Wednesday, Dec. 20, 2000
Contact: HHS Press Office
(202) 690-6343


HHS Secretary Donna E. Shalala today released the nation's first-ever standards for protecting the privacy of Americans' personal health records. This new regulation will protect medical records and other personal health information maintained by health care providers, hospitals, health plans and health insurers, and health care clearinghouses.

"For the first time, all Americans -- no matter where they live, no matter where they get their health care -- will have protections for their most private personal information, their health records," Secretary Shalala said. "Gone are the days when our family doctor kept our records sealed away in an office file cabinet. Patient information is now accessed and exchanged quickly. With these standards, all Americans will be able to have confidence that their personal health information will be protected."

The regulation was mandated by Congress when it failed to pass comprehensive privacy legislation. The new standards: limit the non-consensual use and release of private health information; give patients new rights to access their medical records and to know who else has accessed them; restrict most disclosure of health information to the minimum needed for the intended purpose; establish new criminal and civil sanctions for improper use or disclosure; and establish new requirements for access to records by researchers and others.

HHS received more than 52,000 comments on its proposed privacy rule published last year. The standards announced today further strengthen patients' protection and control over their health information by extending coverage to personal medical records in all forms -- including paper records and oral communications. The earlier proposal had applied to electronic records and to any paper records that had at some point existed in electronic form. The final regulation provides protection for paper, oral and electronic information, creating a privacy system that covers all personal health information created or held by covered entities.

"Comprehensive protection of personal medical records is what Congress called for in the law, and it's what American patients and their providers want and need," Shalala said. "Protection for all records is the most logical, workable and understandable approach for patients and providers alike."

The final rule also requires that most providers get their patients' consent for routine use and disclosure of health records, in addition to requiring their authorization for non-routine disclosures. The earlier version had proposed allowing routine disclosures without advance consent -- disclosures for purposes of treatment, payment and health care operations (such as internal data gathering by a provider or health care plan). But most of those commenting on this provision, including many physicians, believed consent even for these routine purposes should be obtained in advance.

Advance written consent for routine purposes will be similar to the practice most patients are accustomed to when they visit a doctor or hospital today. However, the regulation will provide additional protection by requiring that patients also be given detailed written information on their privacy rights and on how their information will be used.

Other changes from the proposed rule include:

Allowing disclosure of the full medical record to providers for purposes of treatment: For most disclosures, such as health information submitted with bills, providers may send only the minimum information needed for the purpose of the disclosure. However, for purposes of treatment, health care providers need to be able to transmit fuller information to other providers. The final rule gives providers full discretion in determining what personal health information to include when sending patients' medical records to other providers for treatment purposes.

Protecting against unauthorized use of medical records for employment purposes: Companies that sponsor health plans will not be able to access personal health information from the sponsored plan for employment-related purposes, without authorization from the patient.

The bipartisan Health Insurance Portability and Accountability Act of 1996 (HIPAA) called on Congress to enact comprehensive national medical record privacy standards by Aug. 21, 1999. When Congress was unable to enact standards by this deadline, HIPAA required that HHS issue regulations. Proposed regulations were published Nov. 3, 1999. Today's issuance of final regulations completes HHS' regulatory process on health information privacy under the HIPAA provision. The regulation will be enforced by the HHS Office for Civil Rights.

The final regulation retains the approach originally outlined by Secretary Shalala in September 1997 in her "Recommendations for Protecting the Confidentiality of Individually Identifiable Health Information."

The new regulation reflects the five basic principles outlined at that time:

  • Consumer Control: The regulation provides consumers with critical new rights to control the release of their medical information, including: advance consent for most disclosures of health information; the right to see a copy of their health records; the right to request a correction to their health records; the right to obtain documentation of disclosures of their health information; and the right to an explanation of their privacy rights and how their information may be used or disclosed.
  • Boundaries: With few exceptions, an individual's health care information should be used for health purposes only, including treatment and payment. For example, a hospital may use personal health information to provide care, teach, train, conduct research and ensure quality. However, employers who also sponsor health plans may not obtain information for non-health purposes like hiring, firing or determining promotions, without permission from the individual. Similarly, insurers may not use such information to underwrite other products, such as life insurance. Disclosure is to be kept to the minimum information needed for the purpose of the disclosure.
  • Accountability: Under HIPAA, for the first time, there will be specific federal penalties if a patient's right to privacy is violated. For non-criminal violations of the privacy standards by the persons subject to the standards, including disclosures made in error, there are civil monetary penalties of $100 per violation up to $25,000 per year, per standard. In addition, criminal penalties are provided in HIPAA for certain types of violations of the statute that are done knowingly: up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining or disclosing protected health information under "false pretenses;" and up to $250,000 and up to 10 years in prison for obtaining protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
  • Public Responsibility: The new standards reflect the need to balance privacy protections with the public responsibility to support such national priorities as protecting public health, conducting medical research, improving the quality of care, and fighting health care fraud and abuse. For example, when there is an infectious disease outbreak, public health agencies need to obtain important information to better protect the public. The new regulation provides standards for how such information should be released to balance privacy and public health needs.
  • Security: It is the responsibility of organizations that are entrusted with health information to protect it against deliberate or inadvertent misuse or disclosure. The final regulation requires covered organizations to establish clear procedures to protect patients' privacy, including designating an official to establish and monitor the entity's privacy practices and training.

The new regulation is designed to enhance the protections afforded by many existing state laws. In circumstances where the federal rules and state laws are in conflict, the stronger privacy protection would prevail. The standards apply to all consumers whether they are privately insured, uninsured or participants in public programs such as Medicare or Medicaid. Most covered entities will have two years to come into compliance.

Recognizing the savings and cost potential of standardizing electronic claims processing and of protecting privacy and security, Congress provided in HIPAA in 1996 that the overall financial impact of the HIPAA regulations must reduce costs. As such, the financial assessment of the privacy regulation includes the 10-year $29.9 billion savings HHS projects for the recently released electronic claims regulation and the $17.6 billion in costs projected for the privacy regulation. This produces a net savings of approximately $12.3 billion for the health care delivery system.

While the regulation announced today significantly strengthens protections for patients' confidentiality, Secretary Shalala said Congress still needs to act in areas not covered by existing federal law. Under current law, the final regulation does not directly regulate many entities, including life insurers and workers' compensation programs, thus allowing unlimited use and reuse of information by such entities. Federal legislation is also needed to fortify the penalties and to create a private right of action so that citizens can hold health plans and providers directly accountable for inappropriate and harmful disclosures of information.

A fact sheet on this subject is available at: http://www.hhs.gov/news/press/2000pres/00fsprivacy.html

An actuality of Secretary Donna E. Shalala announcing the new Medical Record Privacy Regulation is available on the Internet at: http://www.hhs.gov/news/broadcast/. In addition, a photograph from this announcement is available at: http://www.hhs.gov/news/photos/.