New Law Protects Privacy of Medical Records
On Dec. 20, 2000, President Clinton announced regulations creating the first-ever federal privacy protections for the personal health information of all Americans. The rules apply to virtually all health insurers and most health care providers and clearinghouses.
The regulations will be fully implemented within two years and were issued under the authority of the bipartisan Health Insurance Portability and Accountability Act (HIPAA).
You know what the problems are -- regulated only by various state laws, if at all, medical records are shared without the patients' consent for uses totally unrelated to health care. Insurers pass records to mortgage lenders, credit agencies and employers. Health plan providers often give, or sell, medical records for insurance underwriting, market research and other purposes without any concern for the patients' privacy. In fact, the only person often denied access to a patient's medical records -- is the patient.
Let's see in non-legalese what the new federal regulations do to solve those problems and protect our personal privacy. Under the new rules:
Health plans and providers must tell consumers how their information is being used, and to whom it is and has been disclosed. Patients have the right to a "disclosure history," listing all parties that were given their information for purposes unrelated to their medical treatment within 60 days.
Doctors and hospitals must get patients' written consent to use their health information -- even for routine purposes, such as treatment and insurance payment. Non-routine uses of records require separate, specific authorization by the patient.
Patients have the right to see and copy their own records, as well as the right to request correction of potentially harmful errors in their health files. This may be the single most important provision of the new regulations. Without it, incorrect or inappropriate medical information could be used to deny health insurance, leaving the patient with no course of appeal.
The quantity of information used and disclosed is limited to the "minimum necessary." For example, if an employer requests specific information necessary to process a worker's compensation claim, the health care provider may release only the specific information, not the worker's entire medical history.
Responsibility for privacy is placed on the people who have the records. All entities holding patient records must establish formal internal procedures to ensure that health records remain private. These procedures should include employee training, designation of a "privacy officer" to assist patients with complaints, and ensuring that appropriate safeguards are in place for the protection of health information.
For intentional disclosure of records without consent of the patient -- up to $50,000 and one year in prison. For disclosure with intent to sell the data -- up to $250,000 and 10 years in prison. Also, civil penalties of $100 per person for unintentional disclosures and other violations (up to $25,000 per person per year). The rules in no way limit a person's individual right to sue and be compensated for damages related to improper use of medical records.

