MEDICAL PRIVACY: Clinton Unveils New Rules
The Nitty Gritty
Under the new rules, electronic records kept by health plans, insurance companies, health-care clearinghouses and employers who offer self-funded plans can be used without authorization only for payment, treatment or minor administrative purposes. If health plans or insurers want to use patients' records, they must first inform the patients how the records are to be used and then can pull only the minimum data necessary -- for example, a single test result as opposed to an entire medical history. The rules "do bar the disclosure of diagnostic and treatment information to banks or credit card companies as part of the payment process, a major concern due to the credit-rating implications" (Murray, Wall Street Journal, 10/29). For the first time, patients will be allowed to view their own medical records and correct any mistakes. Health plans and other providers must alert patients to their policy regarding records release and, if patients ask, also will be required to provide a list of every organization that has received their medical information (Washington Post, 10/29).
But the Wall Street Journal reports there are "significant gaps in the regulations," including the fact that paper records that have never been electronically transmitted are not covered. Also, lawyers, auditors, consultants, third-party administrators and several other individuals who come into contact with medical information are not barred from using patient records without permission. Those who abuse the new laws will be subject to a $25,000 per person, per year civil penalty and the possibility of criminal charges if the information is "intentionally abused" (10/29).
Burden on Insurers
For care providers, insurers and claims managers, the new rules are a major inconvenience. These groups will have to follow "stringent new rules" while handling consumers' data. They predict that doing so will "add billions of dollars to the cost of health care." To adhere to the rules, health plans and insurers will have to implement internal controls, including training employees about medical privacy and designating an employee to act as a privacy point person who would monitor and install privacy and confidentiality protocols. A recent Blue Cross and Blue Shield Association study found that similar confidentiality requirements would add $43 billion to health care bills over the next five years. Bill Pierce, a spokesperson for Blue Cross, said, "We don't think anybody looked at potential expenses or interference with physician communication" (Rubin, AP/Los Angeles Times, 10/29).