INFORMATION POLICY FOR THE U.S. HEALTH SECTOR: ENGINEERING, POLITICAL ECONOMY, AND ETHICS
CURRENT NORMATIVE, LEGAL AND REGULATORY PROTECTIONS
Professional norms and codes
Providers' "information obligations" are routinely traced back to the Hippocratic oath, composed sometime between the sixth century BCE and the first century CE. It enjoins that what is seen or heard in the course of treatment be kept to oneself and not "spread abroad." Ethical codes of the nineteenth century such as Thomas Percival's continue the Hippocratic tradition, promulgating a physician's obligation of "secrecy and delicacy" regarding information obtained in the "familiar and confidential intercourse" of a professional visit (Etziony, 1973). The current American Medical Association (AMA) Code of Medical Ethics requires that patient disclosures be safeguarded "to the greatest possible degree"; confidential communications or information are not to be revealed "without the express written consent of the patient" unless required by law (American Medical Association, 1994). The American Hospital Association (AHA) Patient Bill of Rights states that patients may expect "all communications and records" to be treated as confidential by the hospital "and any other parties entitled to review" such information (American Hospital Association, 1992).
Strictly speaking, the Hippocratic oath and its progeny apply only to physicians. Most of the other health care professions, however, such as nursing, have analogous professional norms and codes (see Etziony, 1973). Regardless of the specific formulation, in a world where medical information exchange is common and providers have little control over downstream data uses, the difficulty lies in sorting out confidentiality rules in actual practice. Some areas of legally mandated disclosure are clear, particularly those related to public health and safety (for example, communicable diseases, gunshot and knife wounds). Ethical practices are less well defined for the vast array of disclosures to secondary users such as managed care evaluators, insurance companies, and professional review bodies who, by constraints of law, custom or contractual arrangement, are "entitled to review." (Reflecting the complexities, the AMA's annotated ethics code provides abstracts of more than fifty legal cases and journal articles "clarifying" confidentiality; American Medical Association, 1994.)
Given the individual practitioner's difficulties in controlling information practices, professional norms targeted at an institutional level may come to be important. The Joint Commission on the Accreditation of Healthcare Organizations now has an information practices component in its certification processes. The National Committee on Quality Assurance has indicated that it plans to promulgate institutional information standards as well (NCVHS Hearings, 1997). Whether such self-regulation can or will be a credible substitute for government oversight remains to be seen.
State law and policy
Although it remains the principal mechanism of control, legal protection at the state level presents a variable and inconsistent patchwork, characterized by one of the many recent federal studies as "a morass of erratic law, both statutory and judicial" (Workgroup for Electronic Data Interchange, 1992). Almost every state makes some statutory provision for medical privacy. However, these protections are contained primarily in medical and other professional practice acts, in hospital and other institutional licensure laws, and only rarely in comprehensive medical information statutes (Gostin, 1993). Coverage and sanctions vary widely across states. Statutory dictates not uncommonly conflict even within the same state (Goldman, 1995). Statutes may specify different levels of obligation and protection for different classes of health provider, may vary according to the institution or setting of treatment, and may haphazardly mix disease- and condition-specific protections with mandatory reporting requirements (see e.g., Wolowitz, 1995).
Most states do recognize a common-law duty of confidentiality applying to health professionals. In some cases, this duty has been interpreted as extending to a direct nondisclosure requirement on the provider, and also as requiring institutional policies and procedures to prevent unauthorized disclosures by others (Gostin, 1993). Some state courts have been willing to enforce professional standards of confidentiality, such as those in the AMA ethical code, as part of the contractual relationship between physicians and patients (Office of Technology Assessment, 1993). Even in the rare instances where the duties of one class of provider are clearly established, and extend consistently to other types of health professional, important gaps can remain. Nonpractitioners such as researchers, the employees of insurers and other payers, and provider institutions' own administrative staff present significant disclosure risks.
State statutes still usually provide, at best, minimal regulation of the information practices of insurers (Gostin, 1994). Consequently, the evolving information strategies of managed care are unlikely to be well addressed. Only about two-thirds of the states currently allow patients access to their medical records, with varying provisions for what may be withheld. Many of these laws do not specify the ability to copy one's records or procedures for submitting amendments or corrections (Bennett, 1995). While providing inadequate confidentiality and security specifications, many state laws also create obstacles to legitimate sharing of health information. For example, some limit the use of computerized record systems by requiring that orders be written in ink (referred to as "quill pen" laws), or restrict the permissible "official" health record storage media to paper or microform (Roberts, 1995). The protections and status afforded to electronic records in such jurisdictions are uncertain. Such state legal deficiencies are widely perceived by proponents as slowing the development of health care information networks. Conflicting state laws are particularly problematic where large populations receive care in states different from the ones in which they work or reside.
Federal law and policy
The Privacy Act of 1974 protects individuals against disclosure of information held by federal agencies in any "system of records." It also limits data collection to objects "relevant and necessary" to the agency mission(s). Release of personally identifiable data requires consent, unless the disclosure is "compatible" with the purposes for which it was collected or serves a public policy need for which statutory authority exists. Over the years since the measure's enactment, the notions of compatibility and public policy need have been expanded to justify a very broad range of uses and transfers of information, particularly in areas such as law enforcement (Schwartz, 1995a). Under the Act, agencies must permit individuals to determine what records are kept on them, and must provide a procedure whereby inaccurate information can be corrected or amended. However, individuals are in general poorly positioned to police the myriad government information practices affecting them (Flaherty, 1989).
In the 1988 Computer Matching and Privacy Protection Act, which amended the 1974 Act, Congress addressed federal agency data sharing for purposes of comparing and linking records. The amendment requires agencies to formulate procedural agreements to control information exchange. It also mandates the establishment of agency "Data Integrity Boards" (DIBs) to oversee information practices. Weak supervision by DIBs and agency use of "routine practice" exemptions have limited the amendment's effects (Schwartz, 1995). Other federal legislation has extended to narrow categories of data in the private sector (education records, credit records) but not health records. (See the "Other Documents" section for a listing of federal statutes.)
Hospitals operated by the federal government are subject to the Privacy Act, as are a small number of private health care and research facilities maintaining medical records under federal contracts (Office of Technology Assessment, 1993). Federal statutes and regulations also prescribe confidentiality rules for patient records at federally funded drug and alcohol treatment facilities, providing a greater degree of protection than the 1974 Act's general coverage. Section 1106 of the Social Security Act, covering records held by the US Department of Health and Human Services, provides additional protection for information derived from Medicare and Medicaid participation. No federal statute currently defines an individual's rights regarding personally identifiable health information held by state and local governments (though there are some restrictions on the use of social security numbers). Private-sector health care entities not under federal contract are also largely beyond the reach of federal law. Thus only a small fraction of the health databanks in the US are reached.
International codes
International convention has not commonly proved a strong constraint on national conduct, and data protection so far provides no exception to the rule. However, several international conventions are of interest, if only for indications of the promise and limits of such approaches. As noted elsewhere, most European nations, and indeed most industrialized nations around the world, have or are moving to comprehensive data protection legislation that reaches both the public and private sectors. There are also several important trans-national agreements. The Council of Europe (CE) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and the Organization for Economic Cooperation and Development (OECD) Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data both emerged in the late 1970s. As they were developed in concert, there are strong similarities, though the former is, by virtue of the membership body, "Euro-centric," and, as its title implies, applies only to automated data. Recently the European Union (EU) has adopted its Directive on the Protection of Individuals With Regard to the Processing of Personal Data, intended to harmonize existing European data law and provide a common level of protection while removing obstacles to inter-member data flows (Schwartz, 1995b).
Both the CE Convention (1981) and the OECD Guidelines (1980) are based on the general principles of "fair information practices" (see discussion in the "Ethical Issues" section). Both operate at a fairly high level of generality, and neither provides specific details on the application of standards or provisions for enforcement. The CE Convention is binding on its signatories, who are required to establish compliant data protection legislation, including appropriate procedural remedies and sanctions for violations. The OECD Guidelines are, as their name implies, voluntary. The US is a member of the OECD, and since the Reagan administration, voluntary adoption of the Guidelines by American corporations has been encouraged from time to time. However, despite endorsement by hundreds of US multinationals and trade associations, there is little evidence that information practices have changed as a result (Gellman, 1993).
The EU Directive may prove more relevant for US practice when it assumes full effect in 1998. Unlike the OECD and CE agreements, it includes constraints on transfer of personal data to "third countries" which do not have compliant data protection laws. The US would clearly seem to fall into such a category, absent new Federal legislation; however, given the economic consequences, substantive restrictions on US-European data traffic may still be unlikely. Some interpretations of the Directive suggest that sector-by-sector, company-by-company compliance is also possible, rather than requiring that a country be assessed in total (Gellman, 1996). If so, this provides the means for compromise. However, since the health care sector is widely considered to have an inadequate data protection regime, it would still likely be singled out for attention. The EU Directive also endorses use of industry codes, giving the private sector a role in constructing the details of its own data protection.