HHS ISSUES FIRST MAJOR PROTECTIONS FOR PATIENT PRIVACY
Consumers Gain New Controls Over Medical Records Beginning April 2003
HHS Secretary Tommy G. Thompson today (August, 2002) issued
the first-ever comprehensive federal regulation that gives patients sweeping
protections over the privacy of their medical records. The final regulation,
which takes effect April 14, 2003, will ensure strong privacy protections
without interfering with Americans' access to quality health care.
The federal privacy regulation empowers patients by
guaranteeing them access to their medical records, giving them more control over
how their protected health information is used and disclosed, and providing a
clear avenue of recourse if their medical privacy is compromised. The rule will
protect medical records and other personal health information maintained by
certain health care providers, hospitals, health plans, health insurers and
health care clearinghouses.
"Patients now will have a strong foundation of federal
protections for the personal medical information that they share with their
doctors, hospitals and others who provide their care and help pay for it,"
Secretary Thompson said. "The rule protects the confidentiality of Americans'
medical records without creating new barriers to receiving quality health care.
It strikes a common sense balance by providing consumers with personal privacy
protections and access to high quality care."
Under the privacy rule:
- Patients must give specific authorization before entities
covered by this regulation could use or disclose protected information in most
non-routine circumstances - such as releasing information to an employer or
for use in marketing activities. Doctors, health plans and other covered
entities would be required to follow the rule's standards for the use and
disclosure of personal health information.
- Covered entities generally will need to provide patients
with written notice of their privacy practices and patients' privacy rights.
The notice will contain information that could be useful to patients choosing
a health plan, doctor or other provider. Patients would generally be asked to
sign or otherwise acknowledge receipt of the privacy notice from direct
- Pharmacies, health plans and other covered entities must
first obtain an individual's specific authorization before sending them
marketing materials. At the same time, the rule permits doctors and other
covered entities to communicate freely with patients about treatment options
and other health-related information, including disease-management programs.
- Specifically, improvements to the final rule strengthen the
marketing language to make clear that covered entities cannot use business
associate agreements to circumvent the rule's marketing prohibition. The
improvement explicitly prohibits pharmacies or other covered entities from
selling personal medical information to a business that wants to market its
products or services under a business associate agreement.
- Patients generally will be able to access their personal
medical records and request changes to correct any errors. In addition,
patients generally could request an accounting of non-routine uses and
disclosures of their health information.
HHS issued privacy regulations in December 2000 but had to
make changes to address the serious unintended consequences of the rule that
would have interfered with patients' access to quality care. For example,
patients would have been required to visit a pharmacy in person to sign
paperwork before a pharmacist could review protected health information in order
to fill their prescriptions. Similar barriers would have arisen when a patient is
referred to a specialist and in other situations.
"We took great care to make sure we weren't creating greater
hardships or more health care bureaucracy for patients as they seek to get
prompt and effective care," Secretary Thompson said. "The prior regulation,
while well-intentioned, would have forced sick or injured patients to run all
around town getting signatures before they could get care or medicine. This
regulation gives patients the power to protect their privacy and still get
efficient health care."
HHS received more than 11,000 public comments on the proposed
modifications issued in March 2002 and today is adopting final changes. The
final version, which will be published in the Aug. 14th Federal Register,
includes some key revisions to address public concerns. The rule will be
available online today at
HHS' privacy regulation is designed to enhance the protections
afforded by many existing state laws. Stronger state laws and other federal laws
continue to apply, so the federal regulation provides a national base of privacy
protections. The standards for covered entities apply whether their patients are
privately insured, uninsured or covered under public programs such as Medicare
Most covered entities have until April 14, 2003, to comply
with the patient privacy rule; under the law, certain small health plans have
until April 14, 2004 to comply.
To help people prepare for and meet the rule's requirements,
HHS' Office for Civil Rights (OCR) will continue to conduct outreach and
education targeted to health plans, health care providers, consumers and others
affected by the privacy regulation.
These efforts include developing appropriate technical
assistance materials, which may include fact sheets, handbooks and other
materials, as well as responding to frequently asked questions. HHS also will
hold national educational conferences in the fall to address issues related to
key parts of the privacy regulation. Technical assistance materials will be
posted on OCR's privacy rule website at http://www.hhs.gov/ocr/hipaa/.
"We are working to do our part to educate the health care
industry and the public about these rights and protections in advance of the
April 2003 compliance date required under the law," OCR director Richard M.
Campanelli said. "We believe the improvements in this final rule will be helpful
to both health care providers and the public. Our goal is to ensure patients
enjoy their full federal privacy rights and protections by helping covered
entities follow the rule."
In 1996, Congress recognized the need for national patient
privacy standards and, as part of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), set a three-year deadline for it to enact
such protections. HIPAA also required that, if Congress did not meet this
deadline, HHS was to adopt health information privacy protections via regulation
based upon certain specific parameters included in HIPAA. Congress did not enact
health privacy legislation.
HHS proposed federal privacy standards in 1999 and, after
reviewing and considering more than 52,000 public comments on them, published
final standards in December 2000. In March 2001, Secretary Thompson requested
additional public input and received more than 11,000 comments, which helped to
shape the improvements proposed in March 2002. Today's final improvements
reflect public comments received on that proposal.
The privacy rule is part of a set of standards required under
HIPAA's "administrative simplification" provisions. More information about these
standards is available at