Summary:
On December 28, 2000, the Secretary of Health and Human Services (HHS) issued a final regulation (65 Fed. Reg. 82462) to protect the privacy of personally identifiable medical information. The rule covers health care providers, health plans, and clearinghouses (i.e., entities that facilitate and process the flow of information between providers and payers). Under the rule, patients have the right to inspect and amend their medical records. Providers are required to obtain a patient's one-time, written consent to use or disclose health information for routine health care operations (e.g., treatment and payment). In addition, health plans and providers must get a patient's specific authorization to use or disclose information for non-routine uses and most non-health care purposes. Covered entities that fail to comply with the rule are subject to civil and criminal penalties, but patients do not have the right to sue for violations of the law. The health privacy rule does not preempt, or override, state laws that are more protective of medical records privacy. The rule took effect on April 14, 2001, and most covered entities have 2 years to comply. On July 6, 2001, HHS issued the first of several guidance documents to accompany the rule. The guidance clarifies the rule's provisions and reiterates the department's intent not to interfere with patients' access to health care or the quality of health care delivery.