HHS issues privacy standard for personal health records

HHS issues privacy standard for personal health records

By Matt McLaughlin

GCN Staff

DEC. 21—The Health and Human Services Department has issued the nation's first set of standards for protecting the privacy of personal health records.

The regulation:


  • limits the non-consensual use and release of private health information;

  • gives patients new rights to access their records and to know who else has accessed them;

  • restrict disclosure of most health information to the minimum needed for an intended purpose;

  • establishes new requirements for access to records by researchers and others; and

  • sets new civil and criminal penalties for violation of the rules.


The department was required to establish the regulation when Congress failed to pass a set of privacy rules for personal health records. HHS proposed a rule last year and issued the final version after receiving more than 52,000 comments. The final regulation covers all personal health information maintained by health care providers and clearinghouses, hospitals, and health plans and insurers on paper or in oral or electronic form.

The rule requires providers to get patients' consent for routine use and disclosure of health records, in addition to authorization for non-routine disclosures. Civil penalties for violation of the rules include fines up to $25,000 per year. Criminal punishment includes up to $250,000 and up to 10 years in prison.

The full text of the standards and a fact sheet about the regulation can be found at www.hhs.gov/ocr/hipaa.html.

inside gcn

  • cloud (Singkham/Shutterstock.com)

    TIC alternative gets FedRAMP approval

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group