The recommended rule addresses five main areas: consumer control, accountability, public responsibility, boundaries on the use of the data, and security.
Under the Health and Human Services (HHS) rule, patients would have significant new rights to understand and control how their health information is used:
• Providers and health plans would be required to give patients a clear written explanation of how they will use, keep, and disclose information.
• Patients would be able to see and get copies of their records and request corrections.
• A history of most disclosures would have to be maintained and be made accessible to patients.
• A patient’s authorization to disclose information would have to meet specific requirements.
• A provider or payer generally would not be able to condition treatment, payment, or coverage on a patient’s agreement to disclose health information for other purposes.
• Patients would have the right to restrict uses of their information.
There would be punishment for covered entities that misuse personal health information. The statute provides the following penalties for misuse of health information:
• There would be federal criminal penalties for health plans, providers, and clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses. Penalties would be higher for actions designed to generate monetary gain.
• Health plans, providers, and clearinghouses that violate these standards would be subject to civil liability.
• The statute includes new penalties for violations of a patient’s right to privacy. These penalties include, for violations of the privacy standards by the persons subject to them, civil monetary penalties of up to $25,000 per person, per year, per standard. There are also substantial criminal penalties applicable to certain types of violations of the statute that are done knowingly: up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining protected health information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.
Some existing uses of information would not be affected at all, such as reporting births and deaths and reporting abuse such as child abuse. After balancing privacy and other social values, HHS is proposing rules that would permit disclosure of health information without individual authorization for the following national priority activities and for activities that allow the health care system to operate more smoothly:
• Oversight of the health care system, including quality assurance activities
• Public health
• Judicial and administrative proceedings
• Law enforcement
• Emergency circumstances
• Information to next-of-kin
• Identification of the body of a deceased person, or the cause of death
• Governmental health data systems as authorized
• Facility patient directories
• Banks and other financial institutions to process health care payments and premiums
• Activities related to national defense and security
With few exceptions, an individual’s health care information would be used for health purposes only. It would be easy to use health information for health purposes, and difficult to use it for other purposes.
• Patient information could be used by a health plan, provider, or clearinghouse only for purposes of health care treatment, payment, operations, and some limited public policy priorities.
• All disclosures of information would be limited to the minimum necessary for the purpose of the disclosure.
• Disclosures with patient authorization would have to meet standards that would ensure that the authorization is truly informed and voluntary.
• The proposal would permit, but does not require, these types of disclosures. If there is no other law requiring that information be disclosed, physicians and hospitals will still have to make judgments about whether to disclose information, in light of their own policies and ethical principles.
Covered entities that are entrusted with health information would be required to protect the information against deliberate or inadvertent misuse or disclosure. Security measures would be required to establish policies to protect the information against improper use by employees, or threats from outside. The following entities would be covered by the proposed rule:
• Health plans
• Health care providers that transmit health information electronically
• Health care clearinghouses
Impact on Existing Confidentiality Laws
This proposal would not limit or reduce other stronger legal protections for confidentiality of health information. Stronger state laws (such as those covering mental health and HIV infection and AIDS information) would continue to apply except for certain public health activities specified in the statute. The confidentiality protections would be cumulative, and the proposed rule would provide "floor preemption." The aim is to give individuals the benefit of all laws providing confidentiality protection.
Source: Department of Health and Human Services, Washington, DC. November 1999.