Office of the Press Secretary

For Immediate Release October 29, 1999

PRESIDENT CLINTON TAKES STRONG NEW STEPS TO
PROTECT THE PRIVACY OF PERSONAL HEALTH INFORMATION

President Clinton today will unveil a landmark set of privacy protections for medical information stored or transmitted electronically. This new regulation, which the President is proposing because of Congress's failure to act, underscores the Administration's commitment to safeguarding the security of personal health information. But the President will note that because his regulatory authority is limited, comprehensive federal legislation is urgently needed, and he will urge Congress to enact broader privacy protections without further delay.

The new regulation that President Clinton and HHS Secretary Shalala are announcing today would apply to all health plans and many health care providers, as well as to health care clearinghouses such as billing companies. It would: 1) limit the non-consensual use and release of private health information; 2) inform consumers about their right to access their records and to know who else has accessed them; 3) restrict the disclosure of protected health information to the minimum necessary; 4) establish new disclosure requirements for researchers and others seeking access to health records; and 5) establish new criminal and civil sanctions for the improper use or disclosure of such information.

THE AMERICAN PEOPLE WANT THE PRIVACY OF THEIR HEALTH RECORDS TO BE PROTECTED. Today, even amidst a boom in the collection and dissemination of personal data, patients do not have the right under Federal law to see their own health files or to know who is receiving their health information. Nor do they have basic protections to ensure that sensitive information is not inappropriately used or disclosed. Indeed, under the current loose patchwork of state laws, personal health information can be distributed -- without consent -- for reasons that have nothing to do with a patient's medical treatment. Patient information held by an insurer can in many cases be passed on to a lender who may then deny the patient's application for a home mortgage or a credit card, or to an employer who may use it in personnel decisions. Moreover, patients wishing to access or control the release of such information may be subject to the whim of their insurance company or health care provider.

PRESIDENT CLINTON UNVEILS NEW SAFEGUARDS FOR SENSITIVE HEALTH INFORMATION. The new regulation being unveiled today is designed to give consumers more control over their health information; set boundaries on the use and release of health records and ensure their security; establish accountability for inappropriate use and release; and balance public responsibility with privacy protections. This new regulation would:

GIVE CONSUMERS CONTROL OVER THEIR HEALTH INFORMATION

• Limit the release of private health information without consent. This rule would establish a new Federal requirement that doctors, hospitals, health plans, and other covered entities could not -- without a patient's written consent -- release identifiable health information for purposes unrelated to treatment, payment for services, or priorities like public health. Under the current regime, such data is often released to marketing firms, financial institutions, and employers, without knowledge or consent, and is then used in direct marketing campaigns, in loan eligibility decisions, and for promotion and other purposes. In fact, a recent University of Illinois survey indicated that 35 percent of Fortune 500 companies check health records before they hire or promote.
• Inform consumers how their health information is being used. This new regulation will require health plans and providers to publish a notice to patients about how their information is being used and to whom it is being disclosed. It will also give each individual patient a right to a "disclosure history," listing the entities that have received information for purposes unrelated to treatment or payment.
• Give patients access to their own health file and the right to request amendments or make corrections. The regulation will give patients the right to see and copy their own records as well as the right to request correction of potentially harmful errors in their health files. These access and amendment rights are a core part of any regime to protect individual privacy. Without them, a person with an improper diagnosis in his or her medical file or payment record could be denied health insurance and left no redress.

SET BOUNDARIES ON MEDICAL RECORD USE AND RELEASE

• Restrict the amount of information used and disclosed to the "minimum necessary." Currently, health care providers and plans can often release a patient's entire health record even if an employer or other entity needs only particular information. This new regulation would restrict the information that is used and disclosed to the minimum amount of information necessary.

ENSURE THE SECURITY OF PERSONAL HEALTH INFORMATION

• Require the establishment of privacy-conscious business practices. Sensitive information is often stored where it can be easily accessed. Earlier this year, for example, a major medical center inadvertently stored several thousand patient records on a public Internet site for two months. The regulation the President will announce today will require health plans and providers to establish internal procedures to protect the privacy of health records. They include: training employees about privacy considerations in the workplace; receiving complaints from patients on privacy issues; designating a "privacy officer" to assist patients with complaints and employees with questions; and ensuring that appropriate safeguards are in place for the protection of health information.

BALANCE PUBLIC RESPONSIBILITY WITH PRIVACY PROTECTIONS

• Require that information be disclosed only for research conducted responsibly. Since health care research is an important public priority, under this rule researchers may obtain identifiable health information without prior consent if they certify to a provider or plan that an "institutional review board" or "privacy board" has reviewed the research protocol and determined that the research would meet certain privacy protection criteria.

ESTABLISH ACCOUNTABILITY FOR MEDICAL RECORD USE AND RELEASE

• Create new criminal and civil penalties for improper use or disclosure of information. Currently, there is often no legal basis to prosecute individuals who inappropriately disclose private medical information. This rule creates new criminal penalties for intentional disclosure -- up to $50,000 and up to a year in prison. Disclosure with an intent to sell the data will be punishable with a fine of up to $250,000 and up to 10 years in prison. The regulation also establishes new civil penalties of $100 per person for unintentional disclosures and other violations (up to $25,000 per person per year).

NOW CONGRESS MUST ENACT COMPREHENSIVE LEGISLATION. The important new protections President Clinton will unveil today are a critical first step -- a step he is taking because Congress has failed to act in the three-year timeframe it gave itself in 1996. But the President's administrative authority is limited by statute and there remains an urgent need for comprehensive Federal privacy protections. Today's regulation, for instance, does not cover all paper records. It does not directly regulate many entities, including employers, other insurers, or public health agencies -- thus allowing for unlimited reuse of information by such entities. Federal legislation is also needed to fortify the penalties and to create a private right of action so that citizens can hold health plans and providers directly accountable for inappropriate and harmful disclosures of information. That is why President Clinton today will call on Congress to finish the job and enact the comprehensive protections that the American people want and need.