HCFA develops draft standards for protecting privacy of medical data

HHS Secretary Donna Shalala says the department must expand the legal protections for patient
medical information.

The Health and Human Services Department last month proposed what it called a carefully
developed set of new national security standards to protect electronic medical records in
the United States.

The standards were ordered under the Health Insurance Portability and Accountability
Act of 1996 (HIPAA). The law doesn’t mandate the kind of technology that must be used
because institutions have different security requirements, HHS officials said.

“We’re confident the standards we’ve developed will meet the privacy
needs for an increasingly electronic environment,” said Gary Christoph, chief
information officer at HHS’s Health Care Financing Administration.

The standards include a digital signature standard to verify the identification of
signatures and to authenticate documents, Christoph said, and administrative requirements
for all health plans, health care providers and health care clearinghouses in the United
States that keep or send health information electronically.

“Doctors and health companies have ways of protecting private health information
about individuals, such as locking up records at the end of the day,” Christoph said.
“We are now proposing standards for the way they handle their electronic data.”

HCFA spent the past 18 months developing the standards, which were based on security
tools. The standards protect against improper access or alteration and loss of records,
Christoph said.

“This is not a one-size-fits-all security plan but a carefully developed set of
standards,” said Nancy-Ann DeParle, HCFA administrator. “They should ensure that
individual records are secure while providing the flexibility for each health care

For example, health care companies will need to develop a plan to protect individual
health information in databases and during Internet and intranet transmission, Christoph

The standards also require training for employees and secure physical access to
records, he said.

HIPAA mandated that HHS recommend methods of protecting health information to Congress,
Christoph said.

Congress has until August 1999 to enact privacy legislation. If Congress fails to enact
legislation by then, HIPAA lets HHS implement the standards through HHS regulations,
Christoph said.

The standards are one of a series of administrative simplification efforts required
under HIPAA. Another HIPAA-required proposal includes standards for a uniform electronic
health care claim form, said Campbell Gardett, HHS spokesman.

HIPAA also requires HHS to establish standards for unique identifier numbers for health
care providers, employers and health plans, Gardett said.

The Clinton administration has said there will be no patient identifier numbers until
privacy protections are in place, Gardett said.

“Electronic medical records can give us greater efficiency and lower cost. But
those benefits must not come at a loss of privacy,” HHS Secretary Donna H. Shalala
said. “The proposals will help protect against one kind of threat—the
vulnerability of information in electronic formats.”

There need to be broader legal protections for the privacy of medical records, she said.

