WESTPORT, CT (Reuters Health) Dec 20 - The Clinton Administration's release today of sweeping new regulations to protect patient confidentiality is considered a boon for all Americans but opens up a minefield of compliance hazards and a potential legal quagmire for doctors, hospitals, HMOs and pharmaceutical companies alike.
The rules are the first ever to establish national standards for how personal health information is used and distributed, and to set criminal and civil penalties for breaching patient privacy. They set in motion a portion of the 1996 Health Insurance Portability and Accountability Act, known as HIPAA.
The final rules, however, reach well beyond those proposed a year ago, providing protection for paper, oral and electronic healthcare information. The proposed regulation issued in November 1999 affected only electronic records and any paper records that had, at some point, existed in electronic form.
The broadened level of protection is what Congress called for and what patients need, declared Health and Human Services (HHS) Secretary Donna Shalala. "Protection for all records is the most logical, workable and understandable approach for patients and providers alike," she said.
Under final rules issued today, plans and providers will be required to inform patients about how their information is being used and to whom it is being disclosed. The regulations also will give each patient a right to a "disclosure history" listing the entities that received their personal medical information.
Patients will also have the right to access their own medical files, as well as the right to request amendments or corrections. And doctors and hospitals will be required to obtain written consent before using a patient's health information, even for routine purposes.
The nation's HMO lobby expressed deep concern today that the rules could "unintentionally jeopardize care" by hindering disease management activities. Karen Ignagni, president and CEO of the American Association of Health Plans (AAHP), said that the rules could undermine efforts to remind women to have a mammogram, for instance, or to encourage diabetes patients to get retinal screenings. "We are going to be looking at all available options" for addressing the problem, she said at a press briefing today.
Consumer advocates hailed the privacy regulations for giving people unprecedented access to and control over their personal medical information. "It's important for consumers to have clarity on what the rules are and to have some assurance that they have some rights and some protections here," Dr. Mark D. Smith, president and CEO of the California HealthCare Foundation, told Reuters Health.
It's also important, he said, for providers to have a single set of rules to play by. There will be implementation issues, of course, and it's going to cost some money, he noted. "But in the end, it turns out to be a good thing."
In the interim, however, the healthcare industry faces the daunting task of installing appropriate computer systems and processes, providing appropriate staff training, securing patient authorizations to use and share information and conducting ongoing compliance activities.
"This is a regulation that is going to have a deep and serious impact on the business of healthcare," said Larry Ponemon, senior partner with PricewaterhouseCoopers and a global leader of the firm's privacy practice. "That's really what it's about," he told Reuters Health.
The regulations also will create new criminal penalties for intentional disclosure: a fine of up to $50,000 and up to a year in prison. Disclosure with intent to sell the data is punishable with a fine of up to $250,000 and up to 10 years in prison, the White House said.
The rule creates some very steep hurdles for the entire healthcare industry, Ponemon told Reuters Health.
"A lot of hospitals quite frankly are lacking quite severely in their internal control of patient records," he said. Pharmaceutical companies may be liable for breaching patient confidentiality in clinical trials even though they don't control those studies or the teaching institutions, researchers and clinicians involved, he added. Providers who fail to make a good-faith effort to comply with the rules are not only vulnerable to civil and criminal penalties but may face class action litigation, Ponemon said.
"The overall message to healthcare providers is wake up and smell the coffee," he said.
While the Clinton White House would like Congress to pass legislation next year to expand the protections more broadly and to stiffen penalties for privacy violations, it remains to be seen whether President-elect George W. Bush and Republican congressional leaders would take up the initiative once Clinton leaves