HHS Issues Guidance On New Medical Privacy Information
For Immediate Release, August 16, 2001
Contact: Chris Marshall
On July 6, 2001, the Department of Health and Human Services (HHS) issued the first in a series of guidance materials on new federal privacy protections for medical records and other personal health information. The Clinton administration published the final federal rule regulating the privacy of health information in December 2000. After the change in administration, HHS Secretary Thompson requested additional public comment on the rule before allowing it to take effect on April 14, 2001. To access NAMI's comments please go to http://www.nami.org/update/010408.html The HHS guidance and other information on the new privacy protection rule can be accessed at http://www.hhs.gov/ocr/hipaa
The HHS guidance is designed to clarify key provisions of the rule and provides a user-friendly question-and-answer format about the new privacy protections for consumers. It also addresses requirements for providers, hospitals, health plans and insurers, and health care clearinghouses. HHS intends to issue proposed modifications to correct unintended negative effects of the privacy rule in the future. Proposed modifications to the rule will be published in the Federal Register and will invite public comment. After reviewing and addressing those comments, HHS will issue a final rule to implement any modifications.
The HHS guidance provides clarification for the following key provisions:
- Consumer Consent - includes requirements for providers and health plans before use or disclosure of personal health information;
- Minimum Necessary Disclosure - the rule requires disclosure of the minimum necessary information to accomplish treatment, payment or health care operations;
- Protection of Oral Communications of personal health information;
- Business Associates - providers and health plans often give protected health information to business associates (typically a business outside of the health plan that it contracts with to provide a service that requires the sharing of personal health information). This provision addresses the requirements related to business associates receiving personal health information;
- Rights of Parents and Minors concerning personal health information;
- Health-Related Communications and Marketing - addresses the use and disclosure of protected health information for marketing purposes;
- Research - explains the conditions under which protected health information may be used or disclosed for research purposes;
- Restrictions on Government Access to Health Information; and
- Use or Disclosure of Personal Health Information for Payment Purposes.
The federal rule on privacy rights establishes a federal floor of safeguards to protect the confidentiality of personal health information. State laws that provide stronger protections will continue to apply over and above the federal privacy rule. Most entities covered by the rule have two years from the date that the regulation took effect - or until April 14, 2003 - to come into compliance with the rule. Small health plans have three years - or until April 14, 2004 - to come into compliance with the rule. The privacy rule will be enforced by the HHS Office for Civil Rights and civil and criminal penalties may be imposed for violations of consumer privacy rights.