(Press release from the Department of Health and Human Services)
Date: July 6, 2001


The Department of Health and Human Services (HHS) today issued the first in a series of guidance materials on new federal privacy protections for medical records and other personal health information.

Today’s guidance explains and clarifies key provisions of the medical privacy regulation, which was published last December. Providing this guidance is part of an ongoing process to help health care providers and health plans come into compliance with the regulation by April 14, 2003.

“The patient privacy rule will provide strong protections for personal health information while maintaining the high quality of care that Americans expect,” HHS Secretary Tommy G. Thompson said. “This guidance is an opening step in helping physicians, health care providers and health plans understand their obligations to patients under the rule.”

The guidance — available on the Web at http://www.hhs.gov/ocr/hipaa — answers common questions about the new protections for consumers and requirements for doctors, hospitals, other providers, health plans and health insurers, and health care clearinghouses. It also clarifies some of the confusion regarding the meaning of key provisions of the rule.

For example, the guidance makes clear that hospitals do not have to build private, soundproof rooms to prevent overheard conversations about a patient’s condition, as some mistakenly believed. Rather, the rule simply requires that hospitals provide reasonable safeguards to protect confidential information – such as using curtains, screens or similar barriers, which are often already used. The guidance also indicates that the rule allows a friend or relative to pick up a patient’s prescription at the pharmacy, as often occurs today.

Congress in 1996 recognized the need for national patient privacy standards and set a three-year deadline for itself to enact such protections as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). When Congress did not enact such legislation after three years, the law required HHS to adopt such protections via regulation.

HHS proposed federal privacy standards in 1999 and, after reviewing and considering more than 50,000 public comments on them, published final standards in December 2000. Secretary Thompson requested public comment on the rule this spring before allowing the rule to take effect on April 14.

The guidance addresses many key issues of concern reflected in the more than 11,000 separate public comments on the final rule submitted to HHS during a 30-day comment period this March. Topics include patient consent, parental rights, marketing, medical research and governmental access issues.

Most covered entities have until April 14, 2003, to comply with the patient privacy rule; small health plans have an additional year to comply. HHS’ Office for Civil Rights will conduct extensive outreach to consumers and health care providers to explain what the rule means for them. HHS also will provide technical assistance and further guidance to health care providers and other covered entities to help them comply.

As permitted under the HIPAA law itself, HHS also expects to propose appropriate changes to the rule in order to ensure that it does not adversely affect patients’ access to quality health care. For example, Secretary Thompson has said he intends to propose modifications to ensure that a pharmacist can fill a phoned-in prescription for a new patient, even when the pharmacist does not first have the patient’s signed consent on file.