Dec. 19, 2000 – President Clinton is issuing sweeping new rules to protect the privacy of medical records by requiring doctors and hospitals to get consent from patients before disclosing health information, the White House said today.

The new rules, completing four years of work, will affect virtually every doctor, patient, hospital, pharmacy and health insurance plan in the country, setting the first comprehensive federal standards for transactions now regulated by a jumble of state laws.

Congress directed the administration to adopt privacy standards under a 1996 law passed with bipartisan support. Federal officials said the need for such rules had grown with advances in technology that have permitted people to pilfer and disseminate health care data with a few clicks of a computer mouse.

Chris Jennings, the health policy coordinator at the White House, said Mr. Clinton would unveil the rules on Wednesday at the Department of Health and Human Services.

President-elect George W. Bush has not expressed any reservations about the standards. His campaign platform promised new rules to protect the privacy of medical information, but gave no details.

Gail R. Wilensky, an adviser to Mr. Bush on health policy, said today: “Republicans are every bit as concerned as Democrats about protecting the privacy of medical records. But the new administration will probably want to review the details of these standards – the benefits, costs and burdens – as with any rules issued late in President Clinton’s term.”

Janlori Goldman, director of the Health Privacy Project at Georgetown University, hailed the rules as “a major victory for consumers.” She said “the administration went to great lengths to respond to consumers’ concerns about the proposed rules,” which were issued in November 1999 and generated more than 50,000 public comments.

Insurance companies and employers, while declaring their support for privacy in principle, complained that the rules were burdensome and bureaucratic and would increase costs.

Charles N. Kahn III, president of the Health Insurance Association of America, said: “Insurers and health plans feel strongly that consumers’ records should be protected. However, these rules give us no uniformity and impose onerous, costly requirements.”

Under the rules, doctors and hospitals will need to obtain written consent from patients before disclosing their medical information even for routine purposes like treatment or the payment of claims.

The patient could sign one form, in the first visit to a doctor, authorizing future disclosures for such purposes. Other disclosures for other purposes – to an employer, for example, for use in personnel decisions – could be made only if the patient gave a separate, specific authorization.

Consumers will, for the first time, have a federal right to inspect and copy information in their medical records. Under the rules, they will also have a right to request correction of information that they consider inaccurate or incomplete. If the request is denied, the patient may file a complaint with the health care provider or the federal government.

Dr. Wilensky said “it strikes me as appropriate” for patients to be able to see and copy their records. She said she had not studied the rules’ consent requirements.

As originally proposed last year, the rules would have covered electronic records and printouts of such records. The final rules go much further. They cover not only electronic records, but also paper records, regardless of whether they ever existed in electronic form. The rules will also cover oral communications by health care providers and health plans.

Thus, for example, the rules will apply to statements made over the telephone by someone who works in a doctor’s office, regardless of whether the information is recorded in a patient’s file.

The new rules are to take effect in two years. They do not authorize patients to sue for damages. But James C. Pyles, a lawyer for the American Psychoanalytic Association, said, “The rules will immediately establish a standard of care.” Health care providers who do not meet that standard may open themselves to lawsuits under state law for breach of privacy, he said.

The White House estimated that it would cost $17.6 billion over 10 years for the health care industry and employers to comply. But it said these costs would be offset by $30 billion in savings that could be achieved by eliminating paperwork and filing claims electronically.

The new rules will not supersede more stringent state laws. Many states have strict laws limiting disclosure of information about specific conditions like AIDS, cancer and mental illness. But only a few states, like California, Hawaii and Maine, have comprehensive health privacy laws.

The federal rules limit access to medical records by law enforcement officers, but do not provide as much protection for privacy as the American Civil Liberties Union wanted.

Under the rules, doctors, hospitals and insurers could disclose medical records to a law enforcement official only if the official had a warrant, a subpoena or some other written legal order, like a civil investigative demand or an administrative subpoena issued by government investigators.

Ronald Weich, a lawyer for the A.C.L.U., said: “In general, the new rules are a step forward, but they have a loophole. They allow the police to gain access to medical records without having a judge review the justification, the need.”

Under the rules, the disclosure of medical information would be limited to the “minimum necessary” for any purpose like paying bills. Some health care providers and health plans now release a patient’s entire record when only specific bits are needed.

Doctors will have discretion in deciding how much information to disclose to another health care provider treating the same patient. The premise here is that doctors need most or all of a patient’s record to provide appropriate care.

A person who violates the rules will be subject to a civil penalty of $25,000. Criminal violations can be punished by a $50,000 fine and one year in prison. A person who violates the rules for commercial advantage or personal gain can be fined $250,000 and imprisoned for 10 years.

Here are highlights of other provisions, as described in White House documents and by administration officials interviewed today:

  • Doctors, hospitals and insurers must give patients a clear written notice of their rights, explaining how medical information will be stored, used and disclosed. Each patient will have a right to obtain a “disclosure history,” listing entities that received information unrelated to treatment or payment.
  • Health care providers and health plans must have internal procedures to protect the privacy of medical information. They must designate a “privacy officer” to help patients with questions and complaints, and they must train their employees to guard the privacy of medical data.
  • Doctors, hospitals and health plans will have to ensure compliance with the new standards by the people with whom they do business, including lawyers, accountants, billing companies and other contractors. If a doctor knows of a violation and takes no steps to correct it, the doctor can be held responsible for violating the rules.
  • Personal medical information may not be disclosed for purposes unrelated to health care unless the patient explicitly gives permission. Such permission would be needed, for example, if a doctor shares information with an employer making personnel decisions or with a bank evaluating a mortgage application.

Under the rules, hospitals will ordinarily be able to share information with a patient’s close relatives and will be able to disclose limited information, like the patient’s condition, to anyone who inquires. But hospitals will have to honor a patient’s request not to divulge such information.
