New health information standards proposed

The Department of Health and Human Services (HHS) in Washington, DC, has proposed new standards for protecting individual health information when it is maintained or transmitted electronically.

The standards, published in the Federal Register on August 12,[1] were designed to protect all electronic health information from improper access or alteration and to protect against loss of records. HHS Secretary Donna E. Shalala, however, called on Congress at the same time to enact further protections to guarantee the privacy of medical records.

"The proposals we are making today set a national standard for protecting the security and integrity of medical records when they are kept in electronic form," she said. "It is crucial to have these standards, as we move increasingly toward electronic medical records. But it is also not enough. In addition, we urgently need new legal protections to safeguard the privacy of medical records in all forms."

The new electronic data security standards were mandated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which also called on the secretary of HHS to make recommendations to Congress on how to protect the privacy of health information. Under HIPAA, Congress is given until August 1999 to enact privacy protections. If Congress fails to act by that time, HIPAA authorizes the HHS secretary to implement privacy protections by regulation.

The proposed regulations include technical guidance as well as administrative requirements for those who use electronic health information or medical records of individuals. All health care providers that maintain or transmit health information electronically will be required to establish and maintain responsible and appropriate safeguards to ensure the integrity and confidentiality of the information.

All providers that transmit or maintain electronic health information will need to develop a security plan, provide training for employees, and secure physical access to records. Health information about individuals must be protected during transmission and where maintained in electronic form. Other administrative procedures, physical safeguards, and technical security measures will also be needed.

"This is not a one-size-fits-all security plan," said Nancy-Ann DeParle, administrator of the Health Care Financing Administration in Baltimore, "but a carefully developed set of standards. They should ensure that individual records are secure while providing the flexibility for each health care business."

The final rule will be effective 60 days after being published in the Federal Register.
1. 63 Fed. Reg. 43,241 (Aug. 12, 1998).