HLC PRINCIPLES FOR CONFIDENTIALITY OF PATIENT INFORMATION
The confidentiality and security of medical information is protected by privacy and security regulations issued under the “Health Insurance Portability and Accountability Act of 1996” (HIPAA). The HIPAA privacy rule protects the quality of health care and strengthens privacy protections. While still allowing for the needed flow of medical information in order to assure quality health care, the privacy rule ensures that patients' confidential medical information stays secure.
HIPAA allows identifiable information to be used and disclosed only for legitimate health care activities such as treatment, payment, health care operations, and research. Disclosing identifiable information for other activities requires patient authorization. Strong penalties for unauthorized disclosures are established by the HIPAA privacy rule.
Congress should reject legislation on issues such as data security, outsourcing, banking, internet, patient safety, health information technology, or genetic nondiscrimination that would duplicate or contradict the HHS privacy rule. It should also exempt the entities and activities already regulated by the HHS privacy rule from legislation dealing with other sectors that may overlap with health care.
Legislation to facilitate the adoption of HIT should establish a uniform federal standard for privacy and security of health information. Without federal action, HIT adoption will be impeded by conflicting state laws on privacy. Nationally uniform rules protecting confidentiality will provide patients the best protection.
Requiring providers to obtain consent for each use of patients' information would seriously delay and disrupt the care of patients, particularly the most vulnerable elderly and sick patients. Elderly patients would not be able to send a family designee to a pharmacy to pick up a prescription without first going to the pharmacy to sign consent forms; pharmacies would not be able to fill prescriptions for patients phoned in by physicians; and emergency medical personnel would be forced to get consent forms signed before treating patients – even when contrary to best medical practice.
Interoperable electronic health records that are constrained by these types of consent requirements would provide only a fraction of the speed and efficiency necessary to improve patient outcomes. Having to obtain patient consent for each use of medical records would dramatically slow and impede providers' current ability to deliver health care services.
Additional penalties and sanctions are not necessary to ensure that patients' privacy is protected. HHS and the DOJ may already seek civil and criminal monetary penalties or imprisonment on health plans, providers, or clearinghouses that fail to comply with privacy rule requirements. Criminal penalties range from fines of $50,000-$250,000 and up to ten years of imprisonment.
