Rules Issued on Privacy of Health Records

Bazelon Center Comments on the Proposed Privacy Rules (11/99) Support the Bazelon Center. Your tax-deductible donation helps the Bazelon Center keep you informed on important developments in mental health law and policy. Not a Subscriber? Sign up now to receive action alerts and updates from the Bazelon Center.

November 4, 1999—The President has announced proposed rules to protect privacy of medical records. The rules are the first federal ban on the release of identifiable health information without a patient's specific consent for purposes unrelated to treatment and payment.

The Administration issued these rules to meet a deadline imposed by the Health Insurance Portability and Accountability Act of 1996. Under this law, if Congress fails to pass privacy legislation, the Department of Health and Human Services (HHS) must issue final regulations on privacy of electronically transmitted records by February 2000.

As proposed, the rules will protect individuals from breaches of privacy that are legal today. For example, medical records can currently be shared with marketing firms or other commercial interests, including banks considering whether to approve a loan.

Rules Create New Protections for Electronic Records

The proposed regulations apply to all health plans, most providers, pharmacies and health care clearinghouses (such as billing companies), and to any business partners of such entities. The rules cover any information entered into a computer or transmitted electronically, but do not cover information that is kept only in a paper record. Congress would have to act to cover paper records. The proposed rules:

• limit the release of private health information without consent;
• require that consumers be informed how their health information will be used;
• give individuals access to their own health records and the right to request corrections; restrict the disclosure of information to that minimally necessary for the task at hand;
• require the establishment of privacy-conscious business practices.

While creating a new federal floor for privacy protection, the rules also permit states to provide greater privacy protection.

Informed Consent Not Required to Share Information Among Health Entities

The standards of privacy are very different, however, depending upon the purpose for which information is to be used. Patients need not be asked for consent to the sharing of their health information for purposes of "treatment, payment and health care operations." While individuals can make a specific request to limit who has access to some or all of their information for these purposes, the health plan or provider is not obligated to honor that request. As a result, information about mental health treatment can be shared with, for example, other treating providers, the health plan under which a person is insured and administrative staff in the health plan.

For all other purposes, such as research, public health, fraud and abuse investigations and law enforcement, the proposed rules generally require informed consent before information can be shared. Strict standards are set on the limited ways information can be shared without consent for purposes other than treatment, payment and health care operations.

Psychotherapy Notes Specifically Protected

There is a specific protection for psychotherapy notes. Psychotherapy notes—personal notes of the treating provider which may contain highly sensitive and private information—cannot be shared without the subject's specific authorization. Health plans are prohibited from conditioning treatment or payment on access to such notes. This provision will keep managed care plans and other insurers from demanding unnecessary details about the person's life before they pay for treatment.

Access to Own Information Allowed

Under these rules, individuals with mental illnesses will have access to their own records on the same grounds as others. Access can, but need not be, denied when a licensed health care professional determines that release of the information is likely to endanger the life or physical safety of the individual or another person. In the preamble to the rule, HHS specifically states that this section is "not intended to be used liberally as a means of denial of individual inspection and copying rights for all mental health records.... Each request would have to be assessed on its own merits (using) current professional standards for determining what constitutes a threat to life or physical safety."

Other Provisions

Other rights granted to individuals are:

• the right to receive a written notice of information practices from health plans and providers that describes how the plan or provider uses health information;
• the right to receive an accounting of instances where protected health information about them has been disclosed for purposes other than treatment, payment or health care operations.

Other provisions of the proposed rules require that covered entities:

• have in place administrative systems that enable them to protect health information;
• designate a privacy official responsible for privacy policies and for ensuring that these policies are followed;
• train their work force on the entity's privacy policies and procedures;
• establish sanctions for violation of privacy rules.

Implementation Delayed Two Years

Under the law, covered entities must be given time to adapt their policies to comply with the rules. Once the rules are published in final form, they will not take effect for another two years.

Comments Invited for 60 Days

HHS extended until February 17, 2000 for the public to comment on the voluminous proposed rules, which cover more than 600 pages of double-spaced type. The Bazelon Center analyzed the details and, in our comments, provided an assessment of areas of concern on which mental health advocates may wish to comment.

The proposed rules appeared in the Federal Register of November 3, 1999 and can be accessed through the HHS website: http://aspe.hhs.gov/admnsimp.