In the most significant federal "e-privacy" initiative to date, the Clinton Administration has proposed a set of safeguards to protect the privacy of electronic health records. The proposed rules and the accompanying explanation run for hundreds of pages, illustrating the complexity of e-commerce and Internet privacy issues and the sensitive balance between individual rights and the efficient flow of information.
Until now, state governments have been primarily responsible for providing legal protections against the inappropriate use of health information. In light of the health care industry's increasing reliance on Internet technologies and other types of electronic data transfers, in 1996 Congress determined that the patchwork of state privacy laws should be supplemented by a clear set of minimum national health data privacy standards.
In accordance with Congressional instructions, the new rules would restrict the use and disclosure of individually-identifiable health information transmitted or maintained in electronic form by health care providers, health plans, health data processors or "clearinghouses," and contractors or "business partners" of these entities. Once a health record is transmitted or stored electronically, the proposed restrictions would apply even if the information is later converted into a non-electronic form.
In general, the proposed rules would require written, revocable patient consent in order to use or disclose individually-identifiable health information for purposes other than treatment, payment or related "health operations." Protected information would also be available for use without consent for additional "national priority activities" which are considered essential to the health care system. These permissible uses include, for example, public health, research, legal proceedings, law enforcement, medical emergencies, investigating a death or notifying next-of-kin, and processing of health care payments and premiums.
Since the proposed rules would cover only "individually-identifiable" health information, the Government has struggled to distinguish between "identifiable" and "anonymous" information. The proposed rule would presume that a record is anonymous when key identifying fields – such as the patient's name, address, birth date, photograph, fingerprint and social security number – are omitted. However, the rules would continue to apply if there is "reason to believe" that the patient could still be identified from the remaining information, whether alone or in combination with other information. Recognizing that sophisticated users could apply external databases and statistics to "re-identify" anonymous health records, the proposed rules would apply a flexible standard which varies according to the statistical tools and expertise available to the user of a health record.
The rules would give all individuals a right to review the information policies of health plans and providers, to inspect and copy all information about themselves, to correct inaccurate information, and to receive an accounting showing when protected information has been disclosed. Health providers, plans and clearinghouses would be required to implement formal privacy programs to ensure compliance. Violations would be punishable by both criminal and civil penalties, depending upon the nature of the violation. However, the rules would not create any new private right of action; private lawsuits would have to rely on traditional invasion-of-privacy doctrines.
The proposed rules will be open for public comment for 60 days following official publication in the Federal Register. A final rule will address the comments received and is expected to be issued by February 2000.