Summary of HHS Medical Privacy Regulations,
December 2000
The medical privacy regulations announced by Health and Human Services
Secretary Donna Shalala on Dec. 20, 2000, are an extremely important first step
toward protecting people from the unwanted release or misuse of their private
medical information.
I was alarmed a few years ago when I learned that up to 16 separate entities
may have access to any individual's medical records, and I remain concerned that
several additional measures need to be taken to further protect our medical
records.
Nonetheless, the new HHS regulations have accomplished the following:
- Limit the non-consensual use and release of private health information.
- Give patients new rights to access their medical records and to know who else
has accessed them.
- Restrict most disclosure of health information to the minimum needed for
the intended purpose.
- Establish new criminal and civil sanctions for improper use or disclosure.
- Establish new requirements for access to records by researchers and
others.
The regulations cover paper, oral and electronic information.
They require that most providers get their patients' consent even for routine
use and disclosure of health records, such as providing information for purposes
of treatment, payment and health-care operations, in addition to requiring
patients' authorization for non-routine disclosures. Although the authorization
for routine release will be requested in advance, it now will be accompanied by
a detailed written explanation of your privacy rights and how the information
will be used.
The regulations reflect five basic principles outlined by Secretary Shalala.
- Consumer Control: Consumers receive new rights to control the release of
their information, including advance consent for most disclosures; the right to
see a copy of their records and request corrections to those records; the right
to learn who has requested their information; and the right to an explanation of
their privacy rights and how their information will be used.
- Boundaries: With few exceptions, an individual's health-care information
should be used for health purposes only, such as treatment and payment. Three
specific boundaries are outlined.
  - Employers who sponsor health plans may not obtain information for
  non-health purposes, such as hiring, firing or determining promotions,
  without permission from the individual.
  - Insurers may not use information to underwrite other products, such as
  life insurance.
  - Disclosures are to be kept to the minimum information needed for the
  purpose of the disclosure.
- Accountability: Specific penalties are provided for the first time. For
non-criminal violations, such as disclosures made in error, civil monetary
penalties of $100 per violation up to $25,000 per year are standard. Criminal
penalties are up to $50,000 fines and one year in prison for knowingly
obtaining and releasing information; up to $100,000 fines and five years in
prison for obtaining or disclosing protected information under "false
pretenses"; and up to $250,000 and 10 years in prison for obtaining protected
information with the intent to sell, transfer or use for commercial or
personal gain or malicious harm.
- Public Responsibility: The standards attempt to balance privacy protection
with public responsibilities, such as protecting public health, conducting
medical research, improving quality of care, and fighting fraud and abuse.
- Security: Organizations entrusted with information are responsible for
protecting it against deliberate or inadvertent misuse or disclosure.
The standards apply to individuals whether they are privately insured,
uninsured, or part of public programs such as Medicare or Medicaid.
Areas NOT covered by current federal law or these regulations include:
- Certain entities are not directly regulated, including life insurers and
workers' compensation programs.
- No private right of action is provided to enable citizens to hold health
plans or providers directly accountable for inappropriate and harmful
disclosures.