Remarks by the President on Medical Privacy

Speech

By: William Jefferson Clinton

Date: December 20, 2000

Source: Department of Health and Human Services. "Remarks by the President on Medical Privacy." December 20, 2000. 〈http://www.hhs.gov/ocr/whpress.html〉 (accessed September 22, 2005).

About the Author: William Jefferson Clinton (more popularly known as Bill Clinton) was the forty-second President of the United States. Clinton served two terms as president from 1993 to 2001, making him the first democratic president since Franklin D. Roosevelt (1882–1945) to win a second term. In his 2000 speech, Clinton urged Congress to take action to further strengthen regulations governing the privacy of individual medical records.

INTRODUCTION

With an increase in the dependence on information technology and the gaining popularity of electronic media, the issue of individual privacy rights for records came to the forefront of American society in the 1990s. The health care system relies heavily on medical information for making better-informed decisions about an individual's care. Until the 1990s, maintaining the confidentiality of medical records was not a major issue. However, with the advent of many fundamental reforms, such as third party insurance plans, bigger involvement of government agencies, and easy access to medical records by entities outside of the health care industry aided by the computer automation of the records, many Americans perceived medical privacy as under threat.

To partially counter this problem, Congress passed the Health Insurance Portability and Accountability Act in 1996 (more commonly known as HIPAA). HIPAA, which is monitored by the Department of Health and Human Services (HHS), was created mainly to enhance the access of health insurance coverage to the average citizen of America. Although the act mentioned some of the privacy concerns related to medical information, few specific initiatives were included. In 1997, HHS made specific medical privacy recommendations to Congress. These recommendations paved the way for the HIPAA Standards for Privacy of Individually Identifiable Health Information, also known as the Privacy Rule, issued by the Clinton administration in December 2000. The text titled "Remarks by the President on Medical Privacy," as the name suggests, is a transcript of remarks made by Clinton while issuing this rule. The HIPAA Privacy Rule went into effect on April 14, 2001.

PRIMARY SOURCE

… Look, we're having a good time today, but I want to take a moment to be very, very serious. We say that we are a free nation in a world growing increasingly free. And in so many ways, that is literally true. During the period in which I was President, I was fortunate enough to serve here at a time when, for the first time in all of human history, more than half the people on the globe live under governments of their own choosing.

Now, that's a wonderful thing. That's one manifestation of freedom. Then, there's free speech, the freedom of the press, the right to travel. And also, I might add, minority rights of all kinds, restrictions on the ability of government to compromise the fundamental interests and rights of those who may not agree with the majority.

But we must never forget, in this age of increasing interdependence, fueled by an explosion in information technology that is completely changing the way we work and live and relate to each other, that increasingly, we will have to ask ourselves: Does our freedom include privacy? Because there are new and different ways for that privacy to be restricted.

In 1928, Justice Brandeis wrote his famous words saying that privacy was "the right most valued by civilized people," and he defined it simply as the right to be left alone.

Nothing is more private than someone's medical or psychiatric records. And, therefore, if we are to make freedom fully meaningful in the Information Age, when most of our stuff is on some computer somewhere, we have to protect the privacy of individual health records.

The new rules we release today protect the medical records of virtually every American, they represent the most sweeping privacy protections ever written, and they are built on the foundation of the bipartisan Kennedy-Kassebaum legislation I signed four years ago.

This action is required by the great tides of technological and economic change that have swept through the medical profession over the last few years. In the past, medical records were kept on paper by doctors and stored in file cabinets by nurses; doctors and nurses, by and large, known to their patients. Seldom were those records shared with anyone outside the doctor's office.

Today, physicians increasingly store them electronically, and they are now obliged to share those records in paper or electronic form with insurance companies and other reviewers. To be sure, storing and transmitting medical records electronically is a remarkable application of information technology. They're cost-effective; they can save lives by helping doctors to make quicker and better-informed decisions.

But it is quite a problem that, with a click of a mouse, your personal health information can be accessed without your consent by people you don't know who aren't physicians, for reasons that have nothing to do with your health care. It doesn't take a doctor to understand that is a prescription for abuse.

So, the rules that we release today have been carefully crafted for this new era, to make medical records easier to see for those who should see them, and much harder to see for those who shouldn't. Employers, for instance, shouldn't see medical records, except for limited reasons, such as to process insurance claims. Yet, too often they do, as you just heard.

A recent survey showed that more than a third of all Fortune 500 companies check medical records before they hire or promote. One large employer in Pennsylvania had no trouble obtaining detailed information on the prescription drugs taken by its workers, easily discovering that one employee was HIV positive. That is wrong. Under the rules we released today, it will now be illegal.

There's something else that's really bothered me too, for years, and that is that private companies should not be able to get hold of the most sensitive medical information for marketing purposes. Yet, too often, that happens as well. Recently, expectant mothers who haven't even told their friends the good news are finding sales letters for baby products in their mailboxes. That's also wrong. And under these new rules, it will also be illegal.

Health insurance companies should not be able to share medical records with mortgage companies who might be able to use them to deny you a loan. That actually happens today, but under these rules, it will be illegal. Health insurance companies shouldn't be able to keep you from seeing your own medical records; up to now, they could. Under these rules, they won't be able to do that anymore.

Under the rules being issued today, health plans and providers will have to tell you up front who will and won't be allowed to see your records. And under an executive order I am issuing today, the federal government will no longer have free reign to launch criminal prosecutions based on information gleaned from routine audits of medical records.

With these actions today, I have done everything I can to protect the sanctity of individual medical records. But there are further protections our families need that only Congress can provide. For example, only new legislation from Congress can make these new protections fully enforceable, and cover every entity which holds medical records. So I urge the new Congress to quickly act to provide these additional protections….

SIGNIFICANCE

Medical records contain considerable personal information including an individual's complete medical history, details about his or her lifestyle, lab tests, medications taken in the past or present, and additional information such as health insurance numbers and Social Security number. Prior to the Privacy Rule, private companies could obtain these records from insurance firms and use them for their own marketing purposes. Employers were also often privy to detailed medical information about their employees. Under the HIPAA Privacy Rule, employers cannot access employee medical information unless they process the employee's insurance claims. Violation of these rights result in fines and/or prosecution.

The HIPAA Privacy Rule identifies all sensitive and confidential information within a medical record as Protected Health Information (PHI). In addition to the restricted access by organizations outside of the health care industry, any individual has the following rights under this rule (as stated by the HHS and Electronic Privacy Information Center (EPIC):

• Right to access, inspect, and copy PHI held by hospitals, clinics, health plans, and other entities
• Right to request amendments to PHI
• Right to request an accounting of disclosures that have been made without authorization to anyone other than the individual for purposes other than treatment, payment, and health care operations
• Right to request confidential communications of PHI
• Right to request restrictions on uses or disclosures, although the covered entity receiving the request is not obligated to accept it.

Portions of the HIPAA Privacy Rule were amended on August 14, 2002, in an effort to simplify and standardize requirements by health care providers and to allow medical records to be disclosed under certain conditions, including public health surveillance and law enforcement activities.

FURTHER RESOURCES

Books

Kennedy, Edward M. Oversight On Medical Privacy: Hearing Before The Committee On Health, Education, Labor, and Pensions, U.S. Senate Collingdale, Pa.: Diane, 2004.

Sullivan, June M. HIPAA: A Practical Guide to the Privacy and Security of Health Data. Chicago: American Bar Association, 2005.

Web sites

Electronic Privacy Information Center. "Medical Privacy." July 8, 2004. 〈http://www.epic.org/privacy/medical〉 (accessed September 23, 2005).

Privacy Rights Clearinghouse. "How Private is My Medical Information?" February 2004. 〈http://www.privacyrights.org/fs/fs8-med.htm〉 (accessed September 23, 2005).