
7/25/2001

HHS Clarifies Privacy Rule

Cheryl A. Thompson

When President Bush decided to let the controversial federal standards protecting the privacy of patients' medical records take effect on April 14, Health and Human Services (HHS) Secretary Tommy G. Thompson said his agency would provide clarifications and propose modifications in the coming months. HHS issued the first set of clarifications on July 6, giving health care providers and health plans guidance in complying with the regulation and an indication of the modifications the agency intends to propose.

The Standards for Privacy of Individually Identifiable Health Information, also known as the Privacy Rule, were developed under the direction of the previous HHS Secretary, Donna E. Shalala. HHS released the regulation on December 20, 2000, and set February 26, 2001, as the effective date, with a 24-month period for most health care providers and health plans to comply (see February 1 AJHP News).

The regulation differed in many ways from the version proposed in 1999, with the final rule providing greater restrictions on health care providers' and health plans' use of patients' identifiable health information. Thompson decided to postpone the rule's effective date to April 14 so that the public could offer comments and agency personnel could determine their merit. HHS received more than 11,000 comments in 30 days.

Those comments provided the basis for HHS's recent clarifications, not all of which are described below.

Consent. The regulation defines "consent" as a general document, signed by a patient, that gives a health care provider, who has a "direct treatment relationship" with that patient, permission to use and disclose all of the person's health information to carry out treatment, payment, or health care operations. Through the consent document, which can be less than one page and can be electronic, the health care provider informs a patient of the opportunity to review the provider's policy on protecting the privacy of personal health information. A patient may choose to sign the consent without reading the privacy policy. The health care provider must obtain the patient's written consent only once.

According to the recently released set of clarifications, a pharmacist, before advising a patient about nonprescription medicines, does not have to obtain written consent to use that person's health information when discussing the available options. Also, a pharmacist may use professional judgment to give a filled prescription to a patient's relative or friend who comes to the pharmacy, even if that person's name was not provided to the pharmacist in advance. Affiliated health care providers can decide to share a patient's consent. A health plan does not have to obtain a patient's consent to use or disclose personal health information to pay a claim.

An overview of the Privacy Rule and detailed guidance on requirements in the regulation are available.

Minimum necessary release of information. In general, a health care provider must take reasonable steps to use, disclose, or request only as much of a patient's health information as needed to accomplish the intended purpose.

A privacy policy must identify the specific employees or types of health care professionals who, as part of their job duties, need access to patients' personal health information. The policy must also stipulate the types of personal health information needed, such as the entire medical record, and the conditions under which such information should be accessed. If the health care provider supervises health-professional students or trainees, the privacy policy should identify procedures that would allow those people to access patients' health information. Employees' access to patients' personal health information stored in computers can be minimized by level of need through the use of passwords. For paper records, the use of locks on file cabinets containing patients' personal health information is an option.

Oral communications. The Privacy Rule covers a health care provider's spoken communications. Again, the government expects every health care provider to take reasonable steps to protect the privacy of patients' personal health information.

Health care providers who speak to each other in lowered voices or undertake some other means to minimize the chance of other people overhearing the conversation may orally coordinate services for a patient at a hospital's nursing station, discuss a patient's condition over the telephone, talk over laboratory test results in a joint treatment area, and speak about a patient's condition during medical rounds in a teaching hospital. A pharmacy should request that waiting customers stand a few feet back from the patient counseling area. Cubicles, rather than separate rooms, can be used for patient counseling. Encryption is not needed for the telephone system.

Business associates. Health care providers and health plans should obtain assurances from contractors that they will not disclose patients' personal health information or use it for a purpose other than the one agreed upon.

HHS developed the Privacy Rule because Congress did not meet its self-imposed deadline of August 21, 1999, for enacting a comprehensive set of national standards to protect medical records. The deadline was cited in the Health Insurance Portability and Accountability Act of 1996.

Parents and minors. Under the Privacy Rule, a parent can usually be considered the "personal representative" of his or her minor child. A patient's personal representative has the right to access the patient's personal health information.

If state law does not require a parent's consent before a minor child receives a particular health care service, such as mental health treatment, that the child has consented to receive, then the parent is not the patient's personal representative. Also, if a court has authorized someone other than a parent to make treatment decisions for a minor child, then the parent is not considered the child's personal representative for that therapy.

Health-related communications and marketing. The government recognizes that essential health-related communications may be hard to differentiate from marketing; the latter generally requires a patient's specific authorization before personal health information can be used or disclosed.

A health plan is not marketing when it describes a network's participating providers, notifies enrollees of a new pharmacy in the network, or informs enrollees about the drug formulary. A health care provider is not marketing when using a patient's personal health information to recommend a specific brand-name medication that is part of the treatment plan or to give a sample product during an office visit. A reminder notice for a prescription refill is not considered marketing if sent by the health care provider or health plan.

A health care provider or health plan may not give away or sell a list of its patients or enrollees without obtaining each person's authorization. If marketing a health-related product or service, the health care provider or health plan must tell recipients whether they have been targeted on the basis of their health status; direct or indirect compensation for the communication must also be disclosed. Disease management, health promotion, preventive care, and wellness programs may be considered marketing efforts rather than health-related communications, depending on how the activities are conducted.

Research. Health care providers and health plans may always, for research purposes, use or disclose a patient's health information if it cannot be traced back to that person. The clarifications released on July 6 explain under which circumstances health care providers and health plans may use identifiable personal health information without a patient's authorization.

Restrictions on government access to health information. Government-run health care providers and health plans must follow "substantially the same requirements" for privacy as do other groups. Health plans, hospitals, and other health care providers must cooperate with efforts by HHS to investigate privacy-related complaints or ensure compliance with the rule.

The Privacy Rule continues to allow a health care provider or health plan to share a patient's personal health information, including details about a drug-related adverse outcome, with public health authorities that can legally collect or receive this information as part of their mission to protect the public's health.

Payment. The Privacy Rule does not prevent a health care provider or health plan from informing a consumer credit reporting agency about a patient's payment history or from using the services of a debt collection agency.

Changes to be proposed by HHS. Actual changes to the standards in the Privacy Rule must go through the formal process of proposal, solicitation of comments from the public, review of the comments by the agency, and publication of the final modification. By April 14, 2003, most health care providers and health plans must comply with the Privacy Rule as it was issued in 2001 and with any modifications that have been put in final form.

HHS indicated it will propose changing a standard so that phoned-in prescriptions can be filled before the patient arrives at the pharmacy. Without the change, a pharmacist would not legally be able to use a patient's personal health information in filling a prescription unless the pharmacy or pharmacy chain already had in its possession the patient's written consent.

Also planned by HHS are changes that would make it legal for

  • Health care providers who directly treat patients to schedule an appointment for a new referral without first having that person's written consent on file, 
  • Health plans and health care providers to discuss a treatment with staff members involved in coordinating the patient's care and to announce a patient's name to locate that person in a waiting room,
  • Clinics and other health care providers with waiting rooms to use a sheet of paper on which patients sign in when they arrive, and 
  • Hospitals to keep a patient's medical chart at the bedside.

Other changes may also be proposed.