MEDICAL PRIVACY: Clinton Unveils New Rules
President Clinton is slated today to release the first federal protections safeguarding the confidentiality of Americans' medical records and ensuring "patients the right to peer into their own medical records, determine who else has looked at them and pursue criminal action against anyone who misuses their medical history." While the policy could be modified before becoming final -- HHS is soliciting comments from health care insiders -- it does not require congressional approval. The policy is set to become law in February and to be enforced in 2002. The new rules emerge "at a time when the proliferation of electronic records has allowed medical information to be used in ways that would have been unimaginable even a few years ago, provoking widespread public anxiety about the security of information that once remained a secret between patients and their personal doctors." They also come "after a lengthy tug of war," in which Congress had given the White House authority to develop a medical privacy policy unless lawmakers had passed a policy of their own by August 1999 (Goldstein, Washington Post, 10/29). President Clinton said, "I will use the full authority of this office to create the first comprehensive national standards for the protection of medical records. The new rules I'm proposing would apply to all electronic medical records and to all health plans. It represents an unprecedented step toward putting Americans back in control of their own medical records" (AP/Orlando Sentinel, 10/29). CNN offers highlights of the privacy plan.
The Nitty Gritty
Under the new rules, electronic records kept by health plans, insurance companies, health-care clearinghouses and employers who offer self-funded plans can only be used without authorization for payment, treatment or minor administrative purposes. If health plans or insurers want to use patients' records, they must first inform them how the records are to be used and then could only pull the minimum data necessary -- for example, a single test result as opposed to an entire medical history. The rules "do bar the disclosure of diagnostic and treatment information to banks or credit card companies as part of the payment process, a major concern due to the credit-rating implications" (Murray, Wall Street Journal, 10/29). For the first time, patients will be allowed to view their own medical records and correct any mistakes. Health plans and other providers must alert patients to their policy regarding records release and, if patients ask, also will be required to provide a list of every organization that has received their medical information (Washington Post, 10/29).
Major Loopholes
But the Wall Street Journal reports there are "significant gaps in the regulations," including the fact that paper records that have never been electronically transmitted are not covered. Also, lawyers, auditors, consultants, third-party administrators and several other individuals who come into contact with medical information are not barred from using patient records without permission. Those who abuse the new laws will be subject to a $25,000 per person, per year civil penalty and the possibility of criminal charges if the information is "intentionally abused" (10/29).
Burden on Insurers
For care providers, insurers and claims managers, the new rules are a major inconvenience. These groups will have to follow "stringent new rules" while handling consumer's data. They predict that doing so will "add billions of dollars to the cost of health care." To adhere to the rules, health plans and insurers will have to implement internal controls, including training employees about medical privacy and designating an employee to act as a privacy point person who would monitor and install privacy and confidentiality protocols. A recent Blue Cross and Blue Shield Association study discovered similar confidentiality requirements would add $43 billion to health care bills over the next five years. Bill Pierce, a spokesperson for Blue Cross, said, "We don't think anybody looked at potential expenses or interference with physician communication" (Rubin, AP/Los Angeles Times, 10/29).