The Federal Privacy Rule

In the past, physicians could physically secure and shield personal medical records from disclosure, absent consent from their patients. Electronic databanks have changed all that (as foretold by the Supreme Court in Whalen, above). With the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which encouraged electronic transmission of patient data, Congress passed concurrent legislation for uniform protection of medical records and personal information. In December 2000, the Department of Health and Human Services (HHS) published its Privacy Rule (“Standards for Privacy of Individually Identifiable Health Information”, 65 Fed. Reg. 82462), which became effective on April 14, 2001. The regulation covers health plans, health care clearinghouses, and health care providers that bill and transfer funds electronically. The regulation mandates a final compliance date of April 14, 2003 (small health plans have until April 14, 2004 to comply). The Privacy Rule includes provisions for the following:

  • Ensuring patients' access to their medical records, including the ability to obtain copies and to request amendments
  • Obtaining patient consent before releasing information. Health care providers are required to obtain consent before sharing information regarding treatment, payment, and health care operations. Separate patient authorizations must be obtained for all non-routine disclosures and non-health related purposes. A history of all non-routine disclosures must be accessible to patients.
  • Providing recourse for violations through an administrative complaint procedure.

In March 2002, the Bush Administration proposed amendments to the Privacy Rule that would address several complaints registered by patients and medical facilities alike. Specifically, the proposed amendments would remove the requirement for express consent in such communications as pharmacists filling prescriptions, patient referrals to specialists, treatments provided or authorized over the telephone, and emergency medical care. The relaxed consent requirement would apply only to uses and disclosures for treatment, payment, and health care operations (TPO) purposes. All other uses and disclosures would continue to require express patient consent.


Inside The Federal Privacy Rule