The new federal privacy regulation, issued in December by the Department of Health and Human Services (HHS), will protect medical records and other personal health information maintained by health care providers, hospitals, health plans and health insurers, and health care clearinghouses.
The regulation, mandated by Congress when it failed to pass comprehensive privacy legislation, includes standards that, according to a fact sheet released by HHS:
• limit the nonconsensual use and release of private health information;
• give patients new rights to access their medical records and to know who else has accessed them;
• restrict most disclosure of health information to the minimum needed for the intended purpose;
• establish new criminal and civil sanctions for improper use or disclosure; and
• establish new requirements for access to records by researchers and others.
The standards extend coverage to personal medical records in all forms, including paper records and oral communications. The earlier proposal had applied to electronic records and to any paper records that had at some point existed in electronic form. The final regulation provides protection for paper, oral, and electronic information, creating a privacy system that covers all personal health information created or held by covered entities.
The final rule also requires that most providers get their patients’ consent for routine use and disclosure of health records, in addition to requiring their authorization for nonroutine disclosures. The earlier version had proposed allowing routine disclosures — disclosures for purposes of treatment, payment and health care operations (such as internal data gathering by a provider or health care plan) — without advance consent.
Advance written consent for routine purposes will be similar to the practice most patients are accustomed to when they visit a doctor or hospital today. However, the regulation will provide additional protection by requiring that patients also be given detailed written information on their privacy rights and on how their information will be used.
Other changes from the proposed rule include:
• Allowing disclosure of the full medical record to providers for purposes of treatment.
For most disclosures, such as health information submitted with bills, providers may send only the minimum information needed for the purpose of the disclosure. The final rule gives providers full discretion in determining what personal health information to include when sending patients’ medical records to other providers for treatment purposes.
• Protecting against unauthorized use of medical records for employment purposes.
Companies that sponsor health plans will not be able to access personal health information from the sponsored plan for employment-related purposes, without authorization from the patient.
The bipartisan Health Insurance Portability and Accountability Act of 1996 (HIPAA) called on Congress to enact comprehensive national medical record privacy standards by Aug. 21, 1999. When Congress was unable to enact standards by this deadline, HIPAA required that HHS issue regulations. Proposed regulations were published Nov. 3, 1999. The issuance in December 2000 of final regulations completes the regulatory process of HHS on health information privacy under the HIPAA provision. The regulation will be enforced by the HHS Office for Civil Rights.
The new regulation reflects these five basic principles:
1. Consumer control
The regulation provides consumers with critical new rights to control the release of their medical information, including: advance consent for most disclosures of health information; the right to see a copy of their health records; the right to request a correction to their health records; the right to obtain documentation of disclosures of their health information; and the right to an explanation of their privacy rights and how their information may be used or disclosed.
With few exceptions, an individual’s health care information should be used for health purposes only, including treatment and payment. For example, a hospital may use personal health information to provide care, teach, train, conduct research, and ensure quality. However, employers who also sponsor health plans may not obtain information for nonhealth purposes like hiring, firing, or determining promotions, without permission from the individual. Similarly, insurers may not use such information to underwrite other products, such as life insurance. Disclosure is to be kept to the minimum information needed for the purpose of the disclosure.
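One way to model the disclosure rules summarized above (the "Other changes" list and the consumer-control paragraphs) as an access-control check, written here as an added illustration and not drawn from the regulation or from HHS: routine purposes are gated on advance consent, the full record is released only to a treating provider, billing and operations get a minimum-necessary field set, every other purpose (including a plan sponsor's employment-related request) needs a purpose-specific authorization that also bounds the fields, and a log serves the patient's right to an accounting of disclosures. The purpose labels, role names, field names, and sample record are constructed assumptions; the rule states the principles, not these particulars.

```python
from dataclasses import dataclass, field

# Routine purposes need the patient's advance consent; everything else needs
# a purpose-specific authorization (purpose labels are assumed for illustration).
ROUTINE_PURPOSES = {"treatment", "payment", "operations"}

# Minimum-necessary field sets for routine purposes other than treatment.
# Field names and subsets are constructed for this example; the rule states
# the principle and leaves the choice of fields to the covered entity.
MINIMUM_NECESSARY = {
    "payment": {"patient_id", "dates_of_service", "procedure_codes", "charges"},
    "operations": {"patient_id", "dates_of_service", "procedure_codes"},
}

# Constructed sample record; values are placeholders, not real data.
RECORD = {
    "patient_id": "P-0001",
    "dates_of_service": ["2000-12-04"],
    "procedure_codes": ["PROC-001"],
    "charges": 120.0,
    "diagnosis": "example diagnosis",
    "clinical_notes": "example notes",
}


@dataclass
class Patient:
    patient_id: str
    consent_on_file: bool  # advance written consent for routine use
    # purpose -> the fields the patient specifically authorized for that purpose
    authorizations: dict = field(default_factory=dict)


@dataclass
class Request:
    requester: str
    requester_role: str  # assumed roles: "provider", "health_plan", "plan_sponsor", "researcher"
    purpose: str


class DisclosureGate:
    """Decides what, if anything, leaves the covered entity, and keeps the
    accounting of disclosures a patient is entitled to ask for."""

    def __init__(self):
        self.disclosures = []  # (patient_id, requester, purpose, fields released)
        self.denials = []      # (patient_id, requester, purpose, reason), kept for audit

    def _deny(self, patient, req, reason):
        self.denials.append((patient.patient_id, req.requester, req.purpose, reason))
        raise PermissionError(reason)

    def disclose(self, patient, record, req):
        if req.purpose in ROUTINE_PURPOSES:
            if not patient.consent_on_file:
                self._deny(patient, req, "routine use requires advance consent")
            if req.purpose == "treatment" and req.requester_role == "provider":
                allowed = set(record)  # a treating provider may receive the full record
            else:
                allowed = MINIMUM_NECESSARY.get(req.purpose)
                if allowed is None:
                    self._deny(patient, req,
                               f"no minimum-necessary profile for {req.purpose!r} "
                               f"requested by a {req.requester_role!r}")
        else:
            # Non-routine purposes, including a plan sponsor asking for employment
            # reasons, need an authorization that also bounds the fields released.
            allowed = patient.authorizations.get(req.purpose)
            if allowed is None:
                self._deny(patient, req, f"no authorization on file for {req.purpose!r}")
        released = {k: v for k, v in record.items() if k in allowed}
        self.disclosures.append(
            (patient.patient_id, req.requester, req.purpose, tuple(sorted(released))))
        return released

    def accounting_of_disclosures(self, patient_id):
        """What the patient may ask for: every release of their information."""
        return [d for d in self.disclosures if d[0] == patient_id]


def demo():
    gate = DisclosureGate()
    patient = Patient("P-0001", consent_on_file=True,
                      authorizations={"research": {"patient_id", "procedure_codes"}})
    treatment = gate.disclose(patient, RECORD, Request("Dr. Example", "provider", "treatment"))
    billing = gate.disclose(patient, RECORD, Request("ExamplePlan", "health_plan", "payment"))
    try:
        gate.disclose(patient, RECORD, Request("ExampleCorp HR", "plan_sponsor", "employment"))
        sponsor_blocked = False
    except PermissionError:
        sponsor_blocked = True
    research = gate.disclose(patient, RECORD, Request("ExampleLab", "researcher", "research"))
    return {
        "treatment_fields": set(treatment),
        "billing_fields": set(billing),
        "sponsor_blocked": sponsor_blocked,
        "research_fields": set(research),
        "accounting": gate.accounting_of_disclosures("P-0001"),
        "denials": gate.denials,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The denial list is the security-operations side of the same gate: a plan sponsor repeatedly asking for employment-purpose data, or a billing system asking for clinical notes, shows up there even though nothing was released.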
Under HIPAA, for the first time, there will be specific federal penalties if a patient’s right to privacy is violated. For noncriminal violations of the privacy standards by the persons subject to the standards, including disclosures made in error, there are civil monetary penalties of $100 per violation up to $25,000 per year, per standard.
In addition, criminal penalties are provided in HIPAA for certain types of violations of the statute that are done knowingly: up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining or disclosing protected health information under "false pretenses" and up to $250,000 and up to 10 years in prison for obtaining protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain, or malicious harm.
4. Public responsibility
The new standards reflect the need to balance privacy protections with the public responsibility to support such national priorities as protecting public health, conducting medical research, improving the quality of care, and fighting health care fraud and abuse. For example, when there is an infectious disease outbreak, public health agencies need to obtain important information to better protect the public. The new regulation provides standards for how such information should be released to balance privacy and public health needs.
It is the responsibility of organizations that are entrusted with health information to protect it against deliberate or inadvertent misuse or disclosure. The final regulation requires covered organizations to establish clear procedures to protect patients’ privacy, including designating an official to establish and monitor the entity’s privacy practices and training.