Privacy Traditions in the U.S.: A Legal Overview of Federal Information Privacy Protections
Posted on: June 14, 2007
Author: Michelle
Filed Under: Health Information
Protecting health information privacy is not a new concept; for decades policymakers have tried, through legislative and regulatory proposals, to balance privacy against public health. Those policies sit on top of a long tradition of sharing private health information with an array of public and private sector entities for a variety of reasons, with or without informed consent. Because the Constitution does not explicitly grant individuals a right to health information privacy, and case law does not support a broad individual expectation of privacy, federal and state statutes and regulations have been the basis for health information privacy protections in the United States (Gostin, 1995, 451-490). The result is a patchwork of privacy laws and policies that apply to selected health data, at varying levels of government, in specific settings, reflecting the fragmented nature of legal protection for health information privacy (Gostin, 1995, 514). Many view these provisions as inadequate to protect the privacy of health data that are increasingly digitized within a national electronic health information infrastructure (Gostin, 1995, 528), while public health professionals complain of a cumbersome regulatory environment. The HIPAA Privacy Rule, a national regulatory standard, is thus submerged within this existing universe of legal and ethical privacy protections, which together make public health practice more time consuming and complex.
Federal Privacy Protections
The federal government collects and maintains identifiable health information for many purposes, such as the direct provision of health care, biomedical research, health-related statistics, and public health. Yet, prior to HIPAA, there was no comprehensive federal health information privacy law. Rather, federal privacy laws applied to particular types of health information collected and maintained by specific agencies (e.g., the Centers for Medicare & Medicaid Services, the National Institutes of Health, and the Centers for Disease Control and Prevention). These laws contribute to and reflect the emerging American ideal of autonomy, exemplified by privacy and informed consent.
One such law is the Freedom of Information Act of 1966 (FOIA) (5 U.S.C. § 552 (1988)), which was designed to give the public broad access to federal government records. It allows individuals access to records kept by the federal Executive Branch unless an exemption applies, and one or more of these exemptions may be invoked to protect an individual's health information privacy. For example, the government routinely withholds identifiable health information from public dissemination under what is known as the FOIA (b)(6) exemption. This exemption covers information that, if released, would constitute a "clearly unwarranted invasion of personal privacy." Such information may be withheld entirely from a request, or released with identifiers removed so that the remaining information, alone or in combination with other available data, does not reveal individual identities.
Another notable example is the federal Privacy Act of 1974 (5 U.S.C. § 552a (1988)). It applies whenever information is collected and maintained by a federal agency in a system of records from which the information is retrieved by a personal identifier. It safeguards privacy by specifying the situations in which information may be disclosed without the individual's consent (and requiring consent in all other cases), by prohibiting an agency from maintaining identifiable health information that is not relevant and necessary to accomplish the agency's purposes, by requiring agencies to publish a notice describing each system of records, and by requiring agencies to inform individuals of the statutory basis for collecting health information, the purposes for which it is used, and the consequences of not supplying it.
While FOIA and the Privacy Act apply to all federal agencies, other federal privacy laws relate to particular government programs or agencies. For example, the Federal Policy for the Protection of Human Subjects, or the Common Rule, requires that the privacy of research subjects be reviewed as part of a research proposal, and that subjects be informed of the confidentiality protections that exist (45 C.F.R. §§ 46.111(a)(7) and 46.116(a)(5)). It requires that informed consent forms include "a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained" (10 C.F.R. § 745.116). Additional privacy protections for research and other health data are found in the Public Health Service Act (PHSA). Sections 308(d) and 301(d), respectively, authorize assurances and certificates of confidentiality to protect statistical and research data. These sections allow Public Health Service agencies (such as CDC) and outside researchers to assure human research participants and others that the recipients of their health data will protect its confidentiality. Assurances of confidentiality under Section 308(d) (42 U.S.C.A. § 242m(d) (1997)) apply to statistical data collections conducted by federal public health agencies: Section 308(d) provides that no identifiable information may be used for any purpose other than that for which it was supplied unless the supplying agency or person has consented. Certificates of confidentiality, available to researchers both within and outside government, are authorized under Section 301(d) (42 U.S.C.A. § 241(d) (1997)) and protect research participants from legally compelled, non-consensual disclosure of identifying information in proceedings not connected with the research. Researchers generally seek this protection for sensitive health data, such as information on sexually transmitted diseases, where subjects might otherwise be reluctant to participate.
The HIPAA Privacy Rule
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104-191, 110 Stat. 1936 (1996)) was enacted by Congress in part to improve the efficiency of health care delivery by encouraging standardized electronic transactions between health care entities. The statute itself contained no privacy rule; it called on Congress to enact health privacy legislation and, when Congress did not do so, left it to the Department of Health and Human Services (DHHS) to issue privacy regulations. DHHS published a final Privacy Rule in December 2000 and issued its modified final version on August 14, 2002 (Frank-Stromborg, 2004, 13).
Compliance with the Rule was required beginning April 14, 2003 for most "covered entities," including health plans (e.g., health insurance companies, managed care entities, and specifically named government health programs), health care clearinghouses (e.g., billing services, re-pricing companies, or community health information systems), and health care providers (e.g., doctors, hospitals, clinics) that conduct certain transactions electronically (45 C.F.R. § 160.103). DHHS extended the reach of the Rule to their business associates (e.g., claims processors, billing managers, data analysts, and others) through contracting requirements (45 C.F.R. § 160.103).
The Privacy Rule protects most individually identifiable health information that is transmitted by electronic media, maintained in an electronic medium, or transmitted or maintained in any other form or medium (Jackson, 2003, 29). "Protected health information" (PHI) includes individually identifiable data that relate to a person's past, present, or future physical or mental health or condition, the provision of health care to the person, or the past, present, or future payment for that care (45 C.F.R. § 164.501). It does not include aggregate health statistics or any other health information that does not identify the individuals to whom it pertains. The Rule further addresses how and under what circumstances covered entities may disclose PHI outside their organizations. In general, a covered entity may not disclose PHI without the individual's written authorization (45 C.F.R. § 164.508(a)(1)), but the Rule provides a series of exceptions.
The contemporary paradigm of health information privacy embodied in the HIPAA Privacy Rule, including the view that individuals have the right to regulate the use of their personal information, developed outside the historic tradition of public health data practices. Shifting balances between individual and communal goods, together with changing notions of informed consent, affect both the flow and the quality of identifiable health data reaching public health authorities. Consequently, public health authorities may find that the flow of some PHI is questioned or discontinued by covered entities that interpret the Privacy Rule conservatively. Even where PHI flows as usual, public health agencies may believe that the Rule prevents them from using it in some contexts. Finally, because the Rule can apply to public health authorities that perform covered functions, some health data must now be treated differently within an agency than other data. Collectively, these consequences of the Rule may reshape the practice of public health in the years ahead absent favorable guidance, interpretations, or amendments to the Rule.
References
Code of Federal Regulations. (2005). 45 C.F.R. §§ 46.111(a)(7) and 46.116(a)(5), 164.512(a) and (b), 160.103, 160.203(c), 164.501, 164.502(a)(1), 164.508, 164.508(a)(1). Standards for privacy of individually identifiable health information. Retrieved June 28, 2007, from http://www.hhs.gov/ocr/hipaa/privacy.html.
Code of Federal Regulations. (2005). 10 C.F.R. § 745.116 (1991) and 745.116(5) (1991). Federal Policy for the Protection of Human Subjects. Retrieved June 28, 2007, from http://www.fda.gov/oc/gcp/preambles/56fr.html.
Frank-Stromborg, Marilyn. (2004). They're real and they're here: the new federally regulated privacy rules under HIPAA. Dermatology Nursing, 16(1): 13.
Gostin, Lawrence O. (1995). Health information privacy. Cornell Law Review, 80: 451-528.
Jackson, John Zen. (2003). Getting and altering medical records under the HIPAA Privacy Rule: New federal patient privacy rule impacts lawyers gathering medical evidence. New Jersey Law Journal, 172(4): 29.
Pub. L. No. 104-191, 110 Stat. 1936 (1996).
5 U.S.C. § 552 (1988).
42 U.S.C.A. § 242m(d) (1997).
42 U.S.C.A. § 241(d) (1997).