HHS.gov Archive
Friday, August 9, 2002
Contact: HHS Press Office
(202) 690-6343

Consumers Gain New Controls Over Records Beginning April 2003

HHS Secretary Tommy G. Thompson today issued the first-ever comprehensive federal regulation that gives patients sweeping protections over the privacy of their medical records. The final regulation, which takes effect April 14, 2003, will ensure strong privacy protections without interfering with Americans' access to quality health care.

The federal privacy regulation empowers patients by guaranteeing them access to their medical records, giving them more control over how their protected health information is used and disclosed, and providing a clear avenue of recourse if their medical privacy is compromised. The rule will protect medical records and other personal health information maintained by certain health care providers, hospitals, health plans, health insurers and health care clearinghouses.

"Patients now will have a strong foundation of federal protections for the personal medical information that they share with their doctors, hospitals and others who provide their care and help pay for it," Secretary Thompson said. "The rule protects the confidentiality of Americans' medical records without creating new barriers to receiving quality health care. It strikes a common sense balance by providing consumers with personal privacy protections and access to high quality care."

Under the privacy rule:

HHS issued privacy regulations in December 2000 but had to make changes to address the serious unintended consequences of the rule that would have interfered with patients' access to quality care. For example, patients would have been required to visit a pharmacy in person to sign paperwork before a pharmacist could review protected health information in order to fill their prescriptions. Similar barriers would have arisen when a patient is referred to a specialist and in other situations.

"We took great care to make sure we weren't creating greater hardships or more health care bureaucracy for patients as they seek to get prompt and effective care," Secretary Thompson said. "The prior regulation, while well-intentioned, would have forced sick or injured patients to run all around town getting signatures before they could get care or medicine. This regulation gives patients the power to protect their privacy and still get efficient health care."

HHS received more than 11,000 public comments on the proposed modifications issued in March 2002 and today is adopting final changes. The final version, which will be published in the Aug. 14th Federal Register, includes some key revisions to address public concerns. The rule will be available online today at www.hhs.gov/ocr/hipaa/.

HHS' privacy regulation is designed to enhance the protections afforded by many existing state laws. Stronger state laws and other federal laws continue to apply, so the federal regulation provides a national base of privacy protections. The standards for covered entities apply whether their patients are privately insured, uninsured or covered under public programs such as Medicare or Medicaid.

Most covered entities have until April 14, 2003, to comply with the patient privacy rule; under the law, certain small health plans have until April 14, 2004 to comply.

To help people prepare for and meet the rule's requirements, HHS' Office for Civil Rights (OCR) will continue to conduct outreach and education targeted to health plans, health care providers, consumers and others affected by the privacy regulation.

These efforts include developing appropriate technical assistance materials, which may include fact sheets, handbooks and other materials, as well as responding to frequently asked questions. HHS also will hold national educational conferences in the fall to address issues related to key parts of the privacy regulation. Technical assistance materials will be posted on OCR's privacy rule website at www.hhs.gov/ocr/hipaa/.

"We are working to do our part to educate the health care industry and the public about these rights and protections in advance of the April 2003 compliance date required under the law," OCR director Richard M. Campanelli said. "We believe the improvements in this final rule will be helpful to both health care providers and the public. Our goal is to ensure patients enjoy their full federal privacy rights and protections by helping covered entities follow the rule."

In 1996, Congress recognized the need for national patient privacy standards and, as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), set a three-year deadline for itself to enact such protections. HIPAA also required that, if Congress did not meet this deadline, HHS was to adopt health information privacy protections via regulation based upon certain specific parameters included in HIPAA. Congress did not enact health privacy legislation.

HHS proposed federal privacy standards in 1999 and, after reviewing and considering more than 52,000 public comments on them, published final standards in December 2000. In March 2001, Secretary Thompson requested additional public input and received more than 11,000 comments, which helped to shape the improvements proposed in March 2002. Today's final improvements reflect public comments received on that proposal.

The privacy rule is part of a set of standards required under HIPAA's "administrative simplification" provisions. More information about these standards is available at www.hhs.gov/news/press/2002pres/hipaa.html.


Note: All HHS press releases, fact sheets and other press materials are available at www.hhs.gov/news.

Last revised: August 9, 2002