- Final Federal Health Care Privacy Standard Adopted
- September 24, 2003 | Authors: Jeffrey J. Calabrese; Philip R. Fileri; Ross P. Lanzafame; Patrick Pullano; David W. Robinson; Thomas G. Smith; Carol E. Heckman
- Law Firms: Harter Secrest & Emery LLP - Rochester Office; Harter Secrest & Emery LLP - Buffalo Office
Privacy has been defined as "the right to be left alone." For those receiving medical care, it is the right to have their personal health records kept as confidential as possible. In this age of free-flowing information, strict confidentiality standards are crucial.
The United States Department of Health and Human Resources ("DHHS") has now recognized the importance of protecting the privacy and confidentiality of health records by developing comprehensive standards which address the release of, and access to, these personal records. These first-ever national "Standards" for protecting the privacy of personal health records were released for publication by DHHS on December 20, 2000. In doing so, the government has finally addressed the need for uniform privacy Standards which will apply across the country.
These privacy Standards apply to health plans, health care clearinghouses, health insurers, and those health care providers who transmit any health information (such as billing and funds transfers) in electronic form. The term "health care providers" includes hospitals, skilled nursing facilities, home health agencies, hospices, and other individual providers. It is important to note that health care providers who do not submit information in standard electronic form will still be covered by the Standards if other entities, such as a hospital or billing service, transmit electronic transactions on their behalf.
What the New Standards Do
The new privacy Standards generally:
- limit the use and release of private health care information without appropriate advance consent from patients;
- provide patients with the right to access their personal medical records;
- provide patients with the right to know what other parties have accessed their records;
- establish new standards regarding the access of records by researchers;
- limit the release of most private and personally identifiable health information to the minimum amount required for the specified purpose; and
- establish criminal and civil penalties (including prison time) for the improper use or release of private health information.
The newly developed Standards further strengthen patients' protection of, and control over, their own health records by covering records maintained in all forms: electronic records, paper records and oral communications. This is a substantial change from the proposed standards issued in November 1999, which applied only to electronic records and to paper records that had previously been in electronic form.
These Standards will now require that most health care providers obtain their patients' consent for the routine disclosure of health records, as well as for non-routine disclosures. The original regulations had proposed allowing routine disclosures (such as disclosures for purposes of treatment and payment) without a patient's advance notice and consent. The Standards also require that patients receive detailed written information on their privacy rights and how their personal health information will be utilized.
The proposed standards issued in 1999 provided that for most disclosures of personal health information, such as information accompanying bills, providers were required to send only the minimum amount of information necessary for the disclosure. This final rule differs from the earlier proposal, however, by recognizing that providers may need to submit more detailed information where the disclosure involves medical treatment. In this regard, the final Standards provide health care providers with full discretion in determining what personal health information should be included when forwarding a patient's medical records to another provider for purposes of medical treatment.
The Standards also protect against the unauthorized use of medical records for employment purposes: companies sponsoring health plans will be unable to access personal health information maintained by the health plan for employment purposes without prior patient authorization and consent.
The Standards are intended to be a minimum set of guidelines to be followed and are not intended to supersede any state laws that provide additional privacy protections, such as the New York State laws addressing the confidentiality of HIV and AIDS-related information. The Standards apply to all health care consumers, whether they have Medicare or Medicaid coverage, are privately insured, or lack insurance altogether. Most entities to which the Standards apply will have two years to come into compliance with the applicable requirements.