Note to reader: This is Chapter 7 of Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission transmitted to President Jimmy Carter on July 12, 1977. The full Table of Contents is listed below.

1.  Introduction
2.  The Consumer-Credit Relationship
3.  The Depository Relationship
4.  Mailing Lists
5.  The Insurance Relationship
6.  The Employment Relationship
7.  Record Keeping in the Medical-Care Relationship
8.  Investigative-Reporting Agencies
9.  Government Access to Personal Records and "Private Papers"
10.  Record Keeping in the Education Relationship
11.  The Citizen as Beneficiary of Government Assistance
12.  The State Role in Privacy Protection
13.  The Relationship Between Citizen and Government: The Privacy Act of 1974
14.  The Relationship Between Citizen and Government: The Citizen as Taxpayer
15.  The Relationship Between Citizen and Government: The Citizen as Participant in Research and Statistical Studies
16.  The Social Security Number

Chapter 7
Record Keeping in the Medical-Care Relationship

Americans made an estimated one billion, 56 million visits to physicians during 1975, an average of 5.1 visits for each person in the country. Approximately 720 million of these visits occurred in physicians' private offices, while another 136 million took place in the clinics and emergency rooms of hospitals. Inpatient admissions accounted for a large percentage of the remainder.1 In addition, in 1974, more than a million individuals, approximately five percent of the U.S. population aged 65 and over, resided in nursing homes.2 Each of these contacts with a medical-care provider generated a new medical record,3 or added information to an already existing record. Considering that the recommended minimum retention period for a medical record today is 10 to 25 years,4 these numbers seem staggering. Yet, even more staggering is the realization of how many people besides the medical-care providers5 who create a medical record have access to it at the same time that the patient himself is by and large denied access to it.

Indeed, the way in which medical records are created and used has undergone radical change in the last 50 years,6 a change that is both a result and a cause of significant alterations in the character of the medical-care relationship itself. This chapter explores the nature of the transformation and its implications for the protection of personal privacy.

The first section briefly identifies the keepers and users of medical records and medical-record information.7 The second section shows why medical record-keeping practices are making the medical-care relationship progressively more fragile, underscoring the need for better statutory and regulatory protections. The third section contains general and specific recommendations that seek a proper balance among the various interests that come to focus in the medical care relationship today.


In the early part of this century, physicians, most of them practicing alone, delivered 85 percent of all medical services in the country. Today less than five percent of the providers of medical-care services are physicians.8 It has been estimated that in most hospitals today only a third of a patient's hospital medical record is created by the attending physician.9 In addition, there have been major changes in the way medical care is paid for, and these changes, together with corollary efforts to monitor and improve the quality of medical care, have had and continue to have profound effects both on the flow of medical-record information and on the way medical records are maintained.

Private health-insurance coverage has risen steadily over the last 25 years. In 1950, third-party payment covered about a third of personal health expenses; in 1975, two-thirds, including almost 90 percent of hospital expenses and 61 percent of physicians' services was covered.10 So many of these payments are now made under group policies that employers either administer or finance, or both,11 that employers have begun to rival insurance companies as major keepers and users of medical-record information. Tax revenues also cover an increasing share of the nation's health-care bill. In 1974 Medicare and Medicaid together accounted for three-fifths of the total government expenditure for medical services, with 71 percent and 37 percent of their funds, respectively, going for services provided by hospitals.12

The magnitude of these public and private expenditures has focused attention on controlling the cost and monitoring the quality of medical services with the medical record becoming the primary instrument for cost control and quality assessment. Today, third-party payers not only want to know whether services billed to them are wholly or partially covered, but also whether they were consistent with the medical problem stated on the claim form, or indeed have been performed at all. To answer those questions in any particular instance the third-party payer may need copies of the entire record when only a particular episode of treatment is at issue. In 1972, the Congress in P.L. 92-603 authorized the formation of Professional Standards Review Organizations (PSROs) to monitor the appropriateness, quality, and outcome of the services provided to beneficiaries of the Medicare, Medicaid, and Maternal and Child Health Programs. The professional review mandated by the PSRO legislation depends upon information in the medical record being precisely documented, and in standardized form so that it can readily be retrieved. Since the program is not yet fully operational, its effectiveness cannot yet be evaluated, but if the PSRO program succeeds in controlling medical care costs, private-sector third-party payers will undoubtedly develop similar programs or use the PSRO. The Congress, too, is watching PSRO performance with an eye to its implications for proposed legislation to create a universal health insurance program, covering all aspects of medical care.

It must be understood, of course, that these impositions on the presumed confidentiality of the physician-patient relationship are not without precedent. Mandatory filing of birth and death certificates is a form of intrusion into the physician-patient relationship that has long been accepted as socially justified by the need for population statistics and epidemiological research. Today vital statistics records provide a vast data resource for many research and statistical activities. When communicable diseases were a major cause of death, legislation was enacted requiring that medical-care providers report information about individual cases to publichealth authorities. Many States now also require medical-care providers to report cases of cancer and other diseases in which an environmental or occupational factor is suspected, and some require reports on drug addiction, gunshot wounds, child abuse, and other violence-related injuries. The justification for each of these intrusions into the medical-care relationship is that society's need for information outweighs the individual's claim to personal privacy in that particular case.

Through expenditures in support of medical research, both government and the private sector indirectly contribute to third-party intrusions into the medical-care relationship. As Chapter 15 points out, government funding supports most of the organized research and statistical activities in this country and medical research accounts for a high proportion of the research expenditures of government and many of the large private foundations. Federal rules governing the funding of medical research require the informed consent of the individuals who participate in it as research subjects, but do not require their consent when medical records are reviewed and abstracted for retrospective epidemiological research studies.

Epidemiological research was originally concerned with the cause and prevention of infectious diseases,13 but during the last two decades the focus of the discipline has expanded to include the chronic, noninfectious diseases, such as emphysema and cancer, which have emerged as primary causes of illness and death in this country. Because these conditions typically cluster in time and place at a rather low level of intensity; because their progression may be slow; and because their causes are frequently insidious, studying them often requires medical surveillance of a substantial population at widely disparate points in time. For example, an epidemiologist who wants to know whether a particular chemical employed in certain industrial processes was causally associated with bladder cancer might well be required to survey a large number of employees who have been exposed to the chemical at five-year intervals for at least 20 years. Such a task, however, would be impractical, if not impossible, without recourse to the medical records of the population being studied.

There are few statistics indicating the number of requests for medicalrecord information that are not directly related to the delivery of medical care, but testimony before the Commission suggests that the number is high. For example, the director of the medical record department at a 600-bed university teaching hospital testified that he receives an estimated 2700 requests for medical-record information each month, some 34 percent of them from third-party payers, 37 percent from other physicians, eight percent in the form of subpoenas and 21 percent from other hospitals, attorneys, and miscellaneous sources.14 The attorney for a large and well known medical clinic testified that the clinic receives an estimated 300,000 requests for medical-record information a year, some 88 percent of them patient-initiated requests relating to claims for reimbursement by health insurers.15 Representatives of a California photocopying firm told the Commission that in 1975, their firm photostated 365,000 medical records for the State disability insurance program. This same firm, which acquires medical-record information pursuant to patient authorization for use primarily by lawyers and insurers, has amassed a microfilm library of approximately 780,000 records. 16

The results of a 1970 survey of requests directed to the offices of California psychiatrists are equally revealing. Of the 346 respondents, 89 percent reported that they had been asked for medical-record information by insurance companies, 56 percent by schools, and 49 percent by employers.17

These figures give some idea of how heavily a variety of institutions in our society have come to depend upon the information in medical records in order to perform their basic functions. They also suggest that medical record information is now the key to many societal gatekeeping functions.18 This is clearly revealed when the individual with venereal disease is denied a marriage license; when the person with heart disease is denied life insurance; when the epileptic is denied employment; or when a convicted felon is sent to a mental hospital instead of to prison. There are, however, many less dramatic and thus less visible examples. Chapter 6, on record keeping in the employer-employee relationship, describes some of the ways in which medical-record information figures in assignment and promotion decisions. The chapter on public assistance and social services takes special note of how medical-record information influences eligibility determinations. An incident recounted later in this chapter illustrates that much harm can come to an individual when medical-record information being used for research is casually disclosed to another. Indeed, as Westin has observed:

. . . the outward flow of medical data . . . has enormous impact on people's lives. It affects decisions on whether they are hired or fired; whether they can secure business licenses and life insurance; whether they are permitted to drive cars; whether they are placed under police surveillance or labelled a security risk; or even whether they can get nominated for and elected to political office.19

The Commission agrees that the secondary use of medical records "raises the sharpest clash between society's interest in protecting medical confidentiality and its interest in a wide variety of other important functions . . . 20 Yet this clash is not easy to resolve or even mitigate. From a privacy protection point of view, however, the confidentiality of the medical-care relationship has been seriously eroded and clearly needs to be restored. Simply blocking third-party access to medical-record information is not the answer. New balances must be struck, recognizing not only that existing law and public policy on the subject are inadequate but also that many of the gatekeeping and credentialling functions that depend on information derived from medical records are essential.


The physician-patient relationship is an inherently intrusive one in that the patient who wants and needs medical care must grant the doctor virtually unconstrained discretion to delve into the details of his life and his person. As a practical matter, because so much information may be necessary for proper diagnosis and treatment, no area of inquiry is excluded. In addition to describing the details of his symptoms, the patient may be asked to reveal what he eats, how much he drinks or smokes, whether he uses drugs, how often he has sexual relations and with whom, whether he is depressed or anxious, where and how long he has worked, and perhaps what he does for recreation. Moreover, he is expected to submit to as much direct observation and recording of what is observed as his condition suggests and as the confines of the medical-care setting permit. As the Executive Director of the American Medical Record Association observed to the Commission, "a complete medical record [today] may contain more intimate details about an individual than could be found in any single document."21

Like all records, the medical record is in part a memory aid. It serves to remind the physician of conditions discovered, drugs prescribed, tests and treatments administered, and the charges levied. Earlier in this century, when most medical professionals were family physicians in solo practice, the typical medical record was simply a small ledger card with entries showing the dates of the patient's visits, the medications prescribed, and the charges. The physician was usually able to file the intimate details of a patient's medical or emotional condition in the "safe crevices of his mind."22 In contrast, a modern hospital medical record may easily run to a hundred pages. The records of a family physician may still hold information on ailments and modes of treatment, but also now note the patient's personal habits, social relationships, and the physician's evaluation of the patient's attitudes and preferences, often in extensive detail.

A great many factors contributed to this marked transformation in medical record-keeping practices. The information needs of third-party users have already been mentioned. Other factors include the progress of medical knowledge and the professional specialization it has fostered; the propensity of the American public to move around, making the medical record the principal instrument for assuring continuity of medical care; and the increasing use of medical records in judicial proceedings, especially in malpractice suits, where the content of a medical record is often the physician's only real defense.23 Today's physician, in short, must learn more and remember more about his patients than his predecessors. To aid memory and to meet the demands for precise documentation, he incorporates more and more of what he learns about patients in their medical records.

Many argue that the efficacy of the medical-care relationship is directly related to the patient's confidence that the information recorded in the course of the relationship will go no further. As one witness told the Commission,

Patients would be reluctant to tell their physicians certain types of information which they need to know in order to render appropriate care, if patients did not feel that such information would remain confidential.24

This may well be true; certainly it has the ring of common sense. If it is true, however, one can only conclude that patients are poorly informed about the information flows that often stem from their relationships with medical professionals.

Physicians have recognized their duty to keep information about patients to themselves since time immemorial. The following clause of the Hippocratic Oath merely acknowledged a principle already rooted in the ethos of ancient Greece:

Whatever, in connection with my professional practice, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken abroad, I will not divulge, as reckoning that all such should be kept secret.25

Physicians still subscribe to that oath, but in practice modern society requires of them frequent and sometimes substantial departures from it. The ethical code of the American Medical Association, for example, acknowledges that physicians must abandon their duty of confidentiality when required by law to disclose information about a patient, and when in the physician's judgment, he must do so in order to protect the welfare of the patient or of the community.26 Yet, even these major exceptions do not adequately convey the idea of the outward flow of information generated within the context of the medical-care relationship today. They take no note, for instance, of the breadth of many of the authorization statements patients are now routinely asked to sign or of the complex balances that must be struck in deciding when the welfare of the community should take precedence over the welfare of a patient. As a set of ethical precepts, moreover, they do not reach beyond the intimate physician-patient relationship which in today's world constitutes only one segment of the medical-care relationship.

In making these observations, the Commission is aware that the physician's ethical duty to protect the records he keeps about his patients is also established in law. Nineteen States have regulations, statutes, or case law recognizing medical records as confidential and limiting access to them.27 In 21 States, a physician's license may be revoked for willful betrayal of professional secrets.28 These statutes, however, do not generally apply to medical-care providers other than physicians, and although the codes of ethics of most allied health professions reaffirm the principle of confidentiality, the codes can impose only a. moral, not a legal, obligation. Moreover, although a few courts have recognized that a patient has a cause of action against the physician who discloses information about him without his permission, as Westin notes, there is no reported U.S. case in which a physician or hospital had to compensate a patient for an injury resulting from breach of confidentiality.29

More important, the typical statutory prohibition against the disclosure of medical-record information by medical professionals is focused on protecting the professional, not the patient. It prevents the professional from being compelled to testify or to produce records about a patient in court proceedings and before grand juries, and in the 43 States that have some form of testimonial privilege, the protections have gradually been extended from oral communications to records such as medical reports, X-rays, and laboratory tests. With this broadening of the privilege has also come an increasing number of exceptions to it, justified in large part by the belief that the privilege has all too frequently been invoked merely to conceal information that would be neither embarrassing to the patient, nor countertherapeutic, nor destructive of the physician-patient relationship if it were disclosed.30

The most important thing to remember about the testimonial privilege is that it has virtually nothing to do with normal, everyday use and disclosure of records maintained by a medical-care provider. The discretion to disclose or not to disclose, in most circumstances, resides solely with the provider. The courts by and large uphold that autonomy.31

It is true that physicians customarily obtain a patient's authorization before revealing information about him to someone who is not in a position to compel such disclosure legally, but evidence presented to the Commission suggests that this safeguard, too, is weak. As described in Chapters 5 and 8, an investigation by a team of television reporters in late 1975 prompted a Denver, Colorado, grand jury to look into the local activities of a Chicago firm that specialized in obtaining medical-record information on individuals without authorization. The firm, then called "Factual Service Bureau" and now known as "Inner-facts," provides a variety of investigative services, but its speciality appears to have been the surreptitious acquisition of medicalrecord information from hospitals and physicians. Insurance claims investigators and lawyers used this information for a variety of purposes: to estimate how much their companies should reserve to cover particular claims; to assure that a claimant has not exaggerated the gravity of an illness or injury or inflated his lost earning capacity; and to detect other fraud. While in many cases they could have obtained the same information through normal channels, some claims personnel apparently felt there were justifiable reasons for avoiding the normal methods of acquiring it. That a firm like Factual Service Bureau could be successful, at least until it came under scrutiny by the Denver grand jury, appears to have been due in no small measure to the laxity of hospital security measures.

In June, 1976, the Denver grand jury received permission of the Colorado court to issue a special report to the Privacy Protection Study Commission. It said in part:

From the evidence, it is clear that the problem with respect to the privacy of medical records in this jurisdiction exists in many other cities and jurisdictions across the nation . . . [However,] the grand jury believes that there is no one, simple law which can be enacted or action taken to prevent future abuses and unlawful activities concerning medical records. Rather, what is needed is a combination of voluntary self-regulation by institutions, health care provi ders, the insurance industry, and the legal profession. Appropriate state and federal laws . . . should be enacted or amended to better accomplish the goal of protecting medical records.32

The Factual Service Bureau case points up a serious weakness in the protections offered by the authorization procedures used by medical-care providers. Nonetheless, it is not the only weakness, or even the most important for the majority of individuals on whom medical-care providers maintain records. Other Commission witnesses described how the form a patient is now routinely asked to sign authorizing the medical-care provider to disclose medical-record information about him is often so broadly worded that the patient, in effect, signs away all control over what is disclosed and what may be done with it thereafter. A noted authority on the confidentiality of psychiatric records told the Commission that knowing or suspecting that their medical records will be reviewed by outsiders keeps many people from seeking treatment for their illnesses, especially when the illness is psychiatric in character.33

An incident that occurred midway in the Commission's work illustrates how intense this concern can be. In 1976, Blue Cross-Blue Shield, in cooperation with the National Institute of Mental Health, the Civil Service Commission, and the American Psychiatric Association, initiated a study to monitor claims and assess the appropriateness of psychiatric services provided to members of the Blue Cross-Blue Shield Federal Employee Benefit Program. The study required a form containing detailed psychiatric information to be submitted along with the standard claim for reimbursement under the program. The outcry was immediate. Claimants feared that the details of their illness and treatment would find their way into Federal personnel files. Phone calls and letters to local public-interest groups, to the press, to the Congress, and to the Privacy Commission caused Blue Cross-Blue Shield to reconsider the need for some of the most objectionable items of information. Bowing to pressure from Congress and the threat of a lawsuit, Blue Cross-Blue Shield has since developed a new reporting form. Meanwhile, however, some unknown number of Federal employees failed to file such claims for fear of losing jobs or security clearances.

One must ask whether such a public outcry would have resulted from a request for detailed information about disorders other than psychiatric ones. Because of the social stigma attached to mental and nervous disorders in our society, even the fact of admission to a psychiatric hospital or disclosure of the name of the attending physician in a general hospital can have untoward consequences for an individual.

The former Chairman of the American Psychiatric Association Task Force on Confidentiality, told the Commission that his colleagues "are all minimizing the amount of information that goes into the chart to protect the patient."34 The Joint Commission on the Accreditation of Hospitals, in recognition of the extraordinary sensitivity of psychiatric records, has recommended special procedures for filing, storing, and providing authorized access to them.35

Psychiatric records are not the only concern, however; other medical records are also considered to be particularly sensitive. In recent years special Federal statutes have been enacted governing the disclosure of medical-record information pertaining to alcohol and drug abuse.36 The National Center for Health Statistics attributes the unreliability of its data on the incidence of venereal disease to physicians' refusal to make the required reports, fearing, for their patients, the social stigma that attaches to these conditions.37 Nor does this exhaust the list of examples. Still others can be found in the growing literature on medical record-keeping practices and problems.38

Moreover, it is not clear that the nature of a patient's condition is the only factor that arouses anxiety about disclosure and its possible consequences. Because of the deference paid to expert opinion in our society, a physician's offhand comment or speculation about a patient can be taken as an authoritative statement by those making non-medical decisions about the patient. A 1974 article in a journal published by the American Medical Association describes a case in which a physician's discharge report to an employer contained a statement that the patient might have difficulty with money.39 Although hardly a medical judgment, the remark permanently limited the individual's opportunities to advance in his firm. The co-director of a women's health center in Los Angeles gave the Commission still another illustration:

The woman was hospitalized for an acute infection. While in the hospital, she was sent from her own room to the X-ray department, some distance away in the hospital. She was given her medical records, sealed in a manila envelope, and told to walk over to the Xray department. On her way to X-ray, curiosity got the best of her and she opened the envelope to have a look at her condition via the medical record. She was astonished to see more information written in her record about the appearance of the friends who came to visit her in the hospital than about her medical condition.40

Whether such information had been or would be disclosed outside the hospital was not clear. Yet, the fact that it was in the record, the fact that it could have been disclosed, and the fact that the patient would normally have no way of knowing it was there, suggest why the medical-care relationship can be an extremely fragile one today.

One tends to forget that a patient usually has no way of knowing what is in a medical record about him, no way of controlling the accuracy or pertinence of the information it contains, and by and large no alternative but to allow others to have access to it when they ask permission to do so. As indicated earlier, consent to the disclosure of medical-record information about oneself is rarely voluntary. Usually the choice is between signing an authorization statement and foregoing a job or some indispensable service or benefit.41 Under such circumstances an authorization can serve as a means of controlling the disclosure of information about oneself but never as a means of giving voluntary consent, and it can only serve as a means of control if the patient knows what it is he is authorizing to be disclosed. He rarely does, however. Just as custom prescribes an ethical duty of confidentiality for the medical-care provider, so also custom prescribes that the patient shall know nothing that is in the medical record except to the extent that the maker of the record chooses to tell him.

There is, of course, little consensus among medical professionals as to whether a patient should be allowed to learn the contents of his medical record and less as to whether he should be able to see and copy it. Forceful arguments for and against were presented in testimony before the Commission. The fears expressed by private-sector physicians and medical-care institutions were not unlike those of their Federal counterparts before the Privacy Act went into effect-fears which, by and large, have not been supported by experience. For example, one of the most commonly cited arguments in opposition to patient access is that it will lead to tremendous numbers of requests for records and thus greatly increase administrative costs while taking clerical and professional time to search for, prepare, and review records. Yet this has not been the case. A representative of the Health Services Administration of the Public Health Service testified that out of a total estimated patient population of five million, requests for records by patients from the Bureau of Medical Services and the Indian Health Service have so far numbered around 3,000.42 The Deputy Assistant Secretary of Defense for Administration provided no data on the numbers of requests for access to records but noted that only 20 requests for correction of medical records were received in a ten-month period by Department of Defense medical facilities.43 The Administrator of St. Elizabeths Hospital, a large federally run psychiatric facility in Washington, D.C., estimated the number of requests for patient access during the first three months after the Privacy Act took effect at about 63.44

Others argue strongly for allowing an individual to have access to a medical record through a licensed physician designated by him, and still others express concern that patient access would have a detrimental effect on the content of the medical record itself. Nonetheless, the Director of the Public Health Service's Bureau of Medical Services told the Commission that the Privacy Act had the positive effect of encouraging physicians to record only information useful for patient care.45

Indeed, in the final analysis, the most persuasive line of reasoning favoring access turned on the concept of authorization. So long as it is thought acceptable, or even necessary, for an individual's past or present medical condition to be taken into account in making non-medical decisions about him, he will be asked to allow others to have access to his medical records or at least some of the information in them. As a practical matter, however, his authorization allowing such access by a third party will be meaningless so long as he does not know, and cannot find out, what is in the records. Both theoretically and practically, authorization is a meaningless procedure unless the individual knows what he is authorizing to be disclosed.

Finally, although much of the preceding discussion is focused on paper records, it is important to recognize that significant changes are occurring, both in the way information is organized in medical records, and in the way medical records are stored and retrieved. The "problem-oriented medical record" is perhaps the most important and widely accepted of recent attempts to standardize medical-record format. It allows all medical professionals involved in an individual's care to enter data and record observations on the same forms in the same manner. The problem-oriented format is adaptable to all medical-care settings from the physician's private office to the long-term chronic disease facility. More important, its standardized format lends itself easily to computerization and it was, in fact, initially developed with that purpose in mind.

Computerization of medical records in contrast to medical-record information is not a common phenomenon today. As hospitals and other larger medical facilities acquire and use computers for business office functions, however, a move toward computerization of the medical record itself becomes almost inevitable. A survey of some 6,000 hospitals conducted by the American Hospital Association in 1975 indicated that approximately 1,500 had in-house computers,46 and the number undoubtedly has increased in the last two years with the advent of mini-computers and the growing experimentation with hospital information systems. Moreover, as Westin has pointed out in a study conducted for the National Bureau of Standards,47 the flow of medical-record information between hospitals and third-party payers is already heavily automated and likely to become more so.

While this study showed that computerization has not yet led to greater collection of information or wider sharing of confidential records than heretofore prevailed in medical practice, it concluded that the creation of large automated information systems poses new problems and opportunities from a privacy protection viewpoint. The problems are centered around the need to spell out the rules under which personnel within a medical-care institution shall have access to all or part of an automated medical record and the necessary levels of physical security for automated records containing especially sensitive information (such as psychiatric records). The opportunities arise from the fact that an automated record can be adapted to a need-to-know policy more easily than a manual record.

These two trends-changing conceptions of the medical record and increasing automation-are important forces behind the Commission's conviction that now is the proper time to establish privacy protection safeguards for medical records that will enhance the integrity, and thus the efficacy, of the medical-care relationship.


The Commission's inquiry into the creation, maintenance, use, and disclosure of medical records and medical-record information led it to six basic conclusions.

First, medical records now contain more information and are now available to more users than ever before.

Second, the control medical-care providers once exercised over information in medical records has been greatly diluted as a consequence of specialization within the medical profession, population mobility, third party demands for medical-record information, and the increasing incidence of malpractice suits.

Third, the comparative insulation of medical records from collateral uses, normal even a decade ago, cannot be entirely restored. Indeed, it appears that the importance of medical-record information to those outside of the medical-care relationship, and their demands for access to it, will continue to grow. Moreover, owing to the rising demand for access by third parties, coupled with the expense of limiting disclosure to that which is specifically requested by the non-medical user, there appears to be no natural limit to the potential uses of medical-record information for purposes quite different from those for which it was originally collected.

Fourth, as third parties press their demands for access to medicalrecord information, the concept of consent to its disclosure, freely given by the individual to whom the information pertains, has less and less meaning. When an individual must choose between signing an authorization form and foregoing employment or insurance or public assistance, one cannot realistically speak of his signing voluntarily. This is not to say that authorization procedures are useless; to the contrary, they are essential instruments of control over the content and subsequent use of what is disclosed. In many situations, however, they should no longer be construed as evidence of consent freely given.

Fifth, although the content of a medical record is becoming harder to control at the same time that the number and kind of decisions in which it figures is growing, it is still rare for an individual to be allowed to see, much less copy, a medical record pertaining to himself or to check the accuracy, timeliness, or completeness of the information it contains.

Sixth, there are steps that can and should be taken: (a) to improve the accuracy, timeliness, and completeness of the information in a medical record; (b) to enhance the individual patient's awareness of the content and uses of a medical record about himself; and (c) to control not only the amount and type of information that is disclosed to other types of users, but also the conditions under which such disclosures are made.

The recommendations presented below are the Commission's answer to a balanced delineation of these steps. As with the Commission's other recommendations, they have three objectives: (1) to minimize intrusiveness; (2) to maximize fairness; and (3) to create a legitimate, enforceable expectation of confidentiality. Unlike the Commission's other recommendations, however, the recommendations set forth below are expected to have their greatest influence outside the medical-care relationship. For example, the Commission's recommendations are not focused on the intrusiveness of the medical-care relationship per se, but rather on the intrusiveness that can result from others being able to take advantage of the unusual extent of divulgence and recording of observations that the medical-care relationship entails. Similarly, the Commission's recommendations for letting the patient see, copy, and correct or amend his records are not primarily aimed at the consequences of inaccuracies or other deficiences in the records when used by a medical-care provider working within the context of the medical-care relationship.

The Commission has been moved to recommend rights of access and correction for the patient in recognition of the harm that can befall him as a consequence of inaccurate, obsolete, or incomplete medical-record informa tion being available for use in the context of relationships he has with other kinds of record-keeping institutions. While the Commission is aware of the argument that giving a patient the right to review, discuss, audit, and obtain a copy of his medical record can have therapeutic value,48 it does not consider the decision-making uses of medical records within the confines of the medical-care relationship to be within its competence. In fact, only in the confidentiality area do the Commission's recommendations speak directly to the dynamics of the medical-care relationship, but again, only as those dynamics are affected by the lack of a legitimate, enforceable, expectation of confidentiality.


The Commission considered several ways in which its medical-record recommendations might be implemented and enforced. The alternatives considered ranged from a wholly voluntary approach to Federal legislation which, like the 1974 Drug Abuse and Alcoholism statutes,49 would make compliance with the recommendations a requirement attached to the direct or indirect receipt of Federal funds. Ultimately, however, the Commission settled on an intermediate strategy of giving medical-care institutions the responsibility for seeing that the requirements are met as a condition of qualifying for Medicare or Medicaid reimbursement. Private practitioners would not have to meet these requirements, since under current law they are not subject to the qualification standards that apply to medical-care institutions. Nonetheless, as it becomes necessary for private practitioners to qualify for Federal reimbursement, either through expansion of existing regulations, or through other developments looking toward a national health insurance scheme, they, too, would be covered by the recommended measures.

The Commission believes that this strategy allows time and opportunity for the orderly resolution of differences between the institutionalized medical-care relationship and the private practitioner relationship, differ ences that directly affect the content and handling of medical records. Moreover, to begin with the institutional relationship is to begin where the greatest problems appear to exist at the present time.

Accordingly, the Commission recommends:

Recommendation (1):

That the Congress, through amendment of the Social Security Act, authorize the Secretary of Health, Education, and Welfare to promulgate regulations requiring:
(a) that medical-care providers whose services are paid for directly or indirectly under Titles XVIU and XIX of the Social Security Act develop specific procedures for implementing Commission Recommendations (6), (7), (9), (10), (11), (12), (13), and (14);
(b) that such providers be required to show evidence of compliance with these recommendations as a condition of participation in the Medicare and Medicaid programs; and
(c) that all records of surveys of compliance with the procedures developed pursuant to the Commission's recommendations be a matter of public record and open to public inspection, provided, however, that the names or other identifying particulars of patients are deleted prior to public release.

This recommendation builds on existing regulatory mechanisms and current certification and accreditation processes. Subparagraph (c), however, goes beyond current practice regarding surveys carried out by the Joint Commission on the Accreditation of Hospitals (JCAH). Whereas surveys of Federal facilities and of institutions other than JCAH-accredited hospitals are open to public inspection under the Federal Freedom of Information Act, the results of JCAH surveys of medical-care institutions, by law, are not. Thus, unless the law were changed to provide for public inspection of those portions of a survey having to do with Title XVIII and Title XIX privacy protection requirements, the public would have no knowledge of hospital compliance. As repeatedly emphasized throughout this report, openness as to information policies and practices and accountability for such policies and practices are two of the most important protections for personal privacy. Both these protections would be absent if JCAH survey reports were allowed to remain secret.

The need for subparagraph (c) points up the major disadvantage of relying exclusively on the existing Title XVIII and Title XIX regulatory mechanisms; no actionable rights for individuals will be created as a result. Enforcement will depend solely on the effectiveness of certification and accreditation procedures, and the ability of individuals, as individuals, to induce the Department of Health, Education, and Welfare to investigate specific cases and institute sanctions where an institution has failed to discharge its responsibilities. In Chapter 9 on the education relationship, the deficiences of this type of approach are described, from the sanctioning agency's point of view as well as from the individual's. Hence, as a corollary to the action it urges on the Congress, the Commission also recommends:

Recommendation (2):

That each State enact a statute creating individual rights of access to, and correction of, medical records, and an enforceable expectation of confidentiality for medical records consistent with Commission recommendations in these areas.

The Commission strongly urges that the National Commission on Uniform State Laws, or another body of comparable mission and expertise, develop model State statutes that will provide for the individual a right to sue for access to a medical record about himself, to correct or amend erroneous, misleading, or incomplete information in a medical record, and a right to hold a medical-care provider responsible if it can be shown that the provider has not exercised reasonable care in protecting the confidentiality of the medical records it maintains about him. In addition, the Commission would urge that such statutes create a limitation of liability to protect the medical-care provider against actions brought for defamation, invasion of privacy, or negligence when a medical record or medical-record information is released pursuant to the requirements of the statute or to the DHEW regulations proposed in Recommendation (1), above. False information furnished with malice or willful intent to injure an individual would, of course, not be covered by such limitation.

Recognizing that there will be some medical-care providers that will not be subject to Medicare and Medicaid regulations, or, at least for a time, to State statutory requirements, the Commission also recommends:

Recommendation (3):

That any medical-care provider not subject to either of the Commission's two general recommendations on implementation voluntarily establish procedures to comply with the specific recommendations set forth below.

Finally, in light of the evidence presented to the Commission concerning the surreptitious acquisition of medical-record information from medical-care providers, the Commission recommends:

Recommendation (4):

That Federal and State penal codes be amended to make it a criminal offense for any individual knowingly to request or obtain medicalrecord information from a medical-care provider under false pretenses or through deception.

Safeguarding the confidentiality of medical records is properly the responsibility of the medical-care provider maintaining them. Yet, as noted earlier, at least one firm has specialized in obtaining medical-record information through subterfuge and was reported to have been successful in more than 90 percent of its attempts.50 Indeed, the breaches of medicalrecord security which have come to the public's attention in the last few years have been dramatic and unsettling. The break-in at the offices of Daniel Ellsberg's psychiatrist, the publicizing of Senator Eagleton's past medical history, and the recent exposure of the theft of information by Factual Service Bureau are but three examples of blatant disregard for the confidentiality of medical records. Under these circumstances, to place the full onus of responsibility for the protection of medical records on the medical-care provider seems to the Commission to be unrealistic. Its responsibility must be reinforced by sanctions against the deceptive acquisition or theft of medical-record information.


Inasmuch as the Commission has no recommendations that bear directly on the intrusiveness of the medical-care relationship itself, its first set of specific recommendations concerns fairness. The measures recom mended here prescribe procedures for allowing a patient to see, copy, and correct or amend a medical record pertaining to himself, and for placing limits on the circulation of medical-record information within the immediate medical-care setting. Measures are also recommended to reinforce the expectation of confidentiality in the medical-care relationship by placing limits and conditions on those, other than a medical-care provider, who may acquire and use the information contained in a medical record.



As noted earlier, one of the issues on which medical-care providers are least in agreement is whether a patient should be allowed to see and copy a medical record about himself. Nine States currently grant a patient the right to inspect and, in some instances, obtain copies of his medical records. Colorado clearly has the most liberal statutes in that they apply not only to hospital records, but also to records kept by private physicians, psychologists, and psychiatrists. The Colorado statutes grant the patient the right to obtain a copy of his records for a reasonable fee, without resort to litigation, and without the authorization of physicians or hospital officials.51 An Oklahoma statute permits the patient to inspect and copy his medical records in both the hospital setting and the physician's office.52 The difference between the Oklahoma and Colorado laws lies in the status of psychiatric records. Colorado provides for patient access to psychiatric records following termination of treatment, while Oklahoma excludes psychiatric records altogether.

Other States recognize a much narrower right of access. Florida law gives the patient the right to obtain copies of all reports of his examination and treatment, but applies only to records maintained by physicians, with no mention of hospital records.53 By contrast, the statutes of Connecticut, Indiana, Louisiana, and Massachusetts cover only a hospital record, and make no mention of records maintained by physicians.54 Mississippi and Tennessee require the patient to show good cause before he can have access to his hospital records.55 Ten States (Illinois, Maine, Missouri, Montana, Nevada, New Jersey, New Mexico, North Dakota, Utah, and Wisconsin) have vaguely worded statutes or regulations56 that allow a patient, relative, physician, or attorney access to the patient's medical records. Of these 10 states, Nevada and New Mexico apply only to mental-health records. In New York, the patient need be shown only enough of the hospital record to indicate which physicians have attended him,57 and in Ohio the hospital determines how much of the medical record the patient may see.58 In Arizona the administrator or attending physician must consent before a patient can inspect his hospital records 59

In several other States legislation is now pending that would create a right of access for a patient similar to the one provided by the Privacy Act of 1974, i.e., a right to see and copy a medical record about oneself except in special situations.

The subsection of the Privacy Act that specifically refers to medical records states:

In order to carry out the provisions of this section, each agency that maintains a system of records shall promulgate rules . . . which shall . . . establish procedures for the disclosure to an individual, upon his request, of his record or information pertaining to him, including special procedures, if deemed necessary, for the disclosure to an individual of medical records, including psychological records pertaining to him. [5 U.S.C. 552a(f)(3)J

The Office of Management and Budget guidelines for implementing the Privacy Act quote the legislative history of this provision as follows:

If in the judgment of the agency, the transmission of medical information directly to a requesting individual could have an adverse effect upon such individual, the rules which the agency promulgates should provide means whereby an individual who would be adversely affected by receipt of such data may be apprised of it in a manner which would not cause such adverse effects.60

While the Privacy Act recognizes an individual's undeniable right to see and copy a medical record about him maintained by a Federal medicalcare facility, it clearly allows special procedures where direct access could be harmful to him. The guidelines are vague about when special procedures are justified and silent about what they may be. Thus, it should not be surprising that the special procedures developed by the different agencies are not the same.

The Department of Health, Education, and Welfare has the most liberal procedures, providing for indirect access to records through a responsible individual, not necessarily a medical professional, designated by the patient. The Department of Defense procedure requires that arrangements be made for release of the record to a physician of the patient's choice. The Veterans Administration takes a middle ground, requiring that medical records containing "sensitive information" be "referred to a physician or other professional person with the necessary professional qualifications to properly interpret and communicate the information desired." The one caveat provided is that the selectee must either meet VA professional standards or be licensed in the appropriate professional specialty.61

The Commission's hearings failed to produce evidence that one procedure was more effective than another in protecting patients from any adverse consequences that might result from obtaining their medical records. Not one witness was able to identify an instance where access to records has had an untoward effect on a patient's medical condition. While the Department of Defense special procedure is clearly the most restrictive, DOD representatives estimated that the Department had released a record to a physician, rather than to the individual directly, in less than one percent of the cases where access had been requested.

The Commission considered a number of proposals for a special procedure to be followed when direct access might harm the patient. Some of these would stop short of the DHEW procedure allowing release of the record to any responsible person the patient may designate, whether the designee is a medical professional or not. Others would leave the patient's see-and-copy right unrestricted with respect to any information in his medical records that had been or might be disclosed for use in making nonmedical decisions about him, but would prescribe special procedures in specified instances (e.g., psychiatric or terminal illness) when there is no possibility of such disclosure to third parties. In the end, however, the Commission concluded that no solution would be acceptable in the long run so long as it risks leaving the ultimate discretion to release or not to release in the hands of the patient's physician. In situations where the keeper of a medical record believes that allowing the patient to see and copy it may be injurious to the patient, the Commission concluded that it would be reasonable for the record to be given to a responsible person designated by the patient, with that person being the ultimate judge of whether the patient should have full access to it. In no case, however, should the physician or other keeper of the record be able to refuse to disclose the record to the designated responsible person, even where it is known in advance that the designated person will give the patient full access to it. Accordingly, having weighed the evidence before it, and having considered the arguments pro and con, the Commission recommends:

Recommendation (5):

That upon request, an individual who is the subject of a medical record maintained by a medical-care provider, or another responsible person designated by the individual, be allowed to have access to that medical record, including an opportunity to see and copy it. The medical-care provider should be able to charge a reasonable fee (not to exceed the amount charged to third parties) for preparing and copying the record.

Although this recommendation stops short of guaranteeing that the patient will be allowed to see and copy everything in every medical record about him, it leaves the designee the option of giving the patient this guarantee. The Commission believes that the measure will encourage medical-care providers themselves to release records to patients whenever they can possibly do so in good conscience. In some sense, the recommended procedure harkens back to the time when family members and friends played a much larger role in patient care than they normally do today. In any case, it gives most patients a way of finding out what is in their medical records, and of knowing what others can learn about them from those records.

This discussion would be incomplete without a word about access to medical records by patients who are minors. As noted in Chapter 11 on the public assistance and social services relationship, most of the comments submitted to the Commission urged that a minor patient be given access to medical records concerning treatment he has sought on his own behalf, if State law permits him to obtain such treatment without the knowledge or consent of his parents. State laws usually deal with this question in connection with venereal disease, drug or alcohol abuse, pregnancy, and family planning, including abortion. The Commission believes that in these instances only the minors (and not their parents or guardians) should be given access to such records or portions of records so as not to discourage them from seeking necessary treatment.

The fee provision also raises a minor problem. Recommendation (5) would allow the medical-care provider to charge the individual a preparation or copying fee consistent with the fees it charges others for such services. This could mean anything from $1 to several hundred dollars. Obviously, the Commission would not want the right to see and copy a medical record to become a prerogative of the well-to-do, and thus urges medical-care providers to develop fee schedules flexible enough to match the varying financial circumstances of patients.


Elsewhere in this report the Commission recommends measures to assure an individual's right of access to a record maintained about him by an insurer, self-insurer, or insurance-support organization and further, that he be able to obtain on request a copy of all the information that served as the basis for an adverse insurance decision about himself. In another chapter, the Commission recommends that an employer voluntarily establish procedures whereby an individual can gain access to records the employer maintains about him. In the chapter on Public Assistance and Social Services, the Commission recommends enactment of a Federal statute requiring that the States, in turn, enact statutes permitting individuals to have access to records maintained by a public assistance or social service agency.

In all three instances, some of the records to which the individual would be given access are, or contain, medical-record information. The Commission would prefer that such third-party holders of medical-record information not distinguish it from any other information the individual asks to see and copy. The Commission recognizes, however, that as a practical matter an individual may not always find a medical record or a copy of medical-record information informative unless a medical professional interprets its technical language for him, and third-party keepers of medical-record information may not be able to provide such assistance. Thus, with respect to medical-record information, the Commission recommends:

Recommendation (6):

That upon request, an individual who is the subject of medical-record information maintained by an organization which is not a medicalcare provider be allowed to have access to that information either directly or through a licensed medical-care professional designated by him.

It must be noted that this recommendation does not fall within the primary implementation strategy contained in Recommendations (1), (2), and (3) above. In the case of insurance institutions and insurance-support organizations, it would become part of the recommended general and specific rights of access to records to be established by Federal statute. In the private-sector employment situation, it would be implemented voluntarily by the employer. In the public assistance and social services area, it would become a right provided by State statute which, if the Commission's recommendations were followed exactly would have to distinguish between the social-services provider who is a medical-care provider-properly subject to the requirements of Recommendation (5) -and the social-services provider who is not a medical-care provider but who uses medical-record information. As to the latter, the statute should guarantee direct access lest it retreat from the current practice of allowing an individual to see, before or during a hearing, information used to make an adverse eligibility determination about him. (See Chapter 11.)


A main premise of a privacy protection policy is that an individual should be able to review the records made by others of information he has divulged, or has permitted to be divulged, and to correct any errors or amend any inadequacies in them. This premise is no less important for medical records than for other types of records, although much of the information in a medical record is put there by medical professionals. The individual may provide information, but he rarely enters it directly into the record; the medical professional normally does that. Thus, even with the most conscientious record keeping, there are ample opportunities for errors of fact or interpretation to creep into a medical record.

Within the medical-care relationship itself, such errors can usually be corrected before they do any harm. Once information has been disclosed to someone outside the relationship, however, not only is correction or amendment more difficult but the consequences of errors become increasingly difficult to avoid or reverse. This becomes a particular danger when, as previously noted, offhand comments and speculations which are irrelevant to a patient's medical history, diagnosis, condition, treatment, or evaluation are set down in medical records that become available for use in making a non-medical decision about him. Furthermore, while it is true that some portion of the information in a medical record may be beyond the patient's comprehension, not all of it will be. Accordingly, in recognition of the fact that the circulation of erroneous, obsolete, incomplete, or irrelevant medical-record information outside the confines of the medical-care relationship can bring substantial harm or embarrassment to the individual concerned, the Commission recommends:

Recommendation (7):

That each medical-care provider have a procedure whereby an individual who is the subject of a medical record it maintains can request correction or amendment of.the record. When the individual requests correction or amendment, the medical-care provider must, within a reasonable period of time, either:

(a) make the correction or amendment requested; or
(b) inform the individual of its refusal to do so, the reason for the refusal, and of the procedure, if any, for further review of the refusal.

In addition, if the medical-care provider refuses to correct or amend a record in accordance with the individual's request, the provider must permit the individual to file a concise statement of the reasons for the disagreement, and in any subsequent disclosure of the disputed information include a notation that the information is disputed and furnish the statement of disagreement. In any such disclosure, the provider may also include a statement of the reasons for not making the requested correction or amendment.

Finally, when a medical-care provider corrects or amends a record pursuant to an individual's request, or accepts a notation of dispute and statement of disagreement, it should be required to furnish the correction, amendment, or statement of disagreement to any person specifically designated by the individual to whom the medical-care provider has previously disclosed the inaccurate, incomplete, or disputed information.

The requirement to furnish a correction, amendment, or dispute statement to such previous recipients as the individual may designate evolves from a concern that medical-record information disclosed to third parties be as accurate, complete, and timely as possible. To expect a medical-care provider to convey a correction; amendment, or dispute statement to all previous recipients of information from a record would impose an unreasonable burden on the provider; yet the Commission is concerned that some steps be taken to minimize the extent to which medical-record information may become a source of unfairness to an individual. Therefore, it has recommended that only those specifically designated by the individual be furnished with the details of the correction, amendment, or statement of disagreement. The Commission believes this approach represents a reasonable balance. Moreover, because Recommendations (10) and (14) below call for two types of accountings of disclosures (notations and retained authorization statements), the Commission would expect those accountings also to be available to the individual to help him to decide to whom corrections, amendments, or statements of disagreement should be sent.


As with its recommendations on patient access, the Commission also debated the correction, amendment, and dispute issues as they relate to keepers of medical-record information. The problem is largely one of information erroneously or incompletely reported by a medical-care provider, or erroneously copied or interpreted for or by the recipient. For example, an investigative-reporting firm under contract to an insurer may be authorized to acquire information from the physicians and hospitals named on an individual's insurance application. If the investigative firm representative makes a mistake in copying information from a medical record, neither his firm nor the insurer has any way of knowing it unless and until the error precipitates an adverse insurance decision and perhaps not even then. Even if the error is detected later, the information may have been disclosed in the meantime to other insurers (with the- individual's authorization), or to the Medical Information Bureau where it will be retained, and thus constitute a potential problem for the individual for many years.

The Commission recognizes that the number of mistakes of this sort can be minimized by having a medical-care professional review and interpret records for agents of third parties, or by using photocopying techniques. Not all medical records today can be organized to allow easy photocopying, however, and at the same time assure that the inquiring third party receives only as much information as the individual has authorized it to receive. Nor is it always possible to have a professional available when records are reviewed by third parties. Thus, in some unknown number of cases, either a medical professional will have to prepare special reports for the ultimate recipient-in this example, the insurer-or a certain amount of hand copying by persons who are not medically trained will unavoidably continue. Even when a medical record can be photocopied without revealing more information than is meant to be disclosed, there is the danger that the third party representative making the copy will overlook portions of the record which, if known, would alter the insurer's decision.

The simplest solution would, of course, be to allow the individual to correct or amend medical-record information where it rests, in the files of the recipient-user. Yet the simplest solution is not always the most practical one. The insurer (or employer, or whoever the third-party record holder happens to be) may elect not to give the individual direct access to medicalrecord information about himself. Recommendation (6), it will be remembered, gives the third-party record holder the option62 of disclosing medicalrecord information either to the individual to whom it pertains, or to a licensed medical professional whom the individual designates. Hence, there may be no way for the third-party holder to cope with a correction or amendment request without, in effect, giving up its option to deal with the individual through a designated professional.

Moreover, despite what has been said about the tendency of some medical-care providers to record irrelevant information, it must be remembered that the medical record is a document to which unusual attention is given because it is created by persons who have special expertise. If an insurer could have confidence in an individual's own description of his medical situation, there would be no need to acquire information in his medical records. The insurer, however, cannot assume that the individual is either qualified or motivated to give an accurate description. The fact that the insurer cannot rely on the individual in this matter is both the reason why the insurer seeks to acquire medical-record information and the reason why the individual's claim that the information obtained is erroneous or otherwise inadequate cannot be taken at face value.

It may also happen that the medical-care provider who originally provided the contested information can no longer be consulted; for example, a physician may have retired, died, or moved out of reach, or the provider may simply not be willing to acknowledge that an error was made. In such situations, the Commission believes that the third-party holder of the allegedly inaccurate information should afford the individual a way of entering his corrections into the record as long as it also indicated that the changes were made without the concurrence of its original source. Accordingly, the Commission recommends:

Recommendation (8):

That when an individual who is the subject of medical-record information maintained by an organization whose relationship to the individual is not that of a medical-care provider requests correction or amendment of such information, the organization should disclose to the individual, or to a medical-care professional designated by him, the identity of the medical-care provider who was the source of the information; and further,

That if the medical-care provider who was the source of the information agrees that it is inaccurate or incomplete, the organization maintaining it should promptly make the correction or amendment requested.

In addition, a procedure should be established whereby an individual who is the subject of medical-record information maintained by an organization whose relationship to him is not that of a medical-care provider, and who believes that the information is incorrect or incomplete, would be provided an opportunity to present supplemental information, of a limited nature, for inclusion in the organization's record, provided that the source of the supplemental information is also included in the record.


In other chapters of this report, the Commission considers various potential sources of unfairness to the individual when information is being used for the purposes for which it was collected. The Commission does not believe it necessary to do so here because institutional providers of medical care have traditionally given priority to protecting the individual in their own uses of patient records.63 The several organizations in the field of medical records management are far more competent than the Commission to make judgments and recommend rules as to the proper content of a medical record, its proper uses, and the types of users to whom it should or should not be disclosed within the framework of the medical-care relationship. Thus, in this chapter, the Commission confines its examination of information management within the medical-care relationship to one obvious area of concern: the medical-care provider's role in assuring that the patient's legitimate expectations of confidentiality are not breached as a consequence of negligence on the part of medical professionals themselves. The dramatic instance, previously cited, of the Factual Service Bureau's unauthorized access to hospital medical records clearly highlights hospital internal records management as a problem area, although laxity in hospital records-management procedures was only part of the problem in that instance.

Hospital records are routinely available to hospital employees on request. Most of these people are medical professionals who need such access in order to do their jobs, but not all of them are. Besides the physicians, psychologists, nurses, social workers, therapists, and other licensed or certified medical professionals and paraprofessionals, there are nearly always medical students and other people in training programs conducted either by the medical-care institution itself or affiliated with the institution. These people, too, have access to medical records for training or job-related purposes, as do non-professional employees and voluntary workers. In fact, one of the Factual Service Bureau sources was an employee in the administrator's office of a Denver hospital.

The more people there are who have access to a medical record, the more people there are who can be approached by a firm like Factual Service Bureau. Since the patient cannot control access to or use of records about him within a medical-care institution, it follows that the responsibility for protecting the record from such abuse must be assumed by the institution. Thus, the Commission recommends:

Recommendation (9):

That each medical-care provider be required to take affirmative measures to assure that the medical records it maintains are made available only to authorized recipients and on a "need-to-know" basis.

Requiring the patient's authorization each time an employee of the institution needs access to his medical record would be impractical. The team approach to treatment demands that the professional staff have ready access to patient records. Employees whose functions are purely administrative or custodial, however, need access to only some of the information in a patient's record, for example, name, address, and whatever other information may be essential for preparing and submitting bills and claims or statistical and management reports. These employees do not need, and should not have, free access to detailed clinical information about patients.

The Commission urges accrediting bodies, licensing agencies, and professional associations to take the lead in establishing guidelines for affirmative measures to protect hospital medical records from unauthorized access. Affirmative measures might include routine call-back to verify the validity of telephone requests for records, requiring staff members and employees who request information or records from the medical-record department to identify themselves, prompt dismissal of any employee who violates the confidentiality of medical-record information, and a program to instruct new employees in the hospital's confidentiality policies.

Expectation of Confidentiality


The American Hospital Association (AHA), like the American Medical Association (AMA), claims for its membership the right to decide when disclosure of a patient's medical record is necessary to protect the individual or the community. According to Hospital Medical Records, an AHA publication:

The medical record . . . is the property of the hospital, therefore, the hospital, subject to applicable legal provisions, may restrict the removal of the record from the medical-record files or hospital premises, determine who may have access to it, and define the kind of information that may be taken from it.64

Although courts have found the disclosure of medical-record information by a physician to be actionable in a number of different cases, they have also consistently held that such disclosures are justifiable if they are made either in the best interest of the patient or to foster a supervening societal interest. An individual can clearly bring suit against a physician and probably against any other medical-care professional for disclosing information in a medical record about him without his authorization, but he is likely to lose. Indeed, in one case involving the unauthorized disclosure of derogatory psychiatric information, a court went so far as to affirm that . . . the responsibility of the doctor to keep confidences may be outweighed by a higher duty to give out information even though defamatory . . , ."65

Spokesmen for the medical-care professions argue that their discretion in making disclosures of the information in medical records is not a significant source of abuse. While the Commission is inclined to agree, the individual cannot rely on his expectation of confidentiality in any recordkeeping relationship unless the restraints on disclosures are known, as the Commission argues in Chapter 9. As long as record keepers have complete discretion in making disclosures, the individual can have no basis for an expectation of confidentiality. Even if all record keepers were equally aware of their confidentiality obligation and equally conscientious in discharging it, the individual could not tell just what to expect since their perceptions of what the obligation entails would not necessarily be the same. Record keepers need not be denied all discretion in the matter; if enforceable limits are set on their discretion, the individual can build an expectation of confidentiality that corresponds with those limits.

Enforceable limits on voluntary disclosures of confidential information have advantages for the record keeper as well as for the individual. In fact, without them, both are often hard put to refuse demands for disclosure, and virtually helpless when the demand is part of a compulsory process. The Commission believes that the medical-care relationship in America today is becoming dangerously fragile as the basis for an expectation of confidentiality with respect to records generated in that relationship is undermined more and more. A legitimate, enforceable expectation of confidentiality that will hold up under the revolutionary changes now taking place in medical care and medical record-keeping needs to be created and the Commission therefore recommends:

Recommendation (10):

That each medical-care provider be considered to owe a duty of confidentiality to any individual who is the subject of a medical record it maintains, and that, therefore, no medical care provider should disclose, or be required to disclose, in individually identifiable form, any information about any such individual without the individual's explicit authorization, unless the disclosures would be:
(a) to another medical-care provider who is being consulted in connection with the treatment of the individual by the medicalcare provider;
(b) to a properly identified recipient pursuant to a showing of compelling circumstances affecting the health and safety of an individual provided that:
(i) an accounting of any such disclosure is kept; and
(ii) the individual who is the subject of the information disclosed can find out that the disclosure has been made and to whom it has been made;
(c) for use in conducting a biomedical or epidemiological research project, provided that the medical-care provider maintaining the medical record:
(i) determines that such use or disclosure does not violate any limitations under which the record or information was collected;
(ii) ascertains that use or disclosure in individually identifiable form is necessary to accomplish the research or statistical purpose for which use or disclosure is to be made;
(iii) determines that the importance of the research or statistical purpose for which any use or disclosure is to be made is such as to warrant the risk to the individual from additional exposure of the record or information contained therein;
(iv) requires that adequate safeguards to protect the record or information from unauthorized disclosure be established and maintained by the user or recipient, including a program for removal or destruction of identifiers; and (v) consents in writing before any further use or redisclosure of the record or information in individually identifiable form is permitted;
(d) for an audit or evaluation purpose specifically required by law, provided that an accounting of such disclosures is kept and the individual who is the subject of the information being disclosed can find out that the disclosure has been made and to whom;
(e) for an audit or evaluation purpose not specifically required by law, provided that:
(i) any further use or redisclosure of the information in individually identifiable form is prohibited;
(ii) adequate safeguards to protect the medical-record information from unauthorized disclosure are established by the user or recipient including a program for removal or destruction of identifiers;
(iii) an accounting of such disclosures is kept and the individual who is the subject of the information being disclosed can find out that the disclosure has been made and to whom;
(f) pursuant to a statute that requires the medical-care provider to report specific diagnoses to a public-health authority, and the individual is notified of each such disclosure;
(g) pursuant to a statute that requires the medical-care provider to report specified items of information about the individual to a law enforcement authority, and the individual is notified of each such disclosure;
(h) limited to location and status information (such as room number, dates of hospitalization, and general condition) provided that:
(i) the patient or his authorized representative does not object to the disclosure; and
(ii) such disclosure is limited to items specified in the general notice to the individual called for in Recommendation (12); or
(i) pursuant to a lawful judicial summons or subpoena consistent with the recommendations of the Commission on government access.

The recommended duty of confidentiality would be established in the first instance through regulations promulgated by the Department of Health, Education and Welfare. To make the duty fully effective, however, it should be adopted by statutory enactment in each of the 50 States. If this is not done the individual patient will be dependent on the medical-care provider to protect him against compulsory process and other demands for his medical records or he will have to rely on the Department of Health, Education and Welfare to act on his behalf when a provider violates its duty of confidentiality to him.

The Commission recognizes that a duty established by State statute will not in most cases be effective against any conflicting requirements of Federal agencies to disclose medical-record information in individually identifiable form as a condition of participation in a Federal program. Thus, the final test of society's desire to create a viable basis for legitimate expectations of confidentiality in records about individuals generated in the context of the medical-care relationship, as in other contexts examined in this report, will be its willingness to adopt the Commission's recommendations on government access set forth in Chapter 9.

Exceptions to the Duty of Confidentiality

As noted earlier, it is no longer possible to restore the comparative insulation medical records enjoyed even a decade ago. Exceptions allowing disclosure without the individual patient's authorization are necessary here, as elsewhere, in order to strike a balance between the individual's right to personal privacy and society's countervailing needs for information about his medical condition. The rationale for each of the exceptions in Recommendation (10) is explained below.

Disclosures to Other Medical-Care Providers

The first exception the Commission weighed concerns the disclosure of medical-record information between medical-care providers. Currently, it is by no means routine for a provider referring a patient to another provider to ask the patient's written authorization to disclose the pertinent medicalrecord information about him to the second provider. Inasmuch as the second provider is no doubt directly involved in the diagnosis and treatment of the patient, the patient's authorization properly may be assumed. The Commission agrees that this is a proper assumption. It does not, however, find the assumption proper when information in the medical record of a patient is disclosed to a medical-care provider who has not had, or is not being consulted in connection with, a therapeutic relationship with the patient. In such a case, respect for the patient's legitimate expectation of confidentiality demands that disclosure be made only with the patient's written authorization or pursuant to one of the other exceptions in Recommendation (10).

Disclosures to Protect Health or Safety

Exception (b) of Recommendation (10) recognizes that a medical-care provider clearly cannot be bound by a requirement to obtain the patient's authorization before disclosing medical-record information about him if such disclosure is necessary to avert or alleviate a serious threat to an individual's health or safety. Nonetheless, this exception is only justified by a compelling threat to someone's health or safety; a provider's desire to protect individuals' social or economic welfare or peace of mind is not enough. For example, a physician would not ordinarily be permitted to justify telling a patient's employer that the patient has cancer, although he might justify notifying an airline employer that a patient, who is one of its pilots, is suicidal.

Disclosures to Facilitate Research

Most medical-care providers routinely give medical professionals engaged in clinical or epidemiological research access to their patient records along with permission to abstract individually identifiable informa tion and exchange that information with other researchers. Patient authorization for such access by researchers is not usually sought. Although a researcher's obligation to obtain an individual's informed consent to participate in any study that may expose him to physical or psychological harm is widely recognized, the researcher's obligation to obtain the patient's permission to use information in records about him has always seemed less compelling. For one thing, the practical difficulties are considerable. Patients are difficult to locate, and if asked for an authorization might refuse, thereby skewing the results of the study in unknown ways. Insistence on patient authorization would make many important studies impossible. The recent search for the cause of the "Legionnaires' Disease," for example, would have been doomed at the start if the researchers had had to obtain authorizations before reviewing medical records. As it was, some victims were not traced until months after the event. The diethylstilbestrol (DES) follow-up studies described in testimony before the Commission66 are another example of epidemiological research that could hardly have been undertaken had the researchers been required to obtain patients' authorization prior to reviewing their medical records.

The research uses of medical records are not, however, without risk. As one witness told the Commission:

. . . a researcher was doing a follow-up study of people who had been enrolled in a methadone maintenance program . . . . The contractor had the name and address of one particular individual who had been enrolled in the program several years previously, and the contractor went to the individual's residence. It was a Saturday night and the person was having a party and the contractor said, "Hi, I am so-and-so from such-and-such an organization, and we are doing a follow-up study of patients who had been enrolled in the methadone maintenance program."67

Another such incident which came to the Commission's attention involved the recontact of patients who had received treatment at an abortion clinic. In both instances the recontacts were unwelcome, resented, and extremely embarrassing to the persons contacted.

Contacting individuals for follow-up information after reviewing their medical records poses a unique problem, illustrating the need for some minimum conditions on disclosure and use of individually identifiable records for research and statistical purposes. Exception (c) of Recommendation (10) makes the researcher who wants access to this kind of information accountable to the medical-care provider keeping the records and, through the provider, to the individuals concerned. Under this recommendation the researcher who wants access to medical-record information in individually identifiable form must show that he needs it for a worthwhile purpose; that access is vital to the fulfillment of that purpose; and that he can and will protect whatever expectation of confidentiality the patients had when the information was originally recorded. Recommendation (10)(c) comports with the Commission's recommendations in Chapter 15 pertaining to the disclosure and use of records about individuals for statistical or research activities funded in whole or in part by the Federal government.

Disclosures to Auditors and Evaluators

Exceptions (d) and (e) recognize that surveyors and reviewers regularly ask for and get access to medical records for such purposes as certifying the accuracy and adequacy of an institution's financial or administrative records; assessing the effectiveness of their medical, administrative, or financial management; and assuring their faithfulness to medical, legal, financial, and administrative standards. These examinations of records are part of the audits, certifications, accreditations, and licensure reviews and evaluations conducted by organizations like the Joint Commission on the Accreditation of Hospitals, Professional Standards Review Organizations, State and local public health departments, and other government agencies. While such activities clearly serve the interests of the public that receives and subsidizes medical care, the Commission sees no need for the reports of auditors and evaluators to identify any individual patient directly or indirectly, nor does the Commission see any reason why the individual should be deprived of the knowledge that auditors and evaluators have had access to his records, and thus of any recourse in the event he is harmed by the disclosures they may make of information about him. Exception (d) recognizes that when audits and evaluations are specifically required by law, the medical-care provider is in no position to impose conditions on how information obtained from the medical records it maintains will be treated. In such cases, moreover, any subsequent uses and disclosures would be subject to the Commission's government access recommendations in Chapter 9. Exception (e) deals with the situation where the medical-care provider can set conditions for disclosure and recommends what those conditions should be.

Disclosures Pursuant to Compulsory Reporting Statutes

The original purpose of the State statutes that require the reporting of specific diagnoses to public health authorities was to help control the spread of communicable diseases. Today, however, many States require that in addition to communicable diseases, cases of cancer and other environmentally and occupationally related diseases also be reported. Mandatory reporting of births and deaths is universal and, in addition, some States require that gunshot and stab wounds, cases of child abuse, and other violence-related injuries be reported to law enforcement authorities.

While a significant number of States that require the reporting of venereal disease restrict, to some degree, the permissible uses and disclosures of such reports, over half the States provide no statutory protection for them.68 One State which has such a reporting statute leaves it up to local health departments to decide whether such reports shall be open to public inspection, and another gives citizens the right to examine public records, including required reports of communicable diseases.69 Amendment of State statutes governing the use and disclosure of medical-record information obtained pursuant to public-reporting statutes is clearly the best way to prevent the irreparable harm to an individual that can result from misuse of such a report. Strengthening confidentiality protection would still not preclude the possibility that subsequent contact by agents of authorities to whom the information is properly reported will startle or embarrass an individual unnecessarily, particularly if the individual is not aware that a report was made. Thus, exemptions (f) and (g) require medical-care providers to notify an individual whenever information about him is disclosed pursuant to a public-reporting statute.

Disclosures to the Public

Many medical-care institutions that would under no circumstances divulge the details of a patient's diagnosis or treatment are quite comfortable about allowing the fact of admission, or the occurrence of a birth or death, to be publicized. It is normal hospital practice to tell anyone who inquires whether a patient has been admitted to a hospital and to indicate how serious the patient's current condition is.

In its Guide for Cooperation with Communications Media, the American Hospital Association takes the position that: The hospital has the . . . obligation of pointing out to the patient that his hospitalization is likely to become known and . . . public acknowledgement will usually be in his best interests . . . [to assure] that accurate information [about] his condition will come from an authorized source.70

The Commission, however, believes that an individual patient's desire not to have his admission and general condition known should be respected. Exception (h) provides for limited disclosure of location and status information while at the same time giving the individual who objects a way of making his wishes known and binding. Limiting what may be disclosed to items specified in the notice called for in Recommendation (11) not only gives an individual a means of deciding whether he wishes to object to any disclosure at all; it also reassures the individual who, while inclined not to object, is concerned about what may be disclosed if he takes no preventive action.

Disclosures Pursuant to Compulsory Process

A hospital or physician must surrender medical records or medicalrecord information when required by proper judicial process unless the disclosure is prohibited by statute. A psychiatrist testifying before the Commission urged the Commission to recommend a measure to protect patient records from indiscriminate court orders and subpoenas. He argued that information released pursuant to a court order or subpoena becomes a matter of public record; that grounds for issuing a subpoena are not always legitimate; and that not only patients but physicians and hospital officials are often so intimidated by the threatening documents they do not know they have legal rights against them. He recommended that at the very least subpoenas should include notification to the individual that he has a right to contest it, and how to do so.71

The Commission agrees strongly that an individual whose medical records have been subpoened should have an opportunity to be heard in court. It also recognizes that to provide that opportunity, existing Federal and State laws will have to be amended. Exception (i) represents the first step toward that end. Other steps are proposed in the Commission recommendations on government access in Chapter 9.


Medical professionals look upon the medical record as a tool of communication among themselves. It seldom crosses their minds that a patient's record may fall into the hands of someone who is neither trained to interpret it nor bound by the professional's

ethics. Moreover, when a medical professional discloses information in a patient's record outside the medical community, neither he nor the patient who may grant permission for its disclosure can fully anticipate the ways in which the information may figure in non-medical decisions made about the patient.

The Commission, as noted earlier, is neither mandated nor qualified to question a medical-care provider's prerogative of putting into a medical record any item of information whose inclusion is professionally defensible. If medical-care providers are to maintain that prerogative, however, and if others who do not have a medical-care relationship with the individual are to continue to benefit from the extraordinary degree of divulgence and observation the medical-care relationship can entail, it is essential that each disclosure of information from a patient's record, with or without patient authorization, be strictly limited to the particular information needed for the user's particular stated purposes. Medical-care providers breach the confidential nature of the medical-care relationship whenever they send a copy of a patient's entire medical record to an insurer or employer instead of completing the claims form provided, or abstracting the specific information requested. Photocopying technology, in general, and portable copying machines, in particular, make this practice widespread.

When the patient has authorized disclosures, the authorization statement proposed in Recommendation (13) below will encourage the medical-care provider to place limits on the amount of information disclosed. It has also been suggested that a way to control the flow of information into and out of hospitals and physicians' offices is to develop a basic uniform medical record that would make it possible to comply with utilization and quality-care review requirements without disclosing an unnecessary amount of detail. Such a standardized record, however, is a long way off. Therefore, given the individual's inability to be certain that the information disclosed is no more and no less than indicated on the authorization statement he signs, and given the fact that 2 certain number of disclosures will necessarily take place without his authorization, the Commission believes that implicit in the medical-care provider's duty of confidentiality is an affirmative responsibility to limit the disclosure of information in a medical record to only that information which is specified on the authorization form or required by law. Accordingly, the Commission further recommends:

Recommendation (11):

That any disclosure of medical-record information by a medical-care provider, with or without the authorization of the individual to whom it pertains, be limited only to information necessary to accomplish the purpose for which the disclosure is made.


To relieve apprehension about the disclosures that may be made of information in a medical record without the patient's authorization, as well as to inform a patient of the procedures by which he can ascertain whether particular disclosures have been made, the Commission recommends:

Recommendation (12):

That each medical-care provider be required to notify an individual on whom it maintains a medical record of the disclosures that may be made of information in the record without the individual's express authorization.

This recommendation is comparable to the notice recommendations made in other areas the Commission has examined. Ideally, the patient should be notified during his first contact with the medical-care provider and renotified whenever a new category of disclosures without authorization is created. The Harvard Community Health Plan, a health maintenance organization, is one medical-care provider that already provides its members with such a rudimentary form of notice in its service agreement. In the confidentiality provision of the agreement, the member is informed that his medical records will be kept confidential

. . . except for use incident to bona fide medical research, . . . education, . . . use reasonably necessary in connection with the administration of the agreement [and that] such information will not be disclosed without the consent of the member, unless . . . required by law.72

Although this notice is not as specific as the one the Commission recommends, it demonstrates that such a notice requirement could be met.


As indicated in many chapters of this report, each time an individual applies for a job, for life or health insurance, for credit, or for financial assistance or services from the government, he agrees to relinquish some measure of personal privacy in return for the benefit he seeks. This cannot be helped, but all too often he is asked to sign away far more of his privacy than the situation warrants. Some authorization statements are so broadly worded as to require the recipient to "furnish any and all information on request."

The American Psychiatric Association takes the position that any blanket consent for the release of information from a medical record is unacceptable, since all consent for the disclosure of medical-record information should be "informed consent."73 Such a standard appears to the Commission to be impractical. To speak of informed consent is to presuppose that the individual being asked to give it not only knows precisely what is being disclosed, but has the option both of refusing to divulge information about himself and preventing others from doing so. It also assumes that he can predict accurately who shall subsequently have access to the information and precisely how it will be used. In other words, to have given one's informed consent to a particular disclosure of information about oneself is to have fully understood the costs and benefits that will or even might result from such disclosure. Yet the individual who authorizes someone to acquire medical-record information about him rarely has the option of refusing to do so. Technically, most authorization statements are voluntarily signed, but the option of refusing varies inversely with the individual's need for the treatment, job, insurance, or social service he is seeking.

Recognizing these natural limits of informed consent, the Commission recommends an authorization procedure along the lines prescribed in the DREW regulations on the "Confidentiality of Alcohol and Drug Abuse Patient Records" [42 CER. Z] as a working model for all authorization statements presented to and accepted by a medical-care provider. The Commission recommends: 74

Recommendation (13):

That whenever an individual's authorization is required before a medical-care provider may disclose information it collects or maintains about him, the medical-care provider should not accept as valid any authorization which is not:

(a) in writing;
(b) signed by the individual on a date specified or by someone authorized in fact to act in his behalf;
(c) clear as to the fact that the medical-care provider is among those either specifically named or generally designated by the individual as being authorized to disclose information about him;
(d) specific as to the nature of the information the individual is authorizing to be disclosed;
(e) specific as to the institutions or other persons to whom the individual is authorizing information to be disclosed;
(f) specific as to the purpose(s) for which the information may be used by any of the parties named in (e) both at the time of the disclosure and at any time in the future;
(g) specific as to its expiration date, which should be for a reasonable period of time not to exceed one year, except where an authorization is presented in connection with a life or non cancellable or guaranteed renewable health insurance policy, in which case the expiration date should not exceed two years from the date the authorization was signed.

This type of authorization statement provides assurance that an individual will understand what he is allowing to be disclosed, and why, but does not require that the voluntariness of his action be verifiable, nor does it assume that he can recognize every possible consequence of signing it. The medical-care provider should be responsible for having reasonable procedures to assure that authorizations presented to it satisfy the conditions of the recommendation. The medical-care provider should be able to use the exercise of such procedures as a defense where it later is claimed that the authorization is invalid. Subsection (b) of Recommendation (13) raises a small problem when the disclosure of medical-record information is authorized by a minor patient. The Commission feels strongly that where State law permits minors to obtain treatment for specific conditions without the consent of a parent or guardian the presumed confidentiality of the resulting medical-care relationship must be protected. Therefore, it would urge that in these instances, the minor patient alone be permitted to authorize disclosure of such information.

The exceptions to the one-year rule in subsection (g) take account of the two-year "contestable period" (see Chapter 5) in life insurance and the mentioned types of health insurance. It should be noted, however, that the corresponding recommendation in Chapter 5, Insurance Recommendation (18), calls for the signature date on the authorization statement to be the same as the date of the policy, thereby limiting the period of validity to two years.

To enable the individual to verify the fact that an authorized disclosure has been made, the Commission further recommends:

Recommendation (14).

That each time a medical-care provider discloses information about an individual pursuant to a valid authorization, it be required to retain a copy of the authorization and, for the purpose of Recommendation (S) on patient access, treat it as part of the record(s) from which the disclosure was made.

National Health Insurance

Public and political pressure for a Federal health insurance program continues even as this report is issued. The Commission is acutely aware that the process of setting a national health insurance program into motion will open up unparalleled opportunities to reevaluate medical record-keeping policies and practices and hopes its recommendations will assist the public, medical- record keepers, and the Congress to that end.

In exploring the possible effects of such a program on existing use and disclosure of medical records, the Commission's staff reviewed 18 national health insurance proposals presented to the 94th Congress. These varied from the Kennedy-Corman bill (H.R. 21), which proposed a mandatory, government-administered program covering the entire population; to the AMA-supported Fulton bill (H.R. 6222), which proposed a Medicare-like system of private-sector intermediaries to administer premiums and reimbursements; to a voluntary, catastrophic health-insurance plan available only to individuals whose medical expenses exceed a specified amount (H.R. 1373, the so-called "Roe bill").

Of the 18 bills only five contained specific provisions to protect the confidentiality of the records that would be created by the program and even these were vague. Most of the five merely specified that all information collected and maintained for program purposes must be considered confidential. While it is too soon to say which, if any, of these various forms of national health insurance will be enacted into law, or how soon, the Commission sees a clear need to devise specific safeguards to prevent unfairness and protect the confidentiality of the medical-care relationship, whatever form such a program may take.

If current private and publicly funded health-insurance programs are any indication, a universal health-insurance program will likely involve the creation and retention of records beyond the control of the provider with whom the individual has a medical-care relationship. Thus, the Commission urges that the recommendations in this chapter be adopted and that any legislation providing for national health insurance include safeguards covering the acquisition and dissemination of medical records and medical record information.


1 1975 data conveyed to staff of the Privacy Protection Study Commission by staff at the National Center for Health Statistics.

2 National Center for Health Statistics, Health: United States 1975, (Rockville, Maryland: Department of Health, Education, and Welfare, 1975), p. 3.

3 Section 5(c)(2)A) of the Privacy Act of 1974 authorized the Commission to include "medical records" in its examination of governmental and private-sector record-keeping policies and practices.

4 Testimony of the American Hospital Association, Medical Records, Hearings before the Privacy Protection Study Commission, June 10, 1976, p. 83 (hereinafter cited as "Medical Records Hearings").

5 The term medical-care provider has been used throughout the chapter to refer to both medical professionals and medical-care institutions. For the Commission's purposes the term medical professional refers to any person licensed or certified to provide medical services to individuals, including, but not limited to, a physician, dentist, nurse, optometrist, physical or occupational therapist, psychiatric social worker, clinical dietitian or clinical psychologist. The term medical-care institution means any facility or institution that is licensed to provide medicalcare services to individuals, including, but not limited to, hospitals, skilled nursing facilities, home-health agencies, clinics, rehabilitation agencies, and public-health agencies or health maintenance organizations (HMOs).

6 1n a survey conducted in 1918, the American College of Surgeons discovered that only 89 out of 5,323 hospitals registered in the U.S. by the American Medical Association kept . . Accurate and complete case records. . .written for all patients and filed in an accessible manner." Edna K. Huffman, Medical Record Management, (Berwyn, Ill: Physicians Record Co., 1972 p. 21.

7 For the purposes of this study, the Commission has defined a medical record as a record, file, document, or other written material relating to an individual's medical history, diagnosis, condition, treatment or evaluation which is created or maintained by a medical care provider. Conversely, the term medical-record information is used here to refer to information obtained from a medical record or from the individual patient, his spouse, parent, or guardian, for the purpose of making a non-medical decision about him. The circumstances in which medicalrecord information is gathered, maintained, and used to make non-medical decisions are summarized in this chapter, but details will be found in the chapters on insurance, employment, public assistance and social services, and research and statistics. The Commission's detailed recommendations regarding medical-record information held by such third-party users will also be found in those chapters. As in all other aspects of the Commission's inquiry, the attention here is to medical records and medical-record information collected, maintained, used, and disseminated in individually identifiable form.

8 Alfred M. Freedman, "Protection of Sensitive Medical Data," Patient Centered Health Systems, Michael A. Jenkin, ed., (Minneapolis, Minnesota: Society for Computer Medicine, 1975), p. 3.

9 Testimony of the American Hospital Association, Medical Records Hearings, June 10, 1976, p. 84.

10 National Center for Health Statistics, op. cit., p. 3.

11 Ibid, p. 60. By 1970 employers were paying all of the group-health premiums for 39 percent of the families covered by such plans, and at least partially paying the premiums for 53 percent more.

12 Ibid, p. 2.

13 Epidemiology is the medical science responsible for investigating the impact of both man's genetic endowment and his environment on his physical health.

14 Testimony of Andrew Bailey, Director, Medical Record Department, Stanford University Hospital, Medical Records Hearings, June 10, 1976, p. 98.

15 Written statement of Mayo Clinic, Medical Records Hearings, August 25, 1976.

16 Written statement of Micro-Reproduction Services, Inc., Medical Records Hearings, August 26, 1976.

17 Written statement of Maurice Grossman, M.D., Clinical Professor of Psychiatry, Stanford University, Medical Records Hearings, June 11, 1976, p. 4.

18 "Gatekeeping function," as the term is used in this report, connotes the use of recorded information to determine whether individuals should be allowed to enter into different types of social, economic, and political relationships, and if so, under what circumstances.

19 Alan F. Westin, Computers, Health Records, and Citizen's Rights, (Washington, D.C.: United States Department of Commerce, 1976). p. 60.

20 Ibid, p. 60.

21 Medical Records Hearings, June 10, 1976, p. 137.

22 Natalie Davis Spingarn, Confidentiality, (Washington, D.C.: American Psychiatric Association, 1975), p. 1. See also, Carmault B. Jackson, "Guardian of Medical Data," Prism, Vol. 2 (June 1974), pp. 404 1.

23 It has been estimated that medical-record information is used as evidence in about threequarters of all civil cases and in about one-quarter of all criminal trials. Harold L. Hirsch, "Medical Records -Medicolegal Implications," Southern Medicine, Vol. 63, No.4 (August 1975), p. 11.

24 Testimony of the American Medical Association, Medical Records Hearings, June 10, 1976,p.179.

25 Cited in Robert M. Veatch, et. al, The Teaching of Medical Ethics, (New York: Hastings Center Publications, 1973), p. 146.

26 Ibid, pp. 145-46.

27 Richard Henry, ed. "A Summary of Freedom of Information and Privacy Laws of the 50 States," Access Reports (December 1975), p. l.

28 Ann H. Britton, "Rights to Privacy in Medical Records," The Journal of Legal Medicine, Vol. 3, No. 7 (July-August 1975), p. 32.

29 Westin, op. cit., p. 29. Analysis of the relevant case law also indicates that gaining a judgment against a physician for an unauthorized disclosure of medical-record information is no mean feat. There are only 16 jurisdictions in the United States that have adjudicated cases pertaining to a physician's liability for the disclosure of confidential information. In these cases, a cause of action for unauthorized disclosure has been justified under a number of different theories: breach of statutory duty; invasion of privacy; libel; malpractice; breach of trust; and breach of contract. (John J. Fargo), "Medical Data Privacy: Automated Interference with Contractual Relations," 25 Buffalo Law Review 493 (August 1976). See also Judith Lenable Elder, "Physicians and Surgeons: Civil Liability for a Physician Who Discloses Medical Information Obtained Within the Doctor-Patient Relationship in a Nonlitigation Setting," 28 Oklahoma Law Review 658-673, No. 3 (Summer, 1975).

30 In his treatise on evidence, Wigmore argued that the privilege is not justified. Ninety-nine percent of the cases in which it has been invoked, he noted, involve personal injury cases where the patient voluntarily placed the extent of his injury before the court; actions on life insurance policies where the deceased was alleged to have misrepresented his health to the insurer; or actions on wills where the deceased's mental capacity was in question. Thus, in none of these instances could one say that the absence of the privilege would have hindered the individuals involved from seeking medical care, while in all of them the medical-record information sought was necessary to reach a decision. Wigmore, Evidence ? 2380a (McNaughton rev. 1961).

31 For example, in Clark v. Geraci, [208 N. Y.S. 2nd 564 (S. Cc. N. Y. 1960)], an employee, seeking an excuse for his absenteeism, asked his physician to provide a general medical excuse. In doing s0, however, the physician also disclosed that the employee was an alcoholic, thereby causing the employee to be dismissed. According to the court, the employee's request for a general excuse constituted a waiver by estoppel, authorizing the disclosure for an undistorted account of the employee's condition, including his alcoholism. In another case, Hague v. Williams, [181 A.2nd (N.J., 1961)], a court construed an application for life insurance as a waiver of confidentiality. In this case, an infant's pediatrician told an insurance company that the child suffered from a congenital heart defect, even though he had never made this condition known to the baby's parents.

32 Written statement of Dale Tooley, District Attorney, Denver, Colorado, Medical Records Hearings, June 11, 1976.

33 Medical Records Hearings, June 11, 1976, p. 374. For examples of injuries suffered by patients as a result of breaches of confidentiality, see also, Maurice Grossman, Confidentiality and Third Parties, (Washington, D.C.: American Psychiatric Institute, 1975).

34 Testimony of Jerome S. Beigler, M.D., Chairman, American Psychiatric Association Committee on Confidentiality, Insurance Records, Hearings before the Privacy Protection Study Committee, May 20, 1976, p. 37 1.

35 Joint Commission on the Accreditation of Hospitals, Accreditation Manual for Hospitals, 1976 ed. (Chicago, Ill: JCAH, 1976) p. 98.

36 Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970, as amended by P.L. 93-282, and the Drug Abuse Office and Treatment Act of 1972, as amended by P.L. 93-282.

37 National Center for Health Statistics, op. cit., p. 257.

38 Westin's 1976 study, previously cited, is the most recent contribution to the medical record-keeping literature on practices and problems.

39 Ralph Crawshaw, "Gossip Wears a Thousand Masks," Prism, Vol. 2, No. 6 (June 1974), pp. 45-47.

40 Testimony of Feminist Women's Health Center, Medical Records Hearings, June 11, 1976, p. 323.

41 In testimony before the Privacy Protection Study Commission, Dr. Catherine Elkin Rosen described an experiment she conducted to determine if the manner in which a consent form is presented affects the rate of compliance. From the study she concluded that individuals sign such forms only because they believe it will increase the likelihood of receiving services. Nearly all the clients in four mental health centers agreed to sign the authorization unless they were informed that they had the alternative of refusing. Testimony of Catherine E. Rosen Ph.D., Director, Research and Evaluation, Northeast Georgia Community Mental Health Center, Medical Records Hearings, June 11, 1976, p. 433. The results of this study have also been reported by Dr. Rosen in an article, "Signing Away Medical Privacy," The Civil Liberties Review, Vol. 3, No. 4, (Oct-Nov. 1976), pp. 54-59.

42 Written statement of the Health Services Administration, Public Health Service, DHEW, Medical Records Hearings, July 20, 1976.

43 Testimony of the Department of Defense, Medical Records Hearings, July 21, 1976.

44 Submission of the Public Health Service, DHEW, Medical Records Hearings, June 10, 1976.

45 Testimony of the Health Services Administration, Public Health Service, DHEW, Medical Records Hearings, July 20, 1976, p. 125.

46 Marcia Opp, "The Confidentiality Dilemma," Modern Health Care, (May 1975), p. 52.

47 Westin, op. cit.

48 This argument has been espoused by the staff of the Given Health Care Center in Vermont and is supported by a study reported by them in Applying the Problem Oriented Record. One hundred people were given their medical records and asked to review and audit the "subjective" data in their file. Reportedly, 78 percent of the patients indicated changes in their living, eating, and drinking patterns and 97 percent indicated less worry about their health after review of their record. Richard E. Bouchard, et al. "The Patient and His Problem-Oriented Record," Applying the Problem-Oriented System, H. Kenneth Walker, J. Willis Hurst, and Mary F. Woody, eds. (New York: MEDCOM, 1975).

49 Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970, as amended by P.L. 93-282, and the Drug Abuse Office and Treatment Act of 1972, as amended by P.L. 93-282.

50 Testimony of Dale Tooley, District Attorney, Denver, Colorado, Medical Records Hearings, June 11, 1976, p. 474.

51 Colo. Rev. Stat. ? 25-1-801.

52 Okla. Stat. Ann. tit. 76, ? 19.

53 Fla. Stat. Ann. ? 458.16.

54 Conn. Gen. Stat. Ann. ? 4.104 (1969); Ind. Code Ann. ? 343-15.5-4; La. Rev. Stat. Ann. ? 44.31(1951); Mass. Gen. Laws Ann. ch. 111 ? 70 (1971).

55 Miss. Code Ann. ? 7146-53 (Supp. 1971); Tenn. Code Ann. ? 53-1322.

56 Ill. Ann. Stat. ch. 51 ? 71; Maine: Letter from Robert B. Calkins, Assistant Attorney General to the Secretary's Commission on Medical Malpractice, June 19, 1972; Missouri Division of Health, Hospital Licensing Law, ch. 197; Montana Board of Health Regulations, ?31.106; Nev. Rev. Stat. ?433.721; N.J. Stat. Ann. ?30:424.3; N. M. Stat. Ann. ?32-2-18; N.D.Rules and Regulations for Hospitals and Related Institutions R. 23-16-8S.1-.3; Utah Code Ann. ?647-50; and Wis. Stat. Ann. ?269.57(4).

57 N.Y. Official Compilation of Codes, Rules and Regulations, ?? 720.20(p)(1971).

58 Wallace v. University Hospital, 171 Ohio St. 487,172 N.E.2d 459 (1961).

59 Arizona Hospital Association Consent Manual, 1969.

60 Office of Management and Budget, Privacy Act Guidelines, issued as a supplement to Circular A-108,40 Federal Register, 132, p. 28957.

61 U.S. Veterans Administration, Manual MP-1, Part 11, Chapter 21, Section 6.d.

62 Except in the case of the social-service provider that uses medical-record information to make an (adverse) eligibility determination.

63 According to the Director of the Professional Services Division of the American Medical Record Association, the total membership of the Association at the beginning of 1977 was approximately 19,500 individuals. It was estimated by the Bureau of Health Manpower of the Department of Health, Education, and Welfare in 1974 that there were 53,000 individuals employed in the management and administration of medical records, 11,000 of whom were working in an administrative capacity. U.S. Department of Health, Education and Welfare, The Supply ofHealth Manpower (Washington, D.C.: DREW, 1974), p. 144.

64 American Hospital Association, Hospital Medical Records (Chicago: AHA, 1972), p. 8.

65 Berry v. Moench, 331 P.2d 814 (Utah 1958).

66 Testimony of the American Public Health Association and Mayo Clinic, Medical Records Hearings, June 10 and 11, 1976, pp. 297 and 567.

67 Testimony of National Institute of Mental Health, Medical Records Hearings, July 20, 1976, p. 83.

68 Dennis Helfman, et al, "Access to Medical Records," Appendix: Report of the Secretary's Commission on Medical Malpractice (Washington, D.C.: Department of Health, Education, and Welfare, 1973), p. 181.

69 Mass. Gen. Laws Ann. ch. 111, ? 111 (1971); Neb. Rev. Stat ? 84712 (1966).

70 Cited in Westin, op. cit., p. 77.

71 Written Statement of Maurice Grossman, M.D., Clinical Professor of Psychiatry, Stanford University, Medical Records Hearings, June 11, 1976, p. 10.

72 Harvard Community Health Plan, "Group Service Agreement," Section XII E.

73 American Psychiatric Association, Confidentiality and Third Parties (Washington, D.C.: APA, 1975), p. 13.

74 Testimony of Dr. Catherine E. Rosen, Medical Records Hearings, June 11, 1976.