Dec. 20, 2000 (Washington) -- President Clinton on Wednesday issued sweeping final rules that establish broad privacy protections for individual health records.
The rules, announced by the president to a standing ovation by hundreds of employees at the Department of Health and Human Services (HHS), are this administration's final health initiatives. On Jan. 20, the White House will go to Republican control under George W. Bush.
The rules take full effect in two years and apply to practically all personal medical information, whether documented in electronic records or on paper and includes oral communications. Those who have to abide by the rules include doctors, nurses, hospitals, health plans, health insurers, and healthcare transaction contractors.
And the rules establish new criminal penalties, including a fine of up to $50,000 and a year in prison for intentionally disclosing information. Unlawful disclosures with the intent to sell data will carry a maximum fine of $250,000 and 10 years in prison.
Until now, no national standards protected individual health information. "This is a quantum leap forward for Americans' privacy rights in the Internet age," Sen. Pat Leahy (D-Vt.) said.
The rules will not override state laws that establish stronger protections; rather, they set a national "floor" of basic protections.
The new standards, however, go well beyond the protections proposed by the Clinton administration in 1999. Privacy advocates criticized those initial protections, saying they were insufficient. The earlier proposal, for example, only covered electronic records, which account for just a small minority of today's personal medical data.
The rules require doctors to obtain a patient's one-time advance written consent even for "routine" use and disclosure of their health data; the 1999 proposal had not required this authorization. The "routine" use of records includes accessing the information for treatment purposes, to discuss with another physician, for payment reasons, and for health plan operations. For other uses, the rules require patients to provide separate and specific patient authorization. And the rules set even higher protections for psychotherapy notes.
If medical records are used or disclosed, the rules require health plans and providers to inform patients how the information is being used, or to whom it is disclosed. Patients also can request a "disclosure history" from their health plan or doctor.
When health information is released, the rules direct health plans and providers to release only the "minimum amount necessary." And the rules give consumers the right to see their own records and request that errors in their records be corrected
Janlori Goldman, director of Georgetown University's Health Privacy Project, praised the administration's "remarkable, historic step toward restoring public trust and confidence in our nation's healthcare system. We believe that the administration heard consumers' voices loud and clear."
The new standards, however, do permit unauthorized disclosures for public health, emergency, and quality assurance reasons.
While the rules drew praise from privacy advocates, others said that they had concerns. The American Medical Association (AMA), a proponent of strict patient-doctor privacy requirements, offered a noncommittal reaction. "We will be examining the new rules to make sure there are no dangerous loopholes or unexpected problems," said trustee Donald Palmisano, MD.
And although the American Civil Liberties Union's Barry Steinhardt praised the rules as "a significant step forward," he said a flaw remained in terms of law enforcement having access to medical records. Law enforcers could access medical records if they had a subpoena or arrest warrant, but do not have to make a special request for such access.
The rules also protect against employment discrimination, setting out that employers cannot access an individual's medical information for employment or promotion, or any other purposes not related to healthcare.
But Clinton on Wednesday said that Congress needs to go further -- to give consumers a right to sue for breaches in their confidentiality.
Quick action in Congress may be unlikely, though, since the new regulations are a direct result of inaction by lawmakers. In 1996, Congress was charged with passing privacy protections for medical information. But lawmakers missed their August 1999 deadline, sending the task over to HHS.
According to the Clinton administration, the new privacy provisions will cost $17.6 billion over the next 10 years. Health plans would have to establish internal procedures to ensure privacy, including the designation of a "privacy officer."
Drug companies, insurers, and employers oppose the rules, saying they will impose new bureaucracy and slow down research that relies on patient information that is now shared without patient consent.
Heidi Wagner, a lobbyist for the biotech firm Genentech, tells WebMD, "The administration bent over backward to meet the privacy advocates' concerns and basically forgot that the health system needs to work. The system just can't function under this level of micromanagement and detail, and that will come to light."
Neil Trautwein, a lobbyist for the National Association of Manufacturers, tells WebMD that business may be able to convince the Bush administration to block the rules from becoming effective. "They're putting it out awfully late in Clinton's tenure, so it's more likely the Bush administration could reexamine it or delay it."
But Wagner says that most hospitals and managed care companies "basically have to operate now as though this is the law of the land and prepare for implementation in two years. They can't rely on the fact that any of this is going to be withdrawn."
"If the Bush administration is concerned about how broad and unworkable this is, they can't just come out and say, 'We're nullifying it,'" Wagner says. "All the reports have been, 'President Clinton steps up for the first time to provide privacy protections for individuals,' so I don't think that George Bush wants to be the one that takes those away."