HHS readies health security standards

HHS expects to issue final security standards early next year to protect electronically stored or transmitted health care records

The Department of Health and Human Services expects to issue final security standards early next year to protect health care records that are stored or transmitted electronically.

HHS issued a draft version of the electronic security regulations in August 1998. The regulations would require all health plans, health care providers and clearinghouses that maintain or transmit medical information electronically to establish appropriate safeguards to ensure that data cannot be lost, improperly accessed or altered.

On Wednesday, HHS issued the first national standards designed to protect the privacy of personal medical records whether they are stored electronically or on paper. The regulations put standards in place to protect medical information maintained by health care providers, hospitals, health plans and insurers, and health care clearinghouses.

The privacy requirements include:

* Providers and health plans must give patients a clear written explanation of how the plan can use, keep and disclose their health information.

* Patients must be able to see and get copies of their records and request amendments.

* Health care providers who see patients must obtain patient consent before sharing their information for treatment, payment and health care operations purposes.

The privacy and security standards are part of the Health Insurance Portability and Accountability Act of 1996.

President Clinton said Wednesday that because medical records are increasingly stored electronically, they are easy to abuse. The new privacy rules will "make medical records easier to see for those who should see them, and much harder to see for those who shouldn't," he said.