HHS announces medical record privacy regulation

Health and Human Services Secretary Donna E. Shalala released the nation's first standards for protecting the privacy of Americans' personal health records.

This new regulation will protect medical records and other personal health information maintained by healthcare providers, hospitals, health plans and health insurers, and healthcare clearinghouses.

"For the first time, all Americans - no matter where they live, no matter where they get their healthcare - will have protections for their most private personal information, their health records," Secretary Shalala said.

The new standards limit the non-consensual use and release of private health information, give patients new rights to access their medical records and to know who else has accessed them, restrict most disclosure of health information to the minimum needed for the intended purpose, establish new criminal and civil sanctions for improper use or disclosure, and establish new requirements for access to records by researchers and others.

The earlier proposal applied to electronic records and to any paper records that had at some point existed in electronic form. The final regulation provides protection for paper, oral and electronic information, creating a privacy system that covers all personal health information created or held by covered entities.

The final rule also requires that most providers get their patients' consent for routine use and disclosure of health records, in addition to requiring their authorization for non-routine disclosures. The earlier version proposed allowing routine disclosures without advance consent – disclosures for purposes of treatment, payment and healthcare operations (such as internal data gathering by a provider or healthcare plan). But most of those commenting on this provision, including many physicians, believed consent should be obtained in advance even for these routine purposes.

Other changes from the proposed rule include:

•Â Allowing disclosure of full medical records to providers for purposes of treatment. The final rule gives providers full discretion in determining what personal health information to include when sending patients' medical records to other providers for treatment purposes.

•Â Protecting against unauthorized use of medical records for employment purposes. Companies that sponsor health plans will not be able to access personal health information from the sponsored plan for employment-related purposes without authorization from the patient.

The new regulation is designed to enhance the protections afforded by many existing state laws. In circumstances where the federal rules and state laws are in conflict, the stronger privacy protection will prevail. The standards apply to all consumers, whether they are privately insured, uninsured or participating in public programs such as Medicare or Medicaid. Most covered entities will have two years to come into compliance.

More work is needed

While the new regulation significantly strengthens protections for patients' confidentiality, Secretary Shalala said Congress still needs to act in areas not covered by existing federal law. Under current law, the final regulation does not directly cover many entities, including life insurers and worker's compensation programs - thus allowing unlimited use and reuse of information by such entities. Federal legislation is also needed to fortify the penalties and to create a private right of action so that citizens can hold health plans and providers directly accountable for inappropriate and harmful disclosures of information. PR