HHS ISSUES FIRST MAJOR PROTECTIONS FOR PATIENT PRIVACY
Consumers Gain New Controls
Over Records Beginning April 2003
Date: August 9, 2002
For Release: Immediately
Contact: HHS Press Office
(202) 690-6343
HHS Secretary Tommy G. Thompson today issued the first-ever comprehensive
federal regulation that gives patients sweeping protections over the privacy of
their medical records. The final regulation, which takes effect April 14, 2003,
will ensure strong privacy protections without interfering with Americans'
access to quality health care.
The federal privacy regulation empowers patients by guaranteeing them access
to their medical records, giving them more control over how their protected
health information is used and disclosed, and providing a clear avenue of
recourse if their medical privacy is compromised. The rule will protect medical
records and other personal health information maintained by certain health care
providers, hospitals, health plans, health insurers and health care
clearinghouses.
"Patients now will have a strong foundation of federal protections for
the personal medical information that they share with their doctors, hospitals
and others who provide their care and help pay for it," Secretary Thompson
said. "The rule protects the confidentiality of Americans' medical records
without creating new barriers to receiving quality health care. It strikes a
common sense balance by providing consumers with personal privacy protections
and access to high quality care."
Under the privacy rule:
- Patients must give specific authorization before entities covered by this
regulation could use or disclose protected information in most non-routine
circumstances - such as releasing information to an employer or for use in
marketing activities. Doctors, health plans and other covered entities would
be required to follow the rule's standards for the use and disclosure of
personal health information.
- Covered entities generally will need to provide patients with written
notice of their privacy practices and patients' privacy rights. The notice
will contain information that could be useful to patients choosing a health
plan, doctor or other provider. Patients would generally be asked to sign or
otherwise acknowledge receipt of the privacy notice from direct treatment
providers.
- Pharmacies, health plans and other covered entities must first obtain an
individual's specific authorization before sending them marketing materials.
At the same time, the rule permits doctors and other covered entities to
communicate freely with patients about treatment options and other
health-related information, including disease-management programs.
- Specifically, improvements to the final rule strengthen the marketing
language to make clear that covered entities cannot use business associate
agreements to circumvent the rule's marketing prohibition. The improvement
explicitly prohibits pharmacies or other covered entities from selling
personal medical information to a business that wants to market its products
or services under a business associate agreement.
- Patients generally will be able to access their personal medical records
and request changes to correct any errors. In addition, patients generally
could request an accounting of non-routine uses and disclosures of their
health information.
HHS issued privacy regulations in December 2000 but had to make changes to
address the serious unintended consequences of the rule that would have
interfered with patients' access to quality care. For example, patients would
have been required to visit a pharmacy in person to sign paperwork before a
pharmacist could review protected health information in order to fill their
prescriptions. Similar barriers would have arisen when a patient is referred to
a specialist and in other situations.
"We took great care to make sure we weren't creating greater hardships
or more health care bureaucracy for patients as they seek to get prompt and
effective care," Secretary Thompson said. "The prior regulation, while
well-intentioned, would have forced sick or injured patients to run all around
town getting signatures before they could get care or medicine. This regulation
gives patients the power to protect their privacy and still get efficient health
care."
HHS received more than 11,000 public comments on the proposed modifications
issued in March 2002 and today is adopting final changes. The final version,
which will be published in the Aug. 14th Federal Register, includes some key
revisions to address public concerns. The rule will be available online today at
http://www.hhs.gov/ocr/hipaa/.
HHS' privacy regulation is designed to enhance the protections afforded by
many existing state laws. Stronger state laws and other federal laws continue to
apply, so the federal regulation provides a national base of privacy
protections. The standards for covered entities apply whether their patients are
privately insured, uninsured or covered under public programs such as Medicare
or Medicaid.
Most covered entities have until April 14, 2003, to comply with the patient
privacy rule; under the law, certain small health plans have until April 14,
2004 to comply.
To help people prepare for and meet the rule's requirements, HHS' Office for
Civil Rights (OCR) will continue to conduct outreach and education targeted to
health plans, health care providers, consumers and others affected by the
privacy regulation.
These efforts include developing appropriate technical assistance materials,
which may include fact sheets, handbooks and other materials, as well as
responding to frequently asked questions. HHS also will hold national
educational conferences in the fall to address issues related to key parts of
the privacy regulation. Technical assistance materials will be posted on OCR's
privacy rule website at http://www.hhs.gov/ocr/hipaa/.
"We are working to do our part to educate the health care industry and
the public about these rights and protections in advance of the April 2003
compliance date required under the law," OCR director Richard M. Campanelli
said. "We believe the improvements in this final rule will be helpful to
both health care providers and the public. Our goal is to ensure patients enjoy
their full federal privacy rights and protections by helping covered entities
follow the rule."
In 1996, Congress recognized the need for national patient privacy standards
and, as part of the Health Insurance Portability and Accountability Act of 1996
(HIPAA), set a three-year deadline for it to enact such protections. HIPAA also
required that, if Congress did not meet this deadline, HHS was to adopt health
information privacy protections via regulation based upon certain specific
parameters included in HIPAA. Congress did not enact health privacy legislation.
HHS proposed federal privacy standards in 1999 and, after reviewing and
considering more than 52,000 public comments on them, published final standards
in December 2000. In March 2001, Secretary Thompson requested additional public
input and received more than 11,000 comments, which helped to shape the
improvements proposed in March 2002. Today's final improvements reflect public
comments received on that proposal.
The privacy rule is part of a set of standards required under HIPAA's
"administrative simplification" provisions. More information about
these standards is available at
http://www.hhs.gov/news/press/2002pres/hipaa.html.
HHS FACT SHEET: MODIFICATIONS TO THE STANDARDS FOR PRIVACY OF INDIVIDUALLY
IDENTIFIABLE HEALTH INFORMATION -- FINAL RULE
August 9, 2002
Contact: HHS Press Office
(202) 690-6343
Overview: The Department of Health and Human Services on August 14th
will publish final modifications to the Privacy Rule to ensure that the Rule
provides strong privacy protection without hindering access to quality health
care. President Bush and Secretary Thompson are committed to maintaining
protections for the privacy of individually identifiable health information.
Based on the comments received on the notice of proposed rulemaking, the
Department modified a number of provisions of the Privacy Rule.
The Standards for Privacy of Individually Identifiable Health Information
(the Privacy Rule) took effect on April 14, 2001. The Privacy Rule creates
national standards to protect individuals' personal health information and gives
patients increased access to their medical records. As required by the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), the Privacy Rule
covers health plans, health care clearinghouses, and those health care providers
who conduct certain financial and administrative transactions electronically.
Most covered entities must comply with the Privacy Rule by April 14, 2003. Small
health plans have until April 14, 2004 to comply with the Rule.
Final Modifications:
Marketing -- The final Rule requires a covered entity to obtain an
individual's prior written authorization to use his or her protected health
information for marketing purposes except for a face-to-face encounter or a
communication involving a promotional gift of nominal value. The Department
defines marketing to distinguish between the types of communications that are
and are not marketing, and makes clear that a covered entity is prohibited from
selling lists of patients and enrollees to third parties or from disclosing
protected health information to a third party for the marketing activities of
the third party, without the individual's authorization. The Rule clarifies that
doctors and other covered entities communicating with patients about treatment
options or the covered entity's own health-related products and services are not
considered marketing. For example, health care plans can inform patients of
additional health plan coverage and value-added items and services, such as
discounts for prescription drugs or eyeglasses.
Consent and Notice -- The Department makes changes to protect privacy
while eliminating barriers to treatment by strengthening the notice requirement
and making consent for routine health care delivery purposes (known as
treatment, payment, and health care operations) optional. The Rule requires
covered entities to provide patients with notice of the patient's privacy rights
and the privacy practices of the covered entity. The strengthened notice
requires direct treatment providers to make a good faith effort to obtain
the patient's written acknowledgement of the notice of privacy rights and practices.
The final Rule promotes access to care by removing mandatory consent
requirements that would inhibit patient access to health care while providing
covered entities with the option of developing a consent process that works for
that entity. The Rule also allows consent requirements already in place to
continue.
Uses and Disclosures Regarding Food and Drug Administration
(FDA)-Regulated Products and Activities -- The final Rule permits covered
entities to disclose protected health information, without authorization, to a
person subject to the jurisdiction of the FDA for public health purposes related
to the quality, safety or effectiveness of FDA-regulated products or activities
such as collecting or reporting adverse events, dangerous products, and defects
or problems with FDA-regulated products. This assures that information will
continue to be available to protect public health and safety, as it is today.
Incidental Use and Disclosure -- The final Rule acknowledges that uses
or disclosures that are incidental to an otherwise permitted use or disclosure
may occur. Such incidental uses or disclosures are not considered a violation of
the Rule provided that the covered entity has met the reasonable safeguards and
minimum necessary requirements. For example, if these requirements are met,
doctors' offices may use waiting room sign-in sheets, hospitals may keep patient
charts at bedside, doctors can talk to patients in semi-private rooms, and
doctors can confer at nurses' stations without fear of violating the rule if
overheard by a passerby.
Authorization -- The final Rule clarifies the authorization
requirements to the Privacy Rule to, among other things, eliminate separate
authorization requirements for covered entities. Patients will have to grant
permission in advance for each type of non-routine use or disclosure, but
providers will not have to use different types of forms. These modifications
also consolidate and streamline core elements and notification requirements.
Minimum Necessary -- The final Rule exempts from the minimum necessary
standards any uses or disclosures for which the covered entity has received an
authorization. The Rule previously exempted only certain types of authorizations
from the minimum necessary requirement, but since the rule will only have one
type of authorization, the exemption is now applied to all authorizations.
Minimum necessary requirements are still in effect to ensure an individual's
privacy for most other uses and disclosures.
The Department clarifies in the preamble that the minimum necessary standard
is not intended to impede disclosures necessary for workers' compensation
programs. The Department will actively monitor to ensure that workers'
compensation programs are not unduly affected by the Rule.
Parents and Minors -- The final Rule clarifies that state law, or
other applicable law, governs in the area of parents and minors. Generally, the
Privacy Rule provides parents with new rights to control the health information
about their minor children, with limited exceptions that are based on state or
other applicable law and professional practice. For example, where a state has
explicitly addressed disclosure of a minor's health information to a parent, or
access to a child's medical record by a parent, the final Rule clarifies that
state law governs. In addition, the final Rule clarifies that, in the special
cases in which the minor controls his or her own health information under such
law and that law does not define the parents' ability to access the child's
health information, a licensed health care provider continues to be able to
exercise discretion to grant or deny such access as long as that decision is
consistent with the state or other applicable law.
Business Associates -- The final Rule gives covered entities (except
small health plans) up to an additional year to change existing written
contracts to come into compliance with the business associate requirements. The
additional time will ease the burden of covered entities renegotiating contracts
all at once. The Department has also provided sample business associate contract
provisions.
Research -- The final Rule facilitates researchers' use of a single
combined form to obtain informed consent for the research and authorization to
use or disclose protected health information for such research. The final Rule
also clarifies the requirements relating to a researcher obtaining an IRB or
Privacy Board waiver of authorization by streamlining the privacy waiver
criteria to more closely follow the requirement of the "Common Rule,"
which governs federally funded research. The transition provisions have been
expanded to prevent needless interruption of ongoing research.
Limited Data Set -- The final Rule permits the creation and
dissemination of a limited data set (that does not include directly identifiable
information) for research, public health, and health care operations. In
addition, to further protect privacy, the final Rule conditions disclosure of
the limited data set on a covered entity and the recipient entering into a data
use agreement, in which the recipient would agree to limit the use of the data
set for the purposes for which it was given, and to ensure the security of the
data, as well as not to identify the information or use it to contact any
individual.
Other provisions:
- Hybrid Entities -- The final Rule permits any entity that performs
covered and non-covered functions to elect to use the hybrid entity
provisions and provides the entity additional discretion in designating its
health care components.
- Health Care Operations: Changes in Legal Ownership -- The final
Rule clarifies the definition of "health care operations" to allow
a covered entity who sells or transfers assets to, or consolidates or merges
with, an entity who is, or will be, a covered entity upon completion of the
transaction, to use and disclose protected health information in connection
with such transaction, which includes due diligence and transferring records
containing protected health information as part of the transaction.
- Group Health Plan Disclosures of Enrollment and Disenrollment
Information -- The final Rule allows a group health plan, a health
insurance issuer, or HMO acting for a group health plan to disclose to a
plan sponsor, such as an employer, information on whether the individual is
enrolled in or has disenrolled from a plan offered by the sponsor without
amending the plan documents.
- Accounting of Disclosures -- The final Rule exempts disclosures
made pursuant to an authorization from the accounting requirements. The
authorization process itself adequately protects individual privacy by
assuring that the individual's permission is given both knowingly and
voluntarily. The final Rule also exempts from the accounting requirements
incidental disclosures, and disclosures that are part of a limited data set.
The Rule provides a simplified alternative approach for accounting for
multiple research disclosures that includes providing a description of the
research for which an individual's protected health information may have
been disclosed and contact information.
- Disclosure for Treatment, Payment, or Health Care Operations of Another
Entity -- The final Rule clarifies that covered entities can disclose
protected health information for the treatment and payment activities of
another covered entity or a health care provider, and for certain health
care operations of another entity.
- Protected Health Information: Exclusion for Employment Records --
The final Rule clarifies that employment records maintained by a covered
entity in its capacity as an employer are excluded from the definition of
protected health information. The modifications do not change the fact that
individually identifiable health information created, received, or
maintained by a covered entity in its health care capacity is protected
health information.
The final Rule also includes technical corrections and additional
clarifications related to various sections of the existing rule. The final Rule
is designed to ensure that protections for patient privacy are implemented in a
manner that maximizes privacy while not compromising either the availability or
the quality of medical care.
On July 6, 2001, the Department issued its first guidance to answer common
questions and clarify certain of the Privacy Rule's provisions. The Department
is committed to assisting covered entities in coming into compliance with the Rule.
Therefore, the Department will update the guidance to reflect the modifications
adopted in this final Rule. The revised guidance will be available on the HHS
Office for Civil Rights Privacy Web site at http://www.hhs.gov/ocr/hipaa/.