Summary of HHS Medical Privacy Regulations, December 2000

The medical privacy regulations announced by Health and Human Services Secretary Donna Shalala on Dec. 20, 2000, are an extremely important first step toward protecting people from the unwanted release or misuse of their private medical information.

I was alarmed a few years ago when I learned that up to 16 separate entities may have access to any individual's medical records, and I remain concerned that several additional measures need to be taken to further protect our medical records.

Nonetheless, the new HHS regulations have accomplished the following:

1. Limit the non-consensual use and release of private health information.
2. Give patients new rights to access their medical records to know who else has accessed them.
3. Restrict most disclosure of health information to the minimum needed for the intended purpose.
4. Establish new criminal and civil sanctions for improper use or disclosure.
5. Establish new requirements for access to records by researchers and others.

The regulations cover paper, oral and electronic information.

They require that most providers get their patients' consent even for routine use and disclosure of health records, such as providing information for purposes of treatment, payment and health-care operations, in addition to requiring patients' authorization for non-routine disclosures. Although the authorization for routine release will be requested in advance, it now will be accompanied by a detailed written explanation of your privacy rights and how the information will be used.

The regulations reflect five basic principles outlined by Secretary Shalala.

1. Consumer Control: Consumers receive new rights to control the release of their information, including advance consent for most disclosures; rights to see a copy of their records and request corrections to those records; right to learn who has requested their information; and the right to an explanation of their privacy rights and how their information will be used.

2. Boundaries: With few exceptions, an individual's health-care information should be used for health purposes only, such as treatment and payment. Three specific boundaries are outlined.
   • Employers who sponsor health plans may not obtain information for non-health purposes, such as hiring, firing or determining promotions, without permission from the individual.
   • Insurers may not use information to underwrite other products, such as life insurance.
   • Disclosures are to be kept to the minimum information needed for the purpose of the disclosure.

3. Accountability: Specific penalties are provided for the first time. For non-criminal violations, such as disclosures made in error, civil monetary penalties of $100 per violation up to $25,000 per year are standard. Criminal penalties are up to $50,000 fines and one year in prison for knowingly obtaining and releasing information; up to $100,000 fines and five years in prison for obtaining or disclosing protected information under "false pretenses"; and up to $250,000 and 10 years in prison for obtaining protected information with the intent to sell, transfer or use for commercial or personal gain or malicious harm.

4. Public Responsibility: The standards attempt to balance privacy protection with public responsibilities, such as protecting public health, conducting medical research, improving quality of care, and fighting fraud and abuse.

5. Security: Organizations entrusted with information are responsible to protect it against deliberate or inadvertent misuse or disclosure.

The standards apply to individuals whether they are privately insured, uninsured, or part of public programs such as Medicare or Medicaid.

Areas NOT covered by current federal law or these regulations include:

1. Certain entities not directly regulated include life insurers and worker's compensation programs.
2. No private right of action is provided to enable citizens to hold health plans or providers directly accountable for inappropriate and harmful disclosures.