APsaA is committed to protecting patient privacy in order to safeguard the privacy of our patients, to protecting our ethical standards, and to assuring a future for our profession. These Privacy Principles, essential for quality health care, are based on:
APsaA's legislative counsel, Jim Pyles, has developed the privacy principles based on:
APsaA's ethics standards,
the ethics based medical privacy bill APsaA developed, and
the Privacy Amendment APsaA developed with Congressman Ed Markey.
Federal legislation should include at least the following basic principles to preserve the individuals' right to health information privacy.
Basic Privacy Principles for Quality Health Care
Federal legislation should include at least the following basic principles to preserve the individuals' right to health information privacy.
1. Privacy provisions in federal legislation should recognize that individuals have a right to health information privacy. [1]
2. Individuals should be permitted to exercise their right to health information privacy by choosing whether or not to give their written or electronic informed consent for disclosures and redisclosures of their identifiable health information, unless otherwise mandated by law. [2]
3. Individuals should be allowed to limit the disclosure of certain especially sensitive health information (such as mental health, genetic testing, HIV/AIDS, and drug and alcohol treatment information) to only designated practitioners or for specific purposes. [3]
4. The privacy protections should apply to any individual or entity that handles personal health information. [4]
5. The privacy protections should provide individuals with a right to obtain damages and other relief where a reasonable person would have known that a disclosure was improper.[5]
6. The privacy protections should require notification of actual or suspected privacy breaches to individuals whose privacy has been compromised. [6]
7. Nothing in the privacy protections should be construed as superseding, altering, or affecting (in whole or in part) any statute, regulation, order, or other interpretation in effect in any State or any standard of professional ethics that affords any person privacy and security protections greater than the privacy and security protections in federal law. [7]
8. Health information privileges recognized under federal and state law should not be supplanted or limited by federal law. Any disclosure of health information for the purposes of obtaining health insurance payment or coverage should not result a waiver of any privilege. [8]
9. The terms health information privacy, confidentiality and security should have the following meanings:
Health information privacy should mean an individual's right to control the acquisition, uses, or disclosures of his or her identifiable health data.
Confidentiality should mean that those who receive personal health care information are obliged to respect the privacy interests of those to whom the data relate.
Security means the physical, technological, or administrative safeguards or tools used to protect identifiable health data from unwarranted access of disclosure. [9]
Approved June, 2007
References
1 This "reasonable expectation" of privacy for health information has been recognized repeatedly by courts at every level of the federal judiciary. Ferguson v. City of Charleston , 532 U.S. 67 (2001); Whalen v. Roe, 429 U.S. 589 (1977); U.S. v. Scott, 424 F.3d 888 (9th Cir. 2005); Douglas v. Dodds, 419 F.3d 1097 (10th Cir. 2005); Tucson Woman's Clinic v. Eden, 371 F.3d 1173 (9th Cir. 2004).
2 This ability to have some control over the disclosure of one's health information has been identified as the essence of the right to health information privacy. HHS Finding, 65 Fed. Reg. at 82,465; U.S. v. Westinghouse, 638 F.2d 570, 577, n. 5 (3rd Cir. 1980). This ability to have some control over disclosures is the core concept of the right to health privacy recognized in the minimum standards for the ethical practice of medicine in the code of ethics for nearly every segment of the medical profession. See e.g., AMA, Current Opinions of Council on Ethical and Judicial Affairs, E-5.05 (1998). HHS included consent as a requirement for routine disclosures in the Original HIPAA Health Information Privacy Rule (65 Fed. Reg. at 82,474), and the Amended Rule, which dropped the requirement, made clear that nothing in that rule was intended to eliminate or supplant this ethics standard. (67 Fed. Reg. at 53,212). S. 3713, introduced by Senator Hillary Clinton (D-NY) would reinstate the consent requirement.
3 Most states provide special privacy protections for these types of information. The National Committee on Vital and Health Statistics (NCVHS) has found that the individual's right to limit access to certain kinds of health information (such as psychiatric records) is recognized in Australia, Great Britain, Canada, and Denmark. Privacy and Confidentiality in the Nationwide Health Information Network, NCVHS report to Secretary of HHS, p. 6 (June 22, 2006).4 The NCVHS has noted that the HIPAA Privacy Rule is inadequate for a national electronic health information system because it only applies to "covered entities involved in claims processing". NCHVS report to the Secretary of HHS, p. 9. The Joint Position Statement on Health Information Confidentiality by the American Medical Informatics Association and the American Health Information Management Association provides that "health information privacy protections must follow [health information] no matter where it resides." (July 2006).
5 Most states currently provide or permit a right of action for privacy breaches.
6 Such breach disclosure laws have been adopted in at least 33 states. The Joint Position Statement of AMIA and AHIMA also supports this principle.
7 As noted, HHS has taken the position that more stringent state health privacy protections and standards of professional practice should not be supplanted by electronic information standards. 67 Fed. Reg. at 53,212.
8 A psychotherapist-patient privilege is recognized under federal law and the laws of all 50 states and the District of Columbia. Jaffee v. Redmond, 518 U.S. 1 (1996). A physician-patient privilege is recognized in 43 states and the District of Columbia. "The State of Health Privacy", Health Privacy Project (2000).
These definitions have been adopted by the National Institutes of Health and have been recommended by the National Committee on Vital and Health Statistics, report to the Secretary of HHS, p. 2. |