New health information standards proposed

The Department of Health and Human Services (HHS) in Washington, DC, has proposed new standards for protecting individual health information when it is maintained or transmitted electronically.

The standards, published in the Federal Register on August 12,1 were designed to protect all electronic health information from improper access or alteration and to protect against loss of records. HHS Secretary Donna E. Shalala, however, called on Congress at the same time to enact further protections to guarantee the privacy of medical records.

"The proposals we are making today set a national standard for protecting the security and integrity of medical records when they are kept in electronic form," she said. "It is crucial to have these standards, as we move increasingly toward electronic medical records. But it is also not enough. In addition, we urgently need new legal protections to safeguard the privacy of medical records in all forms."

The new electronic data security standards were mandated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which also called on the secretary of HHS to make recommendations to Congress on how to protect the privacy of health information. Under HIPAA, Congress is given until August 1999 to enact privacy protections. If Congress fails to act by that time, HIPAA authorizes the HHS secretary to implement privacy protections by regulation.

The proposed regulations include technical guidance as well as administrative requirements for those who use electronic health information medical records of individuals. All health care providers that maintain or transmit health information electronically will be required to establish and maintain responsible and appropriate safeguards to ensure the integrity and confidentiality of the information.

All providers that transmit or maintain electronic health information will need to develop a security plan, provide training for employees, and secure physical access to records. Health information about individuals must be protected during transmission and where maintained in electronic form. Other administrative procedures, physical safeguards, and technical security measures will also be needed.

"This is not a one size fits all security plan," said Nancy-Ann Min DeParle, administrator of the Health Care Financing Administration in Baltimore, "but a carefully developed set of standards. They should ensure that individual records are secure while providing the flexibility for each health care business."

The rule allows for a 60-day period during which interested parties may comment by mail and e-mail. The final rule will be effective 60 days after being published in the Federal Register.


1. 63 Fed Reg 43,241 (Aug. 12, 1998). n

· The American Medical Informatics Association (AMIA) 1998 Annual Symposium will be held Nov. 7-11 in Lake Buena Vista, FL. This year's meeting, "A Paradigm Shift in Health Care Information Systems: Clinical Infrastructures for the 21st Century," will examine the impact of information technology on the health care delivery process.

In addition, the AMIA '98 Scientific Program features scientific papers, panels, theater-style demonstrations, posters, tutorials, and workshops. AMIA will also introduce the colloquium, detailed overviews on such topics as terminology, cognitive science, bio-informatics, and global information perspective.

For more information, call (301) 657-1296. Or visit the Web site at

· Medicare Billing for the Prospective Payment System: A Practical Guide for Hospitals to Implement the Balanced Budget Act will be held Nov. 16-17 in Arlington, VA. Sponsored by AiC Worldwide, the seminar also offers a post-conference workshop, "Designing Joint Outpatient Coding Programs for the Physician and the Hospital."

For more information, call (800) 409-4242. Fax: (212) 714-9815. Web site: