Donna Shalala says the department must expand the legal protections for patient
The Health and Human Services Department last month proposed what it called a carefully
developed set of new national security standards to protect electronic medical records in
the United States.
The standards were ordered under the Health Insurance Portability and Accountability
Act of 1996 (HIPAA). The law doesn't mandate the kind of technology that must be used
because institutions have different security requirements, HHS officials said.
"We're confident the standards we've developed will meet the privacy
needs for an increasingly electronic environment," said Gary Christoph, chief
information officer at HHS's Health Care Financing Administration.
The standards include a digital signature standard to verify the identification of
signatures and to authenticate documents, Christoph said, and administrative requirements
for all health plans, health care providers and health care clearinghouses in the United
States that keep or send health information electronically.
"Doctors and health companies have ways of protecting private health information
about individuals, such as locking up records at the end of the day," Christoph said.
"We are now proposing standards for the way they handle their electronic data."
HCFA spent the past 18 months developing the standards, which were based on security
tools. The standards protect against improper access or alteration and loss of records,
"This is not a one-size-fits-all security plan but a carefully developed set of
standards," said Nancy-Ann DeParle, HCFA administrator. They should ensure that
individual records are secure while providing the flexibility for each health care
For example, health care companies will need to develop a plan to protect individual
health information in databases and during Internet and intranet transmission, Christoph
The standards also require training for employees and secure physical access to
records, he said.
HIPAA mandated that HHS recommend methods of protecting health information to Congress,
Congress has until August 1999 to enact privacy legislation. If Congress fails to enact
legislation by then, HIPAA lets HHS implement the standards through HHS regulations,
The standards are one of a series of administrative simplification efforts required
under HIPAA. Another HIPAA-required proposal includes standards for a uniform electronic
health care claim form, said Campbell Gardett, HHS spokesman.
HIPAA also requires HHS to establish standards for unique identifier numbers for health
care providers, employers and health plans, Gardett said.
The Clinton administration has said there will be no patient identifier numbers until
privacy protections are in place, Gardett said.
"Electronic medical records can give us greater efficiency and lower cost. But
those benefits must not come at a loss of privacy," HHS Secretary Donna H. Shalala
said. "The proposals will help protect against one kind of threat: the
vulnerability of information in electronic formats."
"There need to be broader legal protections for the privacy of medical records," she said.