The U.S. Department of Health and Human Services late last month released new rules to protect the privacy of individuals medical records and other private health information managed by health care providers, insurers and clearinghouses.
Called for under the HIPAA (Health Insurance Portability and Accountability Act), the privacy standards limit the nonconsensual use of medical records in an effort to make patients more comfortable with the electronic processing of their personal information.
HHS officials in Washington estimated that health care organizations will spend about $18 billion in the next 10 years on hardware and software as well as on training personnel to comply with the privacy standards. However, they said that ensuring privacy may save more money in the long run by reducing discrimination and lawsuits.
The rules mandate the following:
• Patients must get a clear, written explanation of how information is used, kept and disclosed.
• Patients must be able to get copies of their records and request amendments.
• Patients must give authorization before information is disclosed and can request restrictions on disclosure.
• Providers and health plans cannot demand a patients blanket approval to disclosure before giving treatment.
• Health information can be used for health purposes only, with few exceptions.
• Providers and health plans must adopt written privacy procedures, train employees and designate a privacy officer.
The standards also specify civil penalties of up to $25,000 per person and criminal penalties of up to $250,000 and 10 years in prison for improper use or disclosure of health information.
Hospital CIOs generally agree that the privacy standards are based on good business practices.
"If youre going to do business on the Web, you should be concerned about the privacy and confidentiality of your customers, and if youre concerned about those things, you should be doing what HIPAA requires in any case," said Rick Skinner, CIO for the Oregon region of Providence Health System, in Portland.
"This will lower administrative costs and make it cheaper to do business in the long run," said Linda Tiano, senior vice president and general counsel of Empire Blue Cross and Blue Shield, in New York.
The final standards will be effective in February 2003. Early this year, HHS will issue the final data security standards to protect all electronically transmitted health information.