The recently released privacy regulation, which will be fully implemented within two years, is being issued under the authority of the bipartisan Health Insurance Portability and Accountability Act (HIPAA) of 1996. These are the primary goals of the new rule:
• Inform consumers how their health information is being used. This new regulation requires health plans and providers to inform patients about how their information is being used and to whom it is disclosed. It also gives each individual patient a right to a "disclosure history" listing the entities that received information unrelated to treatment or payment; this history must be provided within 60 days.
• Limit the release of private health information without consent. This rule establishes a new federal requirement for doctors treating patients and hospitals to obtain patients’ written consent to use their health information even for routine purposes, such as treatment and payment. Other nonroutine disclosures would require separate, specific patient authorization.
• Give patients access to their own health file and the right to request amendments or corrections. The regulation gives patients the right to see and copy their own records as well as the right to request correction of potentially harmful errors in their health files. These access and amendment rights are a core part of efforts to protect individual privacy. Without them, a person with an improper diagnosis in his or her medical file could be denied health insurance and left with no redress.
• Restrict the amount of information used and disclosed to the "minimum necessary." Currently, health care providers and plans often release a patient’s entire health record even if an employer or other entity only needs specific information, such as the information necessary to process a worker’s compensation claim. This new regulation restricts the information that is used and disclosed to the minimum amount necessary.
• Require the establishment of privacy-conscious business practices. The regulation requires the establishment of internal procedures to protect the privacy of health records. They include: training employees about privacy considerations in the workplace; receiving complaints from patients on privacy issues; designating a privacy officer to assist patients with complaints; and ensuring that appropriate safeguards are in place for the protection of health information. Many responsible doctors, hospitals, and health plans already provide these common-sense services for their patients, and were instrumental in advocating for a national standard.
• Create new criminal and civil penalties for improper use or disclosure of information. In the past, there often has not been any legal basis to prosecute individuals who inappropriately disclose private medical information. This rule applies the standards included in HIPAA to create new criminal penalties for intentional disclosure: a fine of up to $50,000 and up to a year in prison. Disclosure with intent to sell the data is punishable with a fine of up to $250,000 and up to 10 years in prison. The regulation also establishes new civil penalties of $100 per person for unintentional disclosures and other violations (up to $25,000 per person per year).
• Require that information be disclosed only for public health priorities and other responsible research. The regulation balances the need to protect the public health and support carefully monitored medical research against the need to protect personal medical records from misuse and abuse. The regulation recognizes that threats to public health, such as life-threatening and easily transmitted infectious diseases, will require appropriate monitoring by public health authorities. The regulation encourages health professionals to use deidentified records whenever possible.
• Limit the disclosure of information without sacrificing public safety. The rule strikes the proper balance between protecting privacy and meeting the needs of law enforcement. Medical records often are important to the investigation and prosecution of serious criminal activity. At the same time, Americans must not be discouraged from seeking health care because of concerns about having their information inappropriately given to others.
In response to over 50,000 comments submitted by the public, the final regulation was changed in these ways:
• Extending coverage to personal medical records in all forms, including paper records and oral communications. The proposed regulation released last year was limited to electronic records and any paper records that previously existed in electronic form. The final regulation provides protection for paper and oral information in addition to electronic information, creating a privacy system that covers all personal health information created or held by covered entities. Comments received on the proposed regulation affirmed that the administration had the authority to extend coverage to paper records and overwhelmingly supported broadening the regulation to these records because it would be impractical to have two separate sets of privacy standards for different sets of records.
• Requiring consent for routine use and disclosure of health records. The proposed regulation released last year allowed routine disclosure of health information without advance consent for purposes of treatment, payment, and health care operations. The final regulation ensures that written consent for disclosures by front-line providers, even routine ones, is obtained in advance. This new requirement was strongly supported by physician and patient advocacy groups.
• Protecting against unauthorized use of medical records for employment purposes. The proposed regulation did not clearly explain the regulation’s limits on large self-insured employers’ access to personal health information for employment or other purposes unrelated to health care without consent. The final regulation clarifies that these employers cannot access medical information for purposes unrelated to health care.
• Ensuring that health care providers have all the information necessary to appropriately treat their patients. For most disclosures of health information, such as health information submitted with bills, providers may send only the minimum information needed for the purpose of the disclosure. However, when treating patients, health care providers often need to be able to share more complete information with other providers. The final rule gives providers full discretion in determining what personal health information to include when sending patient records to other providers for treatment purposes.