|List By Date|
|Health Care and Entitlements|
Protection For Patients Privacy Gets Green Light From White House
(RIVERWOODS, ILL., April 13, 2001) - Millions of
healthcare consumers will see new protection for their personal information and records
now that the Bush Administration has given a green light to the patient privacy
guidelines, according to CCH INCORPORATED (CCH), a leading provider of health law
information and services and healthcare compliance e-learning. For healthcare providers,
however, the news is not as welcome.
"The controversial rule establishes important new consumer rights with respect to
the use and disclosure of information in this area. For the first time, people will have
some control over this very personal information," said CCH healthcare analyst Jay
Healthcare providers, however, are concerned about the costs and administrative burdens
associated with the new rule.
"Not only are implementation and ongoing costs a concern for providers, but so is
the potential cost of noncompliance," said Nawrocki. "Providers could be liable
for up to $250,000 or go to jail for violating the new rule."
New Rule Puts Patients Privacy First
The rule creates a new playing field for consumers and providers of healthcare, with a
patients rights kicking in with their very first office visit; providers will have
to give notice about how medical information will be handled at the first visit with each
Providers also would be significantly restricted as to when and why they share patient
information. Under the rule, providers may disclose protected health information only to
the individual; in compliance with a consent signed by the individual; under an
authorization signed by the individual; or without consent or authorization under certain
Other key provisions of the new rule, mandated by Congress under the Health Insurance
Portability and Accountability Act (HIPAA), follow:
- Patient's Rights: Patients may view, request a copy of, amend or receive a list of
individuals and organizations that have seen their medical information from the previous
six years. A provider may deny access to a patient's records if the provider feels that
release of the information will endanger the life or physical safety of the individual. In
all other cases, providers have 60 days from the request to make the information
available. Providers will be permitted, however, to charge a fee for providing the
Nawrocki also noted another important new protection under the rule: employers would be
prohibited from using medical information obtained from the administrator of their group
health plan to make employment-related decisions or actions.
- Consent and Authorization: A provider must obtain an individual's consent before
using or disclosing protected health information to carry out treatment, payment or
healthcare operations. Protected health information is any information that identifies an
individuals past, present or future physical or mental health, and includes all
communicationeven information communicated verbally. Under the rule, providers can
deny care if an individual refuses to sign a consent form.
Patients may grant providers authorization to use data for specific purposes other than
carrying out treatment, payment or healthcare operations covered by the consent. In this
case, however, providers may not condition the provision of healthcare based on a
patient's signing of an authorization.
Only the minimum amount of information necessary may be released. Also, providers are
responsible for the use of protected information released to other organizations.
- Exemptions: Protected health information may be released without consent or
authorization in certain situations including: in an emergency to a family member or
friend; to public health authorities to prevent or control disease; for certain research
purposes; in judicial and administrative proceedings and limited law enforcement
activities; and in investigations of abuse or neglect.
- Penalties and Other Provisions: Penalties range from the slight to significant: not
more than $100 per person per violation to a fine of not more than $250,000 and/or
imprisonment of not more than 10 years if the offense is with intent to sell, transfer or
use individually identifiable health information for commercial advantage, personal gain
or malicious harm.
- State Regulations: The regulation preempts all state regulations unless the state
regulation provides more protection, or the Secretary determines that the state law may
Rule Could Change Before 2003 Implementation
The guidelines, advanced at the eleventh hour by former President Clinton, had been on
hold under the new administration before President Bush directed the Department of Health
and Human Services (HHS) to implement the new medical privacy rule as of April 14, 2001.
HHS has said it will continue to explore possible modifications to the rule based on
comments the agency has receiveda position that is encouraging news to the
Under the new rule, most providers have until 2003 to come into compliance, Small plans
have until 2004.
About CCH INCORPORATED
CCH INCORPORATED, headquartered in Riverwoods, Ill., was founded in 1913 and has served
generations of business professionals and their clients. For more than 50 years, the
company has regularly tracked, reported, explained and analyzed health and entitlement law
for health care providers, insurers, attorneys and consumers. CCH is the premier provider
of Medicare and Medicaid information and publishes the industry standards, the CCH
Medicare and Medicaid Guide and the CCH Healthcare Compliance Portfolio, as
well as offers ComplianceEdge, the e-learning program for health care
compliance. CCH is a wholly owned subsidiary of Wolters Kluwer North America. The CCH web
site can be accessed at www.cch.com. The
Health group site can be accessed at http://health.cch.com.
-- ### --