Access to Medical Records Under Federal Law

93-708 A Access to Medical Records Under Federal Law Gina Marie Stevens Legislative Attorney American Law Division August 3, 1993 CRS ACCESS TO MEDICAL RECORDS UNDER FEDERAL LAW SUMMARY In recent years, our society has come to increasingly rely on medical information to perform basic functions and to make decisions about individuals . However, over the last several decades, a number of fundamental developments have threatened the confidentiality of health-care information. Greater utilization of health-care information coupled with the lessening of confidentiality protections for such information has resulted in increased disclosures of medical information . The Congress, state legislatures, courts, and professional organizations continue to confront issues associated with the confidentiality of health-care information . Today, the confidentiality of health-care information is governed by various federal, state, and local statutes, ordinances, regulations, and case law . Also applicable are private accreditation standards, the internal policies of particular institutions, and other ethical guidelines . There is substantial variation between the individual states on many aspects of medical records law . Federal laws, while providing some confidentiality protections for health-care information controlled by federal agencies in the executive branch of government, do not address the gaps that exist because of the lack of uniformity in state law . As health care reform moves to the forefront of the Congressional agenda, undoubtedly proposals to strengthen the confidentiality of health-care information will emerge in recognition of the fact that health care reform is likely to increase the amount and flow of health-care information . Several organizations have also recommended the adoption of federal confidentiality legislation . This report discusses the principal federal laws which govern access to and disclosure of medical records maintained by agencies in the executive branch of the federal government . In addition this report also examines some other approaches to uniformity advanced in this area . TABLE OF CONTENTS I. INTRODUCTION 1 II. ACCESS RIGHTS UNDER FEDERAL LAW 3 A. Federal Privacy Act of 1974 3 1 . Access to Medical Records under the Privacy Act 6 2. Medical Records Access Litigation under the Privacy Act 8 B. Freedom of Information Act 10 1. Access to Medical Records under the FOIA 12 2 . Medical Records Access Litigation under the FOIA 13 3. Privacy Act/FOIA Interaction 15 C. Alcohol and Drug Abuse Records 15 D. Occupational Safety and Health Act 16 III. OTHER APPROACHES TO ACHIEVING UNIFORMITY 18 A. Uniform Health-Care Information Act 17 IV. CONCLUSION 19 ACCESS TO MEDICAL RECORDS UNDER FEDERAL LAW INTRODUCTION In recent years, our society has come to increasingly rely on medical information to perform basic functions and to make decisions about individuals . However, over the last several decades, a number of fundamental developments have threatened the confidentiality of health-care information . The emergence of third-party payment plans ; the use of health-care information for nonhealthcare purposes ; the growing involvement of government agencies in virtually all aspects of health care ; and the exponential increase in the use of computers and automated information systems for health record information have combined to put substantial pressure on traditional confidentiality protections .' Greater utilization of health-care information coupled with the lessening of confidentiality protections for such information has resulted in increased disclosures of medical information . The potential harm that can occur from unauthorized disclosures of such information can profoundly affect people's lives:2 It affects decisions on whether they are hired or fired ; whether they can secure business licenses and life insurance ; whether they are permitted to drive cars ; whether they are placed under police surveillance or labelled a security risk ; or even whether they can get nominated for and elected to political office .3 Other secondary uses of health-care information, which have the potential to result in harm to the health-care subject if the information is disclosed for unauthorized purposes, include genetic monitoring and screening for employment and insurance purposes and DNA fingerprinting .' 1 Privacy Protection Study Commission, Personal Privacy in an Information Society 283 (1977) . 2 See, J. Rothfeder, Privacy for Sale : How Computerization Has Made Everyone's Private Life an Open Secret 175-95 (1992) . 3 A. Westin, Computers, Health Records, and Citizen's Rights 60 (U.S . Dept. of Commerce) (1976) . ' See, U .S. Congress, Office of Technology Assessment, Genetic Monitoring and Screening in the Workplace 116-120 (1990) ; and U .S. Congress, Office of Technology Assessment, Cystic Fibrosis and DNA Tests : Implications of Carrier Screening 189-207 (1992) . CRS-2 The Congress, state legislatures, courts, and professional organizations continue to confront issues associated with the confidentiality of health-care information . Today, the confidentiality of health-care information is governed by various federal, state, and local statutes, ordinances, regulations, and case law . Also applicable are private accreditation standards, such as those of the Joint Commission on Accreditation of Hospitals (JCAH),' the internal policies of particular institutions, and other ethical guidelines . 6 There is substantial variation between the individual states on many aspects of medical records law . These differences are becoming much more critical in the collection, maintenance, and disclosure of health-care information as it is transmitted through interstate commerce amongst patients, physicians, health-care facilities, employers, federal and state government agencies, and insurers located in different states and subject to different laws . Federal laws, while providing some confidentiality protections for health-care information controlled by federal agencies in the executive branch of government, do not address the gaps that exist because of the lack of uniformity in state law . In 1980, Congress attempted to enact legislation that would strengthen the confidentiality protections for health-care information, and provide uniformity throughout the country . The legislation was not passed . As health care reform moves to the forefront of the Congressional agenda, undoubtedly proposals to strengthen the confidentiality of health-care information will emerge in recognition of the fact that health care reform is likely to increase the amount and flow of health-care information . Representative Gary Condit, Chairman of the Information, Justice, Transportation, and Agriculture Subcommittee of the House Government Operations Committee, has announced that the subcommittee will develop national health care confidentiality legislation to attach to the general health care reform package .' Several organizations, such as the Working Group on Computerization of Patient Records, the American Health Information Management Association, and the National Conference of Commissioner on Uniform State Laws, have also recommended the adoption of federal confidentiality legislation . In addition, the National Conference of The Joint Commission on the Accreditation of Hospitals is a private agency organized in 1952 and sponsored by the American Medical Association, American Hospital Association, American College of Surgeons, and American College of Physicians . It inspects and accredits hospitals on a voluntary, but nearly universal, basis in the United States, and issues standards on hospital operation which must be met by the approved institutions . Among its standards are many provisions connected with the compilation and storage of medical records . See, Joint Commission on Accreditation of Hospitals, Accreditation Manual for Hospitals ch . 9 (1986) . 6 See, American Medical Association's Confidentiality Statement, Current Opinions of the Council on Ethical and Judicial Affairs of the American Medical Association § 5 .05 (1989) . 7 139 Cong . Rec. H3992 (daily ed . June 23, 1993) . CRS- 3 Commissioners on Uniform State Laws [NCCUSL], a non-governmental entity, drafted and approved in 1985, a uniform law on health-care information . This report discusses the principal federal laws which govern access to and disclosure of medical records maintained by agencies in the executive branch of the federal government . In addition this report also examines some other approaches to uniformity advanced in this area . This report does not include a discussion of state laws which regulate access to medical records . For an overview of the present state of the law in this area, see, Congressional Research Service, Patient Access to Medical Records : A Statutory Survey of the United States, Report No . 92-896 A, by John Contrubis . ACCESS RIGHTS UNDER FEDERAL LAW Federal laws addressing access to patient records follow the generally accepted principle that medical records are confidential and that access should be limited to the patient .' Under federal law, the subject of health-care information has certain rights which allow him or her access to the information, as well as a right to prevent its unwarranted disclosure . The subject may also have a cause of action to recover damages when there is unwarranted disclosure . Federal Privacy Act of 1974 The Privacy Act of 1974 was implemented "[iln order to protect the privacy of individuals identified in information systems maintained by Federal agencies ."' To accomplish this, and the purposes desired by Congress, the Act provides : 1) restrictions on disclosure, and redisclosure, of personally identifiable information ; 2) requirements governing the collection, maintenance, and dissemination of records ; 3) a system for access by individuals to records about themselves, with exceptions ; 4) a system for amendment of records about individuals upon a showing that they are not accurate, relevant, timely, or complete ; 5) limitations upon the use of Social Security Numbers for identification ; and 6) a Privacy Protection Study Commission to study the problems addressed by the Act and to make recommendations .'° The Privacy Act prohibits the disclosure of records maintained on individuals by federal government agencies, except under the conditions and subject to the exceptions in the Act . In addition, hospitals operated by federal government agencies (e .g ., Department of Veterans Affairs Medical Centers) are bound by the Privacy Act's requirements with respect to the disclosure of the 8 (1985) . 9 W . Roach, S . Chernoff, & C . Esley, Medical Records and The Law 59 5 U .S .C . § 552a. 10 See, American Civil Liberties Foundation, Litigation under the Federal Open Government Laws 263-301 (A .R. Adler 13th ed . 1991) . CRS- 4 medical records of their patients . Also, medical records maintained in a records system operated pursuant to a contract with a federal government agency are subject to the provisions of the Privacy Act ." For example, hospitals that maintain registers of cancer patients pursuant to a federal government contract are subject to the Privacy Act . The Act, however, does not apply to private hospitals and other private healthcare facilities . 12 In general, the only records subject to the Privacy Act are "records" 13 that are maintained in a "system of records ." 14 Agencies are required to publish descriptions of "systems of records" maintained by the agency, 15 and the "routine use of the records contained in the system ." 16 The general rule under the Act is that no agency shall disclose any record without the written consent of the individual to whom the record pertains . 17 However, records may be disclosed, to the following persons and agencies, without the individual-subject's consent if the record falls under one or more of following 12 statutory exceptions to the general "no disclosure" prohibition : (1) to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties ; (2) required under the Freedom of Information Act ; "When an agency provides by contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section [the Privacy Act] to be applied to such system ." 5 U .S .C . § 552a(m) . 12 5 U .S .C . § 552a(a)(1) and § 552(e) . 13 The Act defines "record" to include information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual . 5 U .S .C . § 552a(a)(4) . 14 The Act defines a "system of records" as a group of records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual . 5 U .S .C . § 552a(a)(5) . 15 5 U .S .C . § 552a(e)(4)(D) . 16 A "routine use" is defined to mean "with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it is collected ." 5 U .S .C . § 552a(a)(7) . 17 5 U.S .C . § 552a(b) . CRS- 5 (3) for a routine use ; (4) to the Bureau of the Census for purposes of planning or carrying out a census or a survey or related activity ; (5) to a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable ; (6) to the National Archives as a record which has sufficient historical or other value ; (7) to another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the agency which maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought ; (8) to a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if upon such disclosure notification is transmitted to the last known address of such individual ; (9) to either House of Congress . . . ; (10) to the Comptroller General . . . ; (11) pursuant to the order of a court of competent jurisdiction ; (12) to a consumer reporting agency The Privacy Act requires each agency to "maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or executive order of the President ."" Each agency is required to promulgate rules which shall 1) establish procedures to notify an individual in response to a request if any system of records named by the individual contains a record pertaining to him ; 2) establish procedures for the disclosure to an individual upon his request of his record or information pertaining to him . 20 is 5 U .S .C . § 552a(b) . 19 5 U .S .C . § 552a(e)(1) . 20 5 U .S .C . § 552a(f) . CRS- 6 For the purpose of enabling individuals to correct records about themselves subsection (d) of the Privacy Act provides that an agency must grant to an individual an opportunity to see and copy records concerning him or herself, and permit the individual to request amendment of a record ." Subsection (j) and (k) permit agencies to exempt certain systems of records from such access . 22 Access to Medical Records under the Privacy Act Subsection (f)(3) of the Privacy Act allows agencies to establish special procedures for individuals wishing to access their medical records . That section provides : (f) In order to carry out the provisions of this section, each agency that maintains a system of records shall promulgate rules, in accordance with the requirements (including general notice) of section 553 of this title, which shall -(3) establish procedures for the disclosure to an individual upon his request of his record or information pertaining to him, including special procedures, if deemed necessary, for the disclosure to an individual of medical records, including psychological records, pertaining to him. . . . The House Government Operations Committee report on the Privacy Act interpreted this provision to mean that : if in the judgment of the agency, the transmission of medical information directly to a requesting individual could have an adverse effect upon such individual, the rules which the agency promulgates should provide means whereby an individual who would be adversely affected by receipt of such data may be apprised of it in a manner which would not cause such adverse effects . An example of a rule serving such purpose would be transmission to a doctor named by the requesting individual ." The Office of Management and Budget, in it guidelines to the Privacy Act, states that "the process by which individuals are granted access to medical records may, at the discretion of the agency, be modified to prevent harm to the individual ."' Under the guidance for general access provisions, subsection (d)(1), OMB pointed out that "while the right of individuals to have access to 21 5 U .S .C . § 552a(d)(1) and (2) . 22 5 U .S .C . § 552a(j) and (k) . 23 H . Rep . No . 1416, 93rd Cong ., 2d Sess . 16-17 (1974) . 40 F .R . 28948, 28967 (July 9, 1975) . CRS- 7 medical and psychological records pertaining to them is clear, the nature and circumstances of the disclosure may warrant special procedures ." 25 The Privacy Protection Study Commission, which was created by Congress as part of the Privacy Act, concluded in its final report that : no solution would be acceptable in the long run so long as it risks leaving the ultimate discretion to release or not to release in the hands of the patient's physician . In situations where the keeper of a medical record believes that allowing the patient to see and copy it may be injurious to the patient, the Commission concluded that it would be reasonable for the record to be given to a responsible person designated by the patient, with that person being the ultimate judge of whether the patient should have full access to it . In no case, however, should the physician or other keeper of the record be able to refuse to disclose the record to the designated responsible person, even where it is known in advance that the designated person will give the patient full access to it . 26 In 1980, the House Government Operations Committee reported out the "Federal Privacy of Medical Information Act ."" The accompanying report noted that there were few instances in which medical records needed to be withheld from an individual and left it to the medical professionals at the treating facility to determine if the records should be released ." The report noted that information may be withheld if the : inspection or copying would cause sufficient harm to the patient so as to outweigh the desirability of permitting access . This very general balancing test recognizes that the judgment about withholding can best be made by a health professional with knowledge of the patient . There must be a reasoned medical judgment that disclosure would cause sufficient harm and not just that some harm is theoretically possible . 29 The report continued, adding that a requester, if denied access, could appoint a third party to review the records ; if the third party agreed with the medical facility, the records would not be released, but if he disagreed, then he would be free to disclose the information . The "Federal Privacy of Medical Information 25 Id . at 28957 . 26 Privacy Protection Study Commission, Personal Information in an Information Society 277, 297-98 (July 1977) . 27 H .R . 5935, 96th Cong ., 2d Sess . (1980) . 28 H . Rep . No . 832, 96th Cong ., 2d Sess . 20-21 (1980) . 29 Id . at 20 . CRS- 8 Act" never became law primarily as a result of disagreements on the standard to be applied to unauthorized disclosures of medical information to law enforcement agencies (primarily the CIA and FBI) seeking access for purposes of gathering foreign intelligence and counterintelligence data ." Medical Records Access Litigation under the Privacy Act In practice, agencies have interpreted (f)(3) as requiring an individual to designate a third party to review the records to determine whether the individual may have the records . The Department of Health and Human Services requires the individual-subject to designate a representative who may be "a physician, other health professional, or other responsible individual" to review the records and determine if the records should be released ." The regulations permit direct access if the agency official determines that direct access is not likely to have an adverse effect on the subject individual . If the official is unable to determine, or if he does determine, that direct access is likely to have an adverse effect, the record will be released to the designated representative . The Department of Veterans Affairs provides for review by an agency physician ." If that physician believes release would have an adverse effect on the individual, the department will disclose the records to "a physician or other professional person selected by the requesting individual for such redisclosure as the professional person may believe is indicated,"33 or the Department will arrange with the individual to visit a Veterans facility where the records will be explained and then released . The Defense Department authorizes the disclosure of medical records to the individual to whom they pertain, even if a minor, unless a judgment is made that access to such records could have an adverse effect on the mental or physical health of the individual .' If it is determined that the release may be harmful to the individual, the regulations require the individual to designate a physician to receive the records . If the individual refuses or fails to designate a representative the record shall not be released . Courts have generally denied access when an individual has not designated a representative, ruling that the requester has failed to exhaust his administrative remedies ." This remains the thrust of court cases on (f)(3), but 30 Id . at 99-100 . 31 45 C .F .R . § 5 .b6 . 32 38 C .F .R. § 1 .577(d) . 33 Id. 32 C .F .R . § 310 .30(f) . 35 See, (individuals denied access to medical records for failure to exhaust administrative remedies) : Allard v . HHS, Civ . No . 4 :90-156 (W.D . Mich . 1992) ; Benny v. Bureau of Prisons, Civ . No . 86-01212 (D .D .C . 1986) ; Cowsen-El v . Dept. CRS- 9 in recent years several district court judges have begun to note certain inconsistencies in the subsection . In Hammie v . Social Security Administration, 36 a judge observed that the ability of a representative to deny access without review might be challenged as inconsistent with the Privacy Act . He also noted that "whether or not plaintiff has perfected his right to indirect access, by naming a `representative' to receive and review the records for him, would not appear to be relevant to whether plaintiff has a right to direct access ."" In Hammie, a prisoner brought suit challenging the agency's refusal to disclose his medical records directly to him . More recently, in Waldron v. Social Security Administration 38 a judge found that, while a requirement to appoint a third party to review the records was not a violation of the Privacy Act, the ability of the third party to deny access might be . The judge in Waldron was concerned, as was the judge in Hammie, " about allowing a third party to decide whether an individual should have access to his or her own medical record . The third party is subject to no control or regulation by a responsible agency, and the decision to deny access maybe immune from judicial review because review under the Privacy Act extends only to agency action ." 39 While upholding the Bureau of Prisons' regulations on access to medical records, the judge in Smith v . Quinlan 40 disagreed with the assessment in Hammie that a third party's decision to deny access may be immune from judicial review. In Smith, 41 the judge found that "a federal inmate who, after complying with the regulation by designating a physician, believes that his medical records are unlawfully withheld may file suit in the district court pursuant to 5 U .S .C . 552a(g)(1)(D) and obtain review de novo, including in camera examination of the contents of the agency records ."" In this case, the plaintiff, a participant in a witness protection program, refused to appoint a medical representative . He argued that subsection (f)(3) clearly stated that disclosure was to be made to the requesting individual, that there was no legal of Justice, Civ . No . 91-0401-RCL (D .D .C . 1992) ; Keil v . HHS, Civ . No . 88-C-0360 (E .D . Wis . 1989) ; Manfredi v . Seifert, Civ . No . 89-D-1001-N (M .D . Ala . 1990) ; Smith v . Secretary of the Army, 2 GDS 4 81,059 (M .D . Ala . 1979) ; Sweatt v . United States Navy, 2 GDS T 81,038 (D .D .C . 1980), affd 683 F .2d 420 (D .C . Cir . 1982) ; Vanhoose v . VA, Civ . No . 86-86-OC-12 (M .D . Fla . 1988) . 36 765 F . Supp . 1224 (E .D . Pa . 1991) . 37 Id. 38 Civ . No . 92334-JLQ, (E .D . Wash ., Mar . 8, 1993) . 39 Id. 40 Civ. No . 91-1187, (D .D .C ., Jan . 13, 1992), 1992 WL 25689 (D .D .C .) . 41 Id. 42 1992 WL 25689, *2 (D .D .C .) . at 1226 . CRS- 1 0 recourse against a physician who decided not to release the records, and that FOIA provided an independent basis for disclosure . The judge observed that "by permitting the Department of Justice, among other agencies, to determine even the necessity of using some special procedure in disseminating personal health records, Congress intended the agency to enjoy relatively broad discretion in its implementing regulation . . .[T]he Court believes that the requirement of review by an outside physician, chosen by the inmate, is reasonable both as an accommodation to legitimate security concerns of the federal penal authorities and as a method to ensure confidentiality fostering medical and psychological treatment .,,43 The judge in Smith indicated that there was review of a physician's decision not to disclose since the plaintiff could file a Privacy Act action for failure to disclose the records . He also rejected the argument that subsection (t)(2), which clarifies that the Privacy Act is not a basis to withhold records under the Freedom of Information Act, implied that an agency could not use (f)(3) as a withholding provision . He pointed out that "the Court does not find section 552a(f)(3) as implemented and section 552a(t)(2) to be incompatible and agrees with the government that, if Congress had intended section 552a(t) to disallow or narrow the scope of special procedures that agencies may deem necessary in releasing medical and psychological records, it would have so indicated by legislation ."" A notice of appeal has been filed with the D .C . Circuit in the Smith case, and a ruling will represent the first appellate decision in this area . Clearly (f)(3) specifically indicates that special procedures are permitted "for the disclosure to an individual of his medical records ." In other words, while some kind of review procedure is almost certainly permissible, which probably includes the need to designate a third party for review purposes in cases where release would have an adverse effect on the individual, the ability of a third party, whether an agency physician or an outsider, to deny access to the subject does not appear anywhere in the language of the provision . Freedom of Information Act The Freedom of Information Act (FOIA), 4 J originally enacted in 1966 and amended several times thereafter, established a statutory right of access to government information, and provided judicial and administrative remedies for those denied access to records . The FOIA applies only to "records" maintained by "agencies" within the executive branch of the federal government . 43 1992 WL .25689, *2-3 (D .D .C .) . 44 Id. 45 5 U .S .C . § 552 at 25689, *3 . et seq. CRS-i1 In general, the FOIA does not apply to entities that "are neither chartered by the federal government [n]or controlled by it ." 46 In Forsham v . Harris, 47 the United States Supreme Court held that a private grantee of the Department of Health, Education and Welfare (HEW) was not subject to the FOIA, and that information in the grantee's reports was not required to be disclosed under the FOIA . The Court did, however, describe circumstances that would require disclosure . In Forsham, a private organization of physicians sought to obtain the raw data underlying the report of the University Group Diabetes Program (UGDP), which had received substantial funding from HEW to conduct a long-term study of certain diabetes treatment regimens . When the UGDP refused to release the data, the physicians initiated a series of FOIA requests seeking access to the information and claiming that the UGDP data were agency records within the meaning of the act because (1) the UGDP received its funds from the federal government, (2) HEW had under its grant a right of access to the data, and (3) the information was the basis of reports on which the federal government took action in regulating drugs used in the treatment of diabetes . The United States Supreme Court rejected the petitioner's claims, holding that : written data generated, owned, and possessed by a privately controlled organization receiving federal study grants are not "agency records" within the meaning of the Act when copies of those data have not been obtained by a federal agency subject to the FOIA . Federal participation in the generation of the data by means of a grant from Department of Health, Education and Welfare (HEW) does not make the private organization a federal "agency" within the terms of the Act . Nor does this federal funding in combination with a federal right of access render the data "agency records" of HEW, which is a federal "agency" under the terms of the Act ." The Court held that the grantee's data would become agency records if it could be shown that the agency directly controlled the day-to-day activities of the grantee 4 9 Thus, if the holder of the medical information is a private business or corporation that is not subject to day-to-day control by a federal agency, there are no access rights for individuals under current federal law . 46 See, e.g., Forsham v . Harris, 445 U .S . 169, 179-80 (1980) (private grantee of federal agency not subject to FOIA) ; Public Citizen Health Research Group v. HEW, 668 F .2d 537, 543-44 (D .C . Cir . 1981) (medical peer review committees not "agencies" under FOIA) ; Irwin Memorial Blood Bank v . American Nat'l Red Cross, 640 F .2d 1051, 1057 (9th Cir . 1981) (American Red Cross not an "agency" under FOIA) . 47 445 U .S . 169 (1980) . 48 Id. at 171 . 49 Id. at 180 . CRS- 1 2 The FOIA requires agencies to (1) publish ; and (2) make available for public inspection and copying (without the formality of a written request) several types of information ; 50 and (3) to disclose to the public all other reasonably described "records" of federal agencies," if the "records" do not fall within certain statutory exemptions . Although the FOIA makes disclosure the general rule, it permits specifically exempted information to be withheld . An agency may refuse to disclose an agency record that falls within any of FOIA's nine statutory exemptions : (1) classified documents ; (2) internal personnel rules and practices ; (3) information exempt under other laws ; (4) confidential business information ; (5) internal government communications ; (6) personal privacy ; (7) law enforcement ; (8) financial institutions; and (9) geological information . b 2 An agency is required to provide reasonably segregable nonexempt portions of an otherwise exempt record to any person requesting such record ." Access to Medical Records under the FOPA One specifically exempt category of information permitted to be withheld under the FOIA, commonly referred to as Exemption 6, is "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy ."54 The House and Senate Reports provide guidance as to the intended scope of the phrase "clearly unwarranted invasion of personal privacy ." The House Report states : The limitation of a "clearly unwarranted invasion of personal privacy" provides a proper balance between the protection of an individual's rights of privacy and the preservation of the public's right to Government information by excluding those kinds of files the disclosure of which might harm the individual ." The Senate Report states : J0 Including : (1) descriptions of agency organization and office addresses ; (2) statements of the general course and method of agency operation ; (3) rules of procedure and descriptions of forms ; (4) substantive rules of general applicability and statements of general policy ; (5) final opinions and orders made in the adjudication of cases ; and (6) administrative staff manuals that affect the public . 5 U .S .C . § 552(a)(1) and (2) . 51 5 U .S .C . § 552(a)(3) . 52 5 U .S .C . § 552(b) . 53 5 U .S .C . § 552(b) . 54 5 U.S .C . § 552(b)(6) . 55 H . Rep . No . 1497, 89th Cong., 2d Sess . (1966) at 11 . CRS- 1 3 The phrase "clearly unwarranted invasion of personal privacy" enunciates a policy that will involve a balancing of interests between the protection of the individual's private affairs from unnecessary public scrutiny, and the preservation of the public's right to governmental information . The application of this policy should lend itself particularly to those Government agencies where persons are required to submit vast amounts of personal data usually for limited purposes 56 Clearly, the legislative history of Exemption 6 indicates that Congress contemplated the balancing of individual privacy interests with the public's right to government information to determine whether the disclosure of personal records would result in a "clearly unwarranted invasion of personal privacy ." Medical Records Access Litigation under FOIA Agencies, in deciding whether to release records under the FOIA, have interpreted Exemption (6) as requiring a balancing of individual privacy interests with the public's right to government information . The Department of Health and Human Services regulations state that "we weigh the foreseeable harm of invading that person's privacy against the public benefit that would result from disclosure ." 57 Examples of the types of information HHS frequently withholds under Exemption 6 includes medical information about individuals participating in clinical research studies ; and earning records, claim files, and other personal information maintained by the Social Security Administration, the Public Health Service, and the Health Care Financing Administration . The Department of Veterans Affairs (VA) states that Exemption (b)(6) provides authority to withhold medical files which if disclosed would constitute a clearly unwarranted invasion of personal privacy ." The VA regulations specifically list requesters authorized to receive medical records : the Defense Department and departments, civilian physicians, veterans except if the release would have an adverse effect, family or legal representatives of the requester, health and social agencies, and law enforcement agencies . 59 The Department of Defense (DOD) recognizes that medical records may be withheld from disclosure, under Exemption (b)(6), if disclosure to the requester would result in a clearly unwarranted invasion of personal privacy . 60 The regulations also provide that "individuals' personnel, medical, or similar files 66 S . Rep . No . 813, 89th Cong ., 1st Sess . (1965) at 9 . 57 45 C .F .R . § 5 .67 . 58 38 C .F .R . § 1 .544(a)(6) . 59 Id. 60 32 C .F .R . § 286 .13(a)(6) . at § 1 .513 . CRS- 1 4 may be withheld from them or their designated legal representative only to the extent consistent with other DOD directives ." 61 Courts, when performing the balancing required by Exemption 6, must determine whether the disclosure of the requested information would be an invasion of privacy, and if so, how significant . If it is determined that no invasion of privacy will result, then Exemption 6 is not applicable and FOIA mandates disclosure . Because the FOIA permits an agency to provide reasonably segregable nonexempt portions of an otherwise exempt record to any person requesting such record, &2 often the issue in Exemption (6) litigation is whether the deletion of identifying information will protect the subject of the record from the invasion of his or her privacy if the records are disclosed . In Department of the Air Force v. Rose, 63 the Supreme Court upheld an order requiring the government to produce records for an in camera inspection to determine whether deletion of identifying information would protect against privacy invasions . The Court viewed the phrase "clearly unwarranted invasion of personal privacy" as requiring "threats to privacy interests more palpable than mere possibilities" of identifying the subject ." Based upon an examination of the legislative history of Exemption 6, the Court concluded that Congress did not intend to bar "disclosure in any case in which the conclusion could not be guaranteed that disclosure would not trigger recollection of identity in any person whatever ." 65 Congress therefore did not intend any per se exemption for personnel and medical files, but intended that their contents be subject to the balancing process ." Thus, the language, "clearly unwarranted invasion of personal privacy," has been interpreted by the courts as an expression of a congressional policy that favors disclosure and an instruction to the courts to tilt the balance in favor of disclosure . If a court establishes that an invasion of privacy will occur as a result of disclosure, it then weighs the extent of the invasion against the benefits of public disclosure to determine of there is a "clearly unwarranted" invasion . In Department of Justice v . Reporters Committee for Freedom of the Press, 61 the Supreme Court narrowed the scope of the "public interest" to be considered under Exemption (6) and (7)(C) . The Court concluded that the "public interest" 61 32 C .F .R . § 286 .13(a)(6)(iv) . 62 5 U .S .C . § 552(b) . 63 425 U .S . 352 (1976) . 64 Id. at 380 n .19 . 65 Id . at 378-379 . 66 Id. at 370 . 67 489 U .S . 749 (1989) . CRS- 1 5 is limited to the purpose for which Congress enacted the FOIA -- "to shed light on an agency's performance of its statutory duties ." 68 More recently, in United States Department of State v. Ray, 69 the Supreme Court elaborated on the scope of the "public interest ." In Ray, the Supreme Court denied a request for additional identifying information that was redacted from interview summaries prepared by the agency . The Court remarked that " . . . mere speculation about hypothetical public benefits cannot outweigh a demonstrably significant invasion of privacy ." 70 In Ray, the Court recognized a legitimate public interest in whether the State Department was adequately monitoring Haiti's promise not to prosecute repatriated Haitians, but it determined that the public interest had been served by the release of redacted interview summaries, and that the relief sought, the release of the redacted information, "would not shed any additional light on the Government's conduct of its obligation ." 71 Thus, under Exemption 6 if the balance favors the privacy element, the agency is justified in withholding the data ; if the interests of the public in full revelation are stronger, the information must be released ; and if the weights are approximately equal, the court must tilt the balance in favor of disclosure, the overriding policy of the Act ." Privacy ActIFOIA Interaction An issue that has been raised in some of the medical records access cases but that has not been fully resolved is to what extent the interaction of the Privacy Act and the FOIA affects the disclosure of medical records . Some litigants have argued that while subsection (f)(3) of the Privacy Act can be used to withhold or deny access to the individual, there remains a possibility that a third party could gain access through the FOIA . 73 To bolster their argument, they have cited subsection (t)(2) of the Privacy Act which states that the Privacy Act cannot be used as a justification to withhold information that would otherwise be available under the Freedom of Information Act . The trouble with the argument is that third party access to medical files is a remote possibility under the FOIA because Exemption 6 provides that records need not be released when to do so would cause "a clearly unwarranted invasion of personal privacy ." 68 Id. at 773 . 69 112 S . Ct . 541 (1991) . 70 Id. at 549 . 71 Id . 72 Board of Trade of City of Chicago v . Commodity Futures Trading Comm'n, 627 F .2d 392, 398 (D .C . Cir . 1980) . 73 Smith v . Quinlan, Civ . No . 91-1187, (D .D .C ., Jan . 13, 1992), 1992 WL 25689 (D .D .C .) . CRS- 1 6 Furthermore, the court in Smith v. Quinlan 74 dismissed an identical argument in that case, the plaintiff argued that a third party requester might be able to gain access to the plaintiff's records under the FOIA while the plaintiff might not be permitted such access . On the other hand, some have suggested that the ability of the individual-subject to gain access to his or her medical records under the FOIA in the context of a first-person FOIA request is a much more compelling argument because there is no invasion of privacy (an individual cannot invade his or her own privacy) exemption that would prevent release of the information . Because the Privacy Act requires an agency to identify an applicable exemption under both the Privacy Act and the FOIA in order to withhold the requested information, even if the requested information is exempt under the Privacy Act it could be disclosed under the FOIA . Therefore, if the Privacy Act requires the information to be withheld under (f)(3) (based upon a finding that disclosure would have an adverse effect on the requester), but the FOIA does not, the individual-subject should be granted access under the FOIA . However, if one views subsection (f)(3) of the Privacy Act not as an exemption, but rather as a provision allowing a "special procedure" for the disclosure, and FOIA exemption (b)(6) is not available as a basis to withhold medical records under a first-person request for access, an agency could handle the release through "special procedures" implemented under the Privacy Act . This conclusion would seem to be supported by the Smith case where the Court did not find sections (f)(3) and (t)(2) to be incompatible . 75 Alcohol and Drug Abuse Records Other types of medical records are also provided specific confidentiality protection under federal law in order to further public policies designed to encourage people to seek medical treatment when they need it . For example, the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 and the regulations promulgated thereunder prohibit States from enacting statutes to compel disclosure of patient records made during treatment for alcoholism . 76 Similarly, patients receiving treatment for drug abuse are protected by the Drug Abuse Office and Treatment Act of 1972 which establishes strict confidentiality requirements for patient records maintained in federally assisted treatment centers . 77 Both statutes establish 74 Civ . No . 91-1187 (D .D .C . Jan . 13, 1992), 1992 WL 25689 (D .D .C) . 75 Id, 76 42 U .S .C . § 290dd-3 and 42 C .F .R . 2 .1 - .67 . 77 42 U .S .C . § 290ee-3 . at 25689, *3 . CRS- 1 7 standards for disclosure of medical records of drug abusers ." Violating patients' confidentiality may result in criminal penalty . Under either statute, unless you have the patient's express consent, you may only disclose patient records to medical personnel as needed to meet an emergency, to qualified personnel conducting medical research if you delete any patient identifiers, or by authority of a court order based on a showing of good cause . The regulations require public, nonprofit, and for-profit private entities conducting, regulating, or assisting alcohol or drug abuse programs to maintain records showing patient consent to disclosure and documenting disclosure to medical personnel in a medical emergency from confidential alcohol and drug abuse patient records ." Alcohol, drug abuse, and mental health researchers are required to maintain confidentiality certificates showing the Secretary of Health and Human Services has authorized the researcher to withhold the identity of research subjects in legal proceedings to compel disclosure of the identity of research subjects . 80 Occupational Safety and Health Act A significant access right bestowed upon certain employees is a rule promulgated under the Occupational Safety and Health Act of 1970 (OSHA) which authorizes the Secretary of Labor, along with the Secretary of Health and Human Services, to issue regulations requiring employers to maintain and disclose information regarding work-related deaths, injuries, and illnesses .81 OSHA mandates the maintenance of records relating to employee exposure to potentially toxic materials or harmful agents .82 Employee exposure records include : (1) company environmental and biological monitoring records ; (2) material safety data ; and (3) any other record identifying a toxic substance or harmful physical agent to which the employee was exposed ." Employee exposure files must be preserved and maintained for at least thirty years .84 78 This could be especially significant since under the American with Disabilities Act (ADA) current drug users are not protected from discrimination . 42 U .S .C . §§ 12101 et seq. 79 42 C .F .R . § 2 . so 42 C .F .R. § 2a . 81 29 U .S .C . § 657(c)(1) and (2) . 82 Id. at § 657(c)(3) . 83 29 C .F .R . § 1910 .20(c)(5)(i-iv) . 84 29 C .F .R . § 1910 .20(d)(1)(ii) . CRS- 1 8 Employers, in both the private and public sector, are required to provide reasonable access to employees within 15 days of a request ." OTHER APPROACHES TO ACHIEVING UNIFORMITY Frequently, uniformity in state law in a given area has been achieved through the influence of the National Conference of Commissioners on Uniform State Laws (NCCUSL), a nongovernmental entity formed in 1882 "to promote uniformity in state laws on all subjects where uniformity is deemed desirable and practical, by voluntary action of the states ."" Currently, there are approximately 99 uniform acts, 12 model acts, and 12 other recommended acts drafted and approved by the Conference ." These proposals have met with varying degrees of success in terms of enactment by states . However, even when a state does not enact a model act in its entirety, it often adopts substantial parts or uses its own approach to reach substantially similar results . Thus the fact that only a small number of states have adopted a particular proposal does not necessarily indicate that its influence has not been more widespread . One author, in a review of widely adopted acts, has commented that, These acts generally involve transactions between citizens of different states, business activities running across state lines, or lawenforcement procedures ; and they make general national laws unnecessary, which in many cases could not be constitutionally enacted anyway. 88 The NCCUSL has been involved in the formulation of laws to protect the confidentiality of health-care information . Uniform Health-Care Information Act The Uniform Health-Care Information Act (UHCIA), drafted and approved by NCCUSL in 1985, addresses issues of confidentiality and release of patient information ." The UHCIA has not gained widespread acceptance, and only 85 86 Id. at § 1910 .20(e)(1)(i) . National Conference of Commissioners on Uniform State Laws, Uniform Laws Annotated, vol . 9, part 1 (West, 1988), p .III . 87 W. Armstrong, A Century of Service: A Centennial History of the National Conference of Commissioners on Uniform State Laws 130 (1991) . 88 89 Id. at 131 . National Conference of Commissioners on Uniform State Laws, Uniform Laws Annotated, vol . 9, part 1 (West Supp ., 1993), p .68 . CRS- 1 9 Montana has enacted this act into law ." Article II of the UHCIA addresses the disclosure of health-care information, and establishes rules for disclosures by health-care providers, patient authorizations for disclosure, patient revocation of authorization, disclosure without patient authorization, and compulsory process . CONCLUSION As health care reform moves to the forefront of Congressional agenda, undoubtedly proposals to strengthen the confidentiality of health-care information will emerge . A variety of factors and stressors on the health care system suggest that Congress will focus on strengthening the privacy of healthcare information . These factors include : advances in computer technologies and information systems, demands for increased cost efficiencies in the administration and delivery of health care through the implementation of a computer-based patient record, increases in the amount and flow of health-care information, gaps in federal laws related to the confidentiality of health-care information, the lack of uniformity in state laws and problems caused by the interstate transmission of health-care information, increases in the numbers and types of secondary users of health care information (patients, physicians, healthcare facilities, employers, federal and state government agencies, law enforcement, and insurers), and recognition of the potential harms that can occur from unauthorized disclosures of such information . Gina Marie Stevens Legislative Attorney crsphpgw 90 Mont . Code . Ann . § 50-16-501 to 50-16-553 .