President Clinton Issues Strong New Consumer Protections to Ensure the Privacy of Medical Records
Wednesday, December 20, 2000
Today, President Clinton will release a final regulation establishing the first-ever federal privacy protections for the personal health information of all Americans. This rule, which applies to health insurers, virtually all health care providers and clearinghouses, will give consumers more control over and access to their health information; set boundaries on the use and release of health records; safeguard that information; establish accountability for inappropriate use and release; and balance privacy protections with public safety. The final regulation improves on the proposed rule by strengthening several key protections, including: extending protections to personal medical records in all forms – including paper records and oral communications; providing for written consent for routine use and disclosure of health records; protecting against unauthorized use of medical records for employment purposes; and ensuring that health care providers have all the information necessary to appropriately treat their patients.
THE PRIVACY OF INDIVIDUAL MEDICAL RECORDS IS NOT CURRENTLY PROTECTED. Today, despite the increase in the collection and dissemination of personal data, there is no comprehensive federal requirement to provide patients with basic privacy protections.
- Americans are increasingly concerned about losing their privacy. Recent studies show a rising level of public concern about privacy; in 1999, over 80 percent of people surveyed agreed with the statement that they had "lost all control over their personal information."
- Personal health information can be distributed without consent for reasons that are unrelated to treatment. Under the current loose patchwork of state laws, information held by an insurer can be passed on to a lender who can then deny that patient's application for a home mortgage or a credit card, or to an employer who uses it in personnel decisions. Personal health information may be disclosed for insurance underwriting purposes, for market research, or any other reason without any safeguards to protect it against misuse.
- Patients are often unable to access their own medical records. In addition, patients wishing to access or control the release of such records may be unable to do so because of overwhelming barriers established by their insurance company, health care provider, or anyone else who holds their records.
PRESIDENT CLINTON TAKES FINAL ACTION NECESSARY TO IMPLEMENT NEW NATIONAL SAFEGUARDS FOR SENSITIVE HEALTH INFORMATION. The final regulation, which will be fully implemented within two years, is being issued under the authority of the bipartisan Health Insurance Portability and Accountability Act (HIPAA). This regulation, which underscores the Administration's commitment to safeguarding the security of personal health information, will:
GIVE CONSUMERS CONTROL OVER THEIR HEALTH INFORMATION
- Inform consumers how their health information is being used. This new regulation requires health plans and providers to inform patients about how their information is being used and to whom it is disclosed. It also gives each individual patient a right to a "disclosure history," listing the entities that received information unrelated to treatment or payment, that must be provided within 60 days.
- Limit the release of private health information without consent. This rule establishes a new federal requirement for doctors treating patients and hospitals to obtain patients' written consent to use their health information even for routine purposes, such as treatment and payment. Other, non-routine disclosures would require separate, specific patient authorization.
- Give patients access to their own health file and the right to request amendments or corrections. The regulation gives patients the right to see and copy their own records as well as the right to request correction of potentially harmful errors in their health files. These access and amendment rights are a core part of efforts to protect individual privacy. Without them, a person with an improper diagnosis in his or her medical file could be denied health insurance and left with no redress.
SET BOUNDARIES ON MEDICAL RECORD USE AND RELEASE
- Restrict the amount of information used and disclosed to the "minimum necessary." Currently, health care providers and plans often release a patient's entire health record even if an employer or other entity only needs specific information, such as the information necessary to process a worker's compensation claim. This new regulation restricts the information that is used and disclosed to the minimum amount necessary.
ENSURE THE SECURITY OF PERSONAL HEALTH INFORMATION
- Require the establishment of privacy-conscious business practices. The regulation requires the establishment of internal procedures to protect the privacy of health records. They include: training employees about privacy considerations in the workplace; receiving complaints from patients on privacy issues; designating a "privacy officer" to assist patients with complaints; and ensuring that appropriate safeguards are in place for the protection of health information. Many responsible doctors, hospitals and health plans already provide these common-sense services for their patients, and were instrumental in advocating for a national standard.
ESTABLISH ACCOUNTABILITY FOR MEDICAL RECORD USE AND RELEASE
- Create new criminal and civil penalties for improper use or disclosure of information. In the past, there often has not been any legal basis to prosecute individuals who inappropriately disclose private medical information. This rule applies the standards included in HIPAA to create new criminal penalties for intentional disclosure – up to $50,000 and up to a year in prison. Disclosure with intent to sell the data is punishable with a fine of up to $250,000 and up to 10 years in prison. The regulation also establishes new civil penalties of $100 per person for unintentional disclosures and other violations (up to $25,000 per person per year). Although these enforcement provisions will be helpful, they are no substitute for a private right of action, which makes it possible for patients to be compensated for harmful plan actions.
BALANCE PUBLIC RESPONSIBILITY WITH PRIVACY PROTECTIONS
- Require that information be disclosed only for public health priorities and other responsible research. The regulation balances the need to protect the public health and support carefully monitored medical research against the need to protect personal medical records from misuse and abuse. The regulation recognizes that threats to public health, such as life-threatening and easily transmitted infectious diseases, will require appropriate monitoring by public health authorities. The regulation encourages health professionals to use de-identified records whenever possible.
- Limit the disclosure of information without sacrificing public safety. The rule strikes the proper balance between protecting privacy and meeting the needs of law enforcement. Medical records are often important to the investigation and prosecution of serious criminal activity. At the same time, Americans must not be discouraged from seeking health care because of concerns about having their information inappropriately given to others.
FINAL REGULATION INCLUDES KEY CHANGES TO STRENGTHEN PRIVACY PROTECTIONS. In response to over 50,000 comments submitted by the public, the final regulation being released today strengthens patient protection and control over their health information by:
- Extending coverage to personal medical records in all forms – including paper records and oral communications. The proposed regulation released last year was limited to electronic records and any paper records that previously existed in electronic form. The final regulation provides protection for paper and oral in addition to electronic information, creating a privacy system that covers all personal health information created or held by covered entities. Comments received on the proposed regulation affirmed that the Administration had the authority to extend coverage to paper records and overwhelmingly supported broadening the regulation to these records because it would be impractical to have two separate sets of privacy standards for different sets of records.
- Requiring consent for routine use and disclosure of health records. The proposed regulation released last year allowed routine disclosure of health information without advance consent for purposes of treatment, payment, and health care operations. The final regulation ensures that written consent for disclosures by front line providers – even routine ones – be obtained in advance. This new requirement was strongly supported by physician and patient advocacy groups.
- Protecting against unauthorized use of medical records for employment purposes. The proposed regulation did not clearly explain the regulation's limits on large self-insured employers' access to personal health information for employment or other purposes unrelated to health care without consent. The final regulation clarifies that these employers cannot access medical information for purposes unrelated to health care.
- Ensuring that health care providers have all the information necessary to appropriately treat their patients. For most disclosures of health information, such as health information submitted with bills, providers may send only the minimum information needed for the purpose of the disclosure. However, when treating patients, health care providers often need to be able to share more complete information with other providers. The final rule gives providers full discretion in determining what personal health information to include when sending patient records to other providers for treatment purposes.
Financial Impact of Implementation of Privacy Regulation. Recognizing the savings and cost potential of standardizing electronic claims processing and protecting privacy and security, the Congress required that the overall financial impact of the HIPAA regulations reduce costs. As such, the financial assessment of the privacy regulation includes the $29.9 billion in savings over 10 years that HHS projects for the recently released electronic claims regulation and the $17.6 billion in costs over 10 years projected for the privacy regulation. This produces a net saving of approximately $12.3 billion over 10 years for the health care delivery system while improving both efficiency and privacy protections.
PRESIDENT CLINTON CALLS ON THE CONGRESS TO ENACT PRIVACY LEGISLATION TO FINISH THE JOB. Today, President Clinton will once again call on Congress to finish the job on privacy. The regulation being finalized today represents a critical step towards protecting patient privacy that became necessary after Congress failed to act in the three-year timeframe it gave itself in 1996. However, the President's administrative authority is limited by statute and there remains an urgent need for federal privacy protections to: strengthen penalties and create a private right of action so citizens can hold health plans and providers accountable for inappropriate and harmful disclosures of information; extend privacy protections to cover other entities that routinely handle sensitive medical information, such as life insurers and worker's compensation programs; and place appropriate limits on the re-use of medical information by other entities. Today the President is doing what he can in this area. He is issuing an Executive Order to limit the re-use and re-disclosure of certain medical records within the Federal government, but new legislation would be needed to extend these protections more broadly.