Contact: HCFA Press Office


HHS Secretary Donna E. Shalala today proposed new standards for protecting individual health information when it is maintained or transmitted electronically.

The new security standards were designed to protect all electronic health information from improper access or alteration, and to protect against loss of records.

At the same time, Secretary Shalala called on Congress to enact further protections to guarantee the privacy of medical records.

"The proposals we are making today set a national standard for protecting the security and integrity of medical records when they are kept in electronic form," Secretary Shalala said. "It is crucial to have these standards, as we move increasingly toward electronic medical records. But it is also not enough. In addition, we urgently need new legal protections to safeguard the privacy of medical records in all forms."

The new electronic data security standards were mandated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which also called on the Secretary of HHS to make recommendations to Congress on how to protect the privacy of health information. Secretary Shalala delivered her recommendations for new health privacy legislation last September. Under HIPAA, Congress is given until August 1999 to enact privacy protections. If Congress fails to act by that time, HIPAA authorizes the Secretary to implement privacy protections by regulation.

"Electronic medical records can give us greater efficiency and lower cost. But those benefits must not come at the cost of loss of privacy," Shalala said. "The proposals we are making today will help protect against one kind of threat -- the vulnerability of information in electronic formats. Now we need to finish the bigger job and create broader legal protections for the privacy of those records."

Today's proposed regulations include technical guidance as well as administrative requirements for those who use electronic health information, that is, the medical records of individuals. All health plans, health care providers, and health care clearinghouses that maintain or transmit health information electronically will be required to establish and maintain responsible and appropriate safeguards to ensure the integrity and confidentiality of the information.

Depending on size and complexity, health care businesses will have different security needs. All will have to comply with the security requirements. Some businesses may need to implement more sophisticated safeguards than others.

For example, all firms that transmit or maintain electronic health information will need to develop a security plan, provide training for employees, and secure physical access to records. Health information about individuals must be protected during transmission and where maintained in electronic form. Other administrative procedures, physical safeguards, and technical security measures will also be needed.

"This is not a one size fits all security plan," said Nancy-Ann DeParle, Administrator of the Health Care Financing Administration, "but a carefully developed set of standards. They should ensure that individual records are secure while providing the flexibility for each health care business."

The proposal includes an electronic signature standard which specifies that a digital signature be used when an electronic signature is required for one of the standard transactions specified in the law. This standard will verify the identity of the person signing and the authenticity of an electronic health care document.
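The two properties the paragraph above attributes to a digital signature, identity of the signer and integrity of the signed document, are easiest to see in working code. The following Go program is an added illustration and is not part of the press release or of the proposed standard; the proposal did not name an algorithm, so the choice of Ed25519 (from Go's standard library), the fixed key seeds, the "dr-example" signer directory and the sample claim record are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// SignedRecord bundles an electronic health care document with the
// signer's public key and the signature computed over the document bytes.
type SignedRecord struct {
	Document  []byte
	SignerPub ed25519.PublicKey
	Signature []byte
}

// SignerFromSeed derives a deterministic Ed25519 key pair from a 32-byte seed.
// Fixed seeds keep this example reproducible; a real deployment would call
// ed25519.GenerateKey with crypto/rand and keep the private key in a
// protected store such as an HSM or smart card.
func SignerFromSeed(seed []byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(seed)
}

// SignDocument produces a SignedRecord for doc under the given private key.
func SignDocument(priv ed25519.PrivateKey, doc []byte) SignedRecord {
	return SignedRecord{
		Document:  doc,
		SignerPub: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, doc),
	}
}

// VerifyRecord answers the two questions the signature standard is meant to
// settle: who signed (identity) and whether the document is unaltered
// (authenticity). trusted is a constructed directory of known signers; the
// record's key must match an entry, and the signature must verify over the
// exact document bytes. A valid signature from an unlisted key is rejected,
// because a signature alone says nothing about whether the signer is trusted.
func VerifyRecord(rec SignedRecord, trusted map[string]ed25519.PublicKey) (signer string, ok bool) {
	for name, pub := range trusted {
		if pub.Equal(rec.SignerPub) {
			return name, ed25519.Verify(pub, rec.Document, rec.Signature)
		}
	}
	return "", false
}

// Demo signs a constructed claim record, then shows that altering the
// document after signing, or signing with a key outside the trusted
// directory, both fail verification.
func Demo() (origOK, tamperedOK, unknownOK bool) {
	drKey := SignerFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	otherKey := SignerFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))

	trusted := map[string]ed25519.PublicKey{
		"dr-example": drKey.Public().(ed25519.PublicKey), // hypothetical signer
	}

	// Constructed sample document, not a real record.
	claim := []byte(`{"patient":"P-0001","procedure":"99213","amount":85.00}`)

	rec := SignDocument(drKey, claim)
	_, origOK = VerifyRecord(rec, trusted)

	// Change the billed amount after signing: 85.00 -> 95.00.
	tampered := rec
	tampered.Document = bytes.Replace(claim, []byte("85.00"), []byte("95.00"), 1)
	_, tamperedOK = VerifyRecord(tampered, trusted)

	// A correctly formed signature from a key not in the directory.
	_, unknownOK = VerifyRecord(SignDocument(otherKey, claim), trusted)
	return
}

func main() {
	o, t, u := Demo()
	fmt.Printf("original verifies: %v, tampered verifies: %v, unknown signer verifies: %v\n", o, t, u)
}
```

The signer directory is the part most easily overlooked: a signature proves that whoever held a particular private key signed these exact bytes, and binding that key to a named person or organization is a separate trust decision that the verifier has to make.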

The proposal, to be published in the Federal Register, is one of a series of administrative simplification efforts required by HIPAA. Other HIPAA-required proposals include standards for a uniform electronic health care claim (and other common administrative transactions), and for reporting diagnoses and procedures in the transactions.

HIPAA also required HHS to establish standards for unique identifier numbers for health care providers, employers and health plans. Proposals have already been made for employers and providers.

In addition, HIPAA called on HHS to adopt standards for a unique health identifier number for each individual American. However, the Clinton Administration has said no proposal for patient identifier numbers will be implemented until privacy protections, as called for by HIPAA, have been put in place.