HHS Proposes First-Ever National Standards To Protect Patients' Personal Medical Records

Friday, Oct. 29 1999
Contact: HHS Press Office
(202) 690-6343

HHS Secretary Donna E. Shalala proposed today the first-ever set of national standards to protect the privacy of Americans' personal health records. The standards will apply to medical records created by health care providers, hospitals, health plans and health care clearinghouses that are either transmitted or maintained electronically, and the paper printouts created from these records.

"The privacy of Americans is protected in their bank transactions, their credit card statements, and even their video rentals. Yet, until today, Americans had no federal privacy protections for their medical records," Secretary Shalala said. "These proposed standards are an important step forward in protecting the privacy of some of our most personal information."

Shalala noted that Americans are increasingly worried that the privacy of their medical information will be violated. Some have even taken action to avoid creating a medical record, including withholding information from their doctors, changing doctors, or even avoiding care altogether. "We cannot allow the absence of privacy protections to compromise the quality of care in our nation," Secretary Shalala said. "Our proposals will provide Americans with greater peace of mind as they seek care, yet they are balanced with the need to protect public health, conduct medical research and improve the quality of health care for the nation."

The bipartisan Health Insurance Portability and Accountability Act of 1996 (HIPAA) -- also known as the Kassebaum-Kennedy law -- called on Congress to enact comprehensive national medical record privacy standards by Aug. 21, 1999. If Congress was unable to meet that deadline, HIPAA required the Secretary of HHS to issue final regulations by Feb. 21, 2000. Today's proposal marks the beginning of that regulatory process.

The proposal reflects the five principles outlined by Secretary Shalala in September 1997 as part of her Recommendations for Protecting the Confidentiality of Individually Identifiable Health Information:

  • Consumer Control. The standards provide consumers with important new rights, including the right to see a copy of their medical records; the right to request a correction to their medical records; and the right to obtain documentation of disclosures of their health information.
  • Accountability. The statute includes new penalties for violations of a patient's right to privacy. These penalties include, for violations of the privacy standards by the persons subject to them, civil monetary penalties of up to $25,000 per person, per year, per standard. There are also substantial criminal penalties applicable to certain types of violations of the statute that are done knowingly: up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
  • Public Responsibility. Privacy protections must be balanced with the public responsibility to support such national priorities as protecting public health, conducting medical research, improving the quality of care, and fighting health care fraud and abuse. For example, public health agencies routinely use health records in their efforts to protect the public from outbreaks of infectious diseases. The new standards put in place how such information should be released.
  • Boundaries. With few exceptions, an individual's health care information should be used for health purposes only, including treatment and payment. For example, a hospital could use personal health information to provide care, teach, train and conduct research and ensure quality. However, employers who also function as health care providers or health plans would be barred from using information for non-health purposes like hiring, firing or determining promotions. Similarly, insurers could not use such information to underwrite other products, such as life insurance.
  • Security. Organizations that are entrusted with health information must protect it against deliberate or inadvertent misuse or disclosure. The proposed standards would require each covered organization to establish clear procedures to protect patients' privacy, designate an official to monitor that system and notify their patients about their privacy protection practices. In addition, those who get information and misuse it would be subject to the penalties outlined in the proposal.

The proposed standards would enhance the protections afforded by many existing state laws. In circumstances where the federal rules and state laws are in conflict, the stronger privacy protection would prevail. The proposed privacy standards would apply to consumers whether they are privately insured, uninsured or participants in public programs such as Medicare or Medicaid.

While the privacy standards proposed today are a significant step toward protecting patients' confidentiality, HHS does not currently have the authority to protect all medical records. Under HIPAA, HHS does not have the authority to protect records that are maintained in paper form only. HIPAA also does not allow HHS to issue standards for records that are maintained by other insurers, or by employers for workers' compensation purposes. The proposed rule does not establish appropriate restrictions on the use or redisclosure of such information by likely recipients, such as researchers, life insurance issuers, marketing firms, or administrative, legal and accounting services.

HHS also lacks the authority to provide Americans with the right to take action in court when their medical information is used inappropriately -- a critical consumer protection that only Congress can provide. The Clinton Administration has called upon Congress to close these important gaps and enact comprehensive national legislation to ensure that all medical records are protected.

The proposed rule will be open for comment from the public for 60 days.