Protection for Patients' Privacy Gets Green Light From White House, CCH Outlines Changes

Apr 16, 2001, 01:00 ET from CCH INCORPORATED

    RIVERWOODS, Ill., April 16 /PRNewswire/ -- Millions of healthcare
 consumers will see new protection for their personal information and records
 now that the Bush Administration has given a green light to patient privacy
 guidelines, according to CCH INCORPORATED (CCH), a leading provider of health
 law information and healthcare compliance e-learning.  For healthcare
 providers, however, the news is not as welcome.
     "The controversial rule establishes important new consumer rights with
 respect to the use and disclosure of information in this area.  For the first
 time, people will have some control," said CCH healthcare analyst Jay
 Nawrocki.
     Healthcare providers, however, are concerned about the costs associated
 with the new rule.
     "Not only are implementation and ongoing costs a concern for providers,
 but so is the potential cost of noncompliance," said Nawrocki.  "Providers
 could be liable for up to $250,000 -- or go to jail -- for violating the new
 rule."
 
     New Rule Puts Patients' Privacy First
     The rule creates a new playing field for consumers and providers of
 healthcare, with a patient's rights kicking in with their very first office
 visit; providers will have to give notice about how medical information will
 be handled at the first visit with each patient.
     Providers also would be significantly restricted as to when and why they
 share patient information.  Under the rule, providers may disclose protected
 health information only to the individual; in compliance with a consent signed
 by the individual; under an authorization signed by the individual; or without
 consent or authorization under certain circumstances.
     Other key provisions of the new rule, mandated by Congress under the
 Health Insurance Portability and Accountability Act (HIPAA), follow:
 
     -- Patient's Rights: Patients may view, request a copy of, amend or
        receive a list of individuals and organizations that have seen their
        medical information from the previous six years.  A provider may deny
        access to a patient's records if the provider feels that release of the
        information will endanger the life or physical safety of the
        individual.  In all other cases, providers have 60 days from the
        request to make the information available.  Providers will be
        permitted, however, to charge a fee for providing the information.
 
        Another important new protection under the rule prohibits employers
        from using medical information obtained from the administrator of their
        group health plan to make employment-related decisions or actions.
 
     -- Consent and Authorization: A provider must obtain an individual's
        consent before using or disclosing protected health information to
        carry out treatment, payment or healthcare operations.  Protected
        health information is any information that identifies an individual's
        past, present or future physical or mental health, and includes all
        communication -- even information communicated verbally.  Under the
        rule, providers can deny care if an individual refuses to sign a
        consent form.
 
        Patients may grant providers authorization to use data for specific
        purposes other than carrying out treatment, payment or healthcare
        operations covered by the consent.
 
        Only the minimum amount of information necessary may be released.
        Also, providers are responsible for the use of protected information
        released to other organizations.
 
     -- Exemptions: Protected health information may be released without
        consent or authorization in certain situations including:  in an
        emergency to a family member or friend; to public health authorities to
        prevent or control disease; for certain research purposes; in judicial
        and administrative proceedings and limited law enforcement activities;
        and in investigations of abuse or neglect.
 
     -- Penalties and Other Provisions: Penalties range from slight to
        significant:  not more than $100 per person per violation to a fine of
        not more than $250,000 and/or imprisonment of not more than 10 years if
        the offense is with intent to sell, transfer or use individually
        identifiable health information for commercial advantage, personal gain
        or malicious harm.
 
     -- State Regulations: The regulation preempts all state regulations unless
        the state regulation provides more protection, or the Secretary of
        Health and Human Services determines that the state law may supercede.
 
     Rule Could Change Before 2003 Implementation
     The guidelines had been on hold under the new administration before
 President Bush directed the Department of Health and Human Services (HHS) to
 implement the new medical privacy rule as of April 14, 2001.  HHS will
 continue to explore possible modifications to the rule based on comments the
 agency has received-a position that is encouraging news to the healthcare
 industry.  Under the new rule, most providers have until 2003 to come into
 compliance, small plans have until 2004.
 
     About CCH INCORPORATED
     CCH INCORPORATED, headquartered in Riverwoods, Ill., was founded in 1913
 and has served generations of business professionals and their clients.  For
 more than 50 years, the company has regularly tracked, explained and analyzed
 health and entitlement law.  CCH is a wholly owned subsidiary of Wolters
 Kluwer North America.  The CCH web site can be accessed at www.cch.com .  The
 Health group site can be accessed at http://health.cch.com .
 
 

SOURCE CCH INCORPORATED
    RIVERWOODS, Ill., April 16 /PRNewswire/ -- Millions of healthcare
 consumers will see new protection for their personal information and records
 now that the Bush Administration has given a green light to patient privacy
 guidelines, according to CCH INCORPORATED (CCH), a leading provider of health
 law information and healthcare compliance e-learning.  For healthcare
 providers, however, the news is not as welcome.
     "The controversial rule establishes important new consumer rights with
 respect to the use and disclosure of information in this area.  For the first
 time, people will have some control," said CCH healthcare analyst Jay
 Nawrocki.
     Healthcare providers, however, are concerned about the costs associated
 with the new rule.
     "Not only are implementation and ongoing costs a concern for providers,
 but so is the potential cost of noncompliance," said Nawrocki.  "Providers
 could be liable for up to $250,000 -- or go to jail -- for violating the new
 rule."
 
     New Rule Puts Patients' Privacy First
     The rule creates a new playing field for consumers and providers of
 healthcare, with a patient's rights kicking in with their very first office
 visit; providers will have to give notice about how medical information will
 be handled at the first visit with each patient.
     Providers also would be significantly restricted as to when and why they
 share patient information.  Under the rule, providers may disclose protected
 health information only to the individual; in compliance with a consent signed
 by the individual; under an authorization signed by the individual; or without
 consent or authorization under certain circumstances.
     Other key provisions of the new rule, mandated by Congress under the
 Health Insurance Portability and Accountability Act (HIPAA), follow:
 
     -- Patient's Rights: Patients may view, request a copy of, amend or
        receive a list of individuals and organizations that have seen their
        medical information from the previous six years.  A provider may deny
        access to a patient's records if the provider feels that release of the
        information will endanger the life or physical safety of the
        individual.  In all other cases, providers have 60 days from the
        request to make the information available.  Providers will be
        permitted, however, to charge a fee for providing the information.
 
        Another important new protection under the rule prohibits employers
        from using medical information obtained from the administrator of their
        group health plan to make employment-related decisions or actions.
 
     -- Consent and Authorization: A provider must obtain an individual's
        consent before using or disclosing protected health information to
        carry out treatment, payment or healthcare operations.  Protected
        health information is any information that identifies an individual's
        past, present or future physical or mental health, and includes all
        communication -- even information communicated verbally.  Under the
        rule, providers can deny care if an individual refuses to sign a
        consent form.
 
        Patients may grant providers authorization to use data for specific
        purposes other than carrying out treatment, payment or healthcare
        operations covered by the consent.
 
        Only the minimum amount of information necessary may be released.
        Also, providers are responsible for the use of protected information
        released to other organizations.
 
     -- Exemptions: Protected health information may be released without
        consent or authorization in certain situations including:  in an
        emergency to a family member or friend; to public health authorities to
        prevent or control disease; for certain research purposes; in judicial
        and administrative proceedings and limited law enforcement activities;
        and in investigations of abuse or neglect.
 
     -- Penalties and Other Provisions: Penalties range from slight to
        significant:  not more than $100 per person per violation to a fine of
        not more than $250,000 and/or imprisonment of not more than 10 years if
        the offense is with intent to sell, transfer or use individually
        identifiable health information for commercial advantage, personal gain
        or malicious harm.
 
     -- State Regulations: The regulation preempts all state regulations unless
        the state regulation provides more protection, or the Secretary of
        Health and Human Services determines that the state law may supercede.
 
     Rule Could Change Before 2003 Implementation
     The guidelines had been on hold under the new administration before
 President Bush directed the Department of Health and Human Services (HHS) to
 implement the new medical privacy rule as of April 14, 2001.  HHS will
 continue to explore possible modifications to the rule based on comments the
 agency has received-a position that is encouraging news to the healthcare
 industry.  Under the new rule, most providers have until 2003 to come into
 compliance, small plans have until 2004.
 
     About CCH INCORPORATED
     CCH INCORPORATED, headquartered in Riverwoods, Ill., was founded in 1913
 and has served generations of business professionals and their clients.  For
 more than 50 years, the company has regularly tracked, explained and analyzed
 health and entitlement law.  CCH is a wholly owned subsidiary of Wolters
 Kluwer North America.  The CCH web site can be accessed at www.cch.com .  The
 Health group site can be accessed at http://health.cch.com .
 
 SOURCE  CCH INCORPORATED