Computerworld - President Clinton today announced a sweeping set of federal rules aimed at protecting the privacy of medical records and other personal health information, establishing the potential for penalties to be imposed on executives at health care businesses that breach the new standards.
The regulations, which were prepared by the U.S. Department of Health and Human Services (HHS), are the final version of proposed rules that were issued a year ago after Congress failed to pass comprehensive medical privacy legislation as required by the 1996 Health Insurance Portability and Accountability Act (HIPAA).
Oral, paper-based and electronic communications are all covered by the measures announced today. That casts a wider net than the original proposal, which applied to electronic records and to paper ones that at some point had existed in electronic form.
Under the regulations, health care providers are prohibited from releasing most information about individual patients without getting their consent in advance. But in another change from the proposed rules, HHS said doctors and hospitals will be given "full discretion in determining what personal health information to include when sending patients' medical records to other providers for treatment purposes."
However, the final rules also tighten the consent requirement, mandating that approval be secured from patients for even "routine use and disclosure of health records" for purposes such as bill payments. Patients also must be given detailed written information about their privacy rights and any planned use of their personal information.
In addition, HHS is calling on hospitals, health insurers and health care clearinghouses to establish procedures for protecting the privacy of patients, including the appointment of executives to oversee their internal privacy procedures. And companies are prohibited from accessing health records for employment purposes.
Under the HIPAA, civil fines of $100 per violation can be imposed, up to a total of $25,000 per year. Criminal penalties of up to $250,000 and 10 years in prison could also be targeted at individuals who try to profit from the sale of health information, HHS said. Most health care companies will be given two years to comply with the regulations.
"Nothing is more private than someone's medical or psychiatric records," Clinton said during the announcement of the new rules. "And therefore, if we are to make freedom fully meaningful in the Information Age, when most of our stuff is on some computer somewhere, we have to protect the privacy of individual health records."
He added that the regulations were made necessary "by the great tides of technological and economic change that have swept
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
