Date: August 9, 2002

For Release: Immediately

Contact: HHS Press Office

(202) 690-6343

Headline: HHS ISSUES FIRST MAJOR PROTECTIONS FOR PATIENT PRIVACY Consumers Gain New Controls Over Records Beginning April 2003

HHS Secretary Tommy G. Thompson today issued the first-ever comprehensive federal regulation that gives patients sweeping protections over the privacy of their medical records. The final regulation, which takes effect April 14, 2003, will ensure strong privacy protections without interfering with Americans' access to quality health care.

The federal privacy regulation empowers patients by guaranteeing them access to their medical records, giving them more control over how their protected health information is used and disclosed, and providing a clear avenue of recourse if their medical privacy is compromised. The rule will protect medical records and other personal health information maintained by certain health care providers, hospitals, health plans, health insurers and health care clearinghouses.

"Patients now will have a strong foundation of federal protections for the personal medical information that they share with their doctors, hospitals and others who provide their care and help pay for it," Secretary Thompson said. "The rule protects the confidentiality of Americans' medical records without creating new barriers to receiving quality health care. It strikes a common sense balance by providing consumers with personal privacy protections and access to high quality care."

Under the privacy rule:

· Patients must give specific authorization before entities covered by this regulation could use or disclose protected information in most non-routine circumstances - such as releasing information to an employer or for use in marketing activities. Doctors, health plans and other covered entities would be required to follow the rule's standards for the use and disclosure of personal health information.

· Covered entities generally will need to provide patients with written notice of their privacy practices and patients' privacy rights. The notice will contain information that could be useful to patients choosing a health plan, doctor or other provider. Patients would generally be asked to sign or otherwise acknowledge receipt of the privacy notice from direct treatment providers.

· Pharmacies, health plans and other covered entities must first obtain an individual's specific authorization before sending them marketing materials. At the same time, the rule permits doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease-management programs.

· Specifically, improvements to the final rule strengthen the marketing language to make clear that covered entities cannot use business associate agreements to circumvent the rule's marketing prohibition. The improvement explicitly prohibits pharmacies or other covered entities from selling personal medical information to a business that wants to market its products or services under a business associate agreement.

· Patients generally will be able to access their personal medical records and request changes to correct any errors. In addition, patients generally could request an accounting of non-routine uses and disclosures of their health information.

HHS issued privacy regulations in December 2000 but had to make changes to address the serious unintended consequences of the rule that would have interfered with patients' access to quality care. For example, patients would have been required to visit a pharmacy in person to sign paperwork before a pharmacist could review protected health information in order fill their prescriptions. Similar barriers would have arisen when a patient is referred to a specialist and in other situations.

"We took great care to make sure we weren't creating greater hardships or more health care bureaucracy for patients as they seek to get prompt and effective care," Secretary Thompson said. "The prior regulation, while well-intentioned, would have forced sick or injured patients to run all around town getting signatures before they could get care or medicine. This regulation gives patients the power to protect their privacy and still get efficient health care."

HHS' privacy regulation is designed to enhance the protections afforded by many existing state laws. Stronger state laws and other federal laws continue to apply, so the federal regulation provides a national base of privacy protections. The standards for covered entities apply whether its patients are privately insured, uninsured or covered under public programs such as Medicare or Medicaid.

Most covered entities have until April 14, 2003, to comply with the patient privacy rule; under the law, certain small health plans have until April 14, 2004 to comply.

To help people prepare for and meet the rule's requirements, HHS' Office for Civil Rights (OCR) will continue to conduct outreach and education targeted to health plans, health care providers, consumers and others affected by the privacy regulation.

"We are working to do our part to educate the health care industry and the public about these rights and protections in advance of the April 2003 compliance date required under the law," OCR director Richard M. Campanelli said. "We believe the improvements in this final rule will be helpful to both health care providers and the public. Our goal is to ensure patients enjoy their full federal privacy rights and protections by helping covered entities follow the rule."

In 1996, Congress recognized the need for national patient privacy standards and, as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), set a three-year deadline for it to enact such protections. HIPAA also required that, if Congress did not meet this deadline, HHS was to adopt health information privacy protections via regulation based upon certain specific parameters included in HIPAA. Congress did not enact health privacy legislation.

HHS FACT SHEET

August 9, 2002

Contact: HHS Press Office

(202) 690-6343

MODIFICATIONS TO THE STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION -- FINAL RULE

Overview: The Department of Health and Human Services on August 14th will publish final modifications to the Privacy Rule to ensure that the Rule provides strong privacy protection without hindering access to quality health care. President Bush and Secretary Thompson are committed to maintaining protections for the privacy of individually identifiable health information. Based on the comments received on the notice of proposed rulemaking, the Department modified a number of provisions of the Privacy Rule.

The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) took effect on April 14, 2001. The Privacy Rule creates national standards to protect individuals' personal health information and gives patients increased access to their medical records. As required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Privacy Rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. Most covered entities must comply with the Privacy Rule by April 14, 2003. Small health plans have until April 14, 2004 to comply with the Rule.

Final Modifications:

Marketing -- The final Rule requires a covered entity to obtain an individual's prior written authorization to use his or her protected health information for marketing purposes except for a face-to-face encounter or a communication involving a promotional gift of nominal value. The Department defines marketing to distinguish between the types of communications that are and are not marketing, and makes clear that a covered entity is prohibited from selling lists of patients and enrollees to third parties or from disclosing protected health information to a third party for the marketing activities of the third party, without the individual's authorization. The Rule clarifies that doctors and other covered entities communicating with patients about treatment options or the covered entity's own health-related products and services are not considered marketing. For example, health care plans can inform patients of additional health plan coverage and value-added items and services, such as discounts for prescription drugs or eyeglasses.

Consent and Notice -- The Department makes changes to protect privacy while eliminating barriers to treatment by strengthening the notice requirement and making consent for routine health care delivery purposes (known as treatment, payment, and health care operations) optional. The Rule requires covered entities to provide patients with notice of the patient's privacy rights and the privacy practices of the covered entity. The strengthened notice requires direct treatment providers to make a good faith effort to obtain patient's written acknowledgement of the notice of privacy rights and practices. The final Rule promotes access to care by removing mandatory consent requirements that would inhibit patient access to health care while providing covered entities with the option of developing a consent process that works for that entity. The Rule also allows consent requirements already in place to continue.

Uses and Disclosures Regarding Food and Drug Administration (FDA)-Regulated Products and Activities -- The final Rule permits covered entities to disclose protected health information, without authorization, to a person subject to the jurisdiction of the FDA for public health purposes related to the quality, safety or effectiveness of FDA-regulated products or activities such as collecting or reporting adverse events, dangerous products, and defects or problems with FDA-regulated products. This assures that information will continue to be available to protect public health and safety, as it is today.

Incidental Use and Disclosure -- The final Rule acknowledges that uses or disclosures that are incidental to an otherwise permitted use or disclosure may occur. Such incidental uses or disclosures are not considered a violation of the Rule provided that the covered entity has met the reasonable safeguards and minimum necessary requirements. For example, if these requirements are met, doctors' offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at nurse's stations without fear of violating the rule if overheard by a passerby.

Authorization -- The final Rule clarifies the authorization requirements to the Privacy Rule to, among other things, eliminate separate authorization requirements for covered entities. Patients will have to grant permission in advance for each type of non-routine use or disclosure, but providers will not have to use different types of forms. These modifications also consolidate and streamline core elements and notification requirements.

Minimum Necessary -- The final Rule exempts from the minimum necessary standards any uses or disclosures for which the covered entity has received an authorization. The Rule previously exempted only certain types of authorizations from the minimum necessary requirement, but since the rule will only have one type of authorization, the exemption is now applied to all authorizations. Minimum necessary requirements are still in effect to ensure an individual's privacy for most other uses and disclosures. The Department clarifies in the preamble that the minimum necessary standard is not intended to impede disclosures necessary for workers' compensation programs. The Department will actively monitor to ensure that worker's compensation programs are not unduly affected by the Rule.

Parents and Minors -- The final Rule clarifies that state law, or other applicable law, governs in the area of parents and minors. Generally, the Privacy Rule provides parents with new rights to control the health information about their minor children, with limited exceptions that are based on state or other applicable law and professional practice. For example, where a state has explicitly addressed disclosure of a minor's health information to a parent, or access to a child's medical record by a parent, the final Rule clarifies that state law governs. In addition, the final Rule clarifies that, in the special cases in which the minor controls his or her own health information under such law and that law does not define the parents' ability to access the child's health information a licensed health care provider continues to be able to exercise discretion to grant or deny such access as long as that decision is consistent with the state or other applicable law.

Business Associates -- The final Rule gives covered entities (except small health plans) up to an additional year to change existing written contracts to come into compliance with the business associate requirements. The additional time will ease the burden of covered entities renegotiating contracts all at once. The Department has also provided sample business associate contract provisions.

Research -- The final Rule facilitates researchers' use of a single combined form to obtain informed consent for the research and authorization to use or disclose protected health information for such research. The final Rule also clarifies the requirements relating to a researcher obtaining an IRB or Privacy Board waiver of authorization by streamlining the privacy waiver criteria to more closely follow the requirement of the "Common Rule," which governs federally funded research. The transition provisions have been expanded to prevent needless interruption of ongoing research.

Limited Data Set -- The final Rule permits the creation and dissemination of a limited data set (that does not include directly identifiable information) for research, public health, and health care operations. In addition, to further protect privacy, the final Rule conditions disclosure of the limited data set on a covered entity and the recipient entering into a data use agreement, in which the recipient would agree to limit the use of the data set for the purposes for which it was given, and to ensure the security of the data, as well as not to identify the information or use it to contact any individual.

Other provisions:

· Hybrid Entities -- The final Rule permits any entity that performs covered and non-covered functions to elect to use the hybrid entity provisions and provides the entity additional discretion in designating its health care components.

· Health Care Operations: Changes in Legal Ownership -- The final Rule clarifies the definition of "health care operations" to allow a covered entity who sells or transfers assets to, or consolidates or merges with, an entity who is, or will be, a covered entity upon completion of the transaction, to use and disclose protected health information in connection with such transaction, which include due diligence and transferring records containing protected health information as part of the transaction.

· Group Health Plan Disclosures of Enrollment and Disenrollment Information -- The final Rule allows a group health plan, a health insurance issuer, or HMO acting for a group health plan to disclose to a plan sponsor, such as an employer, information on whether the individual is enrolled in or has disenrolled from a plan offered by the sponsor without amending the plan documents.

· Accounting of Disclosures -- The final Rule exempts disclosures made pursuant to an authorization from the accounting requirements. The authorization process itself adequately protects individual privacy by assuring that the individual's permission is given both knowingly and voluntarily. The final Rule also exempts from the accounting requirements incidental disclosures, and disclosures that are part of a limited data set. The Rule provides a simplified alternative approach for accounting for multiple research disclosures that includes providing a description of the research for which an individual's protected health information may have been disclosed and contact information.

· Disclosure for Treatment, Payment, or Health Care Operations of Another Entity- The final Rule clarifies that covered entities can disclose protected health information for the treatment and payment activities of another covered entity or a health care provider, and for certain health care operations of another entity.

· Protected Health Information: Exclusion for Employment Records - The final Rule clarifies that employment records maintained by a covered entity in its capacity as an employer are excluded from the definition of protected health information. The modifications do not change the fact that individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information.

The final Rule also includes technical corrections and additional clarifications related to various sections of the existing rule. The final Rule is designed to ensure that protections for patient privacy are implemented in a manner that maximizes privacy while not compromising either the availability or the quality of medical care.