Health privacy rules proposed

The federal government is seeking public comments on proposed rules to protect the privacy of medical records online.

The federal government is seeking public comments on proposed rules to protect the privacy of medical records transmitted on the Internet.

The proposals by the Health and Human Services Department come as privacy increasingly becomes a major issue on the Net. Web-based companies and those that are just coming online alike are finding they must have solid privacy policies in place or risk complaints from consumers and scrutiny from federal authorities.

The Health Insurance Portability and Accountability Act of 1996 called for new electronic data security standards and asked Health and Human Services Secretary Donna Shalala to make recommendations to Congress on ways to protect the privacy of health information.

The proposals, issued last week, call for standards in four categories: administrative procedures, physical safeguards, technical security services, and technical security mechanisms.

"The new security standards were designed to protect all electronic health information from improper access or alteration, and to protect against loss of records," according to a department statement.

Shalala also is seeking further protections from Congress to secure medical records.

"Electronic medical records can give us greater efficiency and lower cost. But those benefits must not come at the cost of loss of privacy," Shalala said in a statement. "The proposals we are making...will help protect against one kind of threat--the vulnerability of information in electronic formats. Now we need to finish the bigger job and create broader legal protections for the privacy of those records."

The proposals include technical and administrative rules that would apply to all health plans, health care providers, and others that transmit medical data electronically.

Examples of the proposed rules are as follows:

  • Health care providers and organizations must have formal, documented procedures in place regarding physical access to private data as well as the receipt or removal of hardware or software from a facility.

  • Organizations will be required to use encryption and message authentication controls to ensure that private data cannot be intercepted or otherwise violated during transmission over a network.

  • Organizations will be required to train employees on how to use privacy protections.

The proposals take into account the varying sizes and complexities of health care providers. The Health Department would require all providers to comply, but also would allow for differences in the sophistication of the security measures.

"This is not a one-size-fits-all security plan, but a carefully developed set of standards," Nancy-Ann DeParle, administrator of the Health Care Financing Administration, said in a statement. "They should ensure that individual records are secure while providing the flexibility for each health care business."

The financing agency mandates that Congress enact privacy protections by August 1999. If Congress does not do so, the act authorizes the health and human services secretary to implement privacy protections. Public comments on the proposals will be accepted until October 13.