Consumer Fact Sheet
The new privacy regulations ensure a
national floor of privacy protections for patients by limiting the ways that
health plans, pharmacies, hospitals and other covered entities can use
patients' personal medical information. The regulations protect medical
records and other individually identifiable health information, whether it
is on paper, in computers or communicated orally. Key provisions of these
new standards include:
- Access To Medical Records.
Patients generally should be able to see and obtain copies of their
medical records and request corrections if they identify errors and
mistakes. Health plans, doctors, hospitals, clinics, nursing homes and
other covered entities generally should provide access to these records
within 30 days and may charge patients for the cost of copying and sending
- Notice of Privacy Practices.
Covered health plans, doctors and other health care providers must provide
a notice to their patients explaining how they may use personal medical information
and their rights under the new privacy regulation. Doctors, hospitals and
other direct-care providers generally will provide the notice on the
patient's first visit following the April 14, 2003, compliance date and
upon request. Patients generally will be asked to sign, initial or
otherwise acknowledge that they received this notice. Health plans
generally must mail the notice to their enrollees by April 14 and again if
the notice changes significantly. Patients also may ask covered entities
to restrict the use or disclosure of their information beyond the
practices included in the notice, but the covered entities would not have
to agree to the changes.
- Limits on Use of Personal Medical Information.
The privacy rule sets
limits on how health plans and covered providers may use individually
identifiable health information. To promote the best quality care for
patients, the rule does not restrict the ability of doctors, nurses and
other providers to share information needed to treat their patients. In
other situations, though, personal health information generally may not be
used for purposes not related to health care, and covered entities may use
or share only the minimum amount of protected information needed for a
particular purpose. In addition, patients would have to sign a specific
authorization before a covered entity could release their medical
information to a life insurer, a bank, a marketing firm or another outside
business for purposes not related to their health care.
- Prohibition on Marketing.
The final privacy rule sets new restrictions and limits on the use of
patient information for marketing purposes. Pharmacies, health plans and
other covered entities must first obtain an individual's specific
authorization before disclosing their patient information for marketing.
At the same time, the rule permits doctors and other covered entities to
communicate freely with patients about treatment options and other
health-related information, including disease-management programs.
- Stronger State Laws.
The new federal privacy standards do not affect state laws that provide
additional privacy protections for patients. The confidentiality
protections are cumulative; the privacy rule will set a national "floor"
of privacy standards that protect all Americans, and any state law
providing additional protections would continue to apply. When a state law
requires a certain disclosure -- such as reporting an infectious disease
outbreak to the public health authorities -- the federal privacy
regulations would not preempt the state law.
- Confidential communications.
Under the privacy rule, patients can request that their doctors, health
plans and other covered entities take reasonable steps to ensure that
their communications with the patient are confidential. For example, a
patient could ask a doctor to call his or her office rather than home, and
the doctor's office should comply with that request if it can be
Consumers may file a formal complaint regarding the privacy practices of a
covered health plan or provider. Such complaints can be made directly to
the covered provider or health plan or to HHS' Office for Civil Rights
(OCR), which is charged with investigating complaints and enforcing the
privacy regulation. Information about filing complaints should be included
in each covered entity's notice of privacy practices. Consumers can find
out more information about filing a complaint at
or by calling (866) 627-7748.
HEALTH PLANS AND PROVIDERS
The privacy rule requires health plans,
pharmacies, doctors and other covered entities to establish policies and
procedures to protect the confidentiality of protected health information
about their patients. These requirements are flexible and scalable to allow
different covered entities to implement them as appropriate for their
businesses or practices. Covered entities must provide all the protections
for patients cited above, such as providing a notice of their privacy
practices and limiting the use and disclosure of information as required
under the rule. In addition, covered entities must take some additional
steps to protect patient privacy:
- Written Privacy Procedures.
The rule requires covered entities to have written privacy procedures,
including a description of staff that has access to protected information,
how it will be used and when it may be disclosed. Covered entities
generally must take steps to ensure that any business associates who have
access to protected information agree to the same limitations on the use
and disclosure of that information.
- Employee Training and Privacy Officer.
Covered entities must train their employees in their privacy procedures
and must designate an individual to be responsible for ensuring the
procedures are followed. If covered entities learn an employee failed to
follow these procedures, they must take appropriate disciplinary action.
- Public Responsibilities.
In limited circumstances, the final rule permits -- but does not require --
covered entities to continue certain existing disclosures of health
information for specific public responsibilities. These permitted
disclosures include: emergency circumstances; identification of the body
of a deceased person, or the cause of death; public health needs; research
that involves limited data or has been independently approved by an
Institutional Review Board or privacy board; oversight of the health care
system; judicial and administrative proceedings; limited law enforcement
activities; and activities related to national defense and security. The
privacy rule generally establishes new safeguards and limits on these
disclosures. Where no other law requires disclosures in these situations,
covered entities may continue to use their professional judgment to decide
whether to make such disclosures based on their own policies and ethical
- Equivalent Requirements For Government.
The provisions of the
final rule generally apply equally to private sector and public sector
covered entities. For example, private hospitals and government-run
hospitals covered by the rule have to comply with the full range of
OUTREACH AND ENFORCEMENT
HHS' Office for Civil Rights (OCR) oversees
and enforces the new federal privacy regulations. Led by OCR, HHS has issued
extensive guidance and technical assistance materials to make it as easy as
possible for covered entities to comply with the new requirements. Key
elements of OCR's outreach and enforcement efforts include:
- Guidance and technical assistance materials.
HHS has issued
extensive guidance and technical materials to explain the privacy rule,
including an extensive, searchable collection of frequently asked
questions that address major aspects of the rule. HHS will continue to
expand and update these materials to further assist covered entities in
complying. These materials are available at
- Conferences and seminars.
HHS has participated in hundreds of conferences, trade association
meetings and conference calls to explain and clarify the provisions of the
privacy regulation. These included a series of regional conferences
sponsored by HHS, as well as many held by professional associations and
trade groups. HHS will continue these outreach efforts to encourage
compliance with the privacy requirements.
- Information line.
To help covered entities find out information about the privacy regulation
and other administrative simplification provisions of the Health Insurance
Portability and Accountability Act of 1996, OCR and HHS' Centers for
Medicare & Medicaid Services have established a toll-free information
line. The number is (866) 627-7748.
- Complaint investigations.
Enforcement will be primarily complaint-driven. OCR will investigate
complaints and work to make sure that consumers receive the privacy rights
and protections required under the new regulations. When appropriate, OCR
can impose civil monetary penalties for violations of the privacy rule
provisions. Potential criminal violations of the law would be referred to
the U.S. Department of Justice for further investigation and appropriate
- Civil and Criminal Penalties.
Congress provided civil and criminal penalties for covered entities that
misuse personal health information. For civil violations of the standards,
OCR may impose monetary penalties up to $100 per violation, up to $25,000
per year, for each requirement or prohibition violated. Criminal penalties
apply for certain actions such as knowingly obtaining protected health
information in violation of the law. Criminal penalties can range up to
$50,000 and one year in prison for certain offenses; up to $100,000 and up
to five years in prison if the offenses are committed under "false
pretenses"; and up to $250,000 and up to 10 years in prison if the
offenses are committed with the intent to sell, transfer or use protected
health information for commercial advantage, personal gain or malicious