
UNIFORM HEALTH-CARE INFORMATION ACT







Drafted by the





NATIONAL CONFERENCE OF COMMISSIONERS

ON UNIFORM STATE LAWS





and by it





APPROVED AND RECOMMENDED FOR ENACTMENT

IN ALL THE STATES





at its





ANNUAL CONFERENCE

MEETING IN ITS NINETY-FOURTH YEAR

IN MINNEAPOLIS, MINNESOTA

AUGUST 2 - 9, 1985







WITH PREFATORY NOTE AND COMMENTS





















Approved by the American Bar Association

Baltimore, Maryland, February 11, 1986






The Committee that acted for the National Conference of Commissioners on Uniform State Laws in preparing the Uniform Health-Care Information Act was as follows:



K. KING BURNETT, P.O. Box 910, Salisbury, MD 21801, Chairman

HARVEY BARTLE, III, 3400 Centre Square West, 1500 Market Street, Philadelphia, PA 19102

GEOFFREY D. CANT, Department of Legislative Reference, 90 State Circle, Annapolis, MD 21401, Drafting Liaison

TIMOTHY J. CONIN, JR., New England School of Law, 154 Stuart Street, Boston, MA 02116

MICHAEL FRANCK, 306 Townsend Street, Lansing, MI 48933

CHARLES W. JOINER, P.O. Box 7880, Ann Arbor, MI 48107

JOHN W. WAGSTER, 8th Floor, Third National Bank, Nashville, TN 37219

WILLIAM H. WOOD, 208 Walnut Street, Harrisburg, PA 17108

ROBERT R. BELAIR, 1900 M Street, N.W., Washington, DC 20036, Reporter

ALAN R. BENNETT, 1575 Eye Street, N.W., Washington, DC 20005, Reporter

CARLYLE C. RING, JR., Room 322-D, 5390 Cherokee Avenue, Alexandria, VA 22312, President (Member Ex Officio)

PHILLIP CARROLL, 120 East Fourth Street, Little Rock, AR 72201, Chairman, Executive Committee

WILLIAM J. PIERCE, University of Michigan, School of Law, Ann Arbor, MI 48109, Executive Director

ELMER R. OETTINGER, 58 Oakwood Drive, Chapel Hill, NC 27514, Chairman, Division F (Member Ex Officio)





Review Committee



HOWARD J. SWIBEL, 75th Floor, 233 South Wacker Drive, Chicago, IL 60606, Chairman

RANDALL P. BEZANSON, University of Iowa, College of Law, Room 242, Iowa City, IA 52242

JOAN G. POULOS, 1723 Oak Avenue, Davis, CA 95616





Advisors to Special Committee on Uniform Health-Care Information Act





SUSAN N. CHERNOFF, ESQ. and WILLIAM H. ROACH, JR., ESQ., American Society of Law and Medicine

MICHAEL O. CONNELLY, ESQ., American Bar Association

JILL CALLAHAN DENNIS and CHARLES R. MORGAN, American Medical Record Association

JOHN P. FANNING, ESQ., United States Department of Health and Human Services

ROBERT M. GELLMAN, ESQ., Counsel to Subcommittee on Government Information, Justice and Agriculture of the House of Representatives and the Committee on Government Operations

MARCIA K. GOIN, M.D. and GEORGE J. McMAHON, M.D., American Psychiatric Association

KENNETH A. PELKER, Metropolitan Life Insurance Company and American Council of Life Insurance

RICHARD N. PETERSON, American Hospital Association

SHIRLEY D. RIVERS, ESQ., American Medical Association

Final, approved copies of this Act and copies of all Uniform and Model Acts and other printed matter issued by the Conference may be obtained from:



NATIONAL CONFERENCE OF COMMISSIONERS

ON UNIFORM STATE LAWS

645 North Michigan Avenue, Suite 510

Chicago, Illinois 60611

(312) 321-9710






PREFATORY NOTE



The critical role that confidentiality plays in the provision of health care has been recognized almost from the inception of the medical profession. It is well accepted that confidentiality is essential to a patient's trust in a health-care provider and to a patient's willingness to supply information candidly for his or her benefit. See, generally, Gellman, Prescribing Privacy: The Uncertain Role of the Physician in the Protection of Patient Privacy, 62 N.C.L. Rev. 255 (1984) (hereinafter cited as Gellman).



Over the last several decades, a number of fundamental developments have increased the threat to confidentiality of health-care information. The emergence of third-party payment plans; the use of health-care information for nonhealth-care purposes; the growing involvement of government agencies in virtually all aspects of health care; and the exponential increase in the use of computers and automated information systems for health-care record information have combined to put substantial pressure on traditional confidentiality protections. Privacy Protection Study Commission, Personal Privacy in an Information Society, 283 (1977) (hereinafter cited as Privacy Commission Report).



To make matters worse from a privacy standpoint, the sheer amount of personal data kept in health-care records and the number of individuals who monitor those records have mushroomed over the same period. It goes without saying that much of the information in health-care records is highly personal and, if disclosed improperly, may cause emotional, psychological, and physical harm to the patient. The Privacy Commission (1975-1977) and the National Commission on the Confidentiality of Health Records (1976-1979) received hundreds of complaints from patients describing harms they suffered as a result of the misuse of their health records. The Canadian "Krever Commission" (Report of the Commission of Inquiry into the Confidentiality of Health Information (1980)) documented several hundred instances of abuse of medical records.



For all of these reasons Congress, state legislatures, courts, and health professional organizations have struggled over the last 20 years to develop law and policy that restore patient privacy and confidentiality protections. Nevertheless, the great majority of states have not yet adopted comprehensive statutes that regulate the record-keeping practices of health-care providers.



In almost one-fifth of the states, comprehensive privacy acts - based more or less on the 1974 federal Privacy Act, 5 U.S.C. § 552(a) - provide some assurance that state-held medical records will not be disclosed to third parties without first obtaining the patient's consent. E.g., Ark. Stat. Ann. § 16-802 et seq.; Conn. Gen. Stat. Ann. § 4-190 et seq.; Ind. Code Ann. § 4-1-6-1; Mass. Gen. Laws ch. 30 § 63, ch. 66A §§ 1-3, ch. 214 § 3B; Minn. Stat. Ann. § 15.162 et seq.; Ohio Rev. Code Ann. § 1347.01 et seq.; Utah Code Ann. § 63-50-1 et seq.; Va. Code § 2.1-377 et seq.



However, only two types of health-record legislation are common to virtually every state. First, statutes in every state require health-care providers to report certain types of patient information to state agencies. Typically, these statutes require providers to report health data concerning their patients who have: violent injuries (gunshot and knife wounds are most common); contagious or infectious diseases; tuberculosis; venereal disease; occupational illnesses or injuries; certain congenital defects; and injuries from child abuse.



Secondly, almost every state recognizes some type of provider-patient privilege. The privilege permits the patient to restrict his physician (and occasionally other types of health professionals) from disclosing in many types of judicial proceedings, information received in confidence from the patient about the patient's health. Because a physician-patient privilege did not exist at common law, courts do not recognize a privilege in states without statutory provisions. (South Carolina, Texas, and Vermont do not have health-care provider-patient privilege statutes and are thus the exception to the rule.)



Most privilege statutes expressly provide that the privilege belongs to the patient and thus can be waived by the patient. Other circumstances in which physicians can be compelled to provide information to a court include court-ordered examinations, where child abuse is at issue, where involuntary hospitalization is at issue, and where the patient relies upon his medical condition as a defense.



It is difficult to generalize about privilege case law since it involves statutory, common law, and occasionally constitutional doctrines. However, privilege decisions seem increasingly to narrow the circumstances under which privilege can be claimed, and to expand exceptions requiring providers to provide health-record information. This trend confirms the opinion of many health-care professionals that the privilege doctrine is an increasingly fragile shield to protect the confidentiality of the health-care relationship. Gellman, supra, p. 3, at 272.



Virtually all major health professional groups, including the American Medical Association, the American Hospital Association, the American Nurses' Association, the American Psychiatric Association, the American Medical Record Association, and the American Psychological Association, have adopted formal codes, guidelines, or policies regarding the handling of health records. For legislative audiences, the American Psychiatric Association, the American Medical Record Association, and the American Medical Association, among others, developed model health-record confidentiality statutes.



In drafting this Act, the Conference took into account the proposed standards and model statutes written by these health professional groups and national commissions. The Act embodies many of the standards and all of the principles found in the recommendations of the federal Privacy Protection Study Commission. Existing and proposed state and federal statutes were also reviewed and utilized.



Many of the organizations with a direct interest in the subject of this Act participated directly in the Conference's drafting process. These included the American Medical Association, the American Hospital Association, the American Medical Record Association, the American Psychiatric Association, the Health Insurance Association, the United States Department of Health and Human Services, the United States Department of Justice, and the American Bar Association. In addition, the Conference sought and received written input from numerous other interested organizations and individuals including the National Blood Bank Association, the Hospital Pharmacists Association, the American Society of Internal Medicine, the American Society of Law and Medicine, and others. Although such assistance is gratefully acknowledged, the Conference is solely responsible for the final product, which was the subject of three years of effort by the Drafting Committee and was debated by the entire Conference in two separate years.



The contents of Article I address more specifically the underlying reasons for the Act, as Legislative Findings.



UNIFORM HEALTH-CARE INFORMATION ACT







ARTICLE I

FINDINGS AND DEFINITIONS





SECTION 1-101. LEGISLATIVE FINDINGS. The [Legislature] finds that:



(1) Health-care information is personal and sensitive information that if improperly used or released may do significant harm to a patient's interests in privacy, health-care, or other interests.



(2) Patients need access to their own health-care information as a matter of fairness to enable them to make informed decisions about their health care and correct inaccurate or incomplete information about themselves.



(3) In order to retain the full trust and confidence of patients, health-care providers have an interest in assuring that health-care information is not improperly disclosed and in having clear and certain rules for the disclosure of health-care information.



(4) Persons other than health-care providers obtain, use, and disclose health-record information in many different contexts and for many different purposes. It is the public policy of this State that a patient's interest in the proper use and disclosure of the patient's health-care information survives even when the information is held by persons other than health-care providers.



(5) The movement of patients and their health-care information across state lines, access to and exchange of health-care information from automated data banks, and the emergence of multi-state health-care providers creates a compelling need for uniform law, rules, and procedures governing the use and disclosure of health-care information.



Comment



The inclusion of a statement of legislative findings is a common practice in privacy legislation. These findings aid agency officials, courts, and the public in identifying and properly applying the Act's purposes. For example, the Conference's Uniform Information Practices Code contains a statement of "General Provisions" which sets forth the purposes to be served by the Information Practices Code.



The first statement recognizes the extraordinary sensitivity of health-care information. The second expresses the Act's view that patients should have access to their own health-care information and an opportunity to correct inaccurate or incomplete information. The Act seeks to give patients more control over their health-care information by giving them a right to see and copy their own records and to correct and amend their records when these records are in the hands of health-care providers.



The third statement expresses the view that health-care providers have an interest in assuring the confidentiality of health-care information and in being able to rely upon clear and certain rules to govern disclosure decisions. In this regard the Act permits patients to approve or disapprove disclosures by health-care providers to third parties in most instances. Moreover, the Act seeks to restrict and regulate the flow of health-care information to third parties by carefully limiting disclosures that can be made without patient consent; by restricting the acquisition of health-care information by compulsory process; and by imposing security requirements on health-care providers maintaining such data.



The fourth statement makes the point that many nonhealth-care providers obtain, use, and disclose health-care information for innumerable nonhealth-care purposes. It is the public policy of the state that a patient has an interest in the proper use and disclosure of the patient's health-care information even when the information is held by nonhealth-care providers. The statement recognizes that such rights exist as a matter of case law and other expressions of public policy, and is intended to assure that enactment of the Act - notwithstanding its general limitation to health-care providers - does not undercut health-record privacy rights that may exist under other law and in other contexts.



There are two reasons why the Act does not attempt to regulate the use or redisclosure of health-care information once such information is held by nonhealth-care providers (except in those limited circumstances set forth in Article II where a health-care provider makes health-care information available to third parties without the patient's consent and in order to meet the provider's needs or interests). First, the expectations that a patient and society can rightfully have concerning the use and disclosure of health-care information must necessarily change when health-care information is held by nonhealth-care providers. The type of relationship that nonhealth-care providers have with patients is inevitably different than the relationship that health-care providers have with patients. The interests that will be advanced or deterred by confidentiality are different; the needs of the nonhealth-care providers to use and disclose the information are different; and the threat to patient privacy interests is different. These issues are complex, and require different responses, depending on the identity of the particular holder of the record and the reasons for which the records are held.



Second, in recognition of these differing interests and needs Congress and state legislatures have already adopted, or are well along in the process of adopting, statutes that regulate the handling of personal information, including health-care information, when held outside of the health-care relationship. For example, the Fair Credit Reporting Act regulates the handling of health-care information by consumer reporting agencies. The Privacy Act of 1974 regulates the handling of health-care information by federal agencies. Over a dozen states have adopted statutes which regulate the handling of health-care information by state agencies. A model privacy protection act, promulgated by the National Association of Insurance Commissioners, and thus far adopted in some ten states, addresses the handling of health-care information by insurance carriers. Several states have adopted statutes which regulate the handling of health-care information by private employers.



These legislative developments indicate as an empirical matter that a health-care information statute should not cover the handling of health-care information by nonhealth-care providers. As a conceptual matter a health-care information statute should not attempt to cover health-care information in other record-keeping settings because the expectations, interests, needs, and threats posed by the use and disclosure of health-care information in these different record-keeping relationships vary so significantly.



No doubt for these reasons, virtually every record-keeping and privacy statute that has been adopted, including the Conference's Uniform Information Practices Code, regulates personal information according to the type of record-keeper holding the information, and not according to the type of personal information being held. In taking this approach Congress, state legislatures, and other legislative authors are acting in a manner that is consistent with the recommendations of the Privacy Protection Study Commission.



The fifth and final statement in the Findings section explains that a uniform law is necessary due to the movement of patients and their health-care information across state lines; the use of automated information systems; and the emergence of multi-state health-care providers.



It is increasingly common for patients to have health-care information created in one state but used in another state. Given the mobility of patients, and the patients' use of providers located in different states, it is important for patients to be able to rely on uniform rules for patient access and confidentiality. Moreover, health-care information is increasingly maintained and communicated via automated information systems. The effective operation of these systems and their operation in a manner protective of patient interest is advanced by uniform confidentiality standards.



Furthermore, health care increasingly is provided by many different types of providers. In the early part of this century roughly 85 percent of all health professionals were physicians. Today physicians make up only about five percent of the total. Dilemma, A Report of the National Commission on the Confidentiality of Health Records (1977), at p. 2. Thus, the physician's ethical tradition of confidentiality plays a diminishing role in assuring health-record privacy.



Moreover, not only are health-care occupations changing, so too is the corporate status of health-care providers. Increasingly, health care is provided by national corporations with health-care operations in many different states. Some of these corporations have begun to centralize their record-keeping operations. As a result of these changes in the health-care industry, it is of growing importance that providers be able to rely upon uniform confidentiality standards.





SECTION 1-102. DEFINITIONS. As used in this [Act], unless the context otherwise requires:



(1) "Audit" means an assessment, evaluation, determination, or investigation of a health-care provider by a person not employed by or affiliated with the provider to determine compliance with:



(i) statutory, regulatory, fiscal, medical, or scientific standards;



(ii) a private or public program of payments to a health-care provider; or



(iii) requirements for licensing, accreditation, or certification.



(2) "Directory information" means information disclosing the presence and the general health condition of a particular patient who is an in-patient in a health-care facility or who is currently receiving emergency health care in a health-care facility.



(3) "General health condition" means the patient's health status described in terms of "critical," "poor," "fair," "good," "excellent," or terms denoting similar conditions.



(4) "Health care" means any care, service, or procedure provided by a health-care provider:



(i) to diagnose, treat, or maintain a patient's physical or mental condition, or



(ii) that affects the structure or any function of the human body.



(5) "Health-care facility" means a hospital, clinic, nursing home, laboratory, office, or similar place, where a health-care provider provides health care to patients.



(6) "Health-care information" means any information, whether oral or recorded in any form or medium, that identifies or can readily be associated with the identity of a patient and relates to the patient's health care. The term includes any record of disclosures of health-care information.



(7) "Health-care provider" means a person who is licensed, certified, or otherwise authorized by the law of this State to provide health care in the ordinary course of business or practice of a profession. The term does not include a person who provides health care solely through the sale or dispensing of drugs or medical devices.



(8) "Institutional review board" means any board, committee, or other group formally designated by an institution, or authorized under federal or state law, to review, approve the initiation of, or conduct periodic review of research programs to assure the protection of the rights and welfare of human research subjects.



(9) "Maintain," as related to health-care information, means to hold, possess, preserve, retain, store, or control that information.



(10) "Patient" means an individual who receives or has received health care. The term includes a deceased individual who has received health care.



(11) "Person" means an individual, corporation, business trust, estate, trust, partnership, association, joint venture, government, governmental subdivision or agency, or any other legal or commercial entity.



Comment



This section contains the Act's definitions.



Subsection (1) defines the term "audit." The definition of audit is important because the Act allows nonconsensual disclosure for the purpose of an "audit." See Section 2-104(a)(8). Audit is defined broadly to include government and private assessments, evaluations, determinations, or investigations relating to compliance with statutory, regulatory, fiscal, medical, or scientific standards, or compliance with a private or public program of payments to health-care providers. Thus, audit may include traditional governmental auditing as well as private health program auditing, including rate setting and rate review, where applicable.



Audits also include assessments and investigations for licensing, accreditation, or certification of health-care facilities or providers by such organizations as the Joint Commission on Accreditation of Hospitals.



Organizations, such as hospital management companies, Blue Cross/Blue Shield and commercial insurers, which evaluate utilization, financial, or management practices under contractual arrangements with health-care facilities or providers also are included in this definition. These organizations, however, may not use their audit authority to obtain information to make decisions about payment of a particular patient's claim. Insurers can obtain information for claim purposes only by first obtaining the patient's consent, pursuant to Section 2-102.



Subsection (2) defines "directory information" as the disclosure of the presence and general health condition of an in-patient in a health-care facility or one who is receiving emergency treatment in a health-care facility. Under the terms of Section 2-104(b)(1), a health-care provider may disclose directory information without the patient's consent, unless the patient has instructed the health-care provider not to make the disclosure.



Disclosure of a patient's presence can include sufficient information to identify the patient and his location, including room and telephone numbers within the facility. While a facility is expected to exercise appropriate discretion to minimize the extent to which the disclosure of directory information jeopardizes patient privacy, disclosure of such information is common, absent instructions from the patient.



Subsection (3) defines "general health condition" to mean a generic description of the patient's health status such as "critical," "fair," "good," etc. The term "general health condition" does not include information about the diagnosis, symptomatology, or prognosis for the patient.



Subsection (4) defines "health care" broadly to include any type of service to diagnose, treat, or maintain a patient's physical or mental condition. The second part of the definition is included to make clear that medical procedures performed on one patient to help another, such as the withdrawal of blood by a bloodbank or a kidney transplant, are included.



Subsection (5) defines "health-care facility" to mean any physical location, such as a hospital, clinic, laboratory, or office which is maintained to permit a health-care provider to dispense health care.



Subsection (6) defines "health-care information" as any information in any form which relates to the patient's health care and can identify the patient. This definition is broad and includes all provider-maintained information, including a patient's personal health history, that both relates to health care and can be used to identify the patient. Health-care information does not include information which cannot be linked to a particular patient. Health-care information includes the record of disclosures of health-care information (the disclosure log). Providers are required to maintain such a log under Section 2-101(b) of the Act. If a state has an act which makes birth and death certificates public information, this Act would not affect that if an appropriate reference is made in Section 9-106.



Subsection (7) defines "health-care provider" to mean any person licensed, certified, or otherwise authorized by state law to provide health care as a business or a profession. The term "otherwise authorized" connotes some kind of formal recognition by appropriate authorities that the person is entitled to provide health care as a business or profession. Thus, family members providing health care are not covered, whereas licensed laboratories are covered.



However, this definition does not include pharmacists (except pharmacists that are employed by health-care providers, such as hospitals and those who perform services in addition to dispensing prescriptions) or others who provide health care solely through the sale or dispensing of drugs or medical devices. Persons who dispense health care exclusively through the sale of drugs and medical devices - pharmacists primarily - are excluded because they traditionally have a different relationship with their patients than do health-care providers. The relationship more closely resembles a seller-customer relationship than a provider-patient relationship. In addition, pharmacists and drug companies have an information relationship that should not be disturbed in an Act designed to address problems in the provider-patient relationship.



Subsection (8) defines "institutional review board" (IRB) to mean any board, committee, or other group designated by an institution to protect the rights of human research subjects. The definition includes IRB's established under Section 474 of the Public Health Service Act and state law.



In the last few years, IRB's have become a familiar part of the medical landscape. Federal health-care facilities and most other medium to large health-care facilities have created IRB's to review requests for the conduct of human experimentation research. IRB's are used in this Act as the necessary approval mechanism for research projects which are authorized to obtain access, in the provider's discretion, to health-care information, without patient consent. If a particular facility does not have an IRB, it is expected that researchers will find an appropriate IRB. The Act authorizes providers to rely on a finding by any qualified IRB, even if that IRB is not affiliated with the provider.



Subsection (9) defines "maintain" broadly to mean any act of holding or controlling health-care information. A provider who maintains health-care information is subject to the requirements of the Act.



Subsection (10) defines "patient" to include both living and deceased individuals who receive or have received health care. The right of privacy survives death because reputation may be substantially harmed by the release of health-care information. When this occurs, family members, the deceased's estate, and others may be hurt or damaged. The personal representative of the deceased (by whatever name known in the particular state), as set out in Section 6-102, has the right to exercise this surviving right of privacy. See Boggess v. Aetna Life Insurance Co., 196 S.E.2d 172 (Ga. 1973).



Subsection (11) defines "person" broadly to include any natural person or organizational entity, including trusts, partnerships, and corporations.







ARTICLE II

DISCLOSURE OF HEALTH-CARE INFORMATION





SECTION 2-101. DISCLOSURE BY HEALTH-CARE PROVIDER.



(a) Except as authorized in Section 2-104, a health-care provider, an individual who assists a health-care provider in the delivery of health care, or an agent and employee of a health-care provider may not disclose health-care information about a patient to any other person without the patient's written authorization. A disclosure made under a patient's written authorization must conform to the authorization.



(b) A health-care provider shall maintain, in conjunction with a patient's recorded health-care information, a record of each person who has received or examined, in whole or in part, the recorded health-care information during the next preceding [three] years, except for a person who has examined the recorded health-care information under paragraph (1) or (2) of Section 2-104(a). The record of disclosure must include the name, address, and institutional affiliation, if any, of each person receiving or examining the recorded health-care information, the date of the receipt or examination, and, to the extent practicable, a description of the information disclosed.



Comment



This section prohibits a health-care provider from disclosing any health-care information about a patient without the patient's written authorization, unless the disclosure is permitted by Section 2-104 of this Act. An authorization must comply with the requirements of Section 2-102. Disclosures made pursuant to an authorization must be limited to the terms of that authorization.



Subsection (b) requires the health-care provider to maintain for three years a record of disclosures of written or otherwise recorded health-care information that the provider makes to any person who is providing the health-care provider with certain specified services. The subsection does not require that a record of oral disclosures be established or maintained. The disclosure record must contain the name and address of each recipient, the date of disclosure, and a description of the disclosed information (e.g., "x-rays," "full chart," or "all records relating to hospitalization for pneumonia"). The record of disclosure is to be maintained with the patient's health-care information where possible; however, if the records are kept in a form where that is not possible, the disclosure record should be readily accessible.



Nothing in this subsection requires a health-care provider to keep the underlying health-care records for a specific period of time, or indeed, to keep them at all. Indeed, the same is true for the rest of the Act, except for the provisions of Section 7-102, which requires retention of records while either a request for access by a patient or a request for disclosure pursuant to a disclosure authorization is pending. The purpose of this Act is to protect patient confidentiality; record retention practices raise a different set of considerations and are governed by another body of law.



The categories of persons to whom disclosure can be made without the need for a disclosure record include independent contractors performing services for a health-care provider, such as data processing, as well as students or faculty of health-professional schools affiliated with a health-care facility. Persons who are not employees of a health-care provider, however, are subject to the special restrictions on redisclosure provided in Section 2-104(a)(2).





SECTION 2-102. PATIENT AUTHORIZATION TO HEALTH-CARE PROVIDER FOR DISCLOSURE.



(a) A patient may authorize a health-care provider to disclose the patient's health-care information. A health-care provider shall honor an authorization and, if requested, provide a copy of the recorded health-care information unless the health-care provider denies the patient access to health-care information under Section 3-102.



(b) A health-care provider may charge a reasonable fee, not to exceed the health-care provider's actual cost for providing the health-care information, and is not required to honor an authorization until the fee is paid.



(c) To be valid, a disclosure authorization to a health-care provider must:



(1) be in writing, dated, and signed by the patient;



(2) identify the nature of the information to be disclosed;



(3) identify the person to whom the information is to be disclosed.



(d) Except as provided by this [Act], the signing of an authorization by a patient is not a waiver of any rights a patient has under other statutes, the rules of evidence, or common law.



(e) A health-care provider shall retain each authorization or revocation in conjunction with any health-care information from which disclosures are made.



(f) Except for authorizations to provide information to third-party health-care payors, an authorization may not permit the release of health-care information relating to future health care that the patient receives more than six months after the authorization was signed.



(g) An authorization in effect on the effective date of this [Act] remains valid for 30 months after the effective date of this [Act] unless an earlier date is specified or it is revoked under Section 2-103. Health-care information disclosed under such an authorization is otherwise subject to this [Act]. An authorization written after the effective date of this [Act] becomes invalid after the expiration date contained in the authorization, which may not exceed 30 months. If the authorization does not contain an expiration date, it expires six months after it is signed.



Comment



This section provides the mechanism by which a patient may authorize the disclosure of health-care information. It is important to note that all of a patient's rights under this section, and indeed under this Act, can be exercised by a person authorized to act on behalf of the patient under Article 6. Under subsection (a), the recipient of such an authorization must honor the patient's request.



Subsection (b) provides that the person making a disclosure pursuant to an authorization may charge the person seeking the record a reasonable fee, not to exceed actual cost, for providing copies of documents. Thus, the provider would be able to recover a reasonable fee for providing copies or actual expenses, whichever is less. See also Comment to Section 3-101.



To be valid, an authorization must meet the criteria set forth in subsection (c).



A patient should have wide latitude in executing an authorization form. It can be very specific (e.g., "x-rays of my broken leg, disclosed by ABC Hospital to EKG Insurance Company") or very general (e.g., "all my health-care information to any life insurance company"), depending on the patient's wishes.



A patient will often have a right to privacy or confidentiality, pursuant to the physician-patient privilege, under other statutory or common law. Common law rights may arise under either tort law or a theory of implied contract. Subsection (d) provides that the signing of an authorization under this law does not, by itself, constitute a waiver of any of these privileges or rights.



Subsection (e) requires health-care providers to maintain authorizations in conjunction with the patient's health-care information.



Subsection (f) limits authorizations to information that already exists or will exist within six months, and prohibits general releases for any information that may be thereafter created. However, an exception is made for authorizations given to third-party payors (for example, insurance companies and employers who are self-insurers) in order to avoid disrupting and delaying patient reimbursement. It should be noted that Article VI provides for a similar exception where, under state law, a second individual is authorized to "stand in the shoes" of a patient who may be incompetent or who has provided a general power of attorney.



Subsection (g) provides a "grandfather" clause for authorizations in effect prior to the passage of this Act. It would create considerable confusion to nullify those authorizations that do not meet the technical requirements of Section 2-102. Therefore, any authorization in effect prior to the passage of this Act will remain in effect for a period of 30 months unless an earlier date was specified or the patient elects to revoke the authorization by written notice pursuant to Section 2-103. Except for the technical requirements of the authorization, health-care information created prior to the effective date of this Act is fully subject to its requirements.



The subsection also provides for a 30-month cap on the length of authorizations signed after the effective date of the Act, although the patient would of course be free to specify a shorter period. The Privacy Protection Study Commission recommended a one-year authorization period; however, it was felt that such a short limit could create logistical problems for patients and providers without an accompanying increase in patient protection. The 30-month period was chosen to permit life insurers access to patient records, pursuant to a disclosure authorization, during the two-year contestability period found in most life insurance policies, and to provide them with a short grace period thereafter to initiate legal action.



The time limits in subsections (f) and (g) must be read together to determine the validity of a particular authorization. For 30 months after an authorization is signed, the holder may obtain access to any records in existence on the date the authorization was signed, or which were created within six months thereafter. Health-care information created more than six months after an authorization is signed cannot be obtained without a new authorization.





SECTION 2-103. PATIENT'S REVOCATION OF AUTHORIZATION FOR DISCLOSURE. A patient may revoke a disclosure authorization to a health-care provider at any time unless disclosure is required to effectuate payments for health care that has been provided or other substantial action has been taken in reliance on the authorization. A patient may not maintain an action against the health-care provider for disclosures made in good-faith reliance on an authorization if the health-care provider had no notice of the revocation of the authorization.



Comment



A patient may, as a general rule, revoke any prior disclosure authorization. The form of revocation and the effective date of any revocation are left to existing state law. There is an exception to this rule when health care has been provided or other action taken in reliance on a prior authorization.



In this context, "action" means substantial or significant action and not trivial or incidental action. This limitation might be operative, for example, when a claim under a life insurance policy is made or when a patient on public assistance has signed an authorization permitting disclosure of information to the state Medicaid authority that will pay for the treatment. It would be inequitable to permit the patient to revoke the authorization upon completion of treatment but prior to submission of the claim by the hospital.



When a health-care provider maintaining a patient's records is presented with an authorization form by an insurance company or other party, it generally has no independent means of determining whether the authorization has been revoked. A health-care provider who relies in good faith on an authorization that conforms on its face to the requirements of this Act is not liable under this Act for improper disclosure that arises from that reliance.





SECTION 2-104. DISCLOSURE WITHOUT PATIENT'S AUTHORIZATION.



(a) A health-care provider may disclose health-care information about a patient without the patient's authorization to the extent a recipient needs to know the information, if the disclosure is:



(1) to a person who is providing health-care to the patient;



(2) to any other person who requires health-care information for health-care education, or to provide planning, quality assurance, peer review, or administrative, legal, financial, or actuarial services to the health-care provider, or for assisting the health-care provider in the delivery of health care and the health-care provider reasonably believes that the person:



(i) will not use or disclose the health-care information for any other purpose; and



(ii) will take appropriate steps to protect the health-care information.



(3) to any other health-care provider who has previously provided health care to the patient, to the extent necessary to provide health care to the patient, unless the patient has instructed the health-care provider not to make the disclosure;



(4) to any person if the health-care provider reasonably believes that disclosure will avoid or minimize an imminent danger to the health or safety of the patient or any other individual;



(5) to immediate family members of the patient, or any other individual with whom the patient is known to have a close personal relationship, if made in accordance with good medical or other professional practice, unless the patient has instructed the health-care provider not to make the disclosure;



(6) to a health-care provider who is the successor in interest to the health-care provider maintaining the health-care information;



(7) for use in a research project that an institutional review board has determined:



(i) is of sufficient importance to outweigh the intrusion into the privacy of the patient that would result from the disclosure;



(ii) is impracticable without the use or disclosure of the health-care information in individually identifiable form;



(iii) contains reasonable safeguards to protect the information from redisclosure;



(iv) contains reasonable safeguards to protect against identifying, directly or indirectly, any patient in any report of the research project; and



(v) contains procedures to remove or destroy at the earliest opportunity, consistent with the purposes of the project, information that would enable the patient to be identified, unless an institutional review board authorizes retention of identifying information for purposes of another research project;



(8) to a person who obtains information for purposes of an audit, if that person agrees in writing to:



(i) remove or destroy, at the earliest opportunity consistent with the purpose of the audit, information that would enable the patient to be identified; and



(ii) not to disclose the information further, except to accomplish the audit or report unlawful or improper conduct involving fraud in payment for health-care by a health-care provider or patient, or other unlawful conduct by the health-care provider;



(9) to an official of a penal or other custodial institution in which the patient is detained.



(b) A health-care provider may disclose health-care information about a patient without the patient's authorization if the disclosure is:



(1) directory information, unless the patient has instructed the health-care provider not to make the disclosure;



(2) to federal, state, or local public-health authorities, to the extent the health-care provider is required by law to report health-care information or when needed to protect the public health;



(3) to federal, state, or local law enforcement authorities to the extent required by law;



(4) pursuant to compulsory process in accordance with Section 2-105.



Comment



Subsection (a) enumerates certain circumstances under which disclosure can be made without patient consent. Disclosure under this subsection is on a need-to-know basis only.



Paragraph (a)(1) permits consultation within a health-care facility and with other health-care providers who are currently treating a patient. Such disclosures are often necessary to permit proper treatment.



Paragraph (a)(2) allows disclosure to persons who are not themselves health-care providers for planning, financial, administrative, or legal purposes. Thus billing services, outside laboratories, independent x-ray facilities, and other outside persons performing functions on behalf of the health-care facility can obtain records without patient authorization. Under this subsection records might be used by or disclosed to staff doctors, research fellows, student doctors and nurses, hospital accountants, and the hospital legal staff. Similarly, records would also be available to an attorney or insurance company acting on behalf of a health-care facility. Although subject to the need-to-know limitation, this paragraph adds restrictions on use and redisclosure of records by nonemployees performing services for a facility. Health-care providers must be satisfied that recipients have agreed to refrain from using the information for any purpose other than for the reason it was disclosed, and to take appropriate steps to protect its confidentiality. Thus, this provision, like other provisions in this Act which authorize nonconsensual disclosures, imposes restrictions on redisclosure. Such restrictions are appropriate and conceptually consistent with other provisions in the Act in that when disclosure is authorized by the patient the Act leaves the question of redisclosure to be worked out by the patient and the recipient or by other law. However, when the disclosure is not authorized by a patient, limits on redisclosure are appropriate because the patient does not have a basis to impose redisclosure limitations on the recipient.



Paragraph (a)(3) permits a health-care provider to consult with other health-care providers who have previously treated the patient. Under this provision, for example, a specialist might consult with the patient's general practitioner to help establish a diagnosis or recommended course of treatment. The patient is given the option of prohibiting such disclosures.



Paragraph (a)(4) permits a health-care provider to disclose information from a patient's record where the health-care provider has reason to believe that disclosure will avoid or minimize imminent danger to the health or safety of the patient or any other individual. Once it is apparent that an individual's health or safety is in imminent jeopardy, privacy concerns can become secondary. In some instances, such as after a serious accident, a patient may be unconscious and unable to consent to the release of information. This subsection would thus permit disclosure to a physician for purposes of emergency treatment. In other cases, such as where the patient is threatening the lives of hostages, the patient will obviously refuse to authorize disclosure. In such cases, immediate access to health-record information by appropriate personnel may be vital. For example, if a psychotic patient tells a physician he will kill another person as soon as he leaves the offices of the physician, that physician should disclose this threat of imminent danger to the threatened person or to the authorities. See Tarasoff v. Regents of the University of California, 17 Cal. 3d 425, 551 P.2d 334, 131 Cal. Rptr. 14 (1976) (physician has duty to exercise reasonable care to protect third persons who may be injured by a patient's actions; thus physician may be liable for failure to warn victim of patient's violent threats).



Paragraph (a)(5) permits a disclosure in those instances where it now generally occurs. For example, if a patient is in a coma or in intensive care after surgery, generally the patient's family is informed of the patient's condition, even if an authorization was not completed beforehand.



There are two restrictions on such disclosures. First, they must be in accordance with good health-care practice. This means that the patient's health-care provider must believe that such a disclosure is appropriate under the circumstances of each individual case. Secondly, the patient may prohibit any disclosure by so informing the health-care provider.



Even where a relative objects to disclosure to another relative, the person seeking information still has the option of going to court to seek release under Section 2-105(a)(9). This might be necessary, for example, if a mother denies her daughter access to records concerning the mother's use of DES or other drugs that could affect descendants.



Paragraph (a)(6) is intended to deal with those situations in which a health-care facility or health-care practice is sold. Such sales normally include a transfer of existing patient files. This practice would be permitted to continue, without the need to obtain consent from each individual patient.



Paragraph (a)(7) permits disclosure to health researchers provided that the research project has first been reviewed and approved by an institutional review board (IRB). IRB's established pursuant to Section 474 of the Public Health Service Act or other federal or state law already review all medical research subject to FDA approval to determine, inter alia, whether patient confidentiality has been sufficiently protected. See 21 C.F.R. § 56.111(7). This Act extends the concept of the IRB to all medical research utilizing individually identifiable health-record information and instructs the review board to make a number of determinations before it can approve the release of identifiable health-record information to a researcher. This requires a decision that the research is sufficiently important to outweigh the patient's privacy interests; is impractical to conduct without health-record information in individually identifiable form; and that the research plan contains adequate safeguards to protect against disclosure of patient identities and other unauthorized redisclosure. While subparagraph (a)(7)(v) permits a researcher to retain health-record information, the researcher must obtain IRB approval before undertaking the project.



Recognizing the importance of medical research to society, the subsection authorizes researchers to redisclose health-record information under certain carefully circumscribed conditions. For example, this provision will permit routine disclosure of health-record information to "registries" established to monitor various diseases such as cancer. Before any such disclosure can be made, however, the registry, like any other research project, would have to be reviewed by an IRB. Registries, which in large measure exist to provide a database for other research, would also be able to redisclose health-record information, provided that the redisclosure is first approved by an IRB.



There are many other situations in which redisclosure of health-record information to other researchers may be necessary. For example, when results of a medical study are published and then reviewed by other researchers and scholars, questions about the conduct of the research or adequacy of the data may arise. If the data may not be redisclosed, there may be no way to verify its accuracy. Further, some studies require that medical records be checked many years after treatment. In a recent example, the link between vaginal cancer and the drug DES was established only after researchers were able to check the records of the victims' mothers, and learned that the mothers had taken DES 20 years before. Indeed, the term "research project" should be broadly construed, and may encompass a series of linked projects. The need to retain information or redisclose it, and the adequacy of the security safeguards should be determined by the IRB on a case-by-case basis.



At the same time, this subparagraph prevents researchers from becoming information resources for law enforcement personnel or for others who might be curious about such data. Health-care providers and patients must be confident that information supplied to researchers will not be used to make decisions directly affecting patients. Thus, the Act permits redisclosure only to other researchers in conformity with a researcher's plan approved by an appropriate institutional review board.



Paragraph (a)(8) is intended to strike a balance between the individual's right of privacy and society's interest in controlling and managing health-care programs, including third-party payment programs. It permits disclosure for purposes of an audit, provided that the auditor does not publicly release patient-identifiable information, unless it is essential to do so and, in any event, removes or destroys such information from any copies of the original material that are retained by the auditor at the earliest opportunity consistent with the purposes of the audit.



Paragraph (a)(9) permits a health-care provider to release patient records to a prison or other custodial facility while an individual is in custody, regardless of whether the health care was provided by the custodial facility or any other health-care facility. Once an individual is released from custody, the individual will have all of the rights accorded by this Act, regardless of whether the records were compiled while the individual was in custody.



Subsection (b) also permits certain disclosures without patient consent. However, it recognizes that there are certain situations in which disclosures should be made without the "need-to-know" restriction of subsection (a), either because that restriction is impractical or because disclosure is legally mandated.



Paragraph (b)(1) provides that the health-care provider may release directory information without a patient's express consent. Directory information is limited to the name and general medical status (e.g., good, fair, stable, poor, or critical condition) of a patient currently receiving treatment on an in-patient or emergency basis. As is the case with disclosure to family members under paragraph (a)(5), the patient may object to the release of such information, in which case the information cannot be released. Additionally, as with all paragraphs in this section, the Act does not require a health-care facility to release any information; it merely permits it to do so. Thus, if a psychiatric hospital has a policy of refusing to release directory information, this Act does not require it to change that policy.



Paragraphs (b)(2) and (b)(3) recognize that many states have adopted statutes or regulations that require the reporting of particular kinds of health-care information to public health or law enforcement authorities. See, e.g., Cal. Lab. Code § 6409 (West 1979) (physician reporting of occupational injuries and illnesses); Ark. Stat. Ann. § 42-615 (1979) (reporting deaths from violence or unusual circumstances); Mass. Gen. Laws Ann. ch. 111, § 191 (West 1979) (reporting of lead poisoning cases). In some instances, for example, health-care providers are required to report information about individuals with highly communicable diseases, such as diphtheria, so that appropriate countermeasures can be taken. See Ala. Code § 22-11-2 (1979); Ariz. Rev. Stat. Ann. § 36-623 (1979); N.J. Stat. Ann. §§ 26:4-15, 26:4-19 (West 1979). Such disclosures do not always have to be made in individually identifiable form. However, laws vary from state to state, and many such laws require disclosure of individually identifiable information. Similarly, a number of states require that health-care providers report conditions such as gunshot or knife wounds or child abuse. See Ind. Code Ann. § 35-23-11-1 (Burns 1979); Mich. Comp. Laws § 750.411 (1970); Va. Code § 54-276.10 (1979); Colo. Rev. Stat. § 19-10-104 (1979); Ohio Rev. Code Ann. § 2151.421 (Page 1979); Wis. Stat. Ann. § 48.981 (West 1979). This provision recognizes these statutes, which often also restrict redisclosure.



Only the information necessary to meet the needs of the compulsory reporting statute should be released. See Minnesota v. Andring, 342 N.W.2d 128 (Minn. 1984) (state child abuse reporting law does not totally abrogate the physician-patient privilege). It should be noted that, even though this subsection is narrowly drafted, paragraph (a)(4) permits complete disclosure to law enforcement personnel in emergency situations. Recognizing that society has a larger interest in rapid investigation of public health problems, such as Acquired Immune Deficiency Syndrome (AIDS), paragraph (b)(2) dealing with public-health investigations is more permissively drafted, permitting disclosure where authorized by law. This section does not require specific statutory authority for a specific piece of information; it is enough if a public-health agency has general statutory authority to request information, and believes it has a need for the information it is requesting.



Paragraph (b)(4) permits disclosure of health-care information pursuant to compulsory process in those situations where compulsory process is permitted under Section 2-105.





SECTION 2-105. COMPULSORY PROCESS.



(a) Health-care information may not be disclosed by a health-care provider pursuant to compulsory legal process or discovery in any judicial, legislative, or administrative proceeding unless:



(1) the patient has consented in writing to the release of the health-care information in response to compulsory process or a discovery request;



(2) the patient has waived the right to claim confidentiality for the health-care information sought;



(3) the patient is a party to the proceeding and has placed his [or her] physical or mental condition in issue;



(4) the patient's physical or mental condition is relevant to the execution or witnessing of a will;



(5) the physical or mental condition of a deceased patient is placed in issue by any person claiming or defending through or as a beneficiary of the patient;



(6) a patient's health-care information is to be used in the patient's commitment proceeding;



(7) the health-care information is for use in any law enforcement proceeding or investigation in which a health-care provider is the subject or a party; but, health-care information so obtained may not be used in any proceeding, against the patient, unless the matter relates to payment for the patient's health care, or unless authorized under paragraph (9).



(8) the health-care information is relevant to a proceeding brought under Article 8; or



(9) a court has determined that particular health-care information is subject to compulsory legal process or discovery because the party seeking the information has demonstrated that the interest in access outweighs the patient's privacy interest.



(b) Unless the court, for good cause shown, determines that the notification should be waived or modified, if health-care information is sought under paragraph (2), (4), or (5) of subsection (a) or in a civil proceeding or investigation under paragraph (9) of subsection (a), the person seeking discovery or compulsory process shall mail a notice by first-class mail to the patient or the patient's attorney of record of the compulsory process or discovery request at least [ten] days before presenting the certificate required under subsection (c) to the health-care provider.



(c) Service of compulsory process or discovery requests upon a health-care provider must be accompanied by a written certification, signed by the person seeking to obtain health-care information, or his [or her] authorized representative, identifying at least one paragraph of subsection (a) under which compulsory process or discovery is being sought. The certification must also state, in the case of information sought under paragraph (2), (4), or (5) of subsection (a), or in a civil proceeding under paragraph (9) of subsection (a), that the requirements of subsection (b) for notice have been met. A person may sign the certification only if the person reasonably believes that the paragraph of subsection (a) identified in the certification provides an appropriate basis for the use of discovery or compulsory process. Unless otherwise ordered by the court, the health-care provider shall maintain a copy of the process and the written certification as a permanent part of the patient's health-care information.



(d) Production of health-care information under this section, in and of itself, does not constitute a waiver of any privilege, objection, or defense existing under other law or rule of evidence or procedure.



Comment



Many of the protections contained in this Act would be of little value if government agencies or others were free to obtain health-care information from health-care providers through the unconditional use of compulsory process or discovery. A hospital or other health-care provider faced with a subpoena, search warrant, or discovery request is now generally required to turn over sensitive health-record information about a patient before the patient who is the subject of the record even knows the information has been requested. See Gellman, supra, at 287-292; Note, Privacy in Personal Medical Information: A Diagnosis, U. Fla. L. Rev. 394, 396-400 (1981). And, under current law in most jurisdictions, since the patient does not have possession of the documents sought through compulsory process or discovery, there is little he can do to contest their release, even when he does have knowledge. Cf. United States v. Miller, 425 U.S. 435 (1976) (customer has no right to challenge subpoena issued to a financial institution to produce the customer's records, which were in the possession of the financial institution).



There are several different ways that this problem can be addressed. The traditional physician-patient privilege, which exists in some form in nearly every state, precludes testimony by a health-care provider about a patient's health-care information. See Gellman, supra, at 272-274. The privilege does not, however, shield health-care information from disclosure pursuant to legal process, and the recipient is free to use information so obtained to pursue investigatory leads. See, e.g., Idaho Code § 9-203 (1982) (physician-patient privilege applies only where physician is subject to examination as a witness in litigation). Thus, the privilege, while it does protect a patient from some potential adverse consequences, does little to protect a patient's privacy interests.



The Federal Right to Financial Privacy Act attempted to address this problem as to bank records by requiring the notification of the subject of records sought through compulsory process before his or her records were released. See 12 U.S.C. §§ 3401-3422 (1982). The subject was then given the right to go to court to bring an action to block release of the records. This approach has not worked well in practice. Few individuals have the knowledge or resources necessary to pursue a legal action, and it would place a considerable burden on the patient. Further, such actions could potentially clog the courts and are cumbersome, requiring a number of expedited procedures and exceptions.



Section 2-105 embodies a different approach, which has already been adopted by some states. See, e.g., Cal. Evid. Code § 994 (West 1980); Mont. Code Ann. § 50-16-314 (1980); R.I. Gen. Laws § 5-37.3-6 (1980). Under this section, production of health-care information can be compelled in legal proceedings only in conformity with the section. It thus extends a physician-patient type privilege to encompass investigations and discovery. In a few states, this Act would create, for the first time, a comprehensive physician-patient type privilege. The general prohibition on the use of compulsory process or discovery in investigatory proceedings represents a major change in policy, modifying long-standing state privilege rules.



This general restriction on compulsory process and discovery does not apply where one of the exceptions contained in subsection (a) applies. Subsection (a) authorizes the use of discovery and compulsory process in nine specified situations. These situations generally include cases where a patient has consented to release of information, litigation, such as malpractice cases, where the patient is a party to a lawsuit, litigation involving a will or a deceased patient, health-care information obtained pursuant to a court-ordered examination, health-care fraud investigations, or pursuant to court order in cases where the interest in access outweighs the patient's privacy interest. In such cases, a patient may assert any of the usual procedural rules or defenses that existed prior to the passage of this Act. Nothing in this Act is intended to reduce current patient rights or to provide any new grant of subpoena authority.



It is important to note that this section in no way supersedes or modifies a state's rules of evidence. While the section does provide a new threshold test that must be met before health-care information is subject to discovery or subpoena, that test is an easier one to meet than the requirements of the rules of evidence. Thus, once health-care information has been discovered or produced under this section, the normal rules of evidence govern its use at trial. There should be no situation in which health-care information would be admissible at trial, but shielded from discovery by this section; on the other hand, it may often be the case that discoverable health-care information will prove inadmissible at trial.



Subsection (a)(2) is intended to permit discovery or compulsory process where the patient has waived confidentiality. It would make little sense, for example, to protect a patient's records from compulsory process where the patient has already granted a newspaper interview about his health condition.



Subsection (a)(3) permits the use of a patient's health-care information where the patient is a party to a lawsuit and has placed his health at issue. This section should be narrowly interpreted, however. If a patient has placed his physical condition at issue, there should not be automatic access to his mental-health records. Where broader access is desired, or where the patient is a witness or a party that has not placed his health information at issue, the party seeking access must proceed under subsection (a)(9), which permits a patient to raise his privacy interests.



Subsection (a)(4) allows for patient records to be used where mental or physical condition is relevant to execution or witnessing of a will. In litigation over testamentary capacity, for example, the best evidence of whether the testator had a "sound mind" may be the testator's medical record at the time of execution of the will. Subsection (b)(4) allows compulsory process as to that evidence. See Mont. Code Ann. § 50-16-314(2)(a) (1980) (adopting the same exception to a general ban on compulsory process or discovery of health-care information).



Subsection (a)(6) allows disclosure of relevant health-care information in civil or criminal commitment proceedings. The purpose of such a proceeding is for the court to assess a patient's health to determine whether that patient is in need of treatment. Without access to the patient's health-care record, a commitment proceeding would be meaningless. See R.I. Gen. Laws § 5-37.3-6(2)(B) (1980).



Subsection (a)(7) recognizes that patient records are often the only evidence available to investigate and prosecute health-care providers or researchers who may have violated the law. A privacy statute intended to protect patients must not shield illegal behavior by providers. Therefore, this subsection permits the use of compulsory process or discovery to obtain information as part of an investigation or proceeding in which a health-care provider is suspected of a violation of law, is a defendant, or is otherwise a party. However, no information obtained under this section can be used in an investigation of, or action against, a patient, unless the action or investigation directly relates to payment by third-party payors for a patient's health care. However, this section does not prohibit use of information obtained by law enforcement personnel that, coincidentally, was also obtained independently under this subsection.



Subsection (a)(9) permits the use of compulsory process or discovery to obtain health-care information where the party seeking access establishes, in an individual case, that its interests outweigh the privacy interests of the patient involved. This section, with its balancing test, should be used wherever patient health-care information is sought to challenge the competency or credibility of a witness, or a party who has not placed his health-care information at issue. This test is also applicable to a case where the subject of information receives notice that his or her records are being sought and has the opportunity to contest access.



This subsection will also permit the use of ex parte or in camera proceedings to obtain a patient's health-care information. Such proceedings should be rarely used, but might be necessary, for example, where a prosecutor is seeking a search warrant and does not want the patient to know.



Subsection (b) provides that a person seeking compulsory process for discovery purposes under subsections (a)(2), (4), (5), or in a civil action under (a)(9) must notify the patient by first-class mail. Obviously, this requirement will also be satisfied by personal service. In the case of access under the other paragraphs of subsection (a), the patient will either know, or should not be told, that his records are being sought, and no notice is necessary.



Subsection (c) provides that the use of compulsory process or discovery must be accompanied by a written certification, signed by the person seeking to enforce such process or that person's representative, identifying the specific paragraph of subsection (a) under which compulsory process or discovery is being sought. The person making the certification must have a reasonable basis for believing that the paragraph of subsection (a) relied upon is applicable. A copy of the certification must be made a permanent part of the patient's health-care information.



Subsection (d) is included to make clear that nothing in the Act is intended to waive any rights that any person might have under existing state law or procedural rules to challenge the disclosure of health-care information through compulsory process or discovery, or its admissibility into evidence. By the same token, nothing in the Act should be construed so as to restore any privilege or right that has otherwise been waived.







ARTICLE III

EXAMINATION AND COPYING OF RECORD





SECTION 3-101. REQUIREMENTS AND PROCEDURES FOR PATIENT'S EXAMINATION AND COPYING.



(a) Upon receipt of a written request from a patient to examine or copy all or part of the patient's recorded health-care information, a health-care provider, as promptly as required under the circumstances, but no later than ten days after receiving the request shall:



(1) make the information available for examination during regular business hours and provide a copy, if requested, to the patient;



(2) inform the patient if the information does not exist or cannot be found;



(3) if the health-care provider does not maintain a record of the information, inform the patient and provide the name and address, if known, of the health-care provider who maintains the record;



(4) if the information is in use or unusual circumstances have delayed handling the request, inform the patient and specify in writing the reasons for the delay and the earliest date, not later than 21 days after receiving the request, when the information will be available for examination or copying or when the request will be otherwise disposed of; or



(5) deny the request, in whole or in part, under Section 3-102 and inform the patient.



(b) Upon request, the health-care provider shall provide an explanation of any code or abbreviation used in the health-care information. If a record of the particular health-care information requested is not maintained by the health-care provider in the requested form, the health-care provider is not required to create a new record or reformulate an existing record to make the health-care information available in the requested form. The health-care provider may charge a reasonable fee, not to exceed the health-care provider's actual cost, for providing the health-care information and is not required to permit examination or copying until the fee is paid.



Comment



In recent years a consensus has emerged that patients should be allowed to inspect their health-care information. In 1945 Massachusetts became the first state to adopt a statute giving patients a right to see their health-care information. Mass. Gen. Laws, ch. 111, § 70. By the early 1980's the number of states which had adopted patient access statutes had grown to approximately 25. Auerbach & Boque, Medical Records: Getting Yours, Public Citizen Health Research Group (1980). That number continues to increase due, in some measure, to a recommendation by the Privacy Protection Study Commission in 1977 that states adopt patient access statutes. Privacy Commission Report at 295.



The consensus supporting patient access to health-care information is also illustrated in the federal Privacy Act, 5 U.S.C. § 552a, which gives patients in federal health-care facilities a right of access to their health-care information, subject to certain limitations.



In addition to statutory patient access requirements, medical licensing boards in several states have adopted rules which require physicians to allow patients to inspect or copy their records in at least most circumstances. Moreover, courts in a number of states have held, even in the absence of a statute, that patients have a common-law right of access to their health-care information. In Hutchings v. Texas Rehabilitation Commission, 544 S.W.2d 802 (Tex. 1976), for example, a former patient sought to compel the Texas Rehabilitation Commission to provide him with access to his medical records. The court held that patients in Texas have a common-law right to inspect their health records. (For other cases holding that patients have a right of access to their records, see National Commission on the Confidentiality of Health Records, Judicial Decisions in Health Record Confidentiality, at 6 (1979).)



In recent years, health-care organizations have joined the chorus of those who support patient access to health-care information. The American Hospital Association and most other major health associations are now on record as supporting patient access. See American Hospital Association, A Patient's Bill of Rights (1972).



There are several reasons for the emergence of a consensus supporting patient access. There is the recognition that patient health-care information is widely shared with parties outside of the health community. Accordingly, basic fairness and patients' needs to assess the impact of such sharing demand that patients be given access to their records.



Other reasons often cited in support of patient access include its positive effect on patients' trust in health-care providers; its positive effect on patients' recovery; its positive effect on both the quality of care and the quality of record-keeping; and the fact that patients, in one way or another, pay for the care and thus should be able to see records documenting the care. Kaiser, "Patients Rights of Access to Their Own Medical Records: The Need for New Law," 24 Buf. L. Rev. 317-30 (1975). For all of these reasons, this section gives patients a right, upon written request, to examine or copy their health-care information.



This section relies on the definition of the term "patient" as defined in Section 1-102 and includes health-care representatives pursuant to Section 6-101 and representatives of deceased patients pursuant to Section 6-102. Any reference to patients in this section refers to those persons authorized to act on behalf of patients under Sections 6-101 and 6-102. However, where patients direct providers to disclose their health-care information to third parties the provisions of this section do not apply. Instead, the patient must proceed under the authorization procedures in Section 2-102.



One of the continuing controversies concerning patient access to health-care information is whether patients should be entitled to obtain a copy of their record or merely be allowed to inspect the record. Subsection (a)(1) opts to give patients the right to obtain copies of their records, if requested. If patients are to have access, there does not seem to be any policy reason why patients should not enjoy the more complete and effective right to obtain a copy of their record.



Subsection (a) also provides that when a health-care provider receives a written request from a patient to examine or copy the patient's health-care information the provider must, as promptly as possible, but in any event within 10 days after receiving the request, respond to the patient by making the record available, by denying access to the record on one of the grounds permitted by Section 3-102, or by informing the patient that the record, for one of the reasons authorized by this section, cannot be provided to the patient or provided within the 10-day time period. The effect of this section is to ensure that patients will receive a timely and complete response to their access request.



A second controversy which continues to simmer relates to whether access rights should apply exclusively to health-care information maintained by institutional health-care providers or should extend, as well, to health-care information maintained by physicians and other kinds of health-care professionals. Access statutes in just over a dozen states apply to health records maintained by providers other than institutions.



This section takes the view that a patient's interest in examining and obtaining a copy of health-care information is just as compelling when the information is maintained by a professional health-care provider as it is when the information is maintained by an institutional health-care provider. Accordingly, this section does not make a distinction between professional and institutional health-care providers. In so doing, this section is consistent with the approach taken throughout the Act.



However, Section 3-101 does contain several provisions that are designed to minimize the burden of complying with patient access requests.



In addition to the extension period permitted under subsection (a), subsection (b) includes two provisions designed to ease any burden for providers. First, the subsection provides that if the patient makes a request for the production of his records in a particular format, a health-care provider need not create a new record or reformulate an existing record in order to comply. Thus, if a patient seeks his record arranged by hospital, and instead his record is arranged chronologically, the provider is under no obligation to reformulate the record. Similarly, if the record is maintained on microfiche, the patient must accept the copy in that form. The provider's obligation is discharged if the provider provides the record in readable form.



Second, subsection (b) gives providers a right to charge patients making examination and copying requests a reasonable fee not to exceed the health-care provider's actual cost for providing the requested information. Health-care providers may be reimbursed for reproduction costs and staff time for searching for, and otherwise producing, records. However, this formulation does not include indirect costs for general overhead. To avoid potential abuse or dispute over what constitutes "actual cost," the fee must also be "reasonable." Examples of fees for locating and copying other kinds of information are not difficult to locate (e.g., government charges for copies of files pursuant to Freedom of Information Act requests, bank charges for copies of customer information, etc.) and should serve as a ready comparison, in addition to those charged by various medical facilities.



The provider may require that the fee be paid in advance.





SECTION 3-102. DENIAL OF EXAMINATION AND COPYING.



(a) A health-care provider may deny access to health-care information by a patient if the health-care provider reasonably concludes that:



(1) knowledge of the health-care information would be injurious to the health of the patient;



(2) knowledge of the health-care information could reasonably be expected to lead to the patient's identification of an individual who provided the information in confidence and under circumstances in which confidentiality was appropriate;



(3) knowledge of the health-care information could reasonably be expected to cause danger to the life or safety of any individual;



(4) the health-care information was compiled and is used solely for litigation, quality assurance, peer review, or administrative purposes; or



(5) access to the health-care information is otherwise prohibited by law.



(b) If a health-care provider denies a request for examination and copying under this section, the provider, to the extent possible, shall segregate health-care information for which access has been denied under subsection (a) from information for which access cannot be denied and permit the patient to examine or copy the disclosable information.



(c) If a health-care provider denies a patient's request for examination and copying, in whole or in part, under paragraph (1) or (3) of subsection (a), the provider shall permit examination and copying of the record by another health-care provider, selected by the patient, who is licensed, certified, or otherwise authorized under the laws of this State to treat the patient for the same condition as the health-care provider denying the request. The health-care provider denying the request shall inform the patient of the patient's right to select another health-care provider under this subsection.



Comment



Undoubtedly, the sharpest continuing controversy about patient access to health-care information concerns whether a health-care provider should have a right to deny access to a patient if the provider believes that access would be injurious to the patient's health. This question is most sharply focused in instances where mental-health patients seek access to their records. In these circumstances, both the volitional quality of the patient's access request and the potential effect of the access on the patient are matters of acute concern. Strassburger, "Problems Surrounding 'Informed Voluntary Consent' and Patient Access to Records," Psychiatric Opinion, 30 (Feb. 1975).



Most state patient access statutes do not apply to mental-health records. Those statutes which do apply usually limit the access right so that the provider maintaining the record can opt to give the record to a third party - often another physician of the patient's choosing. Medical Records: Getting Yours, at 32. In addition, most of the courts that have considered whether mental-health patients have a common-law or a statutory right of access to mental-health information have ruled in the negative. Gotkin v. Miller, 514 F.2d 125 (2d Cir. 1975); Bain v. Spencer, 393 F.2d 108 (1st Cir. 1968), cert. denied, 400 U.S. 866 (1970); Turner v. Reed, 538 P.2d 373 (Or. 1975).



There are instances when a patient's access to his own records should be limited, denied, or circumscribed. Consistent with the other provisions of this Act, these exceptions are set out in this section without distinction as to whether the records relate to mental or physical health, although they will be applicable most often as to mental-health patients.



Subsection 3-102(a) identifies three circumstances when a health-care provider may deny a patient's request to examine or copy his own health-care information. The first is where the health-care provider concludes that patient examination would be injurious to his or her health.



The second, included primarily because of real concerns of the mental-health community, is to encourage third persons, primarily family and friends, to assist the mental-health professional with information helpful in treating the patient. Health-care providers occasionally need to be able to receive information about a patient on a confidential basis, and their confidential sources should be able to provide such information without fear of being identified by the patient.



Thus, if the health-care information could reasonably be expected to enable the patient to identify a person who has provided information to the health-care provider on a confidential basis, and with an expectation that it would be retained in confidence, then, under subsection (a)(2), the patient does not have a right to examine or copy that part of the health-care information.



If the provider determines that the examination or copying could reasonably be expected to cause danger to the life or safety of any person, subsection (a)(3) provides that a patient does not have the right to examine or copy that information. Reasonable expectation of danger is sufficient; this subsection does not adopt the imminent danger standard of Section 2-104(4).



Subsection (a)(4) permits a provider to withhold health-care information compiled and used solely for litigation purposes, administrative purposes, quality assurance, or peer review. For example, attorney-client communications and so-called "incident reports" needed for efficient operations of a medical facility are exempt from the subject access requirements. These reports are usually not retrievable by patient name. Moreover, these reports are not compiled for health-care purposes but, rather, to document unusual or significant events that affect a provider's future health-care operation or involve matters of administrative planning or legal exposure. If patients could use this Act to examine and copy such information, much of the health-care provider's quality control activities would be disrupted. Furthermore, since this information has not been compiled for health-care purposes the Act's interests would not be furthered by providing access rights.



If a health-care provider denies a request for examination and copying pursuant to subsection 3-102(a), then under subsection 3-102(b) the provider must identify the portions of the health-record information which are not covered by a provision authorizing withholding and must make that portion available for examination and copying. For example, the deletion could be of the confidential source and some or all of the information furnished by the source if it might identify him or her.



Finally, if a provider denies an access request on the grounds that access would be injurious to the patient's health or could be expected to cause danger to the life or safety of any person, then under subsection 3-102(c), the provider must permit examination and copying by another health-care provider selected by the patient provided that this health-care provider is licensed, certified, or otherwise authorized under the laws of the state to treat the patient for the same condition as the original health-care provider. Further, the original health-care provider must inform the patient, in writing, of the patient's right to select another provider to exercise his examination and copying rights. The health-care provider selected by the patient is free to make the health-record information available to the patient. This formulation is relatively common, having been adopted in a number of state statutes, and, as well, by a number of agencies operating under the federal Privacy Act.







ARTICLE IV

CORRECTION AND AMENDMENT OF RECORD





SECTION 4-101. REQUEST FOR CORRECTION OR AMENDMENT.



(a) For purposes of accuracy or completeness, a patient may request in writing that a health-care provider correct or amend its record of the patient's health-care information to which a patient has access under Section 3-101.



(b) As promptly as required under the circumstances, but no later than ten days after receiving a request from a patient to correct or amend its record of the patient's health-care information, the health-care provider shall:



(1) make the requested correction or amendment and inform the patient of the action and of the patient's right to have the correction or amendment sent to previous recipients of the health-care information in question;



(2) inform the patient if the record no longer exists or cannot be found;



(3) if the health-care provider does not maintain the record, inform the patient and provide the patient with the name and address, if known, of the person who maintains the record;



(4) if the record is in use or unusual circumstances have delayed the handling of the correction or amendment request, inform the patient and specify in writing, the earliest date, not later than 21 days after receiving the request, when the correction or amendment will be made or when the request will otherwise be disposed of; or



(5) inform the patient in writing of the provider's refusal to correct or amend the record as requested, the reason for the refusal, and the patient's right to add a statement of disagreement and to have that statement sent to previous recipients of the disputed health-care information.



Comment



This section gives a patient a right to submit, in writing, a request to correct or amend the patient's health-care information to which the patient has access under Section 3-101. The purpose of the correction or amendment request must be to improve the accuracy or completeness of the record. Furthermore, the Privacy Protection Study Commission recommended that state health-care record statutes give patients a right to correct or amend their records together with a right to examine and copy their records. Privacy Commission Report at 295. Indeed, one of the principal purposes of most subject access schemes is to permit a record subject to verify the accuracy and completeness of his record. Accordingly, most state statutes which give patients a right of access to their health-care records also give patients a right to correct or amend their records. The federal Privacy Act takes the same approach. The Uniform Information Practices Code permits individuals to request agencies to correct or amend incomplete or inaccurate information about them maintained in agency records.



Accurate health-care information is important not only to the delivery of health care, but also to patient applications for life, disability and health insurance, employment, and a great many other issues that might be involved in civil litigation (e.g., Workmen's Compensation, child custody, personal injury).



Section 4-101(b) parallels Section 3-101(a) in setting out conditions which apply to a provider's handling of a correction or amendment request. Under subsection (b), the provider must respond to each request as promptly as possible and, in any event, within 10 days after receiving the request.



This subsection, like the parallel provision in Section 3-101, gives the provider five possible options for response. The provider can respond by: (1) making the requested correction or amendment and so informing the patient and further informing the patient of the patient's right to have the correction or amendment disseminated to previous recipients of the uncorrected or unamended health-care information; or (2) if the record no longer exists or cannot be located, so informing the patient; or (3) if the health-care provider does not maintain the record, providing the patient with the name and address of the provider or person who it is believed does maintain the record, if known; or (4) in the event of unusual circumstances, or if the record is in use, so informing the patient and specifying a time, not to exceed 21 days from receipt of the request, when the record will be corrected or amended or the request otherwise disposed of; or (5) denying the correction or amendment request and so informing the patient, in writing, including the provider's reason for refusing the request and the patient's right to add a statement of disagreement and to have that statement disseminated to previous recipients of the disputed information.





SECTION 4-102. PROCEDURE FOR ADDING CORRECTION OR AMENDMENT OR STATEMENT OF DISAGREEMENT.



(a) In making a correction or amendment, the health-care provider shall:



(1) add the amending information as a part of the health record; and



(2) mark the challenged entries as corrected or amended entries and indicate the place in the record where the corrected or amended information is located, in a manner practicable under the circumstances.



(b) If the health-care provider maintaining the record of the patient's health-care information refuses to make the patient's proposed correction or amendment, the provider shall:



(1) permit the patient to file as a part of the record of the patient's health-care information a concise statement of the correction or amendment requested and the reasons therefor; and



(2) mark the challenged entry to indicate that the patient claims the entry is inaccurate or incomplete and indicate the place in the record where the statement of disagreement is located, in a manner practicable under the circumstances.



Comment



Section 4-102 sets out the procedures that apply to adding corrections or amendments or patient statements of disagreement. Subsection (a)(1) provides that if a health-care provider accepts a proposed correction or amendment, the provider must add this information to the record and mark the corrected record or amended entries and indicate the place in the record where the corrected or amended information can be found, in whatever manner is practicable. The inaccurate or incomplete information should not be expunged but merely marked as inaccurate or incomplete. Where microfiche records are used, it may not be possible to mark old entries as inaccurate or incomplete and, in this circumstance, marking the cover page or adding a supplemental record may be the most practicable procedure and will satisfy the statutory standard.



Many state statutes or industry model codes permit patients to add a rebuttal statement when providers refuse to make a requested correction. Subsection (b) provides that if a health-care provider denies a patient's correction or amendment request, the provider must permit the patient to file with his record a brief statement of the patient's reasons for believing that the record should be corrected or amended, and/or his reasons for disagreement with the provider's refusal. The rebuttal statement should be brief and to the point and, where practicable, the challenged entries should be so marked and the place in the record where the rebuttal statement can be found should be indicated. Section 4-102 is not intended to replace the judgments of health-care professionals who create the health-care information with the lay opinions of patients. However, if a patient disputes the accuracy or completeness of health-care information it is fair to permit the patient's view to be included in the record.





SECTION 4-103. DISSEMINATION OF CORRECTED OR AMENDED INFORMATION OR STATEMENT OF DISAGREEMENT.



(a) A health-care provider, upon request of a patient, shall take reasonable steps to provide copies of corrected or amended information or of a statement of disagreement to all persons designated by the patient and who are identified in the health-care information as having examined or received copies of the information sought to be corrected or amended.



(b) A health-care provider may charge the patient a reasonable fee, not exceeding the provider's actual cost, for distributing corrected or amended information or the statement of disagreement, unless the provider's error necessitated the correction or amendment.



Comment



Subsection (a) requires a health-care provider who accepts a patient's correction or amendment, as well as a provider who has been required to add a patient statement to the record, to take all reasonable steps upon request by the patient to distribute the corrected information or the patient statement to all parties designated by the patient who have previously received the information which is the subject of the correction or amendment attempt. The distribution requirement is made dependent on a patient's request because some patients may not want to encourage the dissemination of the corrected or amended information or the patient's statement, because any reference to the matter, even an allegedly accurate reference, may be damaging to the patient.



Subsection (b) permits a health-care provider to charge patients the lesser of a reasonable fee or the provider's actual cost in distributing the corrected or amended information or the statement of disagreement if the correction or amendment was not caused by the provider's error. See Comment to Section 3-101 for an explanation of this formulation.



It is expected that patients will use the disclosure record, which Section 2-101(b) of the Act requires providers to maintain, to identify persons who have previously received the information in question.







ARTICLE V

NOTICE OF INFORMATION PRACTICES





SECTION 5-101. CONTENT AND DISSEMINATION OF NOTICE.



(a) A health-care provider who provides health care at a health-care facility that the provider operates and who maintains a record of a patient's health-care information shall create a "notice of information practices" that contains substantially the following:



Notice



"We keep a record of the health-care services we provide you. You may ask us to see and copy that record. You may also ask us to correct that record. We will not disclose your record to others unless you direct us to do so or unless the law authorizes or compels us to do so. You may see your record or get more information about it at ____________________."



(b) The health-care provider shall post a copy of the notice of information practices in a conspicuous place in the health-care facility and, upon request, provide patients or prospective patients with a copy of the notice.



Comment



This section requires health-care providers to make available to patients a description of the basic information rights accorded to patients whose health-care information is maintained by health-care providers. It also sets forth an easy-to-read model notice. Although this model notice need not be used verbatim, any notice must include a brief reference to the fact that the provider maintains health-care records; that patients have a right to see and copy those records; that patients have a right of correction concerning those records; that the provider will keep the patient's records confidential, subject to certain qualifications; and an identification of the person or office from whom the patient can obtain the patient's records or get additional information.



The Privacy Commission's recommendations include a similar proposal that health-care providers explain their information dissemination policies to patients and prospective patients. Privacy Commission Report at 313.







ARTICLE VI

PERSONS AUTHORIZED TO ACT FOR PATIENT





SECTION 6-101. HEALTH-CARE REPRESENTATIVES.



(a) A person authorized to consent to health care for another may exercise the rights of that person under this [Act] to the extent necessary to effectuate the terms or purposes of the grant of authority. If the patient is a minor and is authorized to consent to health care without parental consent under the laws of this State, only the minor may exercise the rights of a patient under this [Act] as to information pertaining to health care to which the minor lawfully consented.



(b) A person authorized to act for a patient shall act in good faith to represent the best interests of the patient.



Comment



Section 6-101(a) states that an individual who is authorized under state law to consent to health care for a patient has the right to exercise all of the rights of a patient under this Act but only to the extent necessary to discharge his or her responsibility to consent to health care. It contemplates two types of authority: (1) an authorization by law under which, for example, parents and guardians may consent to health care; and (2) an authorization by instrument under which, for example, persons operating under a power of attorney or "health-care representatives" in states which have adopted the Model Health Care Consent Act may consent to health care.



Once a minor has come of age, parents no longer have a right to consent to the minor's health care and at that point their rights under the Act are extinguished because the exercise of these rights is no longer necessary to discharge their responsibilities. This means that parents of an adult child would not be able, absent their child's consent, to inspect records of their child's health care, as to which consent was given when the child was a minor.



Subsection 6-101(a) also provides that if a minor is authorized by law to consent to his or her own health care without parental consent, then the minor may exclusively exercise all of the rights of a patient under the Act as to information about the health care to which the minor lawfully consented. Many states have adopted laws permitting minors to consent to certain kinds of health care, but not to other kinds. See, e.g., Iowa Code Ann. § 125.33, 140.9 (1982) (minor can consent to treatment for venereal disease and drug dependency); Md. Ann. Code art. 43, § 135, 135A (1982) (minor can consent to treatment for venereal disease, drug abuse, alcoholism, pregnancy, contraception, emotional disorders, or sexual assault); Minn. Stat. Ann. § 144.342 (1982) (minor can consent to treatment for pregnancy, venereal disease, alcohol, and other drug abuses). Thus, if a minor can consent and has consented to treatment for venereal disease, the minor enjoys all of the rights of a patient under this Act as to information pertaining to the venereal disease and its treatment. Accordingly, the minor can control access to this health-care information, including access by his parents.



Under subsection (b) a person authorized to act for a patient must make a good-faith effort to act in the best interests of the patient. This subsection attempts to insure that a person acting for a patient will act in a fiduciary manner and will not deliberately misuse or mishandle the patient's health-care information. This subsection does not attempt to define the "best interests" of a patient. However, fiduciary standards are well defined in case law, and issues relating to the handling of health-care record information pertaining to a guardian or ward have received increased attention. See Wald, "State Intervention on Behalf of 'Neglected' Children: A Search for Realistic Standards," 27 Stan. L. Rev. 985, 1031-33 (1975); In re Guardianship of Pescinski, 226 N.W.2d 180 (Wis. 1975). At a minimum, this subsection requires the person acting for the patient to make decisions about the handling of the patient's records that approximate the decisions that a reasonable person would make about the handling of his own records.





SECTION 6-102. REPRESENTATIVE OF DECEASED PATIENT. A [personal representative] of a deceased patient may exercise all of the deceased patient's rights under this [Act]. If there is no [personal representative], or upon discharge of the [personal representative], a deceased patient's rights under this [Act] may be exercised by persons who are authorized by law to act for the deceased patient.



Comment



This section follows from the Act's definition of patient in Section 1-102(11) in that it recognizes the possibility of substantial harm or embarrassment to the family, estate, or reputation of a deceased patient by the release of health-care information. Therefore, representatives of deceased patients are granted the authority to exercise all of the deceased patient's rights under the Act. See Boggess v. Aetna Life Insurance Co., 196 S.E.2d 172 (Ga. 1973); Lorde v. Guardian Life Insurance Co., 300 N.Y.S. 721 (N.Y. Sup. Ct. 1937) (both decisions recognize that the physician-patient privilege does not expire upon the death of the patient).



The deceased patient's rights may be exercised by the decedent's personal representative and, in the absence of a personal representative, by those authorized to act for the decedent under state law.







ARTICLE VII

SECURITY SAFEGUARDS AND RECORD RETENTION





SECTION 7-101. DUTY TO ADOPT SECURITY SAFEGUARDS. A health-care provider shall effect reasonable safeguards for the security of all health-care information it maintains.



Comment



Section 7-101 requires health-care providers to implement reasonable security safeguards for all health-care information which they maintain. The Act does not define "reasonable security safeguards." What are reasonable safeguards will vary depending upon the content of the health-care information; the type and location of the health-care provider; and other factors that are specific to the particular record-keeping environment.



Accordingly, reasonable security safeguards may include personnel security standards for record room personnel (e.g., personnel background checks); administrative security standards (rules concerning who may enter a record room or a nurses station); physical security safeguards (locked doors and file cabinets, for example); and in automated records systems, technological security standards (user unique access codes, for example).



Health-care information is sensitive and often commercially valuable information which may be the target of theft or improper inspection or acquisition. There are numerous examples of the theft or improper inspection or acquisition of health-care information. Perhaps the most notorious example concerned the indictment brought by a Denver grand jury against a private investigative firm alleging, among other things, the use of investigators dressed as hospital personnel to obtain and subsequently sell health-care information. "U.S. Probes Sale of Confidential Medical Records," Washington Star, Dec. 9, 1976, at 1.





SECTION 7-102. RETENTION OF RECORD. A health-care provider shall maintain a record of existing health-care information for at least one year following receipt of an authorization to disclose that health-care information under Section 2-102, and during the pendency of a request for examination and copying under Section 3-101 or a request for correction or amendment under Section 4-101.



Comment



This section requires a health-care provider to maintain health-care information for at least one year after a provider receives an authorization to disclose health-care information and for the period of time while a request for examination or copying or a request for correction or amendment is pending. Since the Act does not require providers otherwise to retain health-care information, this provision is necessary in order to prevent providers from avoiding the disclosure obligations or the examination and copying and correction and amendment requirements merely by destroying or transferring the health-care information in question.







ARTICLE VIII

CIVIL REMEDIES AND CRIMINAL SANCTIONS





SECTION 8-101. CRIMINAL PENALTY.



(a) A person who willfully discloses health-care information in violation of this [Act], and who knew or should have known that disclosure is prohibited, is guilty of a [misdemeanor], and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year], or both.



(b) A person who, by means of (i) bribery, (ii) theft, (iii) misrepresentation of identity, purpose of use or entitlement to the information, [or (iv) trespass,] examines or obtains, in violation of this [Act], health-care information maintained by a health-care provider, is guilty of a [misdemeanor], and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year], or both.



(c) A person who, knowing that a certification under Section 2-105(c) or a disclosure authorization under Section 2-102 is false, willfully presents the certification or disclosure authorization to a health-care provider, is guilty of a [misdemeanor], and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year] or both.



Comment



Subsection (a) makes it a misdemeanor (or equivalent in states using other terms) for a health-care provider to willfully disclose health-care information if the person knew, or should have known, that such disclosure is in violation of this Act. It is up to each state to set the terms of punishment for this crime. However, the section recommends a misdemeanor citation with a fine not to exceed $10,000 and a period of imprisonment not to exceed one year.



Subsection (b) makes it a crime to willfully misrepresent one's identity or purpose (false pretenses) or to use bribery or theft to examine health-care information in violation of this Act. Access to an automated information system by willfully using a password or code to misrepresent one's identity or purpose would be covered by this subsection. So too would other types of related crimes such as wiretapping. The section recommends a penalty structure that is identical to the penalties for willful disclosure.



Subsection (c) makes it a crime to willfully provide a disclosure authorization under Section 2-102 or a certification under Section 2-105(c) (compulsory disclosures) knowing that the certification is false or that the authorization is false. In order to come within this section an individual must know that the certification or authorization is false in a material respect and must willfully present that certification or authorization to a health-care provider.



It is important to emphasize that the Act's criminal penalties only attach to violations of this Act. Thus, redisclosure by nonhealth-care providers does not provide a basis for a criminal action unless such redisclosure is expressly prohibited in this Act. For example, if a family member obtains health-care information under Section 2-104 and subsequently rediscloses that information to a news reporter, neither the family member nor the reporter has criminal exposure under this Act.





SECTION 8-102. CIVIL ENFORCEMENT. The [Attorney General or appropriate local law enforcement official] may maintain a civil action to enforce this [Act]. The court may order any relief authorized by Section 8-103.



Comment



This section permits the appropriate law enforcement official to bring a civil action to enforce the terms of the Act and permits the court to provide any of the remedies available to a patient in a private right of action under Section 8-103. Actions under this section are limited to actions to enforce the Act and thus redisclosure by nonhealth-care providers does not provide a basis for civil enforcement except in very limited circumstances as provided in this Act.





SECTION 8-103. CIVIL REMEDIES.



(a) A person aggrieved by a violation of this [Act] may maintain an action for relief as provided in this section.



(b) The court may order the health-care provider or other person to comply with this [Act] and may order any other appropriate relief.



(c) A health-care provider who relies in good faith upon a certification, pursuant to Section 2-105(c), is not liable for disclosures made in reliance on that certification.



(d) In an action by a patient alleging that health-care information was improperly withheld under Article III the burden of proof is on the health-care provider to establish that the information was properly withheld.



(e) If the court determines that there is a violation of this [Act], the aggrieved person is entitled to recover damages for pecuniary losses sustained as a result of the violation; and, in addition, if the violation results from willful or grossly negligent conduct, the aggrieved person may recover not in excess of [$5,000], exclusive of any pecuniary loss.



(f) If a plaintiff prevails, the court may assess reasonable attorney's fees and all other expenses reasonably incurred in the litigation.



(g) Any action under this [Act] is barred unless the action is commenced within [ ] year[s] after the [cause of action] [claim for relief] accrues.



Comment



Subsection (a) allows any person (defined in Section 1-102) who is aggrieved by a violation of this Act to file an action in a court of appropriate jurisdiction against the responsible health-care provider or other party. This is a standard formulation for standing. For example, this formulation is found in the Uniform Information Practices Code (§ 3-112). The burden of proof is always on the aggrieved party, except where specifically indicated otherwise. Although a person must be aggrieved in order to maintain a private right of action under this Act, it is worth noting that in many states a provider's violation of law, even if no harm to a patient results, is grounds for administrative sanctions by the state licensing board or other similar authority.



Subsections (b), (e), and (f) authorize three types of relief for the aggrieved party: (1) equitable relief in the form of an injunction ordering the health-care provider or other responsible party to comply with the Act (including, where appropriate, an expungement order or an order to enjoin prospective violations); (2) actual damages suffered by the aggrieved party, plus a suggested $5,000 limit on recovery for nonpecuniary loss if the violation arises out of willful or grossly negligent conduct; and (3) reasonable court costs and attorney's fees where the aggrieved party substantially prevails. Because the Act relies on self-enforcement by aggrieved persons as its principal enforcement mechanism, only a liberal provision for the award of attorney's fees will permit this self-enforcement mechanism to work effectively.



A health-care provider who discloses information in good-faith reliance on a certification is not liable for disclosures made pursuant to that certification. See Section 2-103.



Subsection (c) provides that in an action brought by a patient seeking access to his own record, the health-care provider has the burden of proof if it contends that the health-care information should not be disclosed.



Subsection (f) establishes a statute of limitations for civil actions brought pursuant to this section. States should insert the appropriate time period for their jurisdiction.



The civil remedies provided under this section - like their criminal counterparts - are only available for violations of this Act. Thus, redisclosure by family members, newspaper reporters, or others not covered by the redisclosure provisions in Section 2-104 is not a violation of this Act and does not provide a basis for a civil action.







ARTICLE IX

MISCELLANEOUS PROVISIONS





SECTION 9-101. UNIFORMITY OF APPLICATION AND CONSTRUCTION. This [Act] shall be applied and construed to effectuate its general purpose to make uniform the law with respect to the subject of this [Act] among states enacting it.





SECTION 9-102. SHORT TITLE. This [Act] may be cited as the Uniform Health-Care Information Act.





SECTION 9-103. SEVERABILITY. If any provision of this [Act] or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of this [Act] which can be given effect without the invalid provision or application, and to this end the provisions of this [Act] are severable.



Comment



This is a standard severability provision and mirrors a provision in the Uniform Information Practices Code, § 1-103.





SECTION 9-104. REPEALS. The following acts and parts of acts are repealed:



(1)



(2)



(3)





SECTION 9-105. SAVING CLAUSE. This [Act] does not affect other law restricting, to a greater extent than does this [Act], the disclosure of specific types of health-care information to any person other than the patient to whom it relates.



Comment



Because the overriding purpose of the Act is to protect patient privacy, if prior legislation covers a specific type of health-record information and provides greater privacy protection for that information than would be provided under the Act, this prior, specific legislation is not affected by the Act.





SECTION 9-106. CONFLICTING LAWS.



[(a) This [Act] does not restrict a health-care provider from complying with obligations imposed by federal health-care payment programs or federal law.]



[(b) In the event of a conflict between this [Act] and the Uniform Information Practices Act, the provisions of this [Act] apply.]



Comment



Subsection (a) is included to make clear to persons affected by this Act that, under the Supremacy Clause of the Constitution, no state law can take precedence over federally-imposed requirements. To the extent that federal agencies require access to health-care information under federal laws or regulations, the obligations of the health-care provider are determined by that law and not by this Act.



Subsection (b) recognizes that the Uniform Information Practices Act or similar legislation in effect in the state may affect a number of state institutions, such as hospitals, nursing homes, and prisons, which are also health-care providers. Since the provisions of this Act were drafted specifically with health-care providers in mind, they should take precedence over the earlier Act, which treats all state instrumentalities in the same manner.