Currently Skimming:

2 The Public Policy Context
Pages 37-53



From page 37...
... At the federal level, data protection measures are found in constitutional law, the Privacy Act of 1974, and a few statutes that regulate narrow areas of data use. State health record laws generally define the types of information considered confidential and the circumstances under which health information can be shared without patient consent (Table 2.1).
From page 38...
... United States Code, Sections 290dd-3 and 290ee-30 | Establish special rules of confidentiality for records of patients who seek treatment for drug or alcohol abuse at federally funded facilities. | Limited in scope to information about drug and alcohol abuse; apply only to federally funded facilities.
From page 39...
... Other federal statutes that regulate health data processing focus on even narrower sectors of information use. As a result, most health data are entirely outside the protections of either constitutional or federal law, although with the passage of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
From page 40...
... Federal Statutes and Regulations Federal statutes provide one framework for protecting health information. The primary vehicle for existing protections is the Privacy Act of 1974.2 The Privacy Act was designed to provide private citizens some control over the information about them collected by the federal government.
From page 41...
... Medical files, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy, are specifically exempted from the act. Two federal statutes establish special rules to protect the records of patients who seek drug or alcohol abuse treatment at federally funded facilities.4 These statutes apply to oral and written communication of information containing the identity, diagnosis, prognosis, or treatment of patients enrolled in programs for education, rehabilitation, research, training, or treatment.
From page 42...
... Federal alcohol and drug abuse regulations apply only to federal or federally funded facilities that offer treatment for alcohol or drug abuse.6 The Privacy Act, perhaps the most comprehensive of the federal protections, for example, applies only to information collected by government agencies. Federal agencies, primarily the Department of Defense and HCFA, do collect considerable amounts of personal health information, but the majority of health records in the United States are collected and maintained by nongovernment entities and fall outside the jurisdiction of the Privacy Act.
From page 43...
... The decision balanced the social interest in informational privacy against the state's "vital interest in controlling the distribution of dangerous drugs." Finding New York's program to be narrowly tailored and replete with security provisions designed to reduce the danger of unauthorized disclosure, the Supreme Court held that the constitutional balance tilted in favor of the statute. Despite upholding the mandatory compilation and disclosure of prescription data, the Court left the door open to future restrictions in light of technical change, noting that it was "not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files." In so doing, the Court set the stage for claims that the Constitution embodies a right to informational privacy, although the Court has yet to expand on this idea in any significant way.9 Despite the considerable power of the decision, lower courts have not capitalized on this constitutional doctrine's promise for improving health care privacy.10 Weaknesses also exist in the Americans with Disabilities Act (ADA)
From page 44...
... Constitutional law has sometimes been interpreted as setting limits on the collection and dissemination of health data.14 Statutory measures establish doctor-patient confidentiality and common law tort remedies.15 More than a dozen states have enacted laws that place limitations on the use of genetic information by health insurers.16 States have specific laws that govern how open the records of the state will be, and many state agencies have agency-specific statutes governing confidentiality, access, and use of their data. However, little uniformity exists among state statutes and regulations protecting health information.
From page 45...
... In recent years, the National Conference of Commissioners on Uniform State Laws developed the Uniform Healthcare Information Act in an attempt to stimulate uniformity among states on health care information management issues. As of 1996, only two states, Montana and Washington, had enacted this model legislation.17 Clearly, efforts must be directed toward developing national standards of confidentiality and security to support the development of computer-based patient record systems and to instill trust by consumers in the use of technology.
From page 46...
... One branch of this interest has been found to prevent public disclosure of private records.20 Most courts have, however, found that such a claim requires widespread disclosure to the public, which will not occur in most cases involving the release of health information.21 Another restrictive element of the public disclosure tort is that most courts define disclosure as the release of information to someone without a "legitimate interest" in the information. Some courts have found employers to have a legitimate interest in their employees' health information.22 A second branch of the tort right of privacy prevents intentional intrusions on the private affairs or concerns of an individual.23 Such intrusion must be "highly offensive"; moreover, something in the nature of "prying or intrusion" must occur.24 Courts have failed to find that disclosure of sensitive health information by an employer to an individual's coworkers creates such an intrusion; the employee had, after all, "voluntarily" provided the information to her employer.25 State protection of health information is further limited by the federal Employee Retirement and Income Security Act (ERISA)
From page 47...
... These efforts span a wide range of topics, from attempts to develop technical standards for security, to models for evaluating existing practices, to educational initiatives. They are being conducted by a large number of organizations, including the American National Standards Institute, the Computer-based Patient Record Institute, and the Joint Commission on Accreditation of Healthcare Organizations.
From page 48...
... is an organization of public and private entities that promotes the use of electronic health records. CPRI has recognized the importance of providing for information security in the implementation of computer-based patient records and has established the Work Group on Confidentiality, Privacy, and Security.
From page 49...
... The lack of uniform national standards for the privacy and security of health information creates particular problems for health care organizations that serve constituents in multiple states and creates additional confusion for patients regarding their rights.
From page 50...
... In particular, an individual whose information has been compromised generally lacks recourse for a specific incident and cannot receive compensation or ensure that those responsible for the incident are punished. Conflicting views of data ownership and a lack of patient understanding of health data flows and of their rights to privacy and confidentiality also need to be addressed at a national rather than an institutional or organizational level.
From page 51...
... The processing of personal information already plays a critical role in the provision, regulation, and financing of health services by government and private entities. Beyond the traditional doctor-patient relationship and the provision of health services in hospitals, a variety of public and private organizations now use personal health data.
From page 52...
... Of these, only HIPA has been signed into law. HIPA contains several provisions regarding health data standards and health information privacy.
From page 53...
... HIPA requires that each person who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of the information; to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information; and to ensure that a health care clearinghouse, if it is part of a larger organization, has policies and security procedures that isolate its activities with respect to processing information in a manner that prevents unauthorized access to such information. By August 1997, the Secretary is required to submit to Congress detailed recommendations on standards with respect to the privacy of individually identifiable health information.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.