are more stringent than the Privacy Rule when it comes to disclosures related to law enforcement. Information related to substance abuse may not be disclosed to law enforcement officials without individual authorization.

Disclosures for National Security

Covered entities are permitted to disclose PHI to authorized federal representatives for conduct of intelligence, counter-intelligence, and other national security activities, as well as to provide protective services to the President and others. These disclosures do not require individual authorization and do not become part of the Accounting for Disclosures. HHS states in the Preamble to the December 2000 Privacy Rule that the Rule does not confer any new authority with regard to disclosures related to national security or protective services because it does not compel covered entities to release information for these purposes. Of course, if new law is passed that requires disclosures of PHI for national security purposes, these disclosures would fall under provisions for disclosures required by law, and covered entities would have to comply with these requirements.
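As an added illustration (not EPIC's text and not code from HHS or any covered entity) of the accounting mechanism described above under "Disclosures to law enforcement officials" and in this section: a disclosure ledger that retains every disclosure, leaves national security disclosures out of the patient-facing accounting, and honors a law enforcement official's request to suspend the listing of law enforcement disclosures for a specified period. The purpose categories, dates, names and descriptions are constructed for the example.

```python
"""Accounting of Disclosures ledger (added example; not EPIC's or HHS's code)."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List


class Purpose(Enum):
    """Disclosure categories drawn from the page (a constructed, partial set)."""
    TREATMENT = "treatment"
    REQUIRED_BY_LAW = "required_by_law"
    LAW_ENFORCEMENT = "law_enforcement"
    NATIONAL_SECURITY = "national_security"


@dataclass(frozen=True)
class Disclosure:
    made_on: date
    recipient: str
    purpose: Purpose
    description: str


@dataclass(frozen=True)
class Suspension:
    """A law enforcement official's request that law-enforcement disclosures be
    omitted from the accounting for a specified period (both dates inclusive)."""
    requested_by: str
    start: date
    end: date


@dataclass
class DisclosureLedger:
    entries: List[Disclosure] = field(default_factory=list)
    suspensions: List[Suspension] = field(default_factory=list)

    def record(self, disclosure: Disclosure) -> None:
        # Every disclosure is retained, including ones the patient never sees;
        # the suspension below changes the listing, not the record.
        self.entries.append(disclosure)

    def suspend_law_enforcement_listing(self, s: Suspension) -> None:
        # The request must name a bounded period; an open-ended one is rejected.
        if s.end < s.start:
            raise ValueError("suspension must cover a specified, bounded period")
        self.suspensions.append(s)

    def listing_suspended_on(self, day: date) -> bool:
        return any(s.start <= day <= s.end for s in self.suspensions)

    def accounting_for(self, requested_on: date) -> List[Disclosure]:
        """Entries the individual receives in an accounting requested on that day."""
        hide_law_enforcement = self.listing_suspended_on(requested_on)
        visible = []
        for e in self.entries:
            if e.made_on > requested_on:
                continue  # not yet made when the accounting was requested
            if e.purpose is Purpose.NATIONAL_SECURITY:
                continue  # never part of the accounting
            if e.purpose is Purpose.LAW_ENFORCEMENT and hide_law_enforcement:
                continue  # withheld while the official's suspension is in force
            visible.append(e)
        return visible


def build_sample_ledger() -> DisclosureLedger:
    """Constructed sample data: three disclosures of one patient's PHI."""
    ledger = DisclosureLedger()
    ledger.record(Disclosure(date(2003, 5, 1), "Referral cardiologist (sample)",
                             Purpose.TREATMENT, "records sent with referral"))
    ledger.record(Disclosure(date(2003, 6, 1), "Police department (sample)",
                             Purpose.LAW_ENFORCEMENT, "response to administrative request"))
    ledger.record(Disclosure(date(2003, 6, 15), "Federal agency (sample)",
                             Purpose.NATIONAL_SECURITY, "intelligence-related request"))
    return ledger


def demo() -> Dict[str, int]:
    """Counts of listed entries before, during and after a sample suspension."""
    ledger = build_sample_ledger()
    before = len(ledger.accounting_for(date(2003, 7, 1)))
    ledger.suspend_law_enforcement_listing(
        Suspension("Officer Placeholder (sample)", date(2003, 7, 10), date(2003, 9, 10)))
    during = len(ledger.accounting_for(date(2003, 8, 1)))
    after = len(ledger.accounting_for(date(2003, 10, 1)))
    return {"retained": len(ledger.entries), "before": before,
            "during": during, "after": after}


if __name__ == "__main__":
    print(demo())  # {'retained': 3, 'before': 2, 'during': 1, 'after': 2}
```

The national security entry never appears in any listing, the law enforcement entry disappears only while the suspension window is in force, and all three entries remain in the ledger throughout.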

Consumer Advice to Safeguard Your Medical Records

What's In Your Medical Records?

Besides information about physical health, these records may include information about family relationships, sexual behavior, substance abuse, and even the private thoughts and feelings that come with psychotherapy. This information is often keyed to a social security number. Because of a lack of consistent privacy protection in the use of Social Security Numbers, the information may be easily accessible.

Information from your medical records may influence your credit, admission to educational institutions, and employment. It may also affect your ability to get health insurance, or the rates you pay for coverage (OTA report). More importantly, having others know intimate details about your life may mean a loss of dignity and autonomy.

Maintaining Medical Record Privacy

  • Threats to the privacy of your medical information.
  • Protect the privacy of your social security number.
  • Tell your physician everything necessary for proper treatment, but "think twice before disclosing information that has no bearing on your health." (Consumer Reports, Oct. 1994, p. 629).
  • Ask your doctor if any of the records can be accessed from outside the office. If so, ask for what purpose they may be accessed.
  • Before the office sends your medical records to another party, such as an insurance company, ask to view the record.
  • Ask for a notification if your medical records are ever subpoenaed.
  • Controlling access to other personal information.

Resources

Medical Privacy Law and Policy

EPIC Overview
  • EPIC review of medical privacy issues (AHIMA 1994)
    • "Privacy protection is critical for delivery of health care services"
  • Marc Rotenberg's review of Institute of Medicine report on medical privacy in Journal of Health, Law, and Public Policy
    • "From an administrative viewpoint, a single national law would clearly be preferable. But from a privacy viewpoint, the desirability of that outcome is less clear. A weak national law that preempts a strong state statute will leave some persons with less protection than they previously enjoyed. A single federal law can also stifle innovative state initiatives."
  • Public support for real privacy safeguards for medical records.
    • "75 percent are concerned a 'great deal' or 'fair amount' about health insurance companies putting medical information about them into a computer information bank that others have access to." (ACLU 1994)
    • "85% believe that protecting the confidentiality of medical records is 'absolutely essential' or 'very important' in health care reform." (Lou Harris 1993)
  • Principles for a good medical privacy bill.
    • Scope
    • Patient Access
    • Enforcement and oversight
    • Third Party Access
    • National Databases
    • Research Records
    • Security
    • Identification Numbers
    • Preemption
  • Massachusetts Medical Society Policy, Patient Privacy and Confidentiality, as adopted by the MMS House of Delegates, November 8, 1996.
  • INFORMATION POLICY FOR THE U.S. HEALTH SECTOR: ENGINEERING, POLITICAL ECONOMY, AND ETHICS by F. Reid Cushman, Ph.D. and Don E. Detmer, M.D., The Milbank Quarterly, September 1997.

Documents

Laws
  • Health Insurance Portability And Accountability Act of 1996 (HIPAA), PL 104-191. Includes the Administrative Simplification provision that requires standards for health care transactions and code sets, privacy, security, and national identifiers for employers, health plans, health care providers and individuals.
  • HHS Recommendations to Congress, Sept 11, 1997. Donna Shalala, the Secretary of the Department of Health and Human Services, recently urged Congress to pass medical privacy legislation. But some lawmakers and the ACLU say that the Administration's proposal does not go far enough to restrict law enforcement access to personal medical information.
  • The Privacy Act of 1974, which states that no federal agency may disclose information without the consent of the person. Agencies must also meet certain requirements for protecting the information.
  • Other Federal Laws. These laws only cover federal agencies, such as Medicare and Medicaid. The bulk of medical records are covered by various, inconsistent and often ineffectual state laws.
  • State Laws. This document allows you to look at the privacy laws, including medical privacy laws, for each state. Only about half of the states guarantee patients the right to see their medical records (CR, Oct. 1994, p. 629). You can obtain more information by looking in your state code or by contacting Privacy Journal.
  • Lawrence Gostin, et al., "Legislative Survey of State Confidentiality Laws", Feb. 1997.
Cases
  • Pachowitz v. LeDoux, No. 02-2100 (Wis. Ct. App. May 28, 2003): Wisconsin Court of Appeals upheld a jury verdict, agreeing that, Ms. LeDoux, an Emergency Medical Technician, violated Ms. Pachowitz's privacy by disclosing Pachowitz's medical information to Pachowitz's co-worker. The appeals court agreed with the lower court that disclosing such information is not permitted under the state "invasion of privacy" law, and that it does not matter whether the information is disclosed to one person or many.
  • Citizens for Health et al. v. Tommy G. Thompson, Complaint for Declaratory and Injunctive Relief, April 10, 2003, USDC ED PA. Plaintiffs seek invalidation of those parts of the HIPAA Privacy Rule eliminating any requirement for consent to be obtained by a covered entity prior to using or disclosing protected health information for treatment, payment, or health care operations.
  • United States of America ex rel. Mary Jane Stewart et al., v. The Louisiana Clinic, et al., Civil Action No. 9901767, Section "N" (2), U.S. District Court, E.D. Louisiana, December 11, 2002. Decision about preemption of Louisiana law by provisions of the Privacy Rule.
  • United States of America v. Franklin Sutherland, Defendant, Case No. 1:00CR00052, Case No. 1:00CR00093, Opinion and Order (pdf). Although the HIPAA Privacy Rule was not effective for enforcement at the time the decision was handed down, the existence of a federal standard was considered sufficient for the application of that standard to the government's request for health information.
  • Jaffee v. Redmond established privilege for communications between a psychotherapist and a patient. Summary - opinion - dissent - additional information
  • Merck & Co forced to settle with Minnesota Attorney General after violating privacy rights of consumers in disclosure of pharmaceutical records.
    • "The settlement requires significant managed care reforms and measures to protect consumers' privacy rights."

Research

Security Issues

Identification Number

  • Letter from privacy advocates to Hillary Clinton urging that the Social Security Number not be used as the Health Identification Number (April 1993).
    • "It is our belief that the SSN should not be used for medical record identification and that an alternative identification scheme must be developed."

Genetic Information

  • Bloodsaw v. Lawrence Berkeley Labs, 9th Circuit Court of Appeals, Feb. 3, 1998.
  • The Icelandic Parliament approved the creation of a genetic database of all residents of Iceland in December. Association for Ethics in Science and Medicine pages. CNN story on the controversy.

History of the Privacy Rule

  • Health Insurance Portability And Accountability Act of 1996 (HIPAA), PL 104-191 included a three year window for Congress to pass legislation to protect privacy of health information. Several bills were introduced during that period.
    • H.R.1815 : To protect the privacy of health information in the age of genetic and other new technologies, and for other purposes, introduced by Rep. Jim McDermott 6/5/1997
    • H.R.3900 : To establish Federal penalties for prohibited uses and disclosures of individually identifiable health information, to establish a right in an individual to inspect and copy their own health information, and for other purposes, introduced by Rep. Christopher Shays 5/19/1998
    • H.R.4312 : To repeal sections 1173(b) and 1177(a)(1) of the Social Security Act, to prohibit Federal agencies from constructing Federal law as authorizing the establishment of a national medical identification card, and for other purposes, introduced by Rep. Bob Barr 7/22/1998
    • H.R.1057 : To provide individuals with access to health information of which they are a subject, ensure personal privacy with respect to health-care-related information, impose criminal and civil penalties for unauthorized use of protected health information, to provide for the strong enforcement of these rights, and to protect States' rights, introduced by Rep. Edward J. Markey 3/10/1999
    • H.R.1941 : To protect the privacy of personally identifiable health information, introduced by Rep. Gary Condit 5/25/1999
    • H.R.2404 : To protect the privacy of individuals by ensuring the confidentiality of information contained in their medical records and health-care-related information, and for other purposes, introduced by Rep. John P. Murtha 6/30/1999
    • H.R.2878 : To protect the privacy of health information in the age of genetic and other new technologies, and for other purposes, introduced by Rep. Jim McDermott 9/15/1999
    • S.1368 : A bill to provide individuals with access to health information of which they are the subject, ensure personal privacy with respect to personal medical records and health care-related information, impose criminal and civil penalties for unauthorized use of personal health information, and to provide for the strong enforcement of these rights, introduced by Sen. Patrick Leahy 11/4/1997
    • S.573 : A bill to provide individuals with access to health information of which they are a subject, ensure personal privacy with respect to health-care-related information, impose criminal and civil penalties for unauthorized use of protected health information, to provide for the strong enforcement of these rights, and to protect States' rights, introduced by Sen. Patrick Leahy 3/10/1999
    • S.578 : A bill to ensure confidentiality with respect to medical records and health care-related information, and for other purposes, introduced by Sen. James M. Jeffords 3/10/1999
  • Proposed Privacy Rule issued by the Department of Health and Human Services on November 3, 1999
  • Final Privacy Rule issued on December 20, 2000 with February 20, 2003 compliance date
  • Report to Congress, required under 5 U.S.C. 801(a)(1), was not received at the time the Final Rule was published, so the compliance date was extended to April 14, 2003
  • Final Rule re-opened for comments on February 28, 2001
  • Modifications to Final Rule issued in March 2002, keeping April 14, 2003 compliance date
  • Additional modifications (pdf) to the Final Rule issued on August 14, 2002

Previous News

  • EPIC Urges Appeals Court to Protect Prescription Data: EPIC filed a friend of the court brief in the Court of Appeals for the Second Circuit today, urging the judges to uphold a Vermont law that regulates companies that sell or use prescriber-identifiable data for marketing. Several data-mining companies challenged the law after it was upheld by a district court. EPIC's amicus brief supports the district court's conclusion. The EPIC brief argues that Vermont has a substantial state interest in privacy protection and that the data miners' de-identification practices do not, in fact, protect patient privacy. For more, see IMS Health v. Sorrell and EPIC Medical Privacy. (Sep. 15, 2009)
  • Supreme Court Lets Stand New Hampshire Prescription Privacy Law: The Supreme Court refused to hear a challenge to the Prescription Confidentiality Act, which prohibits the sale of prescription information. The First Circuit had upheld the ban on the sale of such information. EPIC and 16 experts in privacy and technology filed a "friend of the court" brief, in support of the law, detailing the substantial privacy interests in de-identified patient data. The petitioners claimed that the law infringed on their free speech rights. See EPIC IMS Health v. Ayotte. (Jun. 29, 2009)
  • EPIC Submits Comments on Health Breach Notification to the FTC: The Federal Trade Commission proposed a rule requiring notification when the security of medical information is compromised. EPIC recommended that all entities handling health records be subject to standard security requirements; that exemptions for de-identified data be tightened; that media notification of health data breaches be enhanced; that additional breach notification be provided through means such as text messages and social networking sites; and that receipt of notifications be verified. See also EPIC's Page on Medical Privacy. (Jun. 1, 2009)
  • American Recovery Act Includes Strong Medical Information Safeguards: President Obama signed the American Recovery & Reinvestment Act, which includes comprehensive safeguards for medical information. The Act prohibits the unauthorized sale of medical records and provides exceptions for research, public health and treatment. The Act also limits marketing, requires covered entities and business associates to keep an audit trail of personnel having access to the information, mandates policies setting standards for technology systems to restrict sensitive information, use data encryption and directs breach notifications. The new law prescribes monetary penalties for violations and requires monitoring of contracts and reporting on compliance. Patient Privacy Rights led the campaign for strong medical privacy protection. For more information, see EPIC's page on Medical Privacy. (Feb. 18, 2009)
  • National Academies Report Calls for New Approach to Medical Privacy: As the Congress considers establishing a national network for electronic health records, a report from the Institute of Medicine recommends a new approach to medical record privacy. "Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research" finds that the current medical privacy regulations do not protect privacy and unnecessarily impede health research. The expert panel recommends revising research guidance, enhancing security for personally identifiable information, establishing trusted third parties for clearly defined research purposes, and developing new techniques that enable de-identification. The report also said it was vital to "Apply privacy, security, transparency, and accountability obligations to all health records used in research." EPIC Director Marc Rotenberg participated in the study project. For more information, see EPIC's Medical Privacy page. (Feb. 4, 2009)
  • House Economic Recovery Bill Includes Privacy Safeguards for Medical Information : The American Recovery and Reinvestment Act of 2009, adopted by the House this week, includes strong privacy provisions ("Subtitle D - Privacy") for the proposed medical health network. Among the key provisions: a ban on the sale of health information, audit trails, encryption, rights of access, improved enforcement mechanisms, and support for advocacy groups to participate in the regulatory process. Patient Privacy Rights has expressed support for the legislation. A similar bill, S. 336, is pending in the Senate. Senator Leahy has called for strong safeguards to protect America's health privacy. For more information, see EPIC's page on Medical Privacy. (Jan. 29, 2009)
  • Medical Privacy Legislation Moves Forward in Congress: On Thursday, the House Committee on Energy and Commerce approved Economic Recovery legislation that includes provisions for the adoption of health information technology and establishes standards for interoperability and privacy. Patient Privacy Rights is leading a coalition effort to establish strong privacy safeguards for American consumers. A hearing is scheduled for next Tuesday in the Senate Judiciary Committee. (Jan. 23, 2009)
  • EPIC, Patient Advocates Urge Congress to "ACT" on Privacy : EPIC and more than 25 members of the Coalition for Patient Privacy at a news conference today in Washington, DC urged Congress to include critical privacy safeguards for the medical record network that may be included in the economic stimulus plan. The Coalition partners are recommending that lawmakers "ACT" on privacy and provide Accountability for access to health records, Control of personal information, and Transparency to protect medical consumers from abuse. For more information, see Patient Privacy Rights and EPIC's page on Medical Privacy. (Jan. 14, 2009)
  • Government Agency Seeks New Power to Track Airline Passengers. The Centers for Disease Control and Prevention has proposed a rule that would greatly expand the powers of the federal government to track travelers. Airline and shipping industries would be required to gather passenger contact and health information, maintain it electronically for at least 60 days, and release it to the CDC within 12 hours of a request. The public has 60 days to comment on this rule. EPIC and Patient Privacy Rights are calling for strong medical privacy protections in an online petition. (Nov. 23)
  • Medical Records Privacy Important to Americans, Survey Finds. Sixty-seven percent of adults are concerned about the privacy of their personal medical records, according to a poll by the California HealthCare Foundation and the Health Privacy Project. Also, 52 percent fear that their health insurance information might be used by employers to limit job opportunities. Congress is considering a proposal to build a national Health Information Network, which does not yet include adequate privacy safeguards. EPIC and Patient Privacy Rights are calling for strong medical privacy protections in an online petition. (Nov. 9)
  • EPIC and Patient Privacy Rights Urge Stronger Security for Medical Records. EPIC and Patient Privacy Rights launched a joint campaign to strengthen protections for patients' medical information. Congress is rushing to pass legislation to establish a national Health Information Network without patient privacy safeguards. Yet a recent poll found that 69 percent of adults do not believe strong enough data security will be installed. In an online petition, EPIC and Patient Privacy Rights call for strong medical privacy protections. (Oct. 27)
  • NCVHS Publishes Recommendations on HIPAA and Banks. The National Committee on Vital and Health Statistics (NCVHS) published its recommendations on the privacy of health information in the banking system based on the hearings conducted in February 2004. The Committee urged clarification of banks' status under the Health Insurance Portability and Accountability Act. In addition the Committee urged HHS to consider whether health information flowing through the ACH network should be encrypted to ensure that only intended recipients have access to it. (July 1)
  • British Physicians Concerned About National Patient Records Database. A group of British physicians has expressed opposition to the creation of a national database of patient records unless patients first provide their consent. The $11 billion national health IT initiative by the British National Health Service envisions a regionally based system that will permit doctors and nurses all over the country to access patient records and will enable patients to view a summary of their records and schedule appointments electronically. The current design would give patients the ability to opt out of the national system, but would still include their data in the national database in de-identified form for access in emergencies. The opposition of British physicians comes shortly after President Bush formally announced a major Department of Health and Human Services initiative on the National Health Information Infrastructure for the US. (June 9)
  • Coalition Urges Restricted Use of Medical Data in Credit Decisions. EPIC and a coalition of privacy advocacy organizations filed comments (pdf) with five federal agencies which issued a proposed regulation under the Fair and Accurate Credit Transactions Act (FACT Act). The FACT Act, an amendment to the Fair Credit Reporting Act, creates new restrictions on the manner in which creditors, such as banks and credit unions, can obtain and use medical information. Generally, the FACT Act prohibits creditors from obtaining or using medical information about a consumer in connection with deciding whether the consumer is eligible for credit. The Act also defines fairly narrow exceptions under which creditors may obtain and use medical information. The coalition supported the regulation's general prohibition on creditors obtaining or using medical information about a consumer in connection with deciding whether the consumer is eligible for credit. We urged that financial institutions not be permitted to routinely request consent to obtain medical information and that affiliate sharing be limited. (May 25)