This report contains recommendations on standards for the protection of the privacy of individually identifiable health information. The Committee recommended that the Secretary of Health and Human Services and the Administration assign the highest priority to the development of a strong position on health privacy that provides the highest possible level of protection for the privacy rights of patients. The Committee also unanimously recommended that the 105th Congress enact a health privacy law before it adjourned in the fall of 1998.
The Committee called for a law that would require creators and users of identifiable health information to —
- ensure a full range of fair information practices, including a patient's right of access to records, the right to seek amendment of records, and the right to be informed about uses of health information;
- accept reasonable restrictions and conditions on access to and use of identifiable health information;
- maintain protections for health information as it passes into the hands of secondary and tertiary users so that there are no loopholes that allow health information to escape from privacy controls;
- provide adequate security for health data no matter what media are used to create, transmit, or store data;
- accept accountability for actions that affect the privacy interests of patients;
- use non-identifiable, coded, or encrypted information when a function can be fully or substantially accomplished without more specific identifiers.