Testimony Before the Subcommittee on Health
of the House Committee on Ways and Means
Hearing on Confidentiality of Health Information
July 20, 1999
Chairman Thomas and Members of the Subcommittee:
Thank you for the opportunity to testify before you today on the issue of health privacy. I am Janlori Goldman, Director of the Health Privacy Project at Georgetown University's Institute for Health Care Research and Policy. In the past week, the Project has issued two reports on health privacy, which we hope will make a significant contribution to the ongoing policy initiatives. We include as our testimony today the top findings and executive summaries of these reports. The full text of both reports is available on our website at www.healthprivacy.org.
Your continued attention to health privacy is greatly appreciated, and we look forward to working with you, as you, and the rest of the Congress, move forward to meet the August deadline for enacting comprehensive health privacy legislation.
I. Best Principles for Health Privacy
Executive Summary
Privacy and confidentiality have long been recognized as essential elements of the doctor-patient relationship. Also essential to optimal care is the compilation of a complete medical record. But that same record is used for a wide variety of purposes -- including insurance functions, coordination of care, and research. The long-standing friction between these two goals -- patient privacy and access to information for legitimate purposes -- has been heightened by the transition to electronic health information and a push toward integrated information in support of integrated health care delivery and health data networks. While these developments are intended to improve health care, they also raise many questions about the role of privacy in the health care environment.
Recent polls demonstrate that the public has significant concern about the lack of privacy protection for their medical records and that it can impact how they engage with health care providers. In order to protect their privacy, some patients lie or withhold information from their providers; pay out-of-pocket for care; see multiple providers to avoid the creation of a consolidated record; or sometimes avoid care altogether. Such "privacy-protective" behavior can compromise both individual care and public health initiatives.
The public has some reason to be concerned. Today, there is little consistency in approaches to patient confidentiality and no national standards or policies on patient confidentiality. The 1996 Health Insurance Portability and Accountability Act provides that if Congress fails to enact comprehensive health privacy legislation by August 1999, the Secretary of Health and Human Services must issue regulations. Therefore, either through legislation, government regulation, or self-regulation, there will be significant developments with regard to health privacy in the next two years.
What has been missing from the debate is a consensus document that offers policy recommendations regarding how best to protect patient confidentiality. To fill this void, the Health Privacy Project, with funding from the Robert Wood Johnson Foundation, created the Health Privacy Working Group in June 1998.(1) Its mission was to achieve common ground on "best principles" for health privacy, while identifying a range of options for putting those principles into practice. The Working Group is comprised of diverse stakeholders, including: disability and mental health advocates; health plans; providers; employers; standards and accreditation representatives; and experts in public health, medical ethics, information systems, and health policy.
The Working Group spent the past year crafting a consensus document that reflects "best principles" for health privacy. This report outlines the 11 principles to which the Working Group agreed and details the rationale behind the recommendations.
The principles represent significant compromises between Working Group members and should be seen as a framework that aims to accommodate the various information needs of diverse interest groups. The principles are designed to establish a baseline of protections that should be considered when implementing comprehensive patient privacy policies and practices.
The Working Group adopted the following 11 principles. Because these principles are intended to establish a comprehensive framework, they should be read and implemented as a whole.
1. For all uses and disclosures of health information, health care organizations should remove personal identifiers to the fullest extent possible, consistent with maintaining the usefulness of the information.
Generally, the use and disclosure of information that does not identify individuals does not compromise patient confidentiality. As such, the use and disclosure of non-identifiable health information should "fall outside" the scope of policies that govern personally-identifiable health information. Health care organizations will need to take into consideration the practicality and cost of using and disclosing non-identifiable information. Ultimately, through the creation and use of non-identifiable health information, more people can have more information, without compromising patient confidentiality.
2. Privacy protections should follow the data.
All recipients of health information should be bound by all the protections and limitations attached to the data at the initial point of collection. Recipients of health information can use or disclose personally-identifiable health information only within the limits of existing authorizations. Any further uses or disclosures require specific, voluntary patient authorization.
3. An individual should have the right to access his or her own health information and the right to supplement such information.
All patients should be allowed to copy their records and to supplement them if necessary. But supplementation should not be implied to mean "deletion" or "alteration" of the medical record. Furthermore, data holders may charge a reasonable fee for copying the records, but they cannot refuse inspection of the records simply because they are owed money by the individual requesting inspection.
In certain cases, patients may be denied access to their medical records. Such instances include if the disclosure could endanger the life or physical safety of an individual; if the information identifies a confidential source; if the information was compiled in connection with a fraud or criminal investigation that is not yet complete; or if the information was collected as part of a clinical trial that is not yet complete and the patient was notified in advance about his or her rights to access information.
4. Individuals should be given notice about the use and disclosure of their health information and their rights with regard to that information.
The notice should tell the patient how information will be collected and compiled, how the collecting organization will use or disclose the information, what information the patient can inspect and copy, steps the patient can take to limit access, and any consequences the patient may face by refusing to authorize disclosure of information.
5. Health care organizations should implement security safeguards for the storage, use, and disclosure of health information.
Security safeguards consistent with the Secretary's standards, whether technological or administrative, should be developed to protect health information from unauthorized use or disclosure and should be appropriate for use with electronic and paper records. Any safeguards should recognize the trade-off between availability and confidentiality and should be tailored to meet needs as organizations adopt more sophisticated technologies.
6. Personally identifiable health information should not be disclosed without patient authorization, except in limited circumstances. Health care organizations should provide patients with certain choices about the use and disclosure of their health information.
Patient authorization should be obtained prior to disclosure of any health information. But, at the same time, some patient information needs to be shared for treatment, payment, and core business functions. With this in mind, the Working Group recommends a two-tiered approach to patient authorization.
The authorization structure allows for a health care organization to obtain a single, one-time authorization for core activities that are considered necessary or routine. These activities -- identified as Tier One -- are directly tied to treatment, payment and necessary business functions in keeping with medical ethics. The health care organization may condition the delivery of care, or payment for care upon receiving authorization for these activities, which can be obtained at the point of enrollment or at the time of treatment.
Any activities that fall outside this core group (sometimes referred to as uses) must be authorized separately by the patient and fall under Tier Two authorization. The patient can refuse authorization for these activities without facing any adverse consequences. Activities in this category include, but are not limited to:
The Working Group identified a limited number of circumstances in which personally-identifiable health information may be disclosed without patient authorization. These include:
7. Health care organizations should establish policies and review procedures regarding the collection, use, and disclosure of health information.
An organization's confidentiality policies and procedures should be coherent, tying together authorization requirements, notice given to patients, safeguards, and procedures for accessing personally identifiable health information. Organizations should also establish review processes that ensure a degree of accountability for decisions about the use and disclosure of personally identifiable health information. During such a process organizations might, for example, wish to determine routine procedures and special procedures for some areas of health care where medical information is considered highly sensitive to the patient.
8. Health care organizations should use an objective and balanced process to review the use and disclosure of personally identifiable health information for research.
For some areas of research, it is not always practical to obtain informed consent and in some cases, a consent requirement could bias results. Recognizing this, the Working Group advises that patient authorization should not always be required for research. However, any waivers of informed consent should only be granted through an objective and balanced process.
Currently, any federally funded research is subject to the "Common Rule," where an Institutional Review Board (IRB) is required to make a determination about the need for informed consent. An IRB can choose to give a researcher access to personally identifiable health information with or without informed consent. But some research falls outside the scope of federal regulations. In such circumstances, health care organizations should use a balanced and objective process before granting researchers access to personally-identifiable health information.
9. Health care organizations should not disclose personally identifiable health information to law enforcement officials, absent a compulsory legal process, such as a warrant or court order.
Federal privacy laws generally require that some form of compulsory legal process, based on a standard of proof, be presented in order to disclose to law enforcement officers. Law enforcement access to health information should be held to similar standards. In some instances, however, government officials may access health information with legal process for the purposes of health care oversight. In these instances, the information obtained should not be used against the individual in an action unrelated to the oversight or enforcement of law nor should the information be re-disclosed, including to another law enforcement agency, except in conformance with the privacy protections that have attached to the data.
10. Health privacy protections should be implemented in such a way as to enhance existing laws prohibiting discrimination.
Currently, there are state and federal laws that prohibit discrimination on the basis of a person's health status in areas such as employment or insurance underwriting. Confidentiality policies should be implemented in such a way as to enhance and complement these protections. In effect, privacy can serve as the first line of defense against discrimination, creating a more comprehensive framework of protection.
11. Strong and effective remedies for violations of privacy protections should be established.
Remedies should be available for internal and external violations of confidentiality. Health care organizations should also establish appropriate employee training, sanctions, and disciplinary measures for employees and contractors who violate confidentiality policies.
The 11 principles outlined above focus on information gathered in the context of providing patient care and are written to establish a broad framework for the use and disclosure of health information. Although the Working Group recognizes that the need for privacy protections in other areas is no less urgent, this consensus document does not address the following areas:
These 11 principles are designed to serve as a baseline for establishing patient privacy protections. While we all agree that health information, used in the right hands and with the right safeguards, can lead to improved health and advances in research, this information should not be used with disregard for patient privacy. Patients need to know that adequate protections are in place to protect their health information. Our hope is that these principles will go a long way towards establishing appropriate protections and, in the process, help build public trust and confidence in our health care system.
II. The State of Health Privacy: An Uneven Terrain
Eighteen months ago, the Health Privacy Project launched an initiative to compile and publish a comprehensive survey of state health privacy statutes. As word spread that we had undertaken this effort, we heard two distinct messages, often delivered by the same people in the same breath: First, "Nothing like this exists." Second, "Are you crazy? Do you have any idea what you are getting into?" Over the past year and a half, we have come to appreciate both the importance of this effort, and the near impossibility of the task.
At the outset, it is important to say what this report is, and what it is not. The State of Health Privacy includes a summary of each state's major statutes related to the confidentiality of personal health information. The survey is specifically and exclusively a survey of statutes, not laws. This distinction is important: we did not research or include regulations, or common law, both of which ultimately must be understood in order to appreciate the full range of protections at the state level.
The survey is not exhaustive -- there are many more statutes that address the confidentiality of health information. The summaries speak most directly to the use and disclosure of information gathered and shared in the context of providing and paying for health care. In particular, the condition-specific requirements are meant to be illustrative; we did not do an exhaustive search for mandatory reporting requirements or specific conditions.
Throughout, keep in mind that medical information is used in many different settings, and for many different reasons. There are innumerable state laws that speak to the confidentiality of health information -- such as laws on workers compensation, public health reporting, adoption records, birth and death records, motor vehicle requirements, minor's rights, and so on -- that are not generally addressed in our summaries. For this reason, we have given four states -- Florida, Maryland, New York, and Washington -- a more exhaustive treatment that highlights the breadth and the depth of the state laws that relate to the confidentiality of health records.
To satisfy diligent scholars and the excessively curious, we augment the summaries with a comprehensive list of each health privacy-related law we discovered in the state. (Given the length of these lists, they are only available in the online edition at the Health Privacy Project's website: http://www.healthprivacy.org/resources.) We have also provided a number of overview documents that attempt to pull together the findings and provide a snapshot of how the states compare to each other.
This report is not perfect. We may have missed some laws. Laws may have been repealed or re-interpreted by the courts. Laws may take on a different meaning in their application than they do in the plain reading. States may have issued regulations implementing their laws that amplify, diminish, or otherwise affect the law's impact. However, we determined that you, the reader, would benefit from the timely publication of this report, and would not be offended by our asking your indulgence for what we did not have the time or the resources to accomplish. In fact, we ask your assistance -- if you discover a major statute we have overlooked, or if you find we mis-characterize a law, or if there is anything else you would like to contribute to enhance the accuracy and completeness of The State of Health Privacy, contact us. Your input is appreciated.
Finally, and most importantly, this survey is part of a larger body of work undertaken by the Health Privacy Project. Throughout, we have tried to maintain a sense of the ultimate goal: to protect the privacy of people's health information.
In the health care arena, maintaining the confidentiality of medical information and communications has been an essential element of the relationship between doctors and their patients. Increasingly, however, major changes in health care -- such as the rise of managed care, the development of electronic health information networks, and reform efforts to improve individual and community health -- all depend on accumulation of and access to complete and reliable patient data.
Protecting privacy and improving health and access to health care are values that have long been viewed as in conflict. Consumer advocates often view public health and research initiatives as threats to individual privacy, whereas public health officials and researchers may treat privacy as a barrier to improving health. In fact, the converse is true -- protecting privacy and promoting health are values that must go hand-in-hand.
Without trust that the personal, sensitive information that they share with their doctors will be handled with some degree of confidentiality, patients will not fully participate in their own health care.
The consequences of people not fully participating in their own care are quite troubling, for individual patients as well as the larger community. For instance, incomplete or inaccurate information can hamper a doctor's ability to accurately diagnose and treat a patient, inadvertently placing a person at risk for undetected and untreated conditions. In turn, if doctors are receiving incomplete, inaccurate information, the data they disclose for payment, research, public health reporting, and outcome analysis will be unreliable. Ultimately, information that lacks integrity at the front end will lack integrity as it moves through the health care system. Thus, protecting patient privacy is integral both to improving individual care and to the success of public health initiatives and quality of care.
There is no doubt that the public is deeply concerned about the lack of privacy in the health care environment. A survey released by the California Health Care Foundation in January 1999 found that "public distrust of private and government health insurers to keep personal information confidential is pervasive. No more than about a third of U.S. adults say they trust health plans (35%) and government programs like Medicare (33%) to maintain confidentiality all or most of the time." The consequences of such distrust -- real or perceived -- are significant. The Foundation's survey identified that:
Currently, there is no comprehensive federal law protecting the privacy of people's medical records. Congress has acknowledged that such a law should be passed and imposed a deadline on itself to do so by August 1999. If Congress fails to meet the deadline, the Secretary of Health and Human Services is required to issue regulations by February 2000.
Health privacy is not a new issue to the U.S. Congress. Each year over the past decade, as debate has resumed over how best to craft a health privacy law, the question is inevitably raised, "What have the states done? What are the state health privacy laws? What will be the impact on the states of any federal preemption of state law? What negative and positive models exist for us to learn from?" For the most part, these questions have gone unanswered. Until now, no comprehensive compilation of state health privacy laws existed.
Bear in mind as you read this report that, in the absence of a comprehensive federal health privacy law, the limited privacy protections people currently enjoy have been put in place by state legislatures. The terrain of state health privacy law may be uneven, but that shaky ground plays a significant role.
This report is the first-ever comprehensive 50-state survey of health privacy statutes. In our experience, the hallmarks of researching state health privacy laws have been that: 1) nothing is simple; and 2) nothing is predictable. In the process of researching, analyzing, and summarizing the statutes, we reached a number of conclusions and made a few surprising discoveries. But in many more ways, the states defy categorization.
State laws relating to health privacy have been enacted at different points in time, over many years, to address a wide variety of uses and public health concerns. One must approach each state on its own terms and attempt to understand the protections as a unique whole within the state. In striving for precision and nuance, our labels of state laws are accompanied by qualifiers and explanations.
Laws relating to health privacy can be found in nearly every nook and cranny of a state's statutes -- in obvious and obscure sections of a state's code, buried in regulations, developed in case law, and detailed in licensing rules. Florida, for example, has more than 60 statutes that address health privacy, and it is not unique.
A number of initial observations emerge from the state summaries:
States legislate and regulate health privacy by entity.
There is little mystery about why state health privacy laws are so extensive, vast, and detailed: the statutes reflect the diverse users of health information. Consider the following four types of users: physicians, schools, insurers, and state agencies. Each has a specific function in the state and a legal and regulatory structure specific to their roles. Thus, the statutory requirements for how they handle medical information are different.
To understand what confidentiality protections do exist at the state level, one must first begin by examining the laws applying to the different entities that collect, use, maintain, and distribute health information. Even states that attempt to handle health privacy in a comprehensive fashion ultimately establish unique rules for different entities. In looking at a state's laws and determining what kind of privacy protections exist, one must always ask, "Who's holding the data?" and "What is the medical condition at issue?"
The end result of this legislating by entity is that state laws -- with a few notable exceptions -- do not extend comprehensive protections to people's medical records. Thus, a state statute may impose privacy rules on hospitals but not dentists. The state may restrict the use and disclosure of information derived from a genetic test but not information obtained in a routine physical. Or just the opposite may be true in a neighboring state.
The cumulative effect of these various statutes might appear erratic, but so many of the laws that do exist provide meaningful protections for consumers and speak to the specific needs of the organizations and citizens of the state. For instance, a nursing home may have different information needs than a public hospital, and state laws attempt to accommodate these differences.
The vast majority of state statutes were never intended to be comprehensive.
Virtually every state has some law aimed at the confidentiality of patient information, but very few states have anything approaching a comprehensive health privacy law. Two notable exceptions are Rhode Island and Wisconsin, each of which has comprehensive health privacy laws. Many states have health privacy laws governing certain health care entities, such as hospitals or clinics, but no privacy protections regulating health plans and HMOs.
State confidentiality requirements are part and parcel of larger statutes that provide consumer protections or regulate persons or entities. Many of the statutes, for example, are embedded within licensing requirements. In this context, the provider is required to maintain health information in confidence in order to obtain and maintain a license to practice from the state. One must read all of the statutes together in order to glean an understanding of how health information is protected as it moves between persons and entities.
An ethical duty to maintain confidentiality is often assumed.
Most states appear to presume an ethical duty on the part of health care providers to keep information confidential. Many statutes, for instance, do not explicitly impose a duty of confidentiality, but they do stipulate a penalty for breaching patient confidentiality. It seems that in these instances, the states did not see a need to legislate the ethical duty. Unfortunately, the users of health information have extended well beyond those who may be bound by professional codes of ethics.
State laws have not kept pace with changes in health care delivery and technology.
Most state laws do not reflect the dramatic changes in the health care environment or the dramatic changes in information technology. Today, for instance, the majority of health care is not delivered by physicians. Integrated delivery systems (such as HMOs and provider networks) and the establishment of statewide health information databases have created new demands for data that push well beyond the limits originally anticipated by the states. The variety of people and entities collecting, receiving and using health information has also extended far beyond the health care environment. A physician, for example, may be obligated to report a person with epilepsy to the Department of Motor Vehicles, which in turn may revoke a driver's license.
Therefore, in many ways, the state laws defy summarization -- they are detailed, specific, and intricate. Nevertheless, we have attempted to bring some coherence to this report. The summaries are arranged in four broad categories: Patient Right of Access, Restrictions on Disclosure, Privilege and Condition-specific Requirements. Our major findings in each category are listed below.
Key Findings
Patient Access
States vary widely in the rights they grant to patients to receive and copy their own medical records. Some states, such as Kansas and North Dakota, have no statutory right of access. Three states -- Alabama, Idaho, and New Mexico -- and the District of Columbia only have a statutory right for patients to access their own mental health records.
On the opposite end of the continuum, a few states -- such as Connecticut and Minnesota -- grant access to records maintained by nearly all of the potential sources of patient data, i.e., government agencies and entities, hospitals, physicians, insurers, schools, and even non-traditional health care providers such as naturopaths. Maine and South Dakota, for example, have cast a particularly wide net with respect to providing access to records maintained by health care providers by using broad definitions that anticipate future users and holders of medical information, such as those performing in vitro fertilization and blood banks.
Most states fall somewhere in the middle of these two extremes. Forty-four states provide some right of access, but this figure is a bit misleading. The right of access quickly breaks down:
- 33 states provide a right of access to hospital records;
- 13 states provide a right of access to HMO records; and
- 16 states provide a right of access to insurance records.
Many additional statutes cover specific providers -- such as physicians, psychiatrists, and pharmacists. However limited the right, the impact of providing the right should not be underestimated. For example, in response to the public's desire to utilize alternative sources for contact lenses, Colorado and other states require optometrists to disclose prescriptions to their patients.
All state statutes that grant people a right to see and copy their own medical records limit that right with a set of exceptions. The most common exception is that a patient can be refused access to his or her own medical record if the record holder believes that the release of the information could endanger the life and safety of the subject of the information or another person.
Many states have also granted patients the right to amend or correct their medical information, particularly when the records are held by insurance companies. In Illinois, New Jersey and Ohio, for example, the statute includes a detailed procedure for resolving a patient's challenge to the accuracy or completeness of the record. Where the provider and the patient disagree, for example, the patient may be able to insert a statement of his or her position in the record.
Most states allow a person or entity to charge patients for copies of their medical record. Some states specify a cost in the statute -- in Kentucky, for example, a health care provider or hospital must provide a patient with a free copy of their medical record. A patient may be charged for additional copies, but not more than $1 per page. Other states require that the fee be waived if the patient is contesting an adverse underwriting decision. The most common approach is to stipulate that an entity may charge a "reasonable" fee.
Restrictions on Disclosure
States vary widely in terms of the restrictions or prohibitions they impose on disclosures of medical records and medical information. The restrictions tend to be triggered in two ways: by the entity holding the data, and by the kind of information being held.
For the most part, the state statutes prohibit a person or entity from disclosing information unless certain conditions are met. The most notable impact of this approach is that it may limit the actual protections afforded the data. Once the information is disclosed, it may or may not be afforded the same protections by the receiving entity. For instance, the state laws may not place limits on the re-disclosure of patient data, or the receiving entity may not be under any legal obligation to adhere to the privacy rules imposed on the disclosing entity.
In comparison, a few states -- such as Wisconsin and Rhode Island -- have statutes that prohibit medical information from being disclosed, regardless of the entity holding the record.
Overall, the most common restriction found in state statute is that patient authorization must be secured prior to health information being disclosed. Some states specify the format and content of the authorization form in statute. Many states allow patients to revoke authorizations.
At the same time, these statutes all specify numerous exceptions to this general rule in which a person or entity may disclose information without patient authorization. The most common instances include: for purposes of treatment; to secure payment for healthcare; for auditing; and for quality assurance activities. Most statutes allow access to patient data for research purposes, without any patient notification or authorization. (See later discussion on research.)
Also of note is that some states do prohibit the re-disclosure of medical information. In such instances, an entity that receives medical information is prohibited from re-disclosing the information unless a separate authorization is secured, or the disclosure is in keeping with the statutory requirements. Montana has stated that although it is state public policy that a patient's interest in the proper use of health care information survives, the state is not going to statutorily regulate disclosures because a person's expectation of privacy changes when the information is held by a non-health care provider.
Privileges
A common myth is that the doctor-patient privilege prohibits health care providers from sharing information about their patients. The truth is the law of privilege is a rule of evidence and quite limited in scope. Privilege applies to a patient's (or provider's) right to keep certain communications confidential in a legal proceeding.
We have included a survey of states' statutory privileges for two reasons: 1) to date, all of the proposed federal health privacy legislation leaves state privilege law intact; and 2) many states' statutes governing the confidentiality of health care information maintained by HMOs provide that an HMO is entitled to claim any statutory privilege against disclosure that the provider of the information is entitled to claim. Thus, in order to understand what privilege an HMO might be able to exercise, it is necessary to know what statutory privileges exist.
A common misconception about the physician-patient privilege is that it is a general prohibition against a health care provider sharing information about his or her patients. However, it is important to recognize that in legal terms, there is a distinction between "privilege" and "confidential." The law of privilege is generally seen as a rule of evidence which is limited in scope. It allows a patient in a legal or quasi-legal proceeding to refuse to disclose and to prevent others from disclosing certain confidential information (usually communications) obtained during the course of diagnosis and treatment. In contrast, a health care provider's duty of confidentiality to her patients, arising from a code of ethics, by regulation, or otherwise, is a broader duty not to disclose to the public information obtained in a professional capacity.
That being said, it must be noted that even legal professionals often use the terms interchangeably. We have attempted to note where a state has worded its statutory privilege in such a way as to extend it beyond a legal or quasi-legal proceeding.
It must be emphasized that this is a summary of statutory rules of privilege. Many more providers and entities may be covered by a state's common law privilege. The summaries do not include a discussion of when privilege may be waived. State law is detailed and voluminous on this subject, and we chose simply to indicate to whom the statutory privilege applies.
Condition-specific Requirements
Nearly all states have laws that impose condition-specific privacy requirements, most often to shield people with mental illness, communicable diseases, cancer, and other sensitive, stigmatized illnesses from broad disclosures. Many of these laws were passed to respond to public fear that certain health information would be widely disclosed and used to deny them benefits or could result in other harm. Where this fear acted as a barrier to seeking health care, treatment, or counseling, states have moved to bolster public trust and confidence in the health care system by enacting heightened privacy rules in these specific areas. The protections tend to attach to the information at the point of collection, before the information is disclosed. These requirements may, for example, direct a provider, hospital, or laboratory to obtain a particular kind of authorization from the patient or more stringently restrict disclosure.
In some circumstances, the condition-specific requirements allow for greater disclosure of the information. Some mental health statutes, for example, explicitly allow family members to access the mental health records of a family member who has been committed. Other statutes allow employers to share medical information about an employee if it affects the performance of her job.
Most of the condition-specific requirements that exist at the state level, however, were enacted hand-in-hand with mandatory reporting laws. While the summaries note the protections afforded the data, it is important not to lose sight of the fact that these privacy laws were enacted on the backend of laws requiring doctors and other health care providers to report to state officials identifiable patient data related to certain illnesses and conditions. Clearly, state lawmakers viewed such privacy protections as a necessary balm to quiet public fears of the government developing health information databases on vulnerable citizens. Our inclusion of the public health reporting requirements and related privacy protections is not comprehensive, but we point out that many states' reporting requirements are aimed beyond communicable or infectious diseases. Many states collect health information to study costs, outcomes, and quality -- all of which rely on extensive patient data. In turn, there is a great demand -- often answered in the affirmative -- for access to this data.
All states have laws designed to control the spread of contagious diseases, which include requirements that named individuals with particular illnesses or conditions be reported to health authorities. Again, in the vast majority of these condition-specific requirements, the privacy protections are linked to the mandatory reporting requirements. In such instances, the confidentiality requirements and protections only apply to the agency collecting the data. Many states, for example, require providers to report birth defects to the state's registry. The statute then limits how the registry can use and disclose the information. These protections, however, do not apply to any other entity holding the same information -- such as a provider, hospital or insurance company.
Remedies and Penalties
Most state health privacy statutes contain some form of remedies and penalties that are triggered by violations of the law. Commonly found are private right of action provisions granting people the ability to bring lawsuits when the statute has been violated, without first having to meet any additional standard of proof, i.e., that the violation was willful or intentional. It is enough that the law was violated. A full range of damages, remedies, and attorney's fees and costs are usually available; however, the monetary damages are often set quite low. In some cases, these statutory remedies may be construed as exclusive, thereby barring people from raising other claims, such as privacy torts or other common law claims.
Government-maintained Records
Across the board, records held by government agencies and officials are treated differently -- and are usually more protected -- than the medical information collected and held by the private sector. In some instances, the medical records held by the government are the only records protected in statute. In effect, a state statute may impose confidentiality requirements only on public hospitals, leaving people who are treated in private hospitals without the same legal safeguards. In Oregon, for example, the statutory prohibitions on disclosure, including authorizations, apply only to public providers of health care. Private health care providers are simply "encouraged, but not required to adopt voluntary guidelines limiting the disclosure of medical records..."
Although this legal distinction -- between public and private holders of medical information -- is rooted in the constitutional principle that there must be limits on government action vis-a-vis the individual, it may not be particularly meaningful to health care consumers. Therefore, privacy protections have been extended in a number of federal and state privacy statutes to restrict the private sector's collection and use of personal information.
Research
Again, there is little uniformity in how state statutes regulate researcher access to people's medical information. The vast majority of laws, however, do allow researchers broad access to patient records. As the laws apply to private entities, researcher access is almost always built in as an exception to a statute's patient authorization requirements. What limits do exist usually speak only to specific information -- such as genetic information or HIV/AIDS information.
On the other hand, researcher access to patient data held by government entities (i.e., agencies and registries) is in some instances regulated in more detail. Some registries, for example, have strict conditions that must be met before researchers can access data and may require that personal identifiers be removed before a researcher can access information. Laws applying to government entities are also more likely to prohibit researchers from re-disclosing patient data.
III. Conclusion
Again, there is no comprehensive federal law protecting the privacy of people's medical records. Congress has acknowledged that such a law should be passed and imposed a deadline on itself to do so by August 1999. If Congress fails to meet the deadline, the Secretary of Health and Human Services is required to issue regulations by February 2000. We hope these reports are useful to you as you move forward. We are available to work with you.
1. The Health Privacy Working Group Members: Dr. Bernard Lo, University of California-San Francisco; Paul Clayton, Columbia Presbyterian Medical Center; Jeff Crowley, National Association of People with AIDS; John Glaser, Partners Health Care System, Inc.; Nan Hunter, Brooklyn Law School; Shannah Koss, IBM; Chris Koyanagi, Bazelon Center for Mental Health Law; John Nielsen, Intermountain Healthcare; Linda Shelton, National Committee for Quality Assurance; and Margaret VanAmringe, Joint Commission on Accreditation of Healthcare Organizations.