WASHINGTON - New patient privacy regulations instituted
by the Department of Health and Human Services (HHS) will affect oncology from
research to private practice. The new rules set privacy standards governing the
release of health information that might reveal the identity of individual
Although views vary on how severe the effects might be for
oncologists, there seems little doubt that the new rules will impose additional
burdens for researchers and clinicians alike.
"It’s not as bad as it could have been, but it could
have been a lot better," Anna D. Barker, PhD, speaking for the American
Association for Cancer Research (AACR), told ONI. Dr. Barker is president and
CEO of Bio-Nova, Inc. (Portland, Oregon). "They did listen to some of the
public comments, and I think they made an effort to simplify some of the
particularly onerous kinds of recommendations that were in the original
plans," Dr. Barker added. However, she said, "there are still several
things in the rule that are problematic in terms of how they are going to
affect medical research."
The new rules apply to all personal health information, including
paper records, oral communications, and electronic information created or held
by all persons and organizations covered by the regulations. HHS said that the
final rule also requires that most providers get their patients’ consent for
routine use and disclosure of health records, in addition to requiring their
authorization for non-routine disclosures.
According to the HHS, the new privacy regulations will do the
- Limit the nonconsensual use and release of private
- Give patients new rights to access their medical records
  and to know who else has accessed them.
- Restrict most disclosure of health information to the
  minimum needed for the intended purpose.
- Establish new criminal and civil sanctions for improper
  use or disclosure.
- Establish new requirements for access to records by
  researchers and others.
Health care providers, most health care plans, and health care
clearinghouses must comply with the regulations no later than Feb. 26, 2003.
Small health care plans, those with receipts totaling less than $5 million
annually, have until Feb. 26, 2004, to comply. However, a movement is building
to extend the final compliance dates because of concerns that providers and
others will be unable to fully comply by the deadlines.
Moreover, the new Bush Administration may seek to revise the
new rules. Sen. James M. Jeffords (R-VT) scheduled a hearing to review the new
regulations almost immediately after being elected chairman of the Senate
Health, Education, Labor, and Pensions Committee.
The rules apply to all consumers, whether they are insured
privately, uninsured, or covered by public programs such as Medicare. However,
federal law only authorizes the HHS secretary to cover those three entities. As
a result, several other entities, including life insurance companies and
workers’ compensation programs, are exempted from the regulations, which
allows them to use and reuse patient information without prior consent.
"Only Congress can fill these critical gaps," notes
an analysis by the Health Policy Project at Georgetown University.

Process Began in 1996

The issuance of HHS’ final rules is the culmination of a
process that began in 1996 and kicked into full gear after the failure of
Congress to enact a patient privacy law. The Health Insurance Portability and
Accountability Act of 1996 stated that if Congress had not enacted such
legislation by Aug. 21, 1999, HHS was to issue regulations to safeguard patient
The proposed regulations, released in Nov. 1999, drew more than
52,000 comments from the public, advocacy groups, provider organizations,
insurers, medical institutions, cancer researchers and their organizations, and
the National Cancer Advisory Board.
The new HHS rules impose less harsh restrictions on researchers
than those originally proposed. "Having said that, there will be a
significant bureaucracy put in place around research that is going to be
expensive and time consuming," Dr. Barker said. "Basically, it is
going to slow down research and, most likely, further discourage people from
doing research, especially clinical research."
Estimates from outside HHS of the added annual cost for medical
researchers to comply with the rules range from $4 billion to $22 billion,
according to Dr. Barker. HHS estimates the cost at $17.6 billion.
Jerome Yates, MD, PhD, senior vice president for population
sciences and health services, Roswell Park Cancer Institute, agrees that the
regulations are more acceptable than those proposed.
"Originally, HHS had proposed asking for informed consent
every time someone was going to go to a database to analyze the data and use it
for publication," said Dr. Yates, speaking for the National Coalition for
Cancer Research. "Now you don’t have to go back to patients, for
example, for tumor registry data that you want to analyze for incidence or

Use for Commercial Purposes

One section of the rules, which allows the use of patient
information for fund raising and commercial purposes, has generated great
concern among providers and patient and privacy groups.
"My concern is that what was formerly prohibited is now
allowed," Dr. Yates said in an interview with ONI. "There is a
potential for real abuse of information and of the rules having exactly the
opposite effect of what was intended in terms of protecting the patient’s
Dr. Yates noted that many cancer patients are extremely
sensitive about others knowing that they have the disease, sometimes even
close family members. He has had complaints from patients even about getting
mail with the Roswell Park return address on it.
"You can imagine how a breast cancer patient might feel if
she got an advertisement from a breast prosthesis company with an obvious
return address. I am very concerned that somebody is liable to say, let’s
have a blanket protection of privacy, as we had originally intended," Dr.

States Can Be More Restrictive

The new federal regulations set a minimum level of compliance.
However, they also allow states to impose more stringent rules, if they wish to
do so. Minnesota, for example, has a more restrictive law already in force.
"If you want to do clinical trials around the country, and one or more
states have more onerous requirements for privacy than the federal standard,
you are going to be hard pressed to enroll people in clinical trials," Dr.
A major change from the original proposal allows providers to
fully disclose a patient’s medical record to another provider for treatment
purposes. However, notes HHS, "for most disclosures, such as health
information submitted with bills, providers may send only the minimum
information needed for the purpose."
Employers that sponsor health plans for employees are barred
from obtaining health information for use in making employment decisions.
The regulations empower patients with new rights regarding
their medical records. Besides regulating the disclosure of information, the
rules give patients the right to see their medical records and request corrections;
to obtain documentation of disclosures of the health information; and to get an
explanation of their privacy rights and how their disclosed information might
Federal penalties are included for violations of the privacy
rules (see box).