Comment: Many commenters expressed the opinion that federal legislation is necessary to protect the privacy of individuals' health information. One comment advocated Congressional efforts to provide a comprehensive federal health privacy law that would integrate the substance abuse regulations with the privacy regulation.
Response: We agree that comprehensive privacy legislation is urgently needed. This administration has urged the Congress to pass such legislation. While this regulation will improve the privacy of individuals' health information, only legislation can provide the full array of privacy protection that individuals need and deserve.
Comment: Many commenters noted that they do not go to a physician, or do not completely share health information with their physician, because they are concerned about who will have access to that information. Many physicians commented on their patients' reluctance to share information because of fear that their information will later be used against them.
Response: We agree that strong federal privacy protections are necessary to enhance patients' trust in the health care system.
Comment: Many commenters expressed concerns that this regulation will allow access to health information by those who today do not have such access, or would allow their physician to disclose information which may not lawfully be disclosed today. Many of these commenters stated that today, they consent to every disclosure of health information about them, and that absent their consent the privacy of their health information is "absolute." Others stated that, today, health information is disclosed only pursuant to a judicial order. Several commenters were concerned that this regulation would override stronger state privacy protection.
Response: This regulation does not, and cannot, reduce current privacy protections. The statutory language of the HIPAA specifically mandates that this regulation does not preempt state laws that are more protective of privacy.
As discussed in more detail in later this preamble, while many people believe that they must be asked permission prior to any release of health information about them, current laws generally do not impose such a requirement. Similarly, as discussed in more detail later in this preamble, judicial review is required today only for a small proportion of releases of health information.
Comment: Many commenters asserted that today, medical records "belong" to patients. Others asserted that patients own their medical information and health care providers and insurance companies who maintain health records should be viewed as custodians of the patients' property.
Response: We do not intend to change current law regarding ownership of or responsibility for medical records. In developing this rule we reviewed current law on this and related issues, and built on that foundation.
Under state laws, medical records are often the property of the health care provider or medical facility that created them. Some state laws also provide patients with access to medical records or an ownership interest in the health information in medical records. However, these laws do not divest the health care provider or the medical facility of its ownership interest in medical records. These statutes typically provide a patient the right to inspect or copy health information from the medical record, but not the right to take the provider's original copy of an item in the medical record. If a particular state law provides greater ownership rights, this regulation leaves such rights in place.
Comment: Some commenters argued that the use and disclosure of sensitive personal information must be strictly regulated, and violation of such regulations should subject an entity to significant penalties and sanctions.
Response: We agree, and share the commenters' concern that the penalties in the HIPAA statute are not sufficient to fully protect individuals' privacy interests. The need for stronger penalties is among the reasons we believe Congress should pass comprehensive privacy legislation.
Comment: Many commenters expressed the opinion that the proposed ruled should provide stricter privacy protections.
Response: We received nearly 52,000 comments on the proposed regulation, and make substantial changes to the proposal in response to those comments. Many of these changes will strengthen the protections that were proposed in the NPRM.
Comment: Many comments express concerns that their health information will be given to their employers.
Response: We agree that employer access to health information is a particular concern. In this final regulation, we make significant changes to the NPRM that clarify and provide additional safeguards governing when and how the health plans covered by this regulation may disclose health information to employers.
Comment: Several commenters argued that individuals should be able to sue for breach of privacy.
Response: We agree, but do not have the legislative authority to grant a private right of action to sue under this statute. Only Congress can grant that right.