THE WHITE HOUSE
Office of the Press Secretary
Immediate Release December 20, 2000
SECRETARY OF HEALTH AND HUMAN SERVICES DONNA SHALALA,
DEPUTY DIRECTOR FOR MANAGEMENT AT OMB, SALLY KATZEN
DEPUTY ASSISTANT SECRETARY FOR PLANNING AND EVALUATION,
DEPARTMENT OF HEALTH AND HUMAN SERVICES, GARY CLAXTON
The James S. Brady Briefing Room
1:36 P.M. EST
MS. GEGENHEIMER: Hello. As you know, the President today announced
strong new consumer protections to ensure the privacy of medical records.
Secretary Shalala, from the Department of Health and Human Services is here
to talk more about those and answer any questions.
First, I want to introduce Sally Katzen, the Deputy Director for
Management at the OMB, who will lead us off.
MS. KATZEN: Thank you. It is a great day, because this is a great
accomplishment. The President went this afternoon to HHS, to announce the
release of the landmark medical records privacy regulations.
This is a process that has been in the works for over a year now. We
had published a proposal -- the technical name is a notice of proposed
regulation -- last October, after the Congress had been unable to reach
consensus. They had originally given themselves several years to do the
job on what is a very difficult question -- a lot of questions, actually.
And having not been able to do it, we were given the authority to go
ahead. And the last year has consumed a lot of effort by all of the
agencies of the government, along with White House and OMB support.
With us today, I want to make sure you're aware of, is Gary Claxton,
from HHS; Peter Swire, from OMB, who can answer any question you have about
this effort. But as important and significant as it is, and as many people
worked on it, it could not have happened without the indefatigable,
committed dedication, leadership of Donna Shalala, the Secretary of HHS.
SECRETARY SHALALA: Thanks very much. Thanks, Sally. It wouldn't
have happened without Sally Katzen, either. Let me also introduce Tom
Perez, who is head of the Office of Civil Rights in the Department, who
came over to us from the Justice Department, and he will actually
administer the regulations for the Department.
As Sally said, Congress actually wrote into the law, if we don't do
this in three years, you do it. So we were under orders from Congress to
write this regulation. We also paid attention to the congressional debate.
Congress tried to write these regulations and they actually couldn't get it
done, they couldn't find a consensus to get it finished. They ran out of
time in some ways.
We followed that consensus very closely in drafting these regulations.
So we're pretty close to where we knew there was agreement in Congress, and
then of course, we went beyond that. And we had the advantage of being
able to put out something in writing, get 50,000 comments, and then see
where there was consensus, where there wasn't, and go out, for instance,
and talk to industry people, talk to privacy advocacy groups.
So I would describe this as a negotiated reg, in some ways a rule in
which we took into account -- we had to actually respond to each one of
those comments. But they also made us change our thinking. For example,
we originally thought maybe we'll just do electronic records, but the fact
is, all the paper records are being transferred to electronic records.
It's time-consuming, expensive for the industry to have a separate set of
rules for written records and for electronic records, and we just did the
And this, of course, is the basis -- if a state has stronger rules
than these then they can in some ways supersede these. These are still in
place, but the states can obviously strengthen them with their own
This is a very common-sense approach to medical privacy. In 1997, I
actually went out and told the Congress and told everybody else what
principles we would follow. This process of writing this rule was somewhat
different than other rules. We didn't just get in the room and then write
the rules and put them out for comment. We actually laid out the
principles; then we wrote our draft; we had the draft out there for
comments; then we came back based on those comments and wrote the final
In 1997, I said there were five principles that we would follow, and
we actually have followed them very carefully. The first one was the
principle of consumer control. No one should have to trade their privacy
rights to get quality health care. What this reg does is it gives
Americans the power to find out who is looking in their records, and for
what purpose -- what is in their records, how to get them, how to correct
There are lots of stories of people who asked their doctors to see
their records, and someone had filed misinformation in their records, or
someone had written something down wrong actually in the records. And
people will have the authority to actually ask that those records be
Second, the principle of boundaries. With very few exceptions, our
personal information should be disclosed for health care reasons and health
care reasons only. Now, that includes a lot of things. That includes
research; it includes the ability of the hospital when they are doing
accountability and trying to analyze what is happening in terms of costs
and other kinds of things to be able, without of course using our names, to
use a combination of the records.
So we're not deterring research or any appropriate use of health care
records, particularly health care records that are used to improve health
It restricts the amount of medical information that can be disclosed.
And we tried to keep people down to the minimum but, again, keeping to the
principle that our health care records should be used only for health care
Third is the principle of security. When we give out our personal
health care information we should feel like we're leaving it in good, safe
hands. We require internal procedures, ensuring that appropriate
safeguards are in place, limits on who has access to those records --
doctors, hospitals, health plans, they will establish those records.
Now, it's important to point out that the best health care companies
in this country, the best hospitals, already have privacy protections. So
for them, I heard that some people were yelling that this was going to cost
them money. The best parts of the industry already understand the privacy
issue and have this. So it's not a big lift for them. What we're trying
to do is to bring everybody up and make sure that there are basic privacy
protections for everybody, no matter where you live, what part of the
health care system you use.
Fourth is the principle of accountability. If you're using
information improperly, you should be punished. We can't just tell a
hospital worker to stay away from private medical records, we can't just
tell a private investigator not to lie about his identity in order to see a
patient's records. The rule creates new criminal and civil penalties for
the improper use or disclosure of information, including fines up to
$250,000, prison terms of up to 10 years for obtaining protected
information with the intention to sell it.
And some of this has been going on. A former very high official of
this government told me that she was taking a medicine and she got in the
mail a letter suggesting she take a competing medicine. Now, that suggests
that someone gave her diagnosis, or the medicine she was taking, to another
pharmaceutical company so that they could approach her directly through the
mail, not through her doctor, about a competing medicine.
This kind of thing has been going on. And it's not just stories,
we're beginning to actually hear people's experiences where they get a
diagnosis. One of the things that someone pointed out at a press
conference today is that women who get a diagnosis, a pregnancy diagnosis,
are getting mail before they've told their friends and neighbors. They're
getting solicited for things that they might buy for the baby. Now, that
means someone's giving out this very precious and very private information.
Now, in terms of public responsibility, we also need to balance our
protection of privacy with the need to support medical research. We had
very careful conversations with the leaders of the National Institutes of
Health, with the leaders of the academic health centers in the United
States. You know, they would prefer that there were no rules, that they
set the rules themselves, but they understood that we weren't trying to
restrict research, but we were trying to make sure that individual
identifiers, that privacy was protected in the process of doing research.
And, of course, we had extensive discussions with Justice, with my own
Inspector General in the Department who is very supportive of these rules,
to make sure that appropriate law enforcement people can get records when
they need to get them -- hot pursuit, if they're pursuing a criminal, but
also when they're doing a fraud investigation, for example. Our Inspector
General issues an administrative order. She's got no problem with having
to issue something, a kind of subpoena. And from her point of view, it
protects the doctor when she goes and asks for a record, because she's
doing an investigation. So we have worked that out very carefully, too, at
the same time.
I would be happy to take any of your questions, or my colleagues will.
Q Is there any way that Congress or the incoming Bush
administration can undo what you have just done?
SECRETARY SHALALA: Well, the answer is that these privacy regulations
don't go into effect for two years and, I think, two months. However, I
think that once they review them, they'll find that we have found a balance
and that there is broad support for these regulations.
And, obviously, Congress could include these in a broader piece of
legislation. And Congress knew we were writing the regulations, we
testified on what we were doing, on what our principles were. So Congress
had plenty of opportunity to say to us, you know, we're going to change the
law and we don't want you to write them now.
But Congress said, go ahead, see where you can get with these
regulations. But Congress certainly, with any law, with any regulation --
in this case, with ones they asked us to write -- could review these. But
I'd be upbeat and positive about this. I think these rules have broad
support and that Congress certainly needs to add to them to cover insurance
companies and other kinds of things. But I think this helps Congress,
helps the next administration because these will be going into place. But
I think we've found the --
Q You're not required to run back to Congress, run it past again?
SECRETARY SHALALA: No, no we don't have to run back to Congress. Our
hope is that Congress will broaden these protections.
Q Two questions, Secretary Shalala. First of all, while the
electronic paper distinction doesn't really make sense, the legislation
does make that distinction. How do you propose getting around that and
making this apply to paper as well as electronic --
SECRETARY SHALALA: Well, we didn't get around it. We believe that we
were given the authority to cover both of these and we're acting within the
authority that Congress gave us. And we obviously had our lawyers and the
Justice Department and everybody looked at this very carefully. So we
would not have acted outside the law, and we believe that we are acting
within the law.
Q My second question is its application to companies that may not
be traditional doctors or insurers, such as web sites that deal with
medical information, and others. How far does the scope of this cover?
SECRETARY SHALALA: Gary, why don't you come up here to the
MR. CLAXTON: A web site which acts as a health care provider, which
means it provides health care like a pharmacy, and if it meets the other
pertinent definitions under the statute, which means that it bills for its
services, would be covered like any other medical provider.
Just handling information isn't enough. You basically need to be a
health care provider --
SECRETARY SHALALA: Which means there has to be an interaction.
MR. CLAXTON: Right. There has to be a health care provider; you need
to be an insurance company, or something called a health care clearing
house, which is kind of a technical term, and it won't apply to many of the
Internet -- strictly Internet providers.
Q Dr.Koop.com, would that be covered, for just providing
information and --
SECRETARY SHALALA: No. No.
Q Madam Secretary, most of the time, they insure you -- the
insurance companies, they meet -- they get information or medical records.
Now, where they stand after this --
SECRETARY SHALALA: They have to -- everybody -- they have to get your
consent if they want to do something with your medical records.
Q There is some confusion about how often in the ordinary
doctor-patient relationship the doctor needs to get consent from the
patient. Can you comment?
SECRETARY SHALALA: When you start with the doctor, they need to get
permission. There is no confusion in the rule that was written.
Q Is there an expiration date on the consent?
SECRETARY SHALALA: No.
Q Secretary, if this is not a law, why does it apply to private
physicians? Is it a federal law? Or why is it going to apply --
SECRETARY SHALALA: We have the authority to apply this to private
health care companies and to private -- that's what -- it's national
legislation, it could obviously regulate the private sector, and we were
given the authority to do that.
Q As opposed to over state law?
SECRETARY SHALALA: Yes, we don't override state law that is stronger
than these basic rights. We set a floor for the whole country, so that no
matter where you live you get these basic protections. States can add on
The industry would have preferred, parts of the industry, that we
preempted state law. We have not done that; we weren't given the authority
to do that. So what we do is, we set the building block for privacy for
every part of the health care industry in this law.
Q Of entities that are not covered under these regulations, which
are the ones you're most concerned about, and what types of information can
SECRETARY SHALALA: Yes, insurers and contractors. And our hope is
that they will voluntarily comply so that -- life insurance, I'm sorry --
life insurance isn't covered. Our hope is, though, that everybody is
starting to get the message that these protections are important, and
important to how people use the system. After all, we got into this
business because we want people to go to their health care provider, to
their doctor, at the right time and not be reluctant to do that -- whether
it's what people consider more touchy issues, like mental health care -- we
want people not to be reluctant to use health care. And that's why these
privacy regulations are so important.
Q Madam Secretary, two concerns we've heard, one that there's a
sort of a waiver for law enforcement and how much ability does that give
agencies just to wander in and start taking information. And the second
is, how much access the federal government has preserved for itself to
research and other means to get at records that would otherwise other
providers would not be able to get without --
SECRETARY SHALALA: Well, there are -- we did need to accommodate
appropriate law enforcement investigations. Some of the advocates would
like for law enforcement to go to a judge and a court to get permission to
get health care records. That's just not practical when you get down -- we
do think they ought to do something, whether it's issuing an administrative
subpoena the way our IG does before she goes for investigations, or a
variety of other kinds of tools. But they've got to do something that
makes them stop, think, that they've got a reason for doing this.
We do not believe that law enforcement should have unfettered access
to our health care records for no reason at all, so this does build in
You wanted to add something?
MS. KATZEN: I just wanted to underscore a point that the Secretary
made, which is, we talk a lot about how this protects individual
information; but society has a very substantial interest. The purpose here
is to ensure that people are not discouraged from getting the health care
they need because of some concern, real or otherwise, that that information
will be used improperly. And it's important for all of us, because if
individuals do not seek the health care they need, then researchers, public
health officials will not have a complete database, they will not have
reliable information on which to evaluate.
So the underlying purpose here, just to put this in context, is to
make sure that people get the health care that they need.
The only other thing I wanted to add in response to Helen's question
was that any regulation that is passed, that is released by the executive
branch, is subject to the Congressional Review Act, where Congress has a
period of time to have a motion to dispense with. That has been in effect
for about four years; Congress has never used it.
I agree with the Secretary, this is not one of the kinds of situation
that I can even envision, because there is so much support across both
sides of the aisle and in all sectors to support this, that while it is
subject to the Congressional Review Act, I don't think that they'll use
Q Is it mandatory, there are no penalties and violations?
SECRETARY SHALALA: No, there are penalties for violations -- up to
$250,000 and 10 years in jail. There are serious civil and criminal
penalties in this.
On the issue of research, let me respond to that question. Today, I
went and gave the charge to the new Advisory Board on Human Subjects
Research. And, as you well know, there have been some individual cases of
not having proper protections of human subjects in clinical trials.
This privacy regulation tries to balance, but again reinforces our
view that people that participate in research of all kinds ought to know
what they are participating in. And while we need to protect the
identifiers on the data, we also need to make the data available. You have
to find a proper balance.
The whole story of this regulation is about balance. It's balance for
law enforcement versus privacy protections in the health care system; it's
balance for researchers versus privacy, individual privacy protections.
So what we've tried to do, and the reason I think that this is going
to be widely supported in Congress, is to find that balance.
Q What was the executive order, by the way, that the President
MS. KATZEN: The executive order is to put limits on the use to which
health information in the hands of the federal government can be used, so
that where, for example, law enforcement receives health information as
part of the auditing process, they cannot then use that to go prosecute
criminal cases. This is not something that could be done by HHS because it
was not within their statutory authority. It is something that the
President can tell the Attorney General. And we worked very long and hard
with the Justice Department to assure the proper balance, as the Secretary
said, and this executive order, in effect, limits reuse when it's in the
hands of federal law enforcement officials.
Q If I'm on vacation in Florida and I walk into a pharmacy one time
to refill a prescription, would they be expected to give me a consent form
for me to sign?
SECRETARY SHALALA: Yes. Any other questions? This may be the first
time that my department has put out a regulation that affects everyone in
the press corps. (Laughter.)
Q -- reaction from the medical associations --
SECRETARY SHALALA: Oh, I think it's fine. In fact, this request from
the doctors, for instance, notifying someone, was, in part, their approach
to it. So we've talked to every part of the industry.
Obviously, some people are going to complain about the amount of
money. But, again, my argument is, even though we've got evidence that it
-- in the end, within this law, this HIPAA law, we're actually saving
money. The most important thing is the human genome project, all of these
new health care breakthroughs, we want people to be able to take advantage
of them and not worry whether their health care records are going to be
So I consider this a step towards quality in health care because it
Q Who's complaining?
SECRETARY SHALALA: Oh, just I read the papers very carefully. I
think some of the industry is concerned about costs. But, you know, they
have a press release they put out on any announcement that says we're
concerned about costs. When they look at it, I think they're going to be
pretty happy with it.
Q Now that you have these rules in place, would you still be
supportive of a national health identification number?
SECRETARY SHALALA: I think that we have reviewed that over time and I
think that I would want to rethink that issue again. I think the most
important thing is to get the privacy rules in place. I would support
broader legislation, though. And I think the Congress -- our hope is that
we've gotten the core done and some of the heavy lifting and found the
consensus. And when Congress sees a reaction to this, that we will have a
chance to do broader legislation and cover some of the areas we weren't
able to cover because of the legislation.
Thank you very much.
Q How do you feel about leaving Washington, the government?
SECRETARY SHALALA: Leaving Washington? I'm reluctant to leave
Washington. I've loved it. I'm not particularly reluctant to leave the
SECRETARY SHALALA: Because I've done it and I've had a wonderful
time, and I want to leave while I'm ahead. I've had a great run and thank
you to all of you. It's been fun.
Q You're going to Miami?
SECRETARY SHALALA: I'm going to the University of Miami, in Florida,
to be president.
Q What would you tell your successor to watch for, or look at or --
SECRETARY SHALALA: Well, I'd tell him a couple of things -- him or
her, whoever it ends up being. Number one, that you've got to be able to
keep a lot of balls going at the same time. It's a very complicated job.
But it also is the one agency that, every time you make a decision, it
affects not just life and death, but the quality of life -- and not just
for people in this country, but around the world. So it's an extraordinary
It's been just fun. I've had a great time.
Q Have they got a good ball team? (Laughter.)
SECRETARY SHALALA: They're number three in the nation and moving up.
They can be number one if they win the Sugar Bowl.
Q And if Shalala heads. (Laughter.)
THE PRESS: Thank you.
END 2:00 P.M. EST