Patient Privacy: New Law May Lead to Endless Meetings and Big Dollar Signs

Edition: October 2001 - Vol 9 Number 10
Article#: 1079
Author: Repertoire

Speed and proficiency can mean everything to health care providers, and the Internet has served as one of the more useful vehicles for meeting these ends. But the electronic exchange of information that hospitals and physicians have come to depend on has become a double-edged sword, compromising patient privacy for medical expediency.

In response, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by Congress to lower health care costs by reducing administrative overhead, and provide privacy guarantees to protect patients. The first step – to lower costs by reducing red tape – has been a relatively easy hurdle to leap. The second part of the law dealing with patient privacy has presented a much larger obstacle to navigate.

Under the HIPAA law, Congress was given three years to pass more extensive health privacy legislation. When, after three years, Congress failed to do so, the Department of Health and Human Services (HHS) was assigned the task.

In November 1999, HHS published regulations designed to protect patients against the misuse of private records. By December 2000, HHS set forth its final rule on patient privacy, which took effect on April 14, 2001. HIPAA law requires health facilities and physicians to comply with its provisions by April 14, 2003.

This could mean endless meetings and lots of dollar signs for providers.

Gives patients more control

The final HHS ruling on HIPAA ensures patients the following rights to understand and determine how their personal health information is used:

Patient Control Over Information

•Providers and health plans must offer patients a written explanation of how their health records may be used.

•Patients are ensured access to their medical records.

•Providers need patient consent prior to releasing personal information.

•Patients have the right to file a formal complaint when their privacy is violated.

Medical Record Use and Release

•Health information may not be used for non-medical purposes.

•When health disclosures are necessary, they must reveal as little information as necessary.

The Security of Personal Health Information Is Ensured

•Providers must meet privacy safeguard standards, but retain the flexibility to design their own policies.

•Written privacy procedures must be included.

•Employees must be trained in privacy procedures.

Accountability for Medical Records Use and Release

•Providers and health plans that violate standards face civil monetary penalties.

•Violators also may face criminal penalties involving fines up to $250,000 and prison.

The final ruling also permits:

•Certain public disclosure in emergency situations.

•Higher protection for psychotherapy notes.

The ruling pertains equally to private and public providers. Project costs are estimated to reach $17.6 billion over 10 years, but this will be offset by the $29.9 billion in savings under the final electronic transactions regulation (August 2000), according to the HHS.

The HHS also noted that HIPAA will not overturn pre-existing state laws. In some states where pre-existing privacy laws are stricter than HIPAA standards, those patients simply will have extra protection.

Finally, the HHC Office for Civil Rights (OCR) will enforce all standards and assist providers and health plans in meeting requirements.

For more information on the final ruling, visit