PRESIDENT CLINTON ISSUES STRONG NEW CONSUMER PROTECTIONS
TO ENSURE THE PRIVACY OF MEDICAL RECORDS
December 20, 2000
Today, President Clinton will release a final regulation establishing
the first-ever federal privacy protections for the personal health
information of all Americans. This rule, which applies to health
insurers, virtually all health care providers and clearinghouses, will
give consumers more control over and access to their health information;
set boundaries on the use and release of health records; safeguard that
information; establish accountability for inappropriate use and release;
and balance privacy protections with public safety. The final
regulation improves on the proposed rule by strengthening several key
protections, including: extending protections to personal medical
records in all forms--including paper records and oral communications;
providing for written consent for routine use and disclosure of health
records; protecting against unauthorized use of medical records for
employment purposes; and ensuring that health care providers have all
the information necessary to appropriately treat their patients.
THE PRIVACY OF INDIVIDUAL MEDICAL RECORDS IS NOT CURRENTLY PROTECTED.
Today, despite the increase in the collection and dissemination of
personal data, there is no comprehensive federal requirement to provide
patients with basic privacy protections.
- Americans are increasingly concerned about losing their privacy.
Recent studies show a rising level of public concern about privacy; in
1999, over 80 percent of people surveyed agreed with the statement that
they had "lost all control over their personal information."
- Personal health information can be distributed without consent for
reasons that are unrelated to treatment. Under the current loose
patchwork of state laws, information held by an insurer can be passed on
to a lender who can then deny that patient's application for a home
mortgage or a credit card, or to an employer who uses it in personnel
decisions. Personal health information may be disclosed for insurance
underwriting purposes, for market research, or any other reason without
any safeguards to protect it against misuse.
- Patients are often unable to access their own medical records. In
addition, patients wishing to access or control the release of such
records may be unable to do so because of overwhelming barriers
established by their insurance company, health care provider, or anyone
else who holds their records.
PRESIDENT CLINTON TAKES FINAL ACTION NECESSARY TO IMPLEMENT NEW NATIONAL
SAFEGUARDS FOR SENSITIVE HEALTH INFORMATION. The final regulation,
which will be fully implemented within two years, is being issued under
the authority of the bipartisan Health Insurance Portability and
Accountability Act (HIPAA). This regulation, which underscores the
Administration's commitment to safeguarding the security of personal
health information, will:
GIVE CONSUMERS CONTROL OVER THEIR HEALTH INFORMATION
- Inform consumers how their health information is being used. This
new regulation requires health plans and providers to inform patients
about how their information is being used and to whom it is disclosed.
It also gives each individual patient a right to a "disclosure history,"
listing the entities that received information unrelated to treatment or
payment, that must be provided within 60 days.
- Limit the release of private health information without consent.
This rule establishes a new federal requirement for doctors treating
patients and hospitals to obtain patients' written consent to use their
health information even for routine purposes, such as treatment and
payment. Other, non-routine disclosures would require separate,
specific patient authorization.
- Give patients access to their own health file and the right to
request amendments or corrections. The regulation gives patients the
right to see and copy their own records as well as the right to request
correction of potentially harmful errors in their health files. These
access and amendment rights are a core part of efforts to protect
individual privacy. Without them, a person with an improper diagnosis
in his or her medical file could be denied health insurance and left no
SET BOUNDARIES ON MEDICAL RECORD USE AND RELEASE
- Restrict the amount of information used and disclosed to the
"minimum necessary." Currently, health care providers and plans often
release a patient's entire health record even if an employer or other
entity only needs specific information, such as the information
necessary to process a worker's compensation claim. This new regulation
restricts the information that is used and disclosed to the minimum
ENSURE THE SECURITY OF PERSONAL HEALTH INFORMATION
- Require the establishment of privacy-conscious business practices.
The regulation requires the establishment of internal procedures to
protect the privacy of health records. They include: training employees
about privacy considerations in the workplace; receiving complaints from
patients on privacy issues; designating a "privacy officer" to assist
patients with complaints; and ensuring that appropriate safeguards are
in place for the protection of health information. Many responsible
doctors, hospitals and health plans already provide these common-sense
services for their patients, and were instrumental in advocating for a
ESTABLISH ACCOUNTABILITY FOR MEDICAL RECORD USE AND RELEASE
- Create new criminal and civil penalties for improper use or
disclosure of information. In the past, there often has not been any
legal basis to prosecute individuals who inappropriately disclose
private medical information. This rule applies the standards included
in HIPAA to create new criminal penalties for intentional disclosure --
up to $50,000 and up to a year in prison. Disclosure with intent to
sell the data is punishable with a fine of up to $250,000 and up to 10
years in prison. The regulation also establishes new civil penalties of
$100 per person for unintentional disclosures and other violations (up
to $25,000 per person per year). Although these enforcement provisions
will be helpful, they are no substitute for a private right of action,
which makes it possible for patients to be compensated for harmful plan
BALANCE PUBLIC RESPONSIBILITY WITH PRIVACY PROTECTIONS
- Require that information be disclosed only for public health
priorities and other responsible research. The regulation balances the
need to protect the public health and support carefully monitored
medical research against the need to protect personal medical records
from misuse and abuse. The regulation recognizes that threats to public
health, such as life-threatening and easily transmitted infectious
diseases, will require appropriate monitoring by public health
authorities. The regulation encourages health professionals to use
de-identified records whenever possible.
- Limit the disclosure of information without sacrificing public
safety. The rule strikes the proper balance between protecting privacy
and meeting the needs of law enforcement. Medical records are often
important to the investigation and prosecution of serious criminal
activity. At the same time, Americans must not be discouraged from
seeking health care because of concerns about having their information
inappropriately given to others.
FINAL REGULATION INCLUDES KEY CHANGES TO STRENGTHEN PRIVACY PROTECTIONS.
In response to over 50,000 comments submitted by the public, the final
regulation being released today strengthens patient protection and
control over their health information by:
- Extending coverage to personal medical records in all forms --
including paper records and oral communications. The proposed
regulation released last year was limited to electronic records and any
paper records that previously existed in electronic form. The final
regulation provides protection for paper and oral in addition to
electronic information, creating a privacy system that covers all
personal health information created or held by covered entities.
Comments received on the proposed regulation affirmed that the
Administration had the authority to extend coverage to paper records and
overwhelmingly supported broadening the regulation to these records
because it would be impractical to have two separate sets of privacy
standards for different sets of records.
- Requiring consent for routine use and disclosure of health records.
The proposed regulation released last year allowed routine disclosure of
health information without advance consent for purposes of treatment,
payment, and health care operations. The final regulation ensures that
written consent for disclosures by front line providers -- even routine
ones -- be obtained in advance. This new requirement was strongly
supported by physician and patient advocacy groups.
- Protecting against unauthorized use of medical records for
employment purposes. The proposed regulation did not clearly explain
the regulation's limits on large self-insured employers' access to
personal health information for employment or other purposes unrelated
to health care without consent. The final regulation clarifies that
these employers cannot access medical information for purposes unrelated
to health care.
- Ensuring that health care providers have all the information
necessary to appropriately treat their patients. For most disclosures
of health information, such as health information submitted with bills,
providers may send only the minimum information needed for the purpose
of the disclosure. However, when treating patients, health care
providers often need to be able to share more complete information with
other providers. The final rule gives providers full discretion in
determining what personal health information to include when sending
patient records to other providers for treatment purposes.
Financial Impact of Implementation of Privacy Regulation. Recognizing
the savings and cost potential of standardizing electronic claims
processing and protecting privacy and security, the Congress required
that the overall financial impact of the HIPAA regulations reduce costs.
As such, the financial assessment of the privacy regulation includes the
ten-year $29.9 billion savings HHS projects for the recently released
electronic claims regulation and the $17.6 billion in costs over 10
years projected for the privacy regulation. This produces a net
saving of approximately $12.3 billion over 10 years for the health care
delivery system while improving the efficiency as well as privacy
PRESIDENT CLINTON CALLS ON THE CONGRESS TO ENACT PRIVACY LEGISLATION TO
FINISH THE JOB. Today, President Clinton will once again call on
Congress to finish the job on privacy. The regulation being finalized
today represents a critical step towards protecting patient privacy that
became necessary after Congress failed to act in the three-year
timeframe it gave itself in 1996. However, the President's
administrative authority is limited by statute and there remains an
urgent need for federal privacy protections to: strengthen penalties and
create a private right of action so citizens can hold health plans
and providers accountable for inappropriate and harmful disclosures of
information; extend privacy protections to cover other entities that
routinely handle sensitive medical information, such as life insurers
and worker's compensation programs; and place appropriate limits on
the re-use of medical information by other entities. Today the
President is doing what he can in this area. He is issuing an Executive
Order to limit the re-use and re-disclosure of certain medical records
within the Federal government, but new legislation would be needed to
extend these protections more broadly.