Clinton to Seek Rules on Medical Record Privacy

President Clinton today will propose far-reaching regulations that place strict limits on the dissemination and use of consumers’ medical records.

The proposed regulations would be the first federal standards designed to protect individuals’ health information. The rules would cover electronic records held by doctors, hospitals, pharmacies and managed care organizations, among others, and would require a patient’s consent before information could be released, and then only for purposes related to treatment and payment.

“I will use the full authority of this office to create the first comprehensive national standards for protection of medical records,” Clinton said in a text prepared for delivery today. “The new rule . . . represents an unprecedented step toward putting Americans back in control of their own medical records.”

The need for such rules stems from the technological revolution in the health care system, which has resulted in the sharing by doctors, pharmacies and hospitals of an ever-increasing amount of electronic information. The sharing has been done in part to meet demands of insurers and managed care organizations for more information before they will pay claims.

Consumers rarely know when their medical records have been shared. In surveys, 20% of consumers reported that their medical records were disclosed inappropriately, and half of those said their cases resulted in harm or embarrassment, according to administration officials. Health care privacy laws in the states are a patchwork, with some states, including California, having strong protections, especially for information related to sexually transmitted diseases and psychiatric care. But few states have broad rules to protect all health information and not all states enforce their laws.

Under the proposed regulations, insurers, billing companies and health care providers would be permitted to share medical records only for treatment, payment or health care operations such as quality assurance. That means records could not be sold or shared with consultants or others except for those purposes.

Currently, for instance, when a consumer uses a credit card to pay a medical bill, the company issuing the card can give the information legally to a bank considering whether to grant the consumer a loan. Similarly, individual health information can be released to firms marketing drugs or medical devices and for a host of other purposes unrelated to the individual’s medical treatment or payment.

Under the new rules, consumers would have to be notified by their health providers about how medical information would be used and to whom it would be released. If the provider or insurer wanted to release information for purposes other than treatment or payment, they would have to obtain consumers’ permission. Consumers would have the right to request histories of information disclosed.

And for the first time, consumers would have an explicit right to examine their medical files, copy them and request additions or corrections.

A 1996 law required the administration to issue the new rules, since Congress had failed to pass legislation on the subject.

The final regulations will be published in February and health care providers and managed care organizations would have two years to comply.

Under the 1996 law, the new rules cannot cover records kept on paper. While the number of computer records grows daily, most records are still on paper. The balance is expected to change within a couple of years.

The administration appears to have made the rules as broad as possible. They would apply to “any information that is maintained or transmitted electronically, even if subsequently it is stored on paper,” said an administration official.

The 1996 law made no mention of the many intermediaries used by providers and insurers, such as lawyers and consultants. To reach those players, the administration has proposed requiring that providers and insurers have contractual agreements with their partners to limit disclosure to treatment, payment or operations--the same ground rules that must be followed by the providers themselves.

For providers, insurers and claims managers, the regulations set out an array of stringent new rules for handling consumers’ health care data, which providers predict will add billions of dollars to the cost of health care. A recent study by the Blue Cross and Blue Shield Assn. found that similar confidentiality requirements would add $43 billion to health care bills over the next five years.

“We don’t think anybody looked at potential expenses or interference with physician communication,” said Bill Pierce, a spokesman for the Blue Cross and Blue Shield Assn., adding that the group strongly supports the confidentiality of records.

A core tenet of the proposed regulations is that providers and insurers may release only the minimum amount of information necessary for claims payment and treatment. Currently, for instance, an employer requesting information from a provider because of a work-related injury might be sent the worker’s entire medical record, an administration official said. That would no longer be possible under the proposal.

A 1996 survey by researchers at the University of Illinois found that 35% of Fortune 500 companies used individual medical information to make job-related decisions.

To ensure that the strict limits are followed, health plans and providers would have to put in place internal controls, including training employees about medical confidentiality and designating an employee to act as privacy point person, charged with monitoring and setting up privacy and confidentiality protocols.

“The privacy of Americans is protected in their bank transactions, their credit card statements and even their video rentals,” according to remarks prepared for delivery today by Donna Shalala, secretary of Health and Human Services, the lead agency overseeing the regulations.

“These proposed standards are an important step forward in protecting the privacy of some of our most personal information,” the statement said.