Employers that administer their own health care plans are barred from using medical information for anything other than health care.
The final regulation is considerably broader than the year-earlier proposal, following more than 50,000 comments from the public.
However, the administration removed a provision that would have given patients the right to sue for privacy violations. Opponents of the provision were concerned this would encourage frivolous lawsuits.
The rules cover both electronic and paper records – a major victory for privacy advocates. An earlier version had only applied to electronic records.
Crime and Punishment
The new rules will take effect in two years and restrict the sharing of confidential information by health-care providers and insurers. For the first time, federal fines and prison sentences will be imposed for violations, according to the Associated Press. Fines of $100/violation, up to $25,000/year, could be imposed, with criminal penalties up to $250,000 and 10 years in prison for the worst violations, according to the report.
In 1996, Congress gave HHS the power to issue privacy regulations if Congress itself failed to enact legislation within three years, as called for under the Health Insurance Portability and Accountability Act (HIPAA). After Congress missed the August 1999 deadline, HHS published proposed rules roughly a year ago.
Among other things, the new rules:
- Allow states to pass stricter laws if they want, despite insurer interest in a single national standard.
- Require health providers and insurance companies to modify contracts with business partners – including attorneys, auditors and consultants – to assure their compliance with the rules.
The regulations are expected to be posted at www.aspe.os.dhhs.gov/admnsimp following the President’s announcement.