HCFA develops draft standards for protecting privacy of medical data

HHS Secretary
Donna Shalala says the department must expand the legal protections for patient
medical information.

The Health and Human Services Department last month proposed what it called a carefully
developed set of new national security standards to protect electronic medical records in
the United States.

The standards were ordered under the Health Insurance Portability and Accountability
Act of 1996 (HIPAA). The law doesn’t mandate the kind of technology that must be used
because institutions have different security requirements, HHS officials said.

“We’re confident the standards we’ve developed will meet the privacy
needs for an increasingly electronic environment,” said Gary Christoph, chief
information officer at HHS’s Health Care Financing Administration.

The standards include a digital signature standard to verify the identification of
signatures and to authenticate documents, Christoph said, and administrative requirements
for all health plans, health care providers and health care clearinghouses in the United
States that keep or send health information electronically.

“Doctors and health companies have ways of protecting private health information
about individuals, such as locking up records at the end of the day,” Christoph said.
“We are now proposing standards for the way they handle their electronic data.”

HCFA spent the past 18 months developing the standards, which were based on security
tools. The standards protect against improper access or alteration and loss of records,
Christoph said.

“This is not a one-size-fits-all security plan but a carefully developed set of
standards,” said Nancy-Ann DeParle, HCFA administrator. “They should ensure that
individual records are secure while providing the flexibility for each health care

For example, health care companies will need to develop a plan to protect individual
health information in databases and during Internet and intranet transmission, Christoph

The standards also require training for employees and secure physical access to
records, he said.

HIPAA mandated that HHS recommend methods of protecting health information to Congress,
Christoph said.

Congress has until August 1999 to enact privacy legislation. If Congress fails to enact
legislation by then, HIPAA lets HHS implement the standards through HHS regulations,
Christoph said.

The standards are one of a series of administrative simplification efforts required
under HIPAA. Another HIPAA-required proposal includes standards for a uniform electronic
health care claim form, said Campbell Gardett, HHS spokesman.

HIPAA also requires HHS to establish standards for unique identifier numbers for health
care providers, employers and health plans, Gardett said.

The Clinton administration has said there will be no patient identifier numbers until
privacy protections are in place, Gardett said.

“Electronic medical records can give us greater efficiency and lower cost. But
those benefits must not come at a loss of privacy,” HHS Secretary Donna H. Shalala
said. “The proposals will help protect against one kind of threat—the
vulnerability of information in electronic formats.”

There needs to broader legal protections for the privacy of medical records, she said.


  • Pierce County

    CARES dashboard ensures county spending delivers results

    The CARES Act Funding Outcomes Dashboard helps Pierce County, Wash., monitor funding and key performance indicators for public health emergency response, economic stabilization and recovery, community response and resilience, and essential government services.

  • smart city challenge

    AI-based traffic management improves mobility, saves fuel, cuts pollution

    Researchers are developing a dynamic feedback traffic signal control system that reduces corridor-level fuel consumption by 20% while maintaining a safe and efficient transportation environment.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.