Clinton issues rules on privacy of medical records

U.S. President Bill Clinton on Wednesday issued new rules designed to safeguard the privacy of medical records in response to heightened public concern that their most private data easily could be disclosed using new information technologies.

The rules apply to health insurers, doctors, pharmacies and other organizations that collect personal medical information, Clinton said in an appearance at the Health and Human Services Department. In announcing the new rules, which are expected to be fully implemented within two years, Clinton acknowledged that the pervasiveness of new technologies, including the use of computer storage systems in doctors’ offices and the amount of data stored by insurance companies, has convinced a majority of Americans that they have lost control of their personal information.

Not long ago a medical record was something filled out by hand, stored in a filing cabinet at a doctor’s office and seldom shared with anyone, Clinton said. Now doctors and insurers commonly store medical records electronically and can easily send the data outside their offices.

“It is quite a different thing when with the click of a mouse your personal information can be accessed … by people who have nothing to do with your health care,” Clinton said.

Companies that obtain an individual’s medical information for marketing purposes are among the most disturbing, Clinton said, citing a case of an expectant mother who started receiving information in the mail from companies selling baby items before she had told her friends and family that she was pregnant. Credit applications are another concern because there is currently no law preventing an insurer from passing on medical information to a lender, who might then decide not to issue a loan based on the applicant’s health record.

Clinton joined Health and Human Services Secretary Donna Shalala in introducing the rules, which they said were the first federal standard for protecting American’s personal health records, an improvement over the current loose patchwork of state laws.

The new rules also require health insurers and health care providers to inform consumers how their health information is being used and to whom it is disclosed. Doctors and hospitals must obtain a patient’s written consent to use their health information and they must give patients access to their health file, which they have the right to correct or amend. Criminal and civil penalties for improper use or disclosure of medical information are also set under the new rules.

The Health and Human Services Department can be reached at