Protection For Patients’ Privacy Gets Green Light From White House

(RIVERWOODS, ILL., April 13, 2001) - Millions of healthcare consumers will see new protection for their personal information and records now that the Bush Administration has given a green light to the patient privacy guidelines, according to CCH INCORPORATED (CCH), a leading provider of health law information and services and healthcare compliance e-learning. For healthcare providers, however, the news is not as welcome.

"The controversial rule establishes important new consumer rights with respect to the use and disclosure of information in this area. For the first time, people will have some control over this very personal information," said CCH healthcare analyst Jay Nawrocki.

Healthcare providers, however, are concerned about the costs and administrative burdens associated with the new rule.

"Not only are implementation and ongoing costs a concern for providers, but so is the potential cost of noncompliance," said Nawrocki. "Providers could be liable for up to $250,000 – or go to jail – for violating the new rule."

New Rule Puts Patients’ Privacy First

The rule creates a new playing field for consumers and providers of healthcare, with a patient’s rights kicking in with their very first office visit; providers will have to give notice about how medical information will be handled at the first visit with each patient.

Providers also would be significantly restricted as to when and why they share patient information. Under the rule, providers may disclose protected health information only to the individual; in compliance with a consent signed by the individual; under an authorization signed by the individual; or without consent or authorization under certain circumstances.

Other key provisions of the new rule, mandated by Congress under the Health Insurance Portability and Accountability Act (HIPAA), follow:

  • Patient's Rights: Patients may view, request a copy of, amend or receive a list of individuals and organizations that have seen their medical information from the previous six years. A provider may deny access to a patient's records if the provider feels that release of the information will endanger the life or physical safety of the individual. In all other cases, providers have 60 days from the request to make the information available. Providers will be permitted, however, to charge a fee for providing the information.

Nawrocki also noted another important new protection under the rule: employers would be prohibited from using medical information obtained from the administrator of their group health plan to make employment-related decisions or actions.

  • Consent and Authorization: A provider must obtain an individual's consent before using or disclosing protected health information to carry out treatment, payment or healthcare operations. Protected health information is any information that identifies an individual’s past, present or future physical or mental health, and includes all communication—even information communicated verbally. Under the rule, providers can deny care if an individual refuses to sign a consent form.

Patients may grant providers authorization to use data for specific purposes other than carrying out treatment, payment or healthcare operations covered by the consent. In this case, however, providers may not condition the provision of healthcare based on a patient's signing of an authorization.

Only the minimum amount of information necessary may be released. Also, providers are responsible for the use of protected information released to other organizations.

  • Exemptions: Protected health information may be released without consent or authorization in certain situations including: in an emergency to a family member or friend; to public health authorities to prevent or control disease; for certain research purposes; in judicial and administrative proceedings and limited law enforcement activities; and in investigations of abuse or neglect.
  • Penalties and Other Provisions: Penalties range from the slight to significant: not more than $100 per person per violation to a fine of not more than $250,000 and/or imprisonment of not more than 10 years if the offense is with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm.
  • State Regulations: The regulation preempts all state regulations unless the state regulation provides more protection, or the Secretary determines that the state law may supercede.

Rule Could Change Before 2003 Implementation

The guidelines, advanced at the eleventh hour by former President Clinton, had been on hold under the new administration before President Bush directed the Department of Health and Human Services (HHS) to implement the new medical privacy rule as of April 14, 2001.

HHS has said it will continue to explore possible modifications to the rule based on comments the agency has received—a position that is encouraging news to the healthcare industry.

Under the new rule, most providers have until 2003 to come into compliance, Small plans have until 2004.


CCH INCORPORATED, headquartered in Riverwoods, Ill., was founded in 1913 and has served generations of business professionals and their clients. For more than 50 years, the company has regularly tracked, reported, explained and analyzed health and entitlement law for health care providers, insurers, attorneys and consumers. CCH is the premier provider of Medicare and Medicaid information and publishes the industry standards, the CCH Medicare and Medicaid Guide and the CCH Healthcare Compliance Portfolio, as well as offers ComplianceEdge™, the e-learning program for health care compliance. CCH is a wholly owned subsidiary of Wolters Kluwer North America. The CCH web site can be accessed at The Health group site can be accessed at

-- ### --