FOR IMMEDIATE RELEASE
HHS Press Office (202) 690-6343
HHS Secretary Donna E. Shalala today released the nation's first-ever standards for protecting the privacy of Americans' personal health records. This new regulation will protect medical records and other personal health information maintained by health care providers, hospitals, health plans and health insurers, and health care clearinghouses.
"For the first time, all Americans -- no matter where they live, no matter where they get their health care -- will have protections for their most private personal information, their health records," Secretary Shalala said. "Gone are the days when our family doctor kept our records sealed away in an office file cabinet. Patient information is now accessed and exchanged quickly. With these standards, all Americans will be able to have confidence that their personal health information will be protected."
The regulation was mandated by Congress when it failed to pass comprehensive privacy legislation. The new standards: limit the non-consensual use and release of private health information; give patients new rights to access their medical records and to know who else has accessed them; restrict most disclosure of health information to the minimum needed for the intended purpose; establish new criminal and civil sanctions for improper use or disclosure; and establish new requirements for access to records by researchers and others.
HHS received more than 52,000 comments on its proposed privacy rule published last year. The standards announced today further strengthen patients' protection and control over their health information by extending coverage to personal medical records in all forms -- including paper records and oral communications. The earlier proposal had applied to electronic records and to any paper records that had at some point existed in electronic form. The final regulation provides protection for paper, oral and electronic information, creating a privacy system that covers all personal health information created or held by covered entities.
"Comprehensive protection of personal medical records is what Congress called for in the law, and it's what American patients and their providers want and need," Shalala said. "Protection for all records is the most logical, workable and understandable approach for patients and providers alike."
The final rule also requires that most providers get their patients' consent for routine use and disclosure of health records, in addition to requiring their authorization for non-routine disclosures. The earlier version had proposed allowing routine disclosures without advance consent -- disclosures for purposes of treatment, payment and health care operations (such as internal data gathering by a provider or health care plan). But most of those commenting on this provision, including many physicians, believed consent even for these routine purposes should be obtained in advance.
Advance written consent for routine purposes will be similar to the practice most patients are accustomed to when they visit a doctor or hospital today. However, the regulation will provide additional protection by requiring that patients must also be given detailed written information on their privacy rights and how their information will be used.
Other changes from the proposed rule include:
Allowing disclosure of the full medical record to providers for purposes of treatment: For most disclosures, such as health information submitted with bills, providers may send only the minimum information needed for the purpose of the disclosure. However, for purposes of treatment, health care providers need to be able to transmit fuller information to other providers. The final rule gives providers full discretion in determining what personal health information to include when sending patients' medical records to other providers for treatment purposes.
Protecting against unauthorized use of medical records for employment purposes: Companies that sponsor health plans will not be able to access personal health information from the sponsored plan for employment-related purposes, without authorization from the patient.
The bipartisan Health Insurance Portability and Accountability Act of 1996 (HIPAA) called on Congress to enact comprehensive national medical record privacy standards by Aug. 21, 1999. When Congress was unable to enact standards by this deadline, HIPAA required that HHS issue regulations. Proposed regulations were published Nov. 3, 1999. Today's issuance of final regulations completes HHS' regulatory process on health information privacy under the HIPAA provision. The regulation will be enforced by the HHS Office for Civil Rights.
The final regulation retains the approach originally outlined by Secretary Shalala in September 1997 in her "Recommendations for Protecting the Confidentiality of Individually Identifiable Health Information."
The new regulation reflects the five basic principles outlined at that time:
The new regulation is designed to enhance the protections afforded by many existing state laws. In circumstances where the federal rules and state laws are in conflict, the stronger privacy protection would prevail. The standards apply to all consumers whether they are privately insured, uninsured or participants in public programs such as Medicare or Medicaid. Most covered entities will have two years to come into compliance.
Recognizing the savings and cost potential of standardizing electronic claims processing and protecting privacy and security, the Congress provided in HIPAA 1996 that the overall financial impact of the HIPAA regulations reduce costs. As such, the financial assessment of the privacy regulation includes the 10-year $29.9 billion savings HHS projects for the recently released electronic claims regulation and the $17.6 billion in costs projected for the privacy regulation. This produces a net savings of approximately $12.3 billion for the health care delivery system.
While the regulation announced today significantly strengthens protections for patients' confidentiality, Secretary Shalala said Congress still needs to act in areas not covered by existing federal law. Under current law, the final regulation does not directly regulate many entities, including life insurers and worker's compensation programs -- thus allowing unlimited use and reuse of information by such entities. Federal legislation is also needed to fortify the penalties and to create a private right of action so that citizens can hold health plans and providers directly accountable for inappropriate and harmful disclosures of information.
A fact sheet on this subject is available at: http://www.hhs.gov/news/press/2000pres/00fsprivacy.html
An actuality of Secretary Donna E. Shalala announcing the new Medical Record Privacy Regulation is available on the Internet at: http://www.hhs.gov/news/broadcast/. In addition, a photograph from this announcement is available at: http://www.hhs.gov/news/photos/.
Note: For other HHS Press Releases and Fact Sheets pertaining to the subject of this announcement, please visit our Press Release and Fact Sheet search engine at: http://www.hhs.gov/search/press.html.