Protecting the Privacy of Patients' Health Information:
Summary of the Final Regulation

HHS Press Office

Overview: Each time a patient sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of their confidential health information. For many years, the confidentiality of those records was maintained by our family doctors, who kept our records sealed away in file cabinets and refused to reveal them to anyone else. Today, the use and disclosure of this information is protected by a patchwork of state laws, leaving large gaps in the protection of patients' privacy and confidentiality. There is a pressing need for national standards to control the flow of sensitive patient information and to establish real penalties for the misuse or disclosure of this information.

President Clinton and Congress recognized the need for national patient record privacy standards in 1996 when they enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA). That law gave Congress until August 21, 1999, to pass comprehensive health privacy legislation. After three years of discussion in Congress without passage of such a law, HIPAA provided HHS with the authority to craft such privacy protections by regulation. Following the principles and policies laid out in the recommendations for national health information privacy legislation the Administration submitted to Congress in 1997, the Administration drafted regulations to guarantee patients new rights and protections against the misuse of disclosure of their health records and the President and Secretary Donna E. Shalala released them in October of last year. During an extended comment period, HHS received, electronically or on paper, more than 52,000 communications from the public.

This final rule provides the first comprehensive federal protection for the privacy of health information. However, because of the limitations of the HIPAA statute, these protections do not fully achieve the Administration's goal of a seamless system of privacy protection for all health information. Members of both parties in Congress will need to pass meaningful, comprehensive privacy protection for American patients that would extend the reach of the standards being finalized today to all entities that hold personal health information.

Covered Entities

As required by the HIPAA, the final regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., electronic billing and funds transfers) electronically.

Information Protected

All medical records and other individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally, is covered by the final regulation.

COMPONENTS OF THE FINAL RULE
The rule is the result of the Department's careful consideration of every comment and reflects a balance between accommodating practical uses of individually identifiable health information and rendering maximum privacy protection of that information.

CONSUMER CONTROL OVER HEALTH INFORMATION
Under this final rule, patients have significant new rights to understand and control how their health information is used.

• Patient education on privacy protections. Providers and health plans are required to give patients a clear written explanation of how they can use, keep, and disclose their health information.

• Ensuring patient access to their medical records. Patients must be able to see and get copies of their records, and request amendments. In addition, a history of most disclosures must be made accessible to patients.

• Receiving patient consent before information is released. Patient authorization to disclose information must meet specific requirements. Health care providers who see patients are required to obtain patient consent before sharing their information for treatment, payment, and health care operations purposes. In addition, specific patient consent must be sought and granted for non-routine uses and most non-health care purposes, such as releasing information to financial institutions determining mortgages and other loans or selling mailing lists to interested parties such as life insurers. Patients have the right to request restrictions on the uses and disclosures of their information.

• Ensuring that consent is not coerced. Providers and health plans generally cannot condition treatment on a patient's agreement to disclose health information for non-routine uses.

• Providing recourse if privacy protections are violated. People have the right to complain to a covered provider or health plan, or to the Secretary, about violations of the provisions of this rule or the policies and procedures of the covered entity.

• Ensuring that health information is not used for non-health purposes. Patient information can be used or disclosed by a health plan, provider or clearinghouse only for purposes of health care treatment, payment and operations. Health information cannot be used for purposes not related to health care - such as use by employers to make personnel decisions, or use by financial institutions - without explicit authorization from the individual.

• Providing the minimum amount of information necessary. Disclosures of information must be limited to the minimum necessary for the purpose of the disclosure. However, this provision does not apply to the transfer of medical records for purposes of treatment, since physicians, specialists, and other providers need access to the full record to provide best quality care.

• Ensuring informed and voluntary consent. Non-routine disclosures with patient authorization must meet standards that ensure the authorization is truly informed and voluntary.

ENSURE THE SECURITY OF PERSONAL HEALTH INFORMATION
The regulation establishes the privacy safeguard standards that covered entities must meet, but it leaves detailed policies and procedures for meeting these standards to the discretion of each covered entity. In this way, implementation of the standards will be flexible and scalable, to account for the nature of each entity's business, and its size and resources. Covered entities must:

• Adopt written privacy procedures. These must include who has access to protected information, how it will be used within the entity, and when the information would or would not be disclosed to others. They must also takes steps to ensure that their business associates protect the privacy of health information.

• Train employees and designate a privacy officer. Covered entities must provide sufficient training so that their employees understand the new privacy protections procedures, and designate an individual to be responsible for ensuring the procedures are followed.

• Establish grievance processes. Covered entities must provide a means for patients to make inquiries or complaints regarding the privacy of their records.

ESTABLISH ACCOUNTABILITY FOR MEDICAL RECORDS USE AND RELEASE
Penalties for covered entities that misuse personal health information are provided in HIPAA.

• Civil penalties. Health plans, providers and clearinghouses that violate these standards would be subject to civil liability. Civil money penalties are $100 per incident, up to $25,000 per person, per year, per standard.

• Federal criminal penalties. There would be federal criminal penalties for health plans, providers and clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses. Penalties would be higher for actions designed to generate monetary gain. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

BALANCING PUBLIC RESPONSIBILITY WITH PRIVACY PROTECTIONS
After balancing privacy and other social values, HHS is establishing rules that would permit certain existing disclosures of health information without individual authorization for the following national priority activities and for activities that allow the health care system to operate more smoothly. All of these disclosures have been permitted under existing laws and regulations. Within certain guidelines found in the regulation, covered entities may disclose information for:

• Oversight of the health care system, including quality assurance activities
  
• Public health
  
• Research, generally limited to when a waiver of authorization is independently approved by a privacy board or Institutional Review Board
• Judicial and administrative proceedings
  
• Limited law enforcement activities
  
• Emergency circumstances
  
• For identification of the body of a deceased person, or the cause of death
  
• For facility patient directories
  
• For activities related to national defense and security
  

The rule permits, but does not require these types of disclosures. If there is no other law requiring that information be disclosed, physicians and hospitals will still have to make judgments about whether to disclose information, in light of their own policies and ethical principles.

SPECIAL PROTECTION FOR PSYCHOTHERAPY NOTES
Psychotherapy notes (used only by a psychotherapist) are held to a higher standard of protection because they are not part of the medical record and never intended to be shared with anyone else. All other health information is considered to be sensitive and treated consistently under this rule.

EQUIVALENT TREATMENT OF PUBLIC AND PRIVATE SECTOR HEALTH PLANS AND PROVIDERS. The provisions of the final rule generally apply equally to private sector and public sector entities. For example, both private hospitals and government agency medical units must comply with the full range of requirements, such as providing notice, access rights, requiring consent before disclosure for routine uses, establishing contracts with business associates, among others.

CHANGES FROM THE PROPOSED REGULATION

• Providing coverage to personal medical records in all forms. The proposed regulation had applied only to electronic records and to any paper records that had at some point existed in electronic form. The final regulation extends protection to all types of personal health information created or held by covered entities, including oral communications and paper records that have not existed in electronic form. This creates a privacy system that covers virtually all health information held by hospitals, providers, health plans and health insurers.

• Requiring consent for routine disclosures. The final rule requires most providers to obtain patient consent for routine disclosure of health records, in addition to requiring special patient authorization for non-routine disclosures. The earlier version had proposed allowing these routine disclosures without advance consent for purposes of treatment, payment and health care operations (such as internal data gathering by a provider or health care plan). However, most individuals commenting on this provision, including many physicians, believed consent for these purposes should be obtained in advance, as is typically done today. The final rule retains the new requirement that patients must also be provided detailed written information on privacy rights and how their information will be used.

• Allowing disclosure of the full medical record to providers for purposes of treatment. For most disclosures, such as information submitted with bills, covered entities are required to send only the minimum information needed for the purpose of the disclosure. However, for purposes of treatment, providers need to be able to transmit fuller information. The final rule gives providers full discretion in determining what personal health information to include when sending patients' medical records to other providers for treatment purposes.

• Protecting against unauthorized use of medical records for employment purposes. Companies that sponsor health plans will not be able to access the personal health information held by the plan for employment-related purposes, without authorization from the patient.

COST OF IMPLEMENTATION
Recognizing the savings and cost potential of standardizing electronic claims processing and protecting privacy and security, the Congress provided in HIPAA 1996 that the overall financial impact of the HIPAA regulations reduce costs. As such, the financial assessment of the privacy regulation includes the ten-year $29.9 billion savings HHS projects for the recently released electronic claims regulation and the projected $17.6 billion in costs projected for the privacy regulation. This produces a net savings of approximately $12.3 billion for the health care delivery system while improving the efficiency of health care as well as privacy protection.

PRESERVING EXISTING, STRONG STATE CONFIDENTIALITY LAWS
Stronger state laws (like those covering mental health, HIV infection, and AIDS information) continue to apply. These confidentiality protections are cumulative; the final rule sets a national "floor" of privacy standards that protect all Americans, but in some states individuals enjoy additional protection. In circumstances where states have decided through law to require certain disclosures of health information for civic purposes, we do not preempt these mandates. The result is to give individuals the benefit of all laws providing confidentiality protection as well as to honor state priorities.

THE NEED FOR FURTHER CONGRESSIONAL ACTION
HIPAA limits the application of our rule to the covered entities. It does not provide authority for the rule to reach many persons and businesses that work for covered entities or otherwise receive health information from them. So the rule cannot put in place appropriate restrictions on how such recipients of protected health information may use and re-disclose such information. There is no statutory authority for a private right of action for individuals to enforce their privacy rights. We need Congressional action to fill these gaps in patient privacy protections.

IMPLEMENTATION OF THE FINAL REGULATION
The final regulation will come into full effect in two years. The regulation will be enforced by HHS' Office for Civil Rights, which will provide assistance to providers, plans and health clearinghouses in meeting the requirements of the regulation - including a toll free line to help answer questions: 1-866-OCR-PRIV (1-866-627-7748). The TTY number is 1-866-788-4989. A Web site on the new regulation will also be available at http://www.hhs.gov/ocr.