The following reprints the Department of Health & Human
Services' summary of its privacy regulations, promulgated
December 20, 2000. For a complete reprint of the new regulations,
visit the HHS web site at http://www.hhs.gov/ocr/hipaa.
Or contact the HHS Press Office at (202) 690-6343.
____
PROTECTING THE PRIVACY OF PATIENTS' HEALTH
INFORMATION
SUMMARY OF THE FINAL REGULATION
Overview: Each time a patient sees a doctor, is admitted
to a hospital, goes to a pharmacist or sends a claim to
a health plan, a record is made of their confidential health
information. For many years, the confidentiality of those
records was maintained by our family doctors, who kept our
records sealed away in file cabinets and refused to reveal
them to anyone else. Today, the use and disclosure of this
information is protected by a patchwork of state laws, leaving
large gaps in the protection of patients' privacy and confidentiality.
There is a pressing need for national standards to control
the flow of sensitive patient information and to establish
real penalties for the misuse or disclosure of this information.
President Clinton and Congress recognized the need for national
patient record privacy standards in 1996 when they enacted
the Health Insurance Portability and Accountability Act
of 1996 (HIPAA). That law gave Congress until August 21,
1999, to pass comprehensive health privacy legislation.
After three years of discussion in Congress without passage
of such a law, HIPAA provided HHS with the authority to
craft such privacy protections by regulation. Following
the principles and policies laid out in the recommendations
for national health information privacy legislation the
Administration submitted to Congress in 1997, the Administration
drafted regulations to guarantee patients new rights and
protections against the misuse or disclosure of their health
records, and the President and Secretary Donna E. Shalala
released them in October of last year. During an extended
comment period, HHS received, electronically or on paper,
more than 52,000 communications from the public.
This final rule provides the first comprehensive federal
protection for the privacy of health information. However,
because of the limitations of the HIPAA statute, these protections
do not fully achieve the Administration's goal of a seamless
system of privacy protection for all health information.
Members of both parties in Congress will need to pass meaningful,
comprehensive privacy protection for American patients that
would extend the reach of the standards being finalized
today to all entities that hold personal health information.
COVERED ENTITIES
As required by HIPAA, the final regulation covers health
plans, health care clearinghouses, and those health care
providers who conduct certain financial and administrative
transactions (e.g., electronic billing and funds transfers)
electronically.
INFORMATION PROTECTED
All medical records and other individually identifiable
health information held or disclosed by a covered entity
in any form, whether communicated electronically, on paper,
or orally, is covered by the final regulation.
COMPONENTS OF THE FINAL RULE
The rule is the result of the Department's careful consideration
of every comment and reflects a balance between accommodating
practical uses of individually identifiable health information
and rendering maximum privacy protection of that information.
CONSUMER CONTROL OVER HEALTH INFORMATION
Under this final rule, patients have significant new rights
to understand and control how their health information is
used.
Patient education on privacy protections. Providers and
health plans are required to give patients a clear written
explanation of how they can use, keep, and disclose their
health information.
Ensuring patient access to their medical records. Patients
must be able to see and get copies of their records, and
request amendments. In addition, a history of most disclosures
must be made accessible to patients.
Receiving patient consent before information is released.
Patient authorization to disclose information must meet
specific requirements. Health care providers who see patients
are required to obtain patient consent before sharing their
information for treatment, payment, and health care operations
purposes. In addition, specific patient consent must be
sought and granted for non-routine uses and most non-health
care purposes, such as releasing information to financial
institutions determining mortgages and other loans or selling
mailing lists to interested parties such as life insurers.
Patients have the right to request restrictions on the uses
and disclosures of their information.
Ensuring that consent is not coerced. Providers and health
plans generally cannot condition treatment on a patient's
agreement to disclose health information for non-routine
uses.
Providing recourse if privacy protections are violated.
People have the right to complain to a covered provider
or health plan, or to the Secretary, about violations of
the provisions of this rule or the policies and procedures
of the covered entity.
BOUNDARIES ON MEDICAL RECORD USE AND RELEASE
With few exceptions, an individual's health information
can be used for health purposes only.
Ensuring that health information is not used for non-health
purposes. Patient information can be used or disclosed by
a health plan, provider or clearinghouse only for purposes
of health care treatment, payment and operations. Health
information cannot be used for purposes not related to health
care - such as use by employers to make personnel decisions,
or use by financial institutions - without explicit authorization
from the individual.
Providing the minimum amount of information necessary.
Disclosures of information must be limited to the minimum
necessary for the purpose of the disclosure. However, this
provision does not apply to the transfer of medical records
for purposes of treatment, since physicians, specialists,
and other providers need access to the full record to provide
best quality care.
Ensuring informed and voluntary consent. Non-routine disclosures
with patient authorization must meet standards that ensure
the authorization is truly informed and voluntary.
ENSURE THE SECURITY OF PERSONAL HEALTH INFORMATION
The regulation establishes the privacy safeguard standards
that covered entities must meet, but it leaves detailed
policies and procedures for meeting these standards to the
discretion of each covered entity. In this way, implementation
of the standards will be flexible and scalable, to account
for the nature of each entity's business, and its size and
resources. Covered entities must:
Adopt written privacy procedures. These must include who
has access to protected information, how it will be used
within the entity, and when the information would or would
not be disclosed to others. They must also take steps to
ensure that their business associates protect the privacy
of health information.
Train employees and designate a privacy officer. Covered
entities must provide sufficient training so that their
employees understand the new privacy protection procedures,
and designate an individual to be responsible for ensuring
the procedures are followed.
Establish grievance processes. Covered entities must provide
a means for patients to make inquiries or complaints regarding
the privacy of their records.
ESTABLISH ACCOUNTABILITY FOR MEDICAL RECORDS USE AND RELEASE
Penalties for covered entities that misuse personal health
information are provided in HIPAA.
Civil penalties. Health plans, providers and clearinghouses
that violate these standards would be subject to civil liability.
Civil money penalties are $100 per incident, up to $25,000
per person, per year, per standard.
Federal criminal penalties. There would be federal criminal
penalties for health plans, providers and clearinghouses
that knowingly and improperly disclose information or obtain
information under false pretenses. Penalties would be higher
for actions designed to generate monetary gain. Criminal
penalties are up to $50,000 and one year in prison for obtaining
or disclosing protected health information; up to $100,000
and up to five years in prison for obtaining protected health
information under "false pretenses"; and up to
$250,000 and up to 10 years in prison for obtaining or disclosing
protected health information with the intent to sell, transfer
or use it for commercial advantage, personal gain or malicious
harm.
BALANCING PUBLIC RESPONSIBILITY WITH PRIVACY PROTECTIONS
After balancing privacy and other social values, HHS is
establishing rules that would permit certain existing disclosures
of health information without individual authorization for
the following national priority activities and for activities
that allow the health care system to operate more smoothly.
All of these disclosures have been permitted under existing
laws and regulations. Within certain guidelines found in
the regulation, covered entities may disclose information
for:
Oversight of the health care system, including quality assurance
activities
Public health
Research, generally limited to when a waiver of authorization
is independently approved by a privacy board or Institutional
Review Board
Judicial and administrative proceedings
Limited law enforcement activities
Emergency circumstances
For identification of the body of a deceased person, or
the cause of death
For facility patient directories
For activities related to national defense and security
The rule permits, but does not require these types of disclosures.
If there is no other law requiring that information be disclosed,
physicians and hospitals will still have to make judgments
about whether to disclose information, in light of their
own policies and ethical principles.
SPECIAL PROTECTION FOR PSYCHOTHERAPY NOTES
Psychotherapy notes (used only by a psychotherapist) are
held to a higher standard of protection because they are
not part of the medical record and never intended to be
shared with anyone else. All other health information is
considered to be sensitive and treated consistently under
this rule.
EQUIVALENT TREATMENT OF PUBLIC AND PRIVATE SECTOR HEALTH
PLANS AND PROVIDERS
The provisions of the final rule generally
apply equally to private sector and public sector entities.
For example, both private hospitals and government agency
medical units must comply with the full range of requirements,
such as providing notice, access rights, requiring consent
before disclosure for routine uses, establishing contracts
with business associates, among others.
CHANGES FROM THE PROPOSED REGULATION
Providing coverage to personal medical records in all forms.
The proposed regulation had applied only to electronic records
and to any paper records that had at some point existed
in electronic form. The final regulation extends protection
to all types of personal health information created or held
by covered entities, including oral communications and paper
records that have not existed in electronic form. This creates
a privacy system that covers virtually all health information
held by hospitals, providers, health plans and health insurers.
Requiring consent for routine disclosures. The final rule
requires most providers to obtain patient consent for routine
disclosure of health records, in addition to requiring special
patient authorization for non-routine disclosures. The earlier
version had proposed allowing these routine disclosures
without advance consent for purposes of treatment, payment
and health care operations (such as internal data gathering
by a provider or health care plan). However, most individuals
commenting on this provision, including many physicians,
believed consent for these purposes should be obtained in
advance, as is typically done today. The final rule retains
the new requirement that patients must also be provided
detailed written information on privacy rights and how their
information will be used.
Allowing disclosure of the full medical record to providers
for purposes of treatment. For most disclosures, such as
information submitted with bills, covered entities are required
to send only the minimum information needed for the purpose
of the disclosure. However, for purposes of treatment, providers
need to be able to transmit fuller information. The final
rule gives providers full discretion in determining what
personal health information to include when sending patients'
medical records to other providers for treatment purposes.
Protecting against unauthorized use of medical records
for employment purposes. Companies that sponsor health plans
will not be able to access the personal health information
held by the plan for employment-related purposes, without
authorization from the patient.
COST OF IMPLEMENTATION
Recognizing the savings and cost potential of standardizing
electronic claims processing and protecting privacy and
security, the Congress provided in HIPAA 1996 that the overall
financial impact of the HIPAA regulations reduce costs.
As such, the financial assessment of the privacy regulation
includes the ten-year $29.9 billion savings HHS projects
for the recently released electronic claims regulation and
the $17.6 billion in costs projected for the privacy
regulation. This produces a net savings of approximately
$12.3 billion for the health care delivery system while
improving the efficiency of health care as well as privacy
protection.
PRESERVING EXISTING, STRONG STATE CONFIDENTIALITY LAWS
Stronger state laws (like those covering mental health,
HIV infection, and AIDS information) continue to apply.
These confidentiality protections are cumulative; the final
rule sets a national "floor" of privacy standards
that protect all Americans, but in some states individuals
enjoy additional protection. In circumstances where states
have decided through law to require certain disclosures
of health information for civic purposes, we do not preempt
these mandates. The result is to give individuals the benefit
of all laws providing confidentiality protection as well
as to honor state priorities.
THE NEED FOR FURTHER CONGRESSIONAL ACTION
HIPAA limits the application of our rule to the covered
entities. It does not provide authority for the rule to
reach many persons and businesses that work for covered
entities or otherwise receive health information from them.
So the rule cannot put in place appropriate restrictions
on how such recipients of protected health information may
use and re-disclose such information. There is no statutory
authority for a private right of action for individuals
to enforce their privacy rights. We need Congressional action
to fill these gaps in patient privacy protections.
IMPLEMENTATION OF THE FINAL REGULATION
The final regulation will come into full effect in two years.
The regulation will be enforced by HHS' Office for Civil
Rights, which will provide assistance to providers, plans
and health clearinghouses in meeting the requirements of
the regulation - including a toll free line to help answer
questions: 1-866-OCR-PRIV (1-866-627-7748). The TTY number
is 1-866-788-4989. A Web site on the new regulation will
also be available at http://www.hhs.gov/ocr.
###