Balancing Communal Goods and Personal Privacy Under a National Health Informational Privacy Rule
Posted: 8 Apr 2002
Abstract
The newly-introduced Standards for Privacy of Individually Identifiable Health Information represent the first systematic national privacy protections of health information. Flowing from a Congressional mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the regulations protect the privacy of individually-identifiable health records in any form (including electronic, paper and oral) through disclosure and use limitations, fair information practices, and privacy and security policies that apply to covered entities (meaning health providers, health insurance plans and health care clearinghouses) and their business associates.
Privacy safeguards are needed because of the personal nature of health data, the rapid shift from paper to electronic records, and actual and perceived risks of unwarranted disclosures. Existing health information privacy legal protections at the federal and state levels are fragmented, inconsistent, and variable. The new standards endeavor to protect patient privacy by limiting disclosures of individually-identifiable medical information (or protected health information (PHI)). Disclosure and use of PHI can only occur upon patient consent, subject to several exceptions outside the health care transaction setting. The regulations also implement fair information practices, which have long been a feature of existing federal laws. Fair information practices allow patients to (1) inspect and amend their records, (2) receive notice of covered entities' privacy practices and potential uses and disclosures of health information, and (3) request confidential communications and an accounting of actual disclosures.
Through the regulations, HHS attempts to protect individual privacy while recognizing legitimate needs for such data to process health claims and deliver medical care as well as provide for communal goods (including public health and health research).
Many of these provisions leave significant gaps in privacy protection. At times the regulations promote inappropriate trade-offs between the public welfare and individual privacy. The regulations inadequately protect privacy in certain contexts, including consent requirements for use and disclosure of PHI for health care purposes and some fair information practices provisions. In contrast, the regulations sometimes fail to assure that information can be used when necessary for significant communal benefits or require substantial burdens on the health care industry without providing meaningful protection for patients.