WASHINGTON File cabinets with medical records are being locked. Callers to hospitals are getting little, if any, information about sick friends and relatives.
Pharmacy customers are being kept back from the desk so pharmacists can privately discuss medication with other patients.
Privacy rules that take effect today for most health plans will cover every health insurance company, hospital, clinic, doctor and pharmacy.
The new Health Insurance Portability and Accountability Act rules, years in the making, prohibit disclosure, without patient permission, of information for reasons unrelated to health care. HIPAA violators face civil and criminal penalties that can mean up to $250,000 in fines and 10 years in prison.
"This is the biggest thing to hit the health-care sector since Medicare," said Dr. Jeffrey N. Hausfeld, an ear, nose and throat doctor in the Washington area who has been advising his peers about the rules.
It is the first federal law that guarantees medical privacy. The rules were first written by the Clinton administration. The Bush administration allowed them to move ahead with some changes.
Patients will receive notices explaining their new rights, including the right to examine their medical records and to request corrections. Patients have a right to know if their records have been shared with law enforcement or with public-health authorities.
The rules bar doctors and hospitals from giving out patient information to third parties for marketing or other purposes or to employers, unless a patient specifically agrees.
Most hospitals have new policies about giving information about a patient's condition. This was once routinely provided to family, friends, clergy and news reporters who called. Under the new rules, hospitals must give patients a chance to opt out of being listed in any hospital patient directory.
No information even that a patient is in the hospital may be released if a patient objects. Even if a patient should agree to a general listing, hospitals may release only limited information without specific authorization and only if a caller asks about a patient by name.
The biggest impact may be on news organizations that routinely call hospitals to learn the condition of people injured in crimes, car accidents and other noteworthy events. Reporters will have to know the name of a patient before any information is released.
Frank Gibson, political editor for The Tennessean newspaper in Nashville and chairman of the Tennessee Press Association's Freedom of Information committee, said that rule will make it tough for small-town reporters. And he said hospitals almost certainly will be overprotective of such information.
"I think maybe it's gone a little bit too far. I understand the need for doctors to protect intimate information, but if the mayor was involved in a wreck and you can't get the hospital to tell you how serious it is, that's a problem," Gibson said.
There are exceptions for disasters, such as the Greyhound bus hijacking and crash in Manchester, Tenn., in 2001 that killed seven people and injured 34.
John Howser, spokesman for Vanderbilt University Medical Center in Nashville, said in a case like that, in which the hospital treated eight people, he could disclose the number of patients, their gender, age groups and medical condition in general terms.
"In those instances, it would be to the general benefit to the public ... and hopefully offer information relevant to families finding their loved ones," he said.
Other than that, HIPAA won't even allow a hospital to say when a patient has been released or transferred. Hospitals may tell callers that a patient has died, but they cannot give the time or cause of death without permission from next-of-kin.
Also under the rules, health-care companies may not disclose information beyond what is minimally necessary to deliver care.
It is this last, broad requirement that is leading to adjustments in hospitals and doctor's offices, said Rick Campanelli, director of the Office for Civil Rights at Health and Human Services Department.
The law allows for "incidental" disclosures of information, but those covered by the rule are expected to put in place "reasonable safeguards" to protect people's private information. That means that in doctor's reception areas, sign-in sheets may be used, but patients should no longer be asked to write down their conditions because other patients see the sheet.
In an emergency room, the large white boards, where patient names and medical problems are listed, should be moved to areas out of public view. In hospitals, patient charts should be turned to face the wall so people walking by cannot read them.
New computer software allows doctor's offices to identify patients by full name or just by initials, just in case others might catch a glance of the screen.
The rules were authorized by a 1996 law called the Health Insurance Portability and Accountability Act. They were created as part of a larger effort to allow for electronic exchange of patient information. Critics were concerned that once medical information was concentrated in electronic files, it could too easily land in the wrong hands. Thus, Congress mandated that privacy rules be put into place first.
"This is the best way to make sure that patients get the rights and protections that they expect," HHS Secretary Tommy Thompson said in a statement.
The smallest health plans will have an additional year to comply with the rules.