| PRESIDENT CLINTON ISSUES STRONG NEW CONSUMER PROTECTIONS |
| TO ENSURE THE PRIVACY OF MEDICAL RECORDS |
| December 20, 2000 |
Today, President Clinton will release a final regulation establishing the
first-ever federal privacy protections for the personal health information
of all Americans. This rule, which applies to health insurers, virtually
all health care providers and clearinghouses, will give consumers more
control over and access to their health information; set boundaries on the
use and release of health records; safeguard that information; establish
accountability for inappropriate use and release; and balance privacy
protections with public safety. The final regulation improves on the
proposed rule by strengthening several key protections, including:
extending protections to personal medical records in all forms ? including
paper records and oral communications; providing for written consent for
routine use and disclosure of health records; protecting against
unauthorized use of medical records for employment purposes; and ensuring
that health care providers have all the information necessary to
appropriately treat their patients.
THE PRIVACY OF INDIVIDUAL MEDICAL RECORDS IS NOT CURRENTLY PROTECTED.
Today, despite the increase in the collection and dissemination of personal
data, there is no comprehensive federal requirement to provide patients
with basic privacy protections.
? Americans are increasingly concerned about losing their privacy.
Recent studies show a rising level of public concern about privacy; in
1999, over 80 percent of people surveyed agreed with the statement that
they had ?lost all control over their personal information.?
? Personal health information can be distributed without consent for
reasons that are unrelated to treatment. Under the current loose patchwork
of state laws, information held by an insurer can be passed on to a lender
who can then deny that patient?s application for a home mortgage or a
credit card, or to an employer who uses it in personnel decisions.
Personal health information may be disclosed for insurance underwriting
purposes, for market research, or any other reason without any safeguards
to protect it against misuse.
? Patients are often unable to access their own medical records. In
addition, patients wishing to access or control the release of such records
may be unable to do so because of overwhelming barriers established by
their insurance company, health care provider, or anyone else who holds
PRESIDENT CLINTON TAKES FINAL ACTION NECESSARY TO IMPLEMENT NEW NATIONAL
SAFEGUARDS FOR SENSITIVE HEALTH INFORMATION. The final regulation, which
will be fully implemented within two years, is being issued under the
authority of the bipartisan Health Insurance Portability and Accountability
Act (HIPAA). This regulation, which underscores the Administration's
commitment to safeguarding the security of personal health information,
GIVE CONSUMERS CONTROL OVER THEIR HEALTH INFORMATION
? Inform consumers how their health information is being used. This new
regulation requires health plans and providers to inform patients about how
their information is being used and to whom it is disclosed. It also gives
each individual patient a right to a "disclosure history," listing the
entities that received information unrelated to treatment or payment, that
must be provided within 60 days.
? Limit the release of private health information without consent. This
rule establishes a new federal requirement for doctors treating patients
and hospitals to obtain patients? written consent to use their health
information even for routine purposes, such as treatment and payment.
Other, non-routine disclosures would require separate, specific patient
? Give patients access to their own health file and the right to request
amendments or corrections. The regulation gives patients the right to see
and copy their own records as well as the right to request correction of
potentially harmful errors in their health files. These access and
amendment rights are a core part of efforts to protect individual privacy.
Without them, a person with an improper diagnosis in his or her medical
file could be denied health insurance and left no redress.
SET BOUNDARIES ON MEDICAL RECORD USE AND RELEASE
? Restrict the amount of information used and disclosed to the "minimum
necessary." Currently, health care providers and plans often release a
patient's entire health record even if an employer or other entity only
needs specific information, such as the information necessary to process a
worker?s compensation claim. This new regulation restricts the information
that is used and disclosed to the minimum amount necessary.
ENSURE THE SECURITY OF PERSONAL HEALTH INFORMATION
? Require the establishment of privacy-conscious business practices.
The regulation requires the establishment of internal procedures to protect
the privacy of health records. They include: training employees about
privacy considerations in the workplace; receiving complaints from patients
on privacy issues; designating a "privacy officer" to assist patients with
complaints; and ensuring that appropriate safeguards are in place for the
protection of health information. Many responsible doctors, hospitals and
health plans already provide these common-sense services for their
patients, and were instrumental in advocating for a national standard.
ESTABLISH ACCOUNTABILITY FOR MEDICAL RECORD USE AND RELEASE
? Create new criminal and civil penalties for improper use or disclosure
of information. In the past, there often has not been any legal basis to
prosecute individuals who inappropriately disclose private medical
information. This rule applies the standards included in HIPAA to create
new criminal penalties for intentional disclosure ? up to $50,000 and up to
a year in prison. Disclosure with intent to sell the data is punishable
with a fine of up to $250,000 and up to 10 years in prison. The regulation
also establishes new civil penalties of $100 per person for unintentional
disclosures and other violations (up to $25,000 per person per year).
Although these enforcement provisions will be helpful, they are no
substitute for a private right of action, which makes it possible for
patients to be compensated for harmful plan actions.
BALANCE PUBLIC RESPONSIBILITY WITH PRIVACY PROTECTIONS
? Require that information be disclosed only for public health
priorities and other responsible research. The regulation balances the
need to protect the public health and support carefully monitored medical
research against the need to protect personal medical records from misuse
and abuse. The regulation recognizes that threats to public health, such
as life-threatening and easily transmitted infectious diseases, will
require appropriate monitoring by public health authorities. The
regulation encourages health professionals to use de-identified records
? Limit the disclosure of information without sacrificing public safety.
The rule strikes the proper balance between protecting privacy and meeting
the needs of law enforcement. Medical records are often important to the
investigation and prosecution of serious criminal activity. At the same
time, Americans must not be discouraged from seeking health care because of
concerns about having their information inappropriately given to others.
FINAL REGULATION INCLUDES KEY CHANGES TO STRENGTHEN PRIVACY PROTECTIONS.
In response to over 50,000 comments submitted by the public, the final
regulation being released today strengthens patient protection and control
over their health information by:
? Extending coverage to personal medical records in all forms ?
including paper records and oral communications. The proposed regulation
released last year was limited to electronic records and any paper records
that previously existed in electronic form. The final regulation provides
protection for paper and oral in addition to electronic information,
creating a privacy system that covers all personal health information
created or held by covered entities. Comments received on the proposed
regulation affirmed that the Administration had the authority to extend
coverage to paper records and overwhelmingly supported broadening the
regulation to these records because it would be impractical to have two
separate sets of privacy standards for different sets of records.
? Requiring consent for routine use and disclosure of health records.
The proposed regulation released last year allowed routine disclosure of
health information without advance consent for purposes of treatment,
payment, and health care operations. The final regulation ensures that
written consent for disclosures by front line providers? even routine ones
? be obtained in advance. This new requirement was strongly supported by
physician and patient advocacy groups.
? Protecting against unauthorized use of medical records for employment
purposes. The proposed regulation did not clearly explain the regulation's
limits on large self-insured employers' access to personal health
information for employment or other purposes unrelated to health care
without consent. The final regulation clarifies that these employers cannot
access medical information for purposes unrelated to health care.
? Ensuring that health care providers have all the information necessary
to appropriately treat their patients. For most disclosures of health
information, such as health information submitted with bills, providers may
send only the minimum information needed for the purpose of the disclosure.
However, when treating patients, health care providers often need to be
able to share more complete information with other providers. The final
rule gives providers full discretion in determining what personal health
information to include when sending patient records to other providers for
Financial Impact of Implementation of Privacy Regulation. Recognizing the
savings and cost potential of standardizing electronic claims processing
and protecting privacy and security, the Congress required that the overall
financial impact of the HIPAA regulations reduce costs. As such, the
financial assessment of the privacy regulation includes the ten-year $29.9
billion savings HHS projects for the recently released electronic claims
regulation and the projected $17.6 billion in costs over 10 years projected
for the privacy regulation. This produces a net saving of approximately
$12.3 billion over 10 years for the health care delivery system while
improving the efficiency as well as privacy protections.
PRESIDENT CLINTON CALLS ON THE CONGRESS TO ENACT PRIVACY LEGISLATION TO
FINISH THE JOB. Today, President Clinton will once again call on Congress
to finish the job on privacy. The regulation being finalized today
represents a critical step towards protecting patient privacy that became
necessary after Congress failed to act in the three-year timeframe it gave
itself in 1996. However, the President's administrative authority is
limited by statute and there remains an urgent need for federal privacy
protections to: strengthen penalties and to create a private right of
action so citizens can hold health plans and providers accountable for
inappropriate and harmful disclosures of information; extend privacy
protections to cover other entities that routinely handle sensitive medical
information, such as life insurers and worker's compensation programs; and
to place appropriate limits on the re-use of medical information by other
entities. Today the President is doing what he can in this area. He is
issuing an Executive Order to limit the re-use and re-disclosure of certain
medical records within the Federal government, but new legislation would be
needed to extend these protections more broadly.