Friday, Oct. 29 1999
Contact: HHS Press Office
(202) 690-6343

HHS Proposes First-Ever National Standards
To Protect Patients' Personal Medical Records

HHS Secretary Donna E. Shalala proposed today the first-ever set of national standards to protect the privacy of Americans' personal health records. The standards will apply to medical records created by health care providers, hospitals, health plans and health care clearinghouses that are either transmitted or maintained electronically, and the paper printouts created from these records.

"The privacy of Americans is protected in their bank transactions, their credit card statements, and even their video rentals. Yet, until today, Americans had no federal privacy protections for their medical records," Secretary Shalala said. "These proposed standards are an important step forward in protecting the privacy of some of our most personal information."

Shalala noted that Americans are increasingly worried that the privacy of their medical information will be violated. Some have even taken action to avoid creating a medical record, including withholding information from their doctors, changing doctors, or even avoiding care altogether. "We cannot allow the absence of privacy protections to compromise the quality of care in our nation," Secretary Shalala said. "Our proposals will provide Americans with greater peace of mind as they seek care, yet they are balanced with the need to protect public health, conduct medical research and improve the quality of health care for the nation."

The bipartisan Health Insurance Portability and Accountability Act of 1996 (HIPAA) -- also known as the Kassebaum-Kennedy law -- called on Congress to enact comprehensive national medical record privacy standards by Aug. 21, 1999. If Congress was unable to meet that deadline, HIPAA required the Secretary of HHS to issue final regulations by Feb. 21, 2000. Today's proposal marks the beginning of that regulatory process.

The proposal reflects the five principles outlined by Secretary Shalala in September 1997 as part of her Recommendations for Protecting the Confidentiality of Individually Identifiable Health Information:

The proposed standards would enhance the protections afforded by many existing state laws. In circumstances where the federal rules and state laws are in conflict, the stronger privacy protection would prevail. The proposed privacy standards would apply to consumers whether they are privately insured, uninsured or participants in public programs such as Medicare or Medicaid.

While the privacy standards proposed today are a significant step toward protecting patients' confidentiality, HHS does not currently have the authority to protect all medical records. Under HIPAA, HHS does not have the authority to protect records that are maintained in paper form only. HIPAA also does not allow HHS to issue standards for records that are maintained by other insurers, or by employers for worker's compensation purposes. The proposed rule does not establish appropriate restrictions on the use or redisclosure of such information by likely recipients, such as researchers, life insurance issuers, marketing firms, or administrative, legal and accounting services.

HHS also lacks the authority to provide Americans with the right to take action in court when their medical information is used inappropriately -- a critical consumer protection that only Congress can provide. The Clinton Administration has called upon Congress to close these important gaps and enact comprehensive national legislation to ensure that all medical records are protected.

The proposed rule will be open for comment from the public for 60 days.


Note: For other HHS Press Releases and Fact Sheets pertaining to the subject of this announcement, please visit our Press Release and Fact Sheet search engine at: