Clinton Will Issue Sweeping Rules for Patients’ Privacy

After years of fruitless congressional efforts, the Clinton administration today will issue the first comprehensive regulations protecting the privacy of patients’ medical records.

The rules prohibit doctors, hospitals, HMOs and other health providers from sharing patients’ medical records--except for treatment and payment.

The new measure--considerably broader than earlier versions--covers all records, not just those stored electronically. It also strengthens the provisions that limit employer access to medical data.

“The new rules will apply to all health insurers and virtually every health care provider . . . and it will give patients more control over and access to their medical records,” said Chris Jennings, chief health care advisor to President Clinton.

The president, however, will emphasize when he unveils the regulations that more needs to be done to guarantee the privacy of patients’ records. He will argue for additional legislation requiring that life insurers and worker compensation programs also safeguard patients’ records--and that consumers should have a right to sue providers who violate the medical confidentiality rules.

The privacy regulations were required by the 1996 Health Insurance Portability and Accountability Act--which said that if Congress had failed to produce legislation to protect medical records by August 1999, the secretary of Health and Human Services should issue such regulations. Congress considered legislation for several years but could not reach agreement on several key provisions--including a consumer’s right to sue health care plans and providers if they breached the privacy rules, and how to handle teenagers’ reproductive health information.

The rules would prohibit a number of practices that consumers often are unaware of--but which violate the privacy of their health care records. For instance, the regulations would end the practice by some pharmacies of sharing specific information about the drugs prescribed to the patient. That practice, while rare, allows pharmaceutical companies with competing drugs to promote their products directly to a specific patient.

The rules also would also make it illegal to disclose more medical information than a patient had authorized. In one such case, a California woman who was suffering from a work-related injury to her wrist told her insurance company to release information about her ailment to her employer. The insurer, however, sent her entire medical record--including information on her recent fertility treatment and pregnancy loss. While such breaches often are inadvertent, they can harm a patient’s reputation and standing in the workplace.

Privacy advocates praised the rules as a major step toward giving consumers more security and allowing medical information to remain private unless patients authorize its release.

“This is a landmark privacy law that creates a federal right of privacy to people’s medical records, and it is the most sweeping privacy law we’ve seen,” said Janlori Goldman, director of the health privacy project at the Institute for Health Care Research and Policy at Georgetown University.

Hospitals, HMOs See Potential Problems

Doctors, many of whom worked hard to ensure that broad protections were in place for patients, were similarly enthusiastic.

However, hospitals, insurers and HMOs said there are potential problems with the new rules. Although they had not yet seen the final regulations, they worried that it would cost them billions of dollars to adjust their practices to ensure compliance.

Particularly troublesome, they said, is a provision requiring that only the minimum patient information be transferred from files for the purposes of payment or other health care operations. A second concern is that health care plans and providers must require that any entities they contract with that view patient information be bound by the same rules.

“Raising the concern and the awareness of the need for privacy is very useful,” said Melinda Hatton, Washington counsel for the American Hospital Assn. “But what’s been frustrating is that [the administration has] not appreciated the profound cost impacts of this rule.” One industry consultant, she said, estimated that for hospitals alone, the cost to come into compliance could be as much as $22 billion.

However, the Clinton administration estimates that the overall cost of putting the new rules into effect will be nearly $18 billion over 10 years.

The measure attracted an enormous amount of attention from consumer groups, disability advocates, employers and provider groups. In the year since the first draft was printed in October 1999, more than 50,000 comments have been sent to the Department of Health and Human Services. While there is a patchwork of state privacy rules that govern HIV and other sexually transmitted diseases--and in a few cases mental illness--there are no federal rules. And the state laws have many gaps.

Under the regulations, patients for the first time will get the right to copy and amend their health care records. Health plans, doctors and hospitals must inform patients about how their information is being used and to whom it is being disclosed. Consumer groups pushed hard for the latter provision.

The rules allow health care providers, HMOs and hospitals to use patient information only for treatment, payment or a limited list of health care operations. They can only disclose the minimum information necessary. Currently, providers often send an entire medical record to an insurer rather than limiting it to the specific information requested.

Every consumer will have the right to a disclosure history listing who received information unrelated to treatment or payment.

Delayed Response to Consumer Concerns

The measure attempts to deal with the problem of employers obtaining private information both by prohibiting the release of such details except for treatment and through another provision requiring that self-insured employers erect a firewall between their own health care operations and other company divisions.

Employer groups said their concern about the self-insured employers prohibition was that, in many companies, the person in charge of human resources often has duties in other divisions.

The new regulations represent a long-delayed response to consumer concerns about the security of records that, with modern computer technology, can be circulated outside a medical office with a few keystrokes.

The administration estimates it will take two years for health plans and providers to come into compliance with the regulations.