New Federal Regulation Protects Patient Privacy

Part 3: Basic Principles of Regulation, Existing State Laws, Implementation

The final regulation keeps the original approach outlined by Secretary Shalala in September 1997 in her "Recommendations for Protecting the Confidentiality of Individually Identifiable Health Information," by reflecting the five basic principles she outlined at that time including:

1. Consumer Control: By providing consumers with key new rights to control the disclosure of their personal health information including:
   1. advance consent for most disclosures of health information
   2. the right of individuals to see a copy of their health records
   3. the right to request correction of inaccurate health records
   4. the right to obtain documentation of disclosures of their health information
   5. the right to an explanation of their privacy rights and how their information may be used or disclosed.
      
2. Boundaries: Although there are a few exceptions, in the majority of cases, a patient's health care information is to be used for health purposes only such as treatment and payment. This means that a hospital may use personal health information for the purpose of providing care, teaching, training, conducting research, and ensuring quality; however employers may not obtain personal health information for the purpose of hiring, firing, or determining promotions without the consent of the individual. Additionally, insurance companies may not use personal health information for the purpose of underwriting products such as life insurance. In all cases disclosure is to be limited to the minimum amount necessary for the intended purpose of the disclosure.
   
3. Accountability: HIPPA provides specific federal penalties if a patient's right to privacy is violated including:
   1. Non-criminal violations such as disclosures made in error provide civil monetary penalties of $100 per violation up to $25,000 per year per standard.
   2. Criminal penalties are provided for certain types of violations of statute that are done knowingly including:
      1. up to $50,000 and one year in prison for obtaining or disclosing protected health information
      2. up to $100,000 and up to five years in prison for obtaining or disclosing protected health information under "false pretenses"
      3. up to $250,000 and up to 10 years in prison for obtaining protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
         
4. Public Responsibility: The need to balance privacy protections with the public responsibility to support such national priorities including protecting public health, conducting medical research, improving quality of care, and fighting health care fraud and abuse are reflected in the new standards. Potential situations that fall under this standard include times when there is an outbreak of an infectious disease and public health agencies need to obtain information to protect the public. However, the new regulation provides standards for how such information is to be released to balance privacy and public health needs.
   
5. Security: Health care providers, and organizations who are entrusted with personal health information are responsible to protect it against deliberate or inadvertent misuse or disclosure. The final regulation requires covered organizations to establish clear procedures that protect patient privacy, and to designate an official who establishes and monitors the groups privacy practices and training.

Stronger Existing State Laws Prevail

Although many existing state laws provide protection of personal health information, the new regulation is designed to enhance existing protections. When federal and state laws conflict, the stronger privacy protection prevails. The standards apply to all patients whether they are privately insured, uninsured or participants in public programs such as Medicare or Medicaid. Most covered groups will have two years to come into compliance.

Cost of the New Regulation

Because Congress recognized the savings and potential cost of standardizing electronic claims, HIPAA 1996 provided that the overall financial impact of the HIPPA regulations reduce costs. the financial assessment of the privacy regulation produces a net savings of $12.3 billion for the health care delivery system over 10 years including: a $29.9 billion savings for HHS projects for the electronic claims regulation, and a projected $17.6 billion in costs for privacy regulation.

More Legislation Needed

While the new regulation significantly strengthens protections for privacy of patient health information, Secretary Shalala says that Congress still needs to act in areas not covered by existing federal law. The current final regulation does not directly regulate many entities including life insurers, and worker's compensation programs-- allowing use and reuse of personal health information by these groups. Federal legislation is also needed to strengthen penalties, and to create a private right of action so that patients can hold health plans and providers accountable for inappropriate and harmful disclosures of health information.

When Will the Final Regulation Be Implemented?

Full implementation of the final regulation will take two years. It will be enforced by the HHS' Office for Civil Rights, which will provide assistance to providers, plans and health clearinghouses in meeting the requirements of the regulation - including a toll free line to help answer questions: 1-866-OCR-PRIV (1-866-627-7748). The TTY number is 1-866-788-4989. A Web site on the new regulation will also be available from HHS.

Next page >Personal Health Information Protected > Page 1, 2, 3