

Final Rule on Health Information Privacy Issued

Nancy Tarleton Landis

Federal standards for protecting the privacy of personal health records were released December 20. The new regulations from the Department of Health and Human Services (HHS) will protect medical records and other personal health information maintained by health care providers, hospitals, health plans and health insurers, and health care clearinghouses.

Congress mandated the regulations after failing to pass comprehensive privacy legislation. The new standards limit the nonconsensual use and release of private health information, give patients new rights to access their medical records and to know who else has accessed them, restrict most disclosure of health information to the minimum needed for the intended purpose, establish new criminal and civil sanctions for improper use or disclosure, and establish new requirements for access to records by researchers and others.

HHS received more than 52,000 comments on its proposed privacy rule published in 1999. The final rule, says HHS, is based on careful consideration of every comment and reflects a balance between accommodating practical uses of individually identifiable health information and rendering maximum privacy protection of that information.

Changes from proposed rule. The final regulations go further than the proposed rule, extending coverage to personal medical records in all forms—including paper records and oral communications. The earlier proposal had applied to electronic records and to any paper records that had at some point existed in electronic form.

The final rule also requires most providers to obtain patient consent for routine use and disclosure of health records, in addition to requiring special patient authorization for nonroutine disclosures. The proposed rule had allowed routine disclosures without advance consent for purposes of treatment, payment, and health care operations (such as internal data gathering by a provider or health care plan). Most of those commenting on this provision, including many physicians, believed consent even for these routine purposes should be obtained in advance, as is the usual current practice. The final rule also requires that patients be given detailed written information on their privacy rights and on how their information will be used.

The final rule was published in the December 28, 2000, Federal Register. A fact sheet is available from HHS.

The final rule allows disclosure of the full medical record to providers for purposes of treatment: For most disclosures, such as health information submitted with bills, covered entities are required to send only the minimum information needed for the purpose of the disclosure. However, for purposes of treatment, health care providers need to be able to transmit fuller information to other providers. The final rule gives providers full discretion in determining what personal health information to include when sending patients' medical records to other providers for treatment purposes.

The final rule protects against unauthorized use of medical records for employment purposes: Companies that sponsor health plans will not be able to access personal health information from the sponsored plan for employment-related purposes without authorization from the patient.

HIPAA requirement fulfilled. The bipartisan Health Insurance Portability and Accountability Act of 1996 (HIPAA) called on Congress to enact comprehensive national medical record privacy standards by August 21, 1999. When Congress was unable to enact standards by that deadline, HIPAA required that HHS issue regulations. Proposed regulations were published November 3, 1999, and the December 2000 final rule completes the HHS regulatory process on health information privacy under the HIPAA provision. The regulation will be enforced by the HHS Office for Civil Rights.

When state law exists, stronger protection prevails. The new regulation is designed to enhance the protections afforded by many existing state laws. In circumstances where the federal rules and state laws are in conflict, the stronger privacy protection would prevail. The standards apply to all consumers whether they are privately insured, uninsured, or participants in public programs such as Medicare or Medicaid. Most covered entities will have two years to come into compliance.

Financial impact. Congress intended that the HIPAA regulations have the overall effect of reducing costs. HHS projects savings of $29.9 billion over 10 years from the recently released regulation on standardizing electronic claims processing and costs of $17.6 billion for the privacy regulation—for a net savings of approximately $12.3 billion for the health care delivery system. The American Hospital Association (AHA) said the government's cost estimate was low: Costs to hospitals could exceed $22 billion over five years, according to an AHA-sponsored study.

Further legislation needed. HHS notes that the current law and final rule do not directly regulate many entities, including life insurers and workers' compensation programs, and so leave use and reuse of information by such entities unrestricted. Additional legislation is also needed to strengthen the penalties and to create a private right of action so that citizens can hold health plans and providers directly accountable for inappropriate and harmful disclosures of information.

Privacy Principles

The new privacy regulation reflects five basic principles outlined in September 1997 by HHS Secretary Donna Shalala:

1. Consumer control. The final rule gives patients greater control over how their health information is used. Providers and plans must give patients a clear written explanation of how they can use, keep, and disclose their information. Patients must be able to see and obtain copies of their records and request amendments, and must have access to a history of most disclosures.

Specific patient consent must be sought and granted for nonroutine uses and most non-health-care purposes, such as releasing information to financial institutions that determine loans or selling mailing lists to interested parties. Patients have the right to request restrictions on the uses and disclosures of their information. In general, providers and health plans cannot condition treatment on a patient's agreement to disclose health information for nonroutine uses. If privacy protections are violated, patients have the right to complain to a covered provider or health plan or to the secretary of HHS.

2. Boundaries on use of an individual's health care information. A hospital may use personal health information to provide care, teach, train, conduct research, and ensure quality. However, employers that also sponsor health plans may not obtain information for nonhealth purposes, such as hiring, firing, or determining promotions, without permission from the individual. Similarly, insurers may not use such information to underwrite other products, such as life insurance.

3. Accountability. Under HIPAA, for the first time, there will be specific federal penalties if a patient's right to privacy is violated. For noncriminal violations of the privacy standards by the persons subject to the standards, including disclosures made in error, there are civil monetary penalties of $100 per violation up to $25,000 per year per standard. In addition, criminal penalties are provided in HIPAA for certain types of violations of the statute that are done knowingly: up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining or disclosing protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining protected health information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.

4. Public responsibility. The new standards reflect the need to balance privacy protections with the public responsibility to support such national priorities as protecting public health, conducting medical research, improving the quality of care, and fighting health care fraud and abuse.

5. Security. It is the responsibility of organizations that are entrusted with health information to protect it against deliberate or inadvertent misuse or disclosure. The final regulation requires covered organizations to establish clear procedures to protect patients' privacy, including designating an official to establish and monitor the entity's privacy practices and training.