Skip to main content

Advertisement

Log in

Shared expectations for protection of identifiable health care information

Report of a national consensus process

  • Health Policy
  • Published:
Journal of General Internal Medicine Aims and scope Submit manuscript

Abstract

OBJECTIVE: The Ethical Force Program is a collaborative effort to create performance measures for ethics in health care. This report lays out areas of consensus that may be amenable to performance measurement on protecting the privacy, confidentiality and security of identifiable health information.

DESIGN: Iterative consensus development process.

PARTICIPANTS: The program’s oversight body and its expert panel on privacy include national leaders representing the perspectives of physicians, patients, purchasers, health plans, hospitals, and medical ethicists as well as public health, law, and medical informatics experts.

METHODS AND MAIN RESULTS: The oversight body appointed a national Expert Advisory Panel on Privacy and Confidentiality in September 1998. This group compiled and reviewed existing norms, including governmental reports and legal standards, professional association policies, private organization statements and policies, accreditation standards, and ethical opinions. A set of specific and assessable expectations for ethical conduct in this domain was then drafted and refined through seven meetings over 16 months. In the final two iterations, each expectation was graded on a scale of 1 to 10 by each oversight body member on whether it was: (1) important, (2) universally applicable, (3) feasible to measure, and (4) realistic to implement. The expectations that did not score more than 7 (mean) on all 4 scales were reconsidered and retained only if the entire oversight body agreed that they should be used as potential subjects for performance measurement. Consensus was achieved on 34 specific expectations. The expectations fell into 8 content areas: addressing the need for transparency of policies and practices, consent for use and disclosure of identifiable information, limitations on what information can be collected and by whom, individuals’ access to their own health records, security requirements for storage and transfer of information, provisions to ensure ongoing data quality, limitations on how identifiable information may be used, and provisions for meaningful accountability.

CONCLUSIONS: This process established consensus on 34 measurable ethical expectations for the protection of privacy and confidentiality in health care. These expectations should apply to any organization with access to personally identifiable health information, including managed care organizations, physician groups, hospitals, other provider organizations, and purchasers. Performance measurement on these expectations may improve accountability across the health care system.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Emanuel L. Professional standards in health care: calling all parties to account. Health Aff (Millwood). 1997;16:52–4.

    Article  CAS  Google Scholar 

  2. Wynia M. Performance measures for ethics quality. Eff Clin Pract. 1999;2:294–8.

    PubMed  CAS  Google Scholar 

  3. Goldman J. Protecting privacy to improve health care. Health Aff (Millwood). 1998;17:47–60.

    Article  CAS  Google Scholar 

  4. Etzioni A. The Limits of Privacy. New York, NY: Basic Books; 1999.

    Google Scholar 

  5. Gostin LO, Hadley J. Health services research: public benefits, personal privacy, and proprietary interests. Ann Intern Med. 1998;129:833–5.

    PubMed  CAS  Google Scholar 

  6. Gostin L. Health information privacy. Cornell Law Review. 1995;80:101–84.

    Google Scholar 

  7. For the Record: Protecting Electronic Health Information. Washington, DC: National Academy Press; 1997.

    Google Scholar 

  8. Monane M, Mathias DM, Nagle BA, Kelly MA. Improving prescribing patterns for the elderly through an online drug utilization review intervention: a system linking the physician, pharmacist, and computer. JAMA. 1998;280:1249–52.

    Article  PubMed  CAS  Google Scholar 

  9. Howell A. Experts address concerns over plans invading medical confidentiality of members. BNA Healthcare Daily Report. 1998;volume 6, issue 37.

  10. Health Privacy and Confidentiality Recommendations. Report of the National Committee on Vital and Health Statistics. Washington, DC: National Committee on Vital and Health Statistics; 1997.

    Google Scholar 

  11. Marwick C. Medical records privacy: a patient rights issue. JAMA. 1996;276:1861–2.

    Article  PubMed  CAS  Google Scholar 

  12. 1998 Harris-Westin Survey on Privacy and the Elements of Self-Regulation. Department of Commerce Privacy Conference. Washington, DC: Department of Commerce; 1998.

    Google Scholar 

  13. Harris-Equifax Consumer Privacy Survey, 20–29 July, 1996. Available at http://www.equifax.com/consumer/parchive/svry96/suvy96a.html. Accessed March 20, 2000.

  14. 2000 Ethics Survey of Consumer Attitutdes about Health Web Sites. California Healthcare Foundation and the Internet Healthcare Coalition. Available at: http://www.chcf.org/press/viewpress.cfm?itemID=1015. Accessed March 20, 2000.

  15. Buckovich SA, Rippen HE, Rozen MJ. Driving towards guiding principles: a goal for privacy, confidentiality and security of health information. J Am Med Inform Assoc. 1999;6:122–33.

    PubMed  CAS  Google Scholar 

  16. The State of Health Privacy: An Uneven Terrain. Washington, DC: Health Privacy Project; 1999.

    Google Scholar 

  17. O’Brien DG, Yasnoff WA. Privacy, confidentiality and security in information systems of state health agencies. Am J Prev Med. 1999;16:351–8.

    Article  PubMed  CAS  Google Scholar 

  18. Westin A, Louis Harris and Associates. Health Care Information Privacy. A Survey of the Public and Leaders. Equifax, Inc. Study no. 934009; 1993.

  19. American worry about the privacy of their computerized medical records; health plans, drug companies and government health programs are least trusted. BW Healthwire. January 29, 1999.

  20. Goldman J, Hudson Z. Exposed: A Health Privacy Primer for Consumers. Washington, DC: Health Privacy Project, Institute for Health Care Research and Improvement, Georgetown University; 1999.

    Google Scholar 

  21. Alpert S. Smart cards, smarter policy. Medical records, privacy, and health care reforms. Hastings Cent Rep. 1993;23:13–23.

    PubMed  CAS  Google Scholar 

  22. Studdert D. Direct contracts, data sharing and employee risk selection: new stakes for patient privacy in tomorrow’s health insurance markets. Am J Law Med. 1999;25:233–65.

    PubMed  CAS  Google Scholar 

  23. Etzioni A. Medical records. Enhancing privacy, preserving the common good. Hastings Cent Rep. 1999;29:14–23.

    PubMed  CAS  Google Scholar 

  24. Moore J. Confidentiality casualty: patient billing printouts released in Kansas fraud case. Crain Modern Health Care Magazine. 1998;28(37):3.

    Google Scholar 

  25. O’Harrow R Jr. Survey not stifled by privacy concerns. Washington Post. December 15, 1998:C18.

  26. Protecting Privacy in Computerized Medical Information. U.S. Congress Office of Technology Assessment. Washington, DC: US Government Printing Office; 1993. OTA-TCT-576.

    Google Scholar 

  27. Duncan G, Jabine T, Wolf VD. Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics. Committee on National Statistics, Commission on Behavioral and Social Sciences and Education, National Research Council and the Social Science Research Council. Washington, DC: National Academy Press; 1993.

    Google Scholar 

  28. Sweeney L. Weaving technology and policy together to maintain confidentiality. J Law Med Ethics. 1997;25:98–110.

    Article  PubMed  CAS  Google Scholar 

  29. Armstrong MP, Rushton G, Zimmerman DL. Geographically masking health data to preserve confidentiality. Stat Med. 1999;18:497–525.

    Article  PubMed  CAS  Google Scholar 

  30. Ohrn A, Ohno-Machado L. Using Boolean reasoning to anonymize databases. Artif Intell Med. 1999;15:235–54.

    Article  PubMed  CAS  Google Scholar 

  31. Gostin L, Hodge J. Balancing individual privacy and communal uses of health information. Model State Health Privacy Project. Available at: http://www.critpath.org/msphpa/docs.htm. Accessed October 25, 2000.

  32. Finkelstein K. The computer cure. The New Republic. 1998;219:28–33.

    Google Scholar 

  33. Barrows RC Jr, Clayton PD. Privacy, confidentiality, and electronic medical records. J Am Med Inform Assoc. 1996;3:139–48.

    PubMed  Google Scholar 

  34. Campbell SG, Gibby GL, Collingwood S. The Internet and electronic transmission of medical records. J Clin Monit. 1997;13:325–34.

    Article  PubMed  CAS  Google Scholar 

  35. Duncan G, Pearson R. Enhancing access to microdata while protecting confidentiality: prospects for the future. Stat Sci. 1991;6:219–39.

    Google Scholar 

  36. Parsi KP, Winslade WJ, Corcoran K. Does confidentiality have a future? The computer-based patient record and managed mental health care. Trends Health Care Law Ethics. 1995;10:78–82.

    PubMed  CAS  Google Scholar 

  37. Rind D, Szolovits P, Kohane I. Confidentiality and electronic medical records. Ann Intern Med. 1998;128:510–1.

    Google Scholar 

  38. Melton L. Privacy and medical records research. N Engl J Med. 1998;338:1076–8.

    Article  Google Scholar 

  39. Coughlin S. Ethics in Epidemiology and Public Health Practice: Collected Works. Columbus, Ga: Quill Publications; 1997.

    Google Scholar 

  40. McCarthy DB, Shatin D, Drinkard CR, Kleinman JH, Gardener JS. Medical records and privacy: empirical effects of legislation. Health Serv Res. 1999;34:417–25.

    PubMed  CAS  Google Scholar 

  41. Cost and Impact Analysis: Common Components of Confidentiality Legislation. Chicago, Il: Blue Cross Blue Shield Association of America; 1999.

    Google Scholar 

  42. Statement for the Record on the Confidentiality of Health Information. Washington, DC: The Washington Business Group on Health; 1999.

  43. Pimley D. Maine experience shows potential snag as public grapples with patient privacy. BNA’s Health Law Reporter. 1999;8:No. 5.

  44. Vukadinovich DM, Coughlin SS. State confidentiality laws and restrictions on epidemiologic research: a case study of Louisiana Law and proposed solutions. Epidemiology. 1999;10:91–4.

    Article  PubMed  CAS  Google Scholar 

  45. Hodge JG Jr, Gostin LO, Jacobson PD. Legal issues concerning electronic health information: privacy, quality, and liability. JAMA. 1999;282:1466–71.

    Article  PubMed  Google Scholar 

  46. Naser C, Alpert S. Protecting the Privacy of Medical Records: An Ethical Analysis. Boston, Mass: National Coalition for Patient Rights; 1999.

    Google Scholar 

  47. Doyal L. Human need and the right of patients to privacy. J Contemp Health Law Policy. 1997;14:1–21.

    PubMed  CAS  Google Scholar 

  48. Kremer T, Gesten E. Confidentiality limits of managed care and clients’ willingness to self-disclose. Prof Psychol Res Pract. 1998;28:553–8.

    Article  Google Scholar 

  49. Goldman J, Muligan D. Privacy and health information systems: A guide to protecting patient confidentiality. Washington, DC: Center for Democracy and Technology; 1996.

    Google Scholar 

  50. Winslade W. Privileged Communications. In: Reich W, ed. Encyclopedia of Bioethics. New York, NY: Simon and Schuster MacMillan; 1995:2073–6.

    Google Scholar 

  51. Seigler M. Confidentiality in medicine — a decrepit concept. N Engl J Med. 1982;307:1518–21.

    Article  Google Scholar 

  52. Allen A. Privacy in Health Care. In: Reich W, ed. Encyclopedia of Bioethics. New York, NY: Simon and Schuster MacMillan; 1995:2064–73.

    Google Scholar 

  53. Emanuel LL. A professional response to demands for accountability: practical recommendations regarding ethical aspects of patient care. Working Group on Accountability. Ann Intern Med. 1996; 124:240–9.

    PubMed  CAS  Google Scholar 

  54. Litwin M. How to Measure Survey Reliability and Validity. In: Fink A, ed. The Survey Kit. Vol 7. Thousand Oaks, Calif: Sage Publications; 1995.

    Google Scholar 

  55. Aday L. Designing and Conducting Health Surveys: A Comprehensive Guide. San Francisco, Calif: Jossey-Bass Publishers; 1996.

    Google Scholar 

  56. Alpert S. Privacy and the Analysis of Stored Tissues. Research Involving Human Biological Materials: Ethical Issues and Policy Guidance, Volume II, Commissioned Papers. Washington, DC: National Bioethics Advisory Commission; 1997;A1-A36.

    Google Scholar 

  57. Chapman A. Developing Health Information Systems Consistent with Human Rights Criteria In: Chapman A, ed. Health Care and Information Ethics: Protecting Fundamental Human Rights. Kansas City, Mo: Sheed & Ward; 1997.

    Google Scholar 

  58. Ethical Issues and Patient Rights: Across the Continuum of Care. Oakbrook Terrace, Il: Joint Commission on Accreditation of Healthcare Organizations; 1998.

    Google Scholar 

  59. Starr P. Health and the right to privacy. Am J Law Med. 1999;25:193–201.

    PubMed  CAS  Google Scholar 

  60. Records, Computers, and the Rights of Citizens: Report of the Advisory Committee on Automated Personal Data Systems. United States’ Secretary of Health Education and Welfare. Washington, DC; 1973.

    Google Scholar 

  61. Flaherty D. Protecting Privacy in Surveillance Societies. Chapel Hill, NC: University of North Carolina Press; 1989.

    Google Scholar 

  62. Model Code for the Protection of Personal Information. Etobicoke, Ontario: National Standards Association of Canada; 1996.

    Google Scholar 

  63. Guidelines for the Protection of Privacy and Transborder Data Flows of Personal Data. Paris: Organisation for Economic Cooperation and Development; 1981.

  64. Janes G, Clutter G, Greenberg M. The Health Insurance Portability and Accountability Act: new standards for health data systems. J Reg Mgmt. 1998:86–90.

  65. Dahm L. The Health Insurance Portability and Accountability Act of 1996. Health Law News. 1999;13:8, 15.

    Google Scholar 

  66. Brittin A, Brown A, Tedesco J. Privacy: Understanding HHS’s Proposed Health Information Privacy Standard. Washington, DC: McKenna and Cuneo, LLP; 1999.

    Google Scholar 

  67. Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment. Washington, DC: National Committee for Quality Assurance and the Joint Commission on Accreditation of Healthcare Organizations; 1998.

    Google Scholar 

  68. Accreditation 2000: Draft Standards for Managed Care Organizations and Managed Behavioral Healthcare Organizations. Washington, DC: National Committee for Quality Assurance; 1999.

    Google Scholar 

  69. Model State Health Privacy Project. Sponsored by the U.S. Centers for Disease Control and Prevention, the Council of State and Territorial Epidemiologists, the Association of State and Territorial Health Officials, the National Conference of State Legislatures, and the Georgetown University Law Center (GULC). 1999. Available at: http://www.critpath.org/msphpa/docs.htm. Accessed October 25, 2000.

  70. Best Principles for Health Privacy. Washington, DC: Health Privacy Project; 1999.

  71. Pomeroy G. NAIC News: message from the officers. September 1998. Available at: http://www.naic.org/1news/news/naicnews/september_1998_naic_news.htm. Accessed October 25, 2000.

  72. Interim Report of the Inter-Council Task Force on Privacy and Confidentiality — Board of Trustees Report 36-A-99. Chicago, Il: American Medical Association; 1999.

    Google Scholar 

  73. Final Report of the Inter-Council Task Force on Privacy and Confidentiality — Board of Trustees Report 16-I-99. Chicago, Il: American Medical Association; 1999.

    Google Scholar 

  74. Electronic Communications and Privacy Interest Group. American Bar Association; 1999. Available at http://www.abanet.org/health/electronic/home.html. Accessed 1/5/01.

  75. AAHP’s Board of Directors Adds New Protections to Industry-Wide, Patient-Centered Initiative. January 7, 1999. Available at: www.aahp.org. Accessed October 25, 2000.

  76. ASHG statement. Professional disclosure of familial genetic information. The American Society of Human Genetics Social Issues Subcommittee on Familial Disclosure. Am J Hum Genet. 1998;62:474–83.

    Article  Google Scholar 

  77. American College of Epidemiology. Statement on health data control, access, and confidentiality. Available at: http://acepidemiology.org/data.html. Accessed July 12, 1999.

  78. Chilton L, Berger JE, Melinkovich P, et al. American Academy of Pediatrics. Pediatric Practice Action Group and Task Force on Medical Informatics. Privacy protection and health information: patient rights and pediatrician responsibilities. Pediatrics. 1999;104:973–7.

    Article  PubMed  CAS  Google Scholar 

  79. Bluml BM, Crooks GM. Designing solutions for securing patient privacy—meeting the demands of health care in the 21st century. J Am Pharm Assoc. 1999;39:402–7.

    CAS  Google Scholar 

  80. Information for Health: An Information Strategy for the Modern NHS 1998–2005. London England: British National Health Service; 1998.

    Google Scholar 

  81. Protecting Data Privacy in Health Services Research. Washington, DC: Institute of Medicine Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection; 2000.

  82. Protecting the Confidentiality of Patient Information in a Rapidly Changing Health Care System: Summary of a National Conference. Protecting the Confidentiality of Patient Information in a Rapidly Changing Health Care System. Washington, DC: Health Systems Research, Inc.; 1998.

    Google Scholar 

  83. Emanuel EJ, Emanuel LL. What is accountability in health care? Ann Intern Med. 1996;124:229–39.

    PubMed  CAS  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Matthew K. Wynia MD, MPH.

Additional information

The views expressed in this article represent the consensus of the Ethical Force Program’s Oversight Body members as interpreted by the writing group of authors listed. The report may not reflect the positions of the members’ or authors’ affiliated organizations. Members of the Ethical Force Program’s Expert Advisory Panel on Privacy and Confidentiality served in an advisory capacity to the Oversight Body. Neither their own nor their affiliated organizations’ endorsement of the report should be inferred.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Wynia, M.K., Coughlin, S.S., Alpert, S. et al. Shared expectations for protection of identifiable health care information. J GEN INTERN MED 16, 100–111 (2001). https://doi.org/10.1111/j.1525-1497.2001.00515.x

Download citation

  • Issue Date:

  • DOI: https://doi.org/10.1111/j.1525-1497.2001.00515.x

Key words

Navigation