WASHINGTON -- File cabinets with medical records are being locked. Callers to hospitals are getting little, if any, information about sick friends and relatives.
Pharmacy customers are being kept back from the desk so pharmacists can privately discuss medication with other patients.
Privacy rules that take effect today for most health plans will cover every health insurance company, hospital, clinic, doctor and pharmacy.
The rules, years in the making, prohibit disclosure, without patient permission, of information for reasons unrelated to health care. Violators face civil and criminal penalties that can mean up to $250,000 in fines and 10 years in prison.
"This is the biggest thing to hit the health care sector since Medicare," said Dr. Jeffrey N. Hausfeld, an ear, nose and throat doctor in the Washington area who has been advising his peers about the rules.
It is the first federal law that guarantees medical privacy. The rules were first written by the Clinton administration. The Bush administration allowed them to move ahead with some changes.
Patients will receive notices explaining their new rights, including the right to examine their medical records and to request corrections. Patients have a right to know if their records have been shared with law enforcement or with public health authorities.
The rules bar doctors and hospitals from giving out patient information to third parties for marketing purposes or to employers, unless a patient specifically agrees.
Health-care companies may not disclose information beyond what is minimally necessary to deliver care.
It is this last, broad requirement that is leading to adjustments in hospitals and doctors' offices, said Rick Campanelli, director of the Office for Civil Rights at the Health and Human Services Department.
The law allows for "incidental" disclosures of information, but those covered by the rule are expected to put in place "reasonable safeguards" to protect people's private information.
That means that in doctors' reception areas, sign-in sheets may be used, but patients should no longer be asked to write down their conditions because other patients see the sheet.
In an emergency room, the large white boards, where patient names and medical problems are listed, should be moved to areas out of public view.
In hospitals, patient charts should be turned to face the wall so people walking by cannot read them.
New computer software allows doctors' offices to identify patients by full name or just by initials, in case others might catch a glimpse of the screen.
Most hospitals have new policies about giving information about a patient's condition. Under the new rules, no information -- even that a patient is in the hospital -- may be released if a patient objects.
Even if a patient should agree to a general listing, hospitals may release only limited information without specific authorization and only if a caller asks about a patient by name.
The rules were authorized by a 1996 law called the Health Insurance Portability and Accountability Act.
They were created as part of a larger effort to allow for electronic exchange of patient information. Critics were concerned that once medical information was concentrated in electronic files, it could too easily land in the wrong hands. Thus, Congress mandated that privacy rules be put into place first.
"This is the best way to make sure that patients get the rights and protections that they expect," HHS Secretary Tommy Thompson said in a statement.
The smallest health plans will have an additional year to comply with the rules.