ACLU of Washington -
Legislation Would Protect Medical Record Privacy
FOR IMMEDIATE RELEASE
Monday, January 24, 2000
OLYMPIA, WA -- Responding to citizen
demands for action to safeguard sensitive personal information, the
American Civil Liberties Union of Washington has drafted House and
Senate bills to protect the privacy of people's medical information.
The bills would prohibit non-health
care providers with legitimate access to medical records from
disclosing the information to anyone else for further use. The bills
would also bar insurance companies from marketing medical records to
"Washington citizens have a
right to expect that their medical records will be used to help
health care providers give the best medical care possible, not as a
marketing tool of insurance companies," said Jerry Sheehan,
Legislative Director for the ACLU of Washington.
The ACLU said it is especially
important to put these protections in place now, when the
legislature is considering adoption of a patients' Bill of Rights.
"Protecting privacy should be an
important component of a patients' Bill of Rights," Sheehan
House Bill 2901 is sponsored by
Representative Dow Constantine, and Senate Bill 6684 is sponsored by
Senator Pat Thibaudeau. Both measures were introduced in the state
Standards for Privacy
of Individually Identifiable Health Information
Notice of Proposed Rule Making
Published November 3, 1999
Comment period closes January 3, 2000
Summary of Proposed
Standards for Privacy of Individually Identifiable Health
To download the complete Notice of Proposed Rulemaking click below:
Section 264 of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), Public Law
104-191, enacted August 21, 1996, requires that, if legislation
establishing privacy standards is not enacted “by the date that is
36 months after the date of the enactment of this Act, the Secretary
of Health and Human Services shall promulgate final regulations
containing such standards not later than the date that is 42 months
after the date of the enactment of this Act.”
The statutory deadline for Congress to enact
legislation was August 21, 1999. Absent legislation, HHS has
developed its proposed rule.
The proposed rule would:
- allow health information to be used and shared
easily for the treatment and for payment of health care;
- allow health information to be disclosed
without an individual’s authorization for certain national
priority purposes (such as research, public health and
oversight), but only under defined circumstances;
- require written authorization for use and
disclosure of health information for other purposes, and
- create a set of fair information practices to
inform people of how their information is used and disclosed,
ensure that they have access to information about them, and
require health plans and providers to maintain administrative
and physical safeguards to protect the confidentiality of health
information and protect against unauthorized access.
Entities covered by the proposed rule
- Health care providers who transmit health
- Health plans
- Health care clearinghouses
Health information covered by the proposed rule
(“Protected health information”)
- Protection would start when information becomes
electronic, and would stay with the information as long as the
information is in the hands of a covered entity.
- Information becomes electronic either by
being sent electronically as one of the specified
Administrative Simplification transactions or by being
maintained in a computer system.
- The paper progeny of electronic information
is covered; the information would not lose its protections
simply because it is printed out of the computer.
- HIPAA protects the information itself, not
the record in which the information appears.
- The information must be “identifiable.” If
the information has any components that could be used to
identify the subject, it would be covered.