President Clinton Issues Strong New Consumer Protections to Ensure the Privacy of Medical Records
December 20, 2000
Today, President Clinton will release a final regulation establishing the
first-ever Federal privacy protections for the personal health information of
all Americans. This rule, which applies to health insurers, virtually all health
care providers and clearinghouses, will give consumers more
control over and access to their health information; set boundaries on the use
and release of health records; safeguard that information; establish
accountability for inappropriate use and release; and balance privacy
protections with public safety. The final regulation improves on the proposed
rule by strengthening several key protections, including: extending protections
to personal medical records in all forms – including paper records and oral
communications; providing for written consent for routine use and disclosure of
health records; protecting against unauthorized use of medical records for
employment purposes; and ensuring that health care providers have all the
information necessary to appropriately treat their patients.
THE PRIVACY OF INDIVIDUAL MEDICAL RECORDS IS NOT CURRENTLY
PROTECTED. Today, despite the increase in the collection and
dissemination of personal data, there is no comprehensive Federal requirement to
provide patients with basic privacy protections.
- Americans are increasingly concerned about losing their privacy.
Recent studies demonstrate a rising level of public concern about
privacy; in 1999, over 80 percent of people surveyed agreed with the statement
that they had "lost all control over their personal information."
- Personal health information can be distributed without consent for reasons
that are unrelated to treatment. Under the current loose patchwork of
state laws, information held by an insurer can be passed on to a lender who
can then deny that patient’s application for a home mortgage or a credit card,
or to an employer who uses it in personnel decisions. Personal health
information may be disclosed for insurance underwriting purposes, for market
research, or any other reason without any safeguards to protect it against
misuse.
- Patients are often unable to access their own medical records. In
addition, patients wishing to access or control the release of such records
may be unable to do so because of overwhelming barriers established by their
insurance company, health care provider, or anyone else who holds their
records.
PRESIDENT CLINTON TAKES FINAL ACTION NECESSARY TO IMPLEMENT NEW NATIONAL
SAFEGUARDS FOR SENSITIVE HEALTH INFORMATION. The final regulation, which
will be fully implemented within two years, is being issued under the authority
of the bipartisan Health Insurance Portability and Accountability Act (HIPAA).
This regulation, which underscores the Administration's commitment to
safeguarding the security of personal health information, will:
GIVE CONSUMERS CONTROL OVER THEIR HEALTH INFORMATION
- Inform consumers how their health information is being used. This new
regulation requires health plans and providers to inform patients about how
their information is being used and to whom it is disclosed. It also gives
each individual patient a right to a "disclosure history," listing the
entities that received information unrelated to treatment or payment, that
must be provided within 60 days.
- Limit the release of private health information without consent. This
rule establishes a new Federal requirement for doctors treating patients and
hospitals to obtain patients’ written consent to use their health information
even for routine purposes, such as treatment and payment. Other, non-routine
disclosures would require separate, specific patient authorization.
- Give patients access to their own health file and the right to request
amendments or corrections. The regulation gives patients the right to see
and copy their own records as well as the right to request correction of
potentially harmful errors in their health files. These access and amendment
rights are a core part of efforts to protect individual privacy. Without them,
a person with an improper diagnosis in his or her medical file could be denied
health insurance and left no redress.
SET BOUNDARIES ON MEDICAL RECORD USE AND RELEASE
- Restrict the amount of information used and disclosed to the "minimum
necessary." Currently, health care providers and plans often release a
patient's entire health record even if an employer or other entity only needs
specific information, such as the information necessary to process a worker’s
compensation claim. This new regulation restricts the information that is used
and disclosed to the minimum amount necessary.
ENSURE THE SECURITY OF PERSONAL HEALTH INFORMATION
- Require the establishment of privacy-conscious business practices. The
regulation requires the establishment of internal procedures to protect the
privacy of health records. They include: training employees about privacy
considerations in the workplace; receiving complaints from patients on privacy
issues; designating a "privacy officer" to assist patients with complaints;
and ensuring that appropriate safeguards are in place for the protection of
health information. Many responsible doctors, hospitals and health plans
already provide these common-sense services for their patients, and were
instrumental in advocating for a national standard.
ESTABLISH ACCOUNTABILITY FOR MEDICAL RECORD USE AND RELEASE
- Create new criminal and civil penalties for improper use or disclosure of
information. In the past, there often has not been any legal basis to
prosecute individuals who inappropriately disclose private medical
information. This rule applies the standards included in HIPAA to create new
criminal penalties for intentional disclosure – up to $50,000 and up to a year
in prison. Disclosure with intent to sell the data is punishable with a fine
of up to $250,000 and up to 10 years in prison. The regulation also
establishes new civil penalties of $100 per person for unintentional
disclosures and other violations (up to $25,000 per person per year). Although
these enforcement provisions will be helpful, they are no substitute for a
private right of action, which makes it possible for patients to be
compensated for harmful plan actions.
BALANCE PUBLIC RESPONSIBILITY WITH PRIVACY PROTECTIONS
- Require that information be disclosed only for public health priorities
and other responsible research. The regulation balances the need to
protect the public health and support carefully monitored medical research
against the need to protect personal medical records from misuse and abuse.
The regulation recognizes that threats to public health, such as
life-threatening and easily transmitted infectious diseases, will require
appropriate monitoring by public health authorities. The regulation encourages
health professionals to use de-identified records whenever possible.
- Limit the disclosure of information without sacrificing public safety.
The rule strikes the proper balance between protecting privacy and meeting the
needs of law enforcement. Medical records are often important to the
investigation and prosecution of serious criminal activity. At the same time,
Americans must not be discouraged from seeking health care because of concerns
about having their information inappropriately given to others.
FINAL REGULATION INCLUDES KEY CHANGES TO STRENGTHEN PRIVACY PROTECTIONS.
In response to over 50,000 comments submitted by the public, the final
regulation being released today strengthens patient protection and control over
their health information by:
- Extending coverage to personal medical records in all forms – including
paper records and oral communications. The proposed regulation released
last year was limited to electronic records and any paper records that
previously existed in electronic form. The final regulation provides
protection for paper and oral in addition to electronic information, creating
a privacy system that covers all personal health information created or held
by covered entities. Comments received on the proposed regulation affirmed
that the Administration had the authority to extend coverage to paper records
and overwhelmingly supported broadening the regulation to these records
because it would be impractical to have two separate sets of privacy standards
for different sets of records.
- Requiring consent for routine use and disclosure of health records.
The proposed regulation released last year allowed routine disclosure of
health information without advance consent for purposes of treatment, payment,
and health care operations. The final regulation ensures that written consent
for disclosures by front line providers – even routine ones – be obtained in
advance. This new requirement was strongly supported by physician and patient
advocacy groups.
- Protecting against unauthorized use of medical records for employment
purposes. The proposed regulation did not clearly explain the regulation's
limits on large self-insured employers' access to personal health information
for employment or other purposes unrelated to health care without consent. The
final regulation clarifies that these employers cannot access medical
information for purposes unrelated to health care.
- Ensuring that health care providers have all the information necessary to
appropriately treat their patients. For most disclosures of health
information, such as health information submitted with bills, providers may
send only the minimum information needed for the purpose of the disclosure.
However, when treating patients, health care providers often need to be able
to share more complete information with other providers. The final rule gives
providers full discretion in determining what personal health information to
include when sending patient records to other providers for treatment
purposes.
Financial Impact of Implementation of Privacy Regulation. Recognizing the
savings and cost potential of standardizing electronic claims processing and
protecting privacy and security, the Congress required that the overall
financial impact of the HIPAA regulations reduce costs. As such, the financial
assessment of the privacy regulation includes the ten-year $29.9 billion savings
HHS projects for the recently released electronic claims regulation and the
$17.6 billion in costs over 10 years projected for the privacy
regulation. This produces a net savings of approximately $12.3 billion over 10
years for the health care delivery system while improving the efficiency as well
as privacy protections.
PRESIDENT CLINTON CALLS ON THE CONGRESS TO ENACT PRIVACY LEGISLATION TO
FINISH THE JOB. Today, President Clinton will once again call on Congress to
finish the job on privacy. The regulation being finalized today represents a
critical step towards protecting patient privacy that became necessary after
Congress failed to act in the three-year timeframe it gave itself in 1996.
However, the President's administrative authority is limited by statute and
there remains an urgent need for Federal privacy protections to: strengthen
penalties and to create a private right of action so citizens can hold health
plans and providers accountable for inappropriate and harmful disclosures of
information; extend privacy protections to cover other entities that routinely
handle sensitive medical information, such as life insurers and worker's
compensation programs; and to place appropriate limits on the re-use of medical
information by other entities. Today the President is doing what he can in this
area. He is issuing an Executive Order to limit the re-use and re-disclosure of
certain medical records within the Federal government, but new legislation would
be needed to extend these protections more broadly.
Date revised: December 20, 2000