Health information privacy is important in US society, but existing
federal and state law does not offer adequate protection. The Department of
Health and Human Services, under powers granted by the Health Insurance Portability
and Accountability Act of 1996, recently issued a final rule providing systematic,
nationwide health information privacy protection. The rule is extensive in
its scope, applying to health plans, health care clearinghouses, and health
care providers (hospitals, clinics, and health departments) who conduct financial
transactions electronically ("covered entities"). The rule applies to personally
identifiable information in any form, whether communicated electronically,
on paper, or orally. The rule does not preempt state law that affords more
stringent privacy protection; thus, the health care industry will have to
comply with multiple layers of federal and state law. The rule affords patients
rights to education about privacy safeguards, access to their medical records,
and a process for correction of records. It also requires the patient's permission
for disclosures of personal information.
While privacy is an important value,
it may conflict with public responsibilities to use data for social goods.
The rule has special provisions for disclosure of health information for research,
public health, law enforcement, and commercial marketing. The privacy debate
will continue in Congress and within the president's administration. The primary
focus will be on the costs and burdens on health care providers, the ability
of health care professionals to use and share full medical information when
treating patients, the provision of patient care in a timely and efficient
manner, and parents' access to information about the health of their children.