Date: Thursday, September 11, 1997
FACT SHEET
Contact: HHS Press Office (202) 690-6343
ENSURING CONFIDENTIALITY OF HEALTH INFORMATION
Overview: In the past, our health care privacy was protected by our family doctors, who kept our records sealed away in large file cabinets. Today, rapid changes in the ways that health care is provided, documented, and paid for in the United States have raised new issues about the privacy and confidentiality of health information. Health information increasingly travels electronically across state lines and between health care providers, insurers, and third parties. However, the use and disclosure of health information is protected by only limited federal law and a patchwork of state laws, creating gaps in the protection of health information and the potential for breaches of confidentiality. Comprehensive federal legislation is necessary to protect the privacy of patients and outline the responsibilities of those who provide them health care.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the Secretary of Health and Human Services to submit recommendations to Congress for protecting the confidentiality of health information. HIPAA also directs HHS to propose security standards by October 1997 that all health plans, clearinghouses, and providers will be required to use when transmitting and storing health care information.
On September 11, 1997, HHS Secretary Donna E. Shalala submitted to Congress recommendations for Federal health record confidentiality legislation that would guarantee rights for patients and define responsibilities for record keepers, so that there will be clear guidance and real incentives for confidential, fair, and respectful treatment of personal health information, and penalties for its misuse. Using these recommendations as a guide, HHS will work closely with Congress to craft legislation to provide these important protections.
HHS RECOMMENDATIONS
The recommendations submitted to Congress by Secretary Shalala outline five key principles that must underlie national health privacy legislation:
BOUNDARIES. With few exceptions, an individual's health care information should be used for health purposes only. It should be easy to use health information for health purposes, and very difficult to use it for other purposes. Specifically, HHS recommends that:
- Patient information be used within an organization only for purposes reasonably related to the purposes for which the information was collected.
- Patient information not be disclosed except as authorized by the patient or as explicitly permitted by the legislation.
- All disclosures of information be limited to the minimum necessary for the purpose of the disclosure.
- Disclosures without patient authorization be allowed only in specified circumstances, under careful controls.
- The law should permit, but not require, disclosures. If there is no other law requiring that information be disclosed, physicians and hospitals will still have to make judgments about whether to disclose information, in light of their own policies and ethical principles.
SECURITY. Organizations that are entrusted with health information must protect it against deliberate or inadvertent misuse or disclosure. Security measures should be required to protect the information against improper use by employees, or threats from outside. HHS believes that the following entities should be covered by the recommended health information confidentiality legislation:
- Providers and Payers. Health care providers and payers create and collect health information, and should be primarily obliged to comply with the requirements.
- Service Organizations. Organizations hired by providers and payers to process information and complete other tasks should also be bound.
- Organizations Receiving Information. Providers and payers could give patient information to other specified types of organizations for important national priority purposes (like public health, research, and audit of health care payments) under careful conditions without patient authorization. The recipients should be restricted in how they use this information.
- Disclosure with Authorization. If a patient authorizes a provider or payer to disclose information to another organization not subject to the legislation, the patient should be able to enter into a legally enforceable agreement with that organization governing how the information will be used.
- Employers. Employers should be covered if they provide or pay for health care, in the same way as a hospital or insurance company would be covered.
CONSUMER CONTROL. Under the HHS recommendations, patients would have significant new rights to understand and control how their health information is used:
- Those who provide and pay for health care should be required to give patients a clear written explanation of how they will use, keep, and disclose information.
- Patients would be able to see and get copies of their records, and propose corrections.
- A history of most disclosures would have to be maintained, and be made accessible to patients.
- A patient's authorization to disclose information would have to meet specific requirements.
- A provider or payer could not condition treatment, payment, or coverage on a patient's agreement to disclose health information unless the information is needed for treatment, coverage, or payment purposes.
ACCOUNTABILITY. There should be punishment for those who misuse personal health information, including law enforcement authorities, and redress for people who are harmed by its misuse. HHS recommends the following penalties for misuse of health information:
- There would be Federal criminal penalties for knowingly and improperly disclosing information, or obtaining information under false pretenses. Penalties should be higher for actions designed to generate monetary gain.
- A person whose information was improperly disclosed should have a civil right of action against the offending party.
- Those receiving information with patient authorization would have to abide by the agreement on its use made with the patient, or face civil liability.
- Some existing uses of information would not be affected at all, such as reporting of birth and death and reporting of abuse such as child abuse.
PUBLIC RESPONSIBILITY. Privacy protections must be balanced with the public responsibility to support national priorities - like public health, research, quality care, and our fight against health care fraud and abuse. In all of these cases, controls and protections must be in place to ensure that health information is protected and the impact on any individual is minimized. Those who get information and misuse it will be subject to the penalties created by the law. Specific instances in which HHS recommends such use of health information include:
- For oversight of the health care system, including audit, investigation, quality assurance, and licensing of health professionals
- In emergencies affecting life or safety
- For public health
- For research
- To State health data systems, pursuant to State law
- To law enforcement authorities, in accordance with existing law
- In court proceedings in which the patient is a party
- In court proceedings, pursuant to court order
IMPACT ON EXISTING CONFIDENTIALITY LAWS
HHS recommends a new national standard for protecting the privacy of health care information. This new national standard would not limit or reduce other stronger legal protections for confidentiality of health information. Stronger state laws (like those covering mental health and HIV infection and AIDS information) would continue to apply. However, the Federal law should apply as well, so that if either the Federal or State law forbade a disclosure, the disclosure should not be made. The confidentiality protections would be cumulative, and the Federal legislation would provide "floor preemption." The aim is to give individuals the benefit of all laws providing confidentiality protection.
###