December 20, 2000
HHS Press Office (202) 690-6343
Overview: Each time a patient sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of their confidential health information. For many years, the confidentiality of those records was maintained by our family doctors, who kept our records sealed away in file cabinets and refused to reveal them to anyone else. Today, the use and disclosure of this information is protected by a patchwork of state laws, leaving large gaps in the protection of patients' privacy and confidentiality. There is a pressing need for national standards to control the flow of sensitive patient information and to establish real penalties for the misuse or disclosure of this information.
President Clinton and Congress recognized the need for national patient record privacy standards in 1996 when they enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA). That law gave Congress until August 21, 1999, to pass comprehensive health privacy legislation. After three years of discussion in Congress without passage of such a law, HIPAA provided HHS with the authority to craft such privacy protections by regulation. Following the principles and policies laid out in the recommendations for national health information privacy legislation the Administration submitted to Congress in 1997, the Administration drafted regulations to guarantee patients new rights and protections against the misuse or disclosure of their health records and the President and Secretary Donna E. Shalala released them in October of last year. During an extended comment period, HHS received, electronically or on paper, more than 52,000 communications from the public.
This final rule provides the first comprehensive federal protection for the privacy of health information. However, because of the limitations of the HIPAA statute, these protections do not fully achieve the Administration's goal of a seamless system of privacy protection for all health information. Members of both parties in Congress will need to pass meaningful, comprehensive privacy protection for American patients that would extend the reach of the standards being finalized today to all entities that hold personal health information.
As required by HIPAA, the final regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., electronic billing and funds transfers) electronically.
All medical records and other individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally, is covered by the final regulation.
The rule is the result of the Department's careful consideration of every comment and reflects a balance between accommodating practical uses of individually identifiable health information and rendering maximum privacy protection of that information.
Under this final rule, patients have significant new rights to understand and control how their health information is used.
With few exceptions, an individual's health information can be used for health purposes only.
The regulation establishes the privacy safeguard standards that covered entities must meet, but it leaves detailed policies and procedures for meeting these standards to the discretion of each covered entity. In this way, implementation of the standards will be flexible and scalable, to account for the nature of each entity's business, and its size and resources. Covered entities must:
Penalties for covered entities that misuse personal health information are provided in HIPAA.
After balancing privacy and other social values, HHS is establishing rules that would permit certain existing disclosures of health information without individual authorization for the following national priority activities and for activities that allow the health care system to operate more smoothly. All of these disclosures have been permitted under existing laws and regulations. Within certain guidelines found in the regulation, covered entities may disclose information for:
The rule permits, but does not require these types of disclosures. If there is no other law requiring that information be disclosed, physicians and hospitals will still have to make judgments about whether to disclose information, in light of their own policies and ethical principles.
Psychotherapy notes (used only by a psychotherapist) are held to a higher standard of protection because they are not part of the medical record and never intended to be shared with anyone else. All other health information is considered to be sensitive and treated consistently under this rule.
The provisions of the final rule generally apply equally to private sector and public sector entities. For example, both private hospitals and government agency medical units must comply with the full range of requirements, such as providing notice, access rights, requiring consent before disclosure for routine uses, establishing contracts with business associates, among others.
Recognizing the savings and cost potential of standardizing electronic claims processing and protecting privacy and security, the Congress provided in HIPAA 1996 that the overall financial impact of the HIPAA regulations reduce costs. As such, the financial assessment of the privacy regulation includes the ten-year $29.9 billion savings HHS projects for the recently released electronic claims regulation and the projected $17.6 billion in costs projected for the privacy regulation. This produces a net savings of approximately $12.3 billion for the health care delivery system while improving the efficiency of health care as well as privacy protection.
Stronger state laws (like those covering mental health, HIV infection, and AIDS information) continue to apply. These confidentiality protections are cumulative; the final rule sets a national "floor" of privacy standards that protect all Americans, but in some states individuals enjoy additional protection. In circumstances where states have decided through law to require certain disclosures of health information for civic purposes, we do not preempt these mandates. The result is to give individuals the benefit of all laws providing confidentiality protection as well as to honor state priorities.
HIPAA limits the application of our rule to the covered entities. It does not provide authority for the rule to reach many persons and businesses that work for covered entities or otherwise receive health information from them. So the rule cannot put in place appropriate restrictions on how such recipients of protected health information may use and re-disclose such information. There is no statutory authority for a private right of action for individuals to enforce their privacy rights. We need Congressional action to fill these gaps in patient privacy protections.
The final regulation will come into full effect in two years. The regulation will be enforced by HHS' Office for Civil Rights, which will provide assistance to providers, plans and health clearinghouses in meeting the requirements of the regulation - including a toll free line to help answer questions: 1-866-OCR-PRIV (1-866-627-7748). The TTY number is 1-866-788-4989. A Web site on the new regulation will also be available at http://www.hhs.gov/ocr.
Note: For other HHS Press Releases and Fact Sheets pertaining to the subject of this announcement, please click here for our Press Release and Fact Sheet search engine at: http://www.hhs.gov/search/press.html.