Health Privacy

Advances in information technology, along with an increasing number of parties with access to identifiable health information, have created new challenges to maintaining the privacy of medical records. Patients and providers alike have expressed concern that broad access to medical records by insurers, employers, and others may result in inappropriate use of the information. Congress sought to protect the privacy of individuals' medical information as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA included a timetable for developing comprehensive privacy standards that would establish rights for patients with respect to their medical records and define the conditions for using and disclosing identifiable health information. The final privacy regulation offers all Americans the opportunity to know and, to some extent, control how physicians, hospitals, and health plans use their personal information. At the same time, these entities will face a complex set of privacy requirements that are not well understood at this time. Some of the uncertainty expressed by stakeholder groups reflects the recent issuance of the regulation. With time, everyone will have greater opportunity to examine its provisions and assess their implications for the ongoing operations of everyone affected. In addition, on a more fundamental level, the uncertainty stems from HHS' approach of allowing entities flexibility in complying with its requirements. Although organizations generally applaud this approach, they acknowledge that greater specificity would likely allay some of their compliance concerns.