President Clinton Issues Strong New Consumer Protections to Ensure the Privacy of Medical Records
Wednesday, December 20, 2000
Today, President Clinton will release a final regulation
establishing the first-ever federal privacy protections for the
personal health information of all Americans. This rule, which applies
to health insurers, virtually all health care providers and
clearinghouses, will give consumers more control over and access to
their health information; set boundaries on the use and release of
health records; safeguard that information; establish accountability
for inappropriate use and release; and balance privacy protections with
public safety. The final regulation improves on the proposed rule by
strengthening several key protections, including: extending protections
to personal medical records in all forms – including paper records and
oral communications; providing for written consent for routine use and
disclosure of health records; protecting against unauthorized use of
medical records for employment purposes; and ensuring that health care
providers have all the information necessary to appropriately treat
their patients.
THE PRIVACY OF INDIVIDUAL MEDICAL RECORDS IS NOT CURRENTLY PROTECTED.
Today, despite the increase in the collection and dissemination of
personal data, there is no comprehensive federal requirement to provide
patients with basic privacy protections.
- Americans are increasingly concerned about losing their
privacy. Recent studies show a rising level of public concern about
privacy; in 1999, over 80 percent of people surveyed agreed with the
statement that they had "lost all control over their personal
information."
- Personal health information can be distributed without
consent for reasons that are unrelated to treatment. Under the current
loose patchwork of state laws, information held by an insurer can be
passed on to a lender who can then deny that patient’s application for
a home mortgage or a credit card, or to an employer who uses it in
personnel decisions. Personal health information may be disclosed for
insurance underwriting purposes, for market research, or any other
reason without any safeguards to protect it against misuse.
- Patients are often unable to access their own medical
records. In addition, patients wishing to access or control the release
of such records may be unable to do so because of overwhelming barriers
established by their insurance company, health care provider, or anyone
else who holds their records.
PRESIDENT CLINTON TAKES FINAL ACTION NECESSARY TO IMPLEMENT NEW NATIONAL SAFEGUARDS FOR SENSITIVE HEALTH INFORMATION.
The final regulation, which will be fully implemented within two years,
is being issued under the authority of the bipartisan Health Insurance
Portability and Accountability Act (HIPAA). This regulation, which
underscores the Administration's commitment to safeguarding the
security of personal health information, will:
GIVE CONSUMERS CONTROL OVER THEIR HEALTH INFORMATION
- Inform consumers how their health information is being used.
This new regulation requires health plans and providers to inform
patients about how their information is being used and to whom it is
disclosed. It also gives each individual patient a right to a
"disclosure history," listing the entities that received information
unrelated to treatment or payment, that must be provided within 60 days.
- Limit the release of private health information without
consent. This rule establishes a new federal requirement for doctors
treating patients and hospitals to obtain patients’ written consent to
use their health information even for routine purposes, such as
treatment and payment. Other, non-routine disclosures would require
separate, specific patient authorization.
- Give patients access to their own health file and the right
to request amendments or corrections. The regulation gives patients the
right to see and copy their own records as well as the right to request
correction of potentially harmful errors in their health files. These
access and amendment rights are a core part of efforts to protect
individual privacy. Without them, a person with an improper diagnosis
in his or her medical file could be denied health insurance and left no
redress.
SET BOUNDARIES ON MEDICAL RECORD USE AND RELEASE
- Restrict the amount of information used and disclosed to the
"minimum necessary." Currently, health care providers and plans often
release a patient's entire health record even if an employer or other
entity only needs specific information, such as the information
necessary to process a worker’s compensation claim. This new regulation
restricts the information that is used and disclosed to the minimum
amount necessary.
ENSURE THE SECURITY OF PERSONAL HEALTH INFORMATION
- Require the establishment of privacy-conscious business
practices. The regulation requires the establishment of internal
procedures to protect the privacy of health records. They include:
training employees about privacy considerations in the workplace;
receiving complaints from patients on privacy issues; designating a
"privacy officer" to assist patients with complaints; and ensuring that
appropriate safeguards are in place for the protection of health
information. Many responsible doctors, hospitals and health plans
already provide these common-sense services for their patients, and
were instrumental in advocating for a national standard.
ESTABLISH ACCOUNTABILITY FOR MEDICAL RECORD USE AND RELEASE
- Create new criminal and civil penalties for improper use or
disclosure of information. In the past, there often has not been any
legal basis to prosecute individuals who inappropriately disclose
private medical information. This rule applies the standards included
in HIPAA to create new criminal penalties for intentional disclosure –
up to $50,000 and up to a year in prison. Disclosure with intent to
sell the data is punishable with a fine of up to $250,000 and up to 10
years in prison. The regulation also establishes new civil penalties of
$100 per person for unintentional disclosures and other violations (up
to $25,000 per person per year). Although these enforcement provisions
will be helpful, they are no substitute for a private right of action,
which makes it possible for patients to be compensated for harmful plan
actions.
BALANCE PUBLIC RESPONSIBILITY WITH PRIVACY PROTECTIONS
- Require that information be disclosed only for public health
priorities and other responsible research. The regulation balances the
need to protect the public health and support carefully monitored
medical research against the need to protect personal medical records
from misuse and abuse. The regulation recognizes that threats to public
health, such as life-threatening and easily transmitted infectious
diseases, will require appropriate monitoring by public health
authorities. The regulation encourages health professionals to use
de-identified records whenever possible.
- Limit the disclosure of information without sacrificing
public safety. The rule strikes the proper balance between protecting
privacy and meeting the needs of law enforcement. Medical records are
often important to the investigation and prosecution of serious
criminal activity. At the same time, Americans must not be discouraged
from seeking health care because of concerns about having their
information inappropriately given to others.
FINAL REGULATION INCLUDES KEY CHANGES TO STRENGTHEN PRIVACY PROTECTIONS.
In response to over 50,000 comments submitted by the public, the final
regulation being released today strengthens patient protection and
control over their health information by:
- Extending coverage to personal medical records in all forms
– including paper records and oral communications. The proposed
regulation released last year was limited to electronic records and any
paper records that previously existed in electronic form. The final
regulation provides protection for paper and oral in addition to
electronic information, creating a privacy system that covers all
personal health information created or held by covered entities.
Comments received on the proposed regulation affirmed that the
Administration had the authority to extend coverage to paper records
and overwhelmingly supported broadening the regulation to these records
because it would be impractical to have two separate sets of privacy
standards for different sets of records.
- Requiring consent for routine use and disclosure of health
records. The proposed regulation released last year allowed routine
disclosure of health information without advance consent for purposes
of treatment, payment, and health care operations. The final regulation
ensures that written consent for disclosures by front line providers –
even routine ones – be obtained in advance. This new requirement was
strongly supported by physician and patient advocacy groups.
- Protecting against unauthorized use of medical records for
employment purposes. The proposed regulation did not clearly explain
the regulation's limits on large self-insured employers' access to
personal health information for employment or other purposes unrelated
to health care without consent. The final regulation clarifies that
these employers cannot access medical information for purposes
unrelated to health care.
- Ensuring that health care providers have all the information
necessary to appropriately treat their patients. For most disclosures
of health information, such as health information submitted with bills,
providers may send only the minimum information needed for the purpose
of the disclosure. However, when treating patients, health care
providers often need to be able to share more complete information with
other providers. The final rule gives providers full discretion in
determining what personal health information to include when sending
patient records to other providers for treatment purposes.
Financial Impact of Implementation of Privacy Regulation.
Recognizing the savings and cost potential of standardizing electronic
claims processing and protecting privacy and security, the Congress
required that the overall financial impact of the HIPAA regulations
reduce costs. As such, the financial assessment of the privacy
regulation includes the ten-year $29.9 billion savings HHS projects for
the recently released electronic claims regulation and the
$17.6 billion in costs over 10 years projected for the privacy
regulation. This produces a net saving of approximately $12.3 billion
over 10 years for the health care delivery system while improving
efficiency as well as privacy protections.
PRESIDENT CLINTON CALLS ON THE CONGRESS TO ENACT PRIVACY LEGISLATION TO FINISH THE JOB.
Today, President Clinton will once again call on Congress to finish the
job on privacy. The regulation being finalized today represents a
critical step towards protecting patient privacy that became necessary
after Congress failed to act in the three-year timeframe it gave itself
in 1996. However, the President's administrative authority is limited
by statute and there remains an urgent need for federal privacy
protections to: strengthen penalties and to create a private right of
action so citizens can hold health plans and providers accountable for
inappropriate and harmful disclosures of information; extend privacy
protections to cover other entities that routinely handle sensitive
medical information, such as life insurers and worker's compensation
programs; and to place appropriate limits on the re-use of medical
information by other entities. Today the President is doing what he can
in this area. He is issuing an Executive Order to limit the re-use and
re-disclosure of certain medical records within the Federal government,
but new legislation would be needed to extend these protections more
broadly.