CONFIDENTIALITY OF PATIENT INFORMATION

In 1996, Congress directed the Department of Health and Human Services (HHS) to issue regulations governing confidentiality of individuals’ health information should Congress fail to enact legislation establishing such protections by August 1999.  Because Congress was unsuccessful in passing such legislation, as instructed in the Health Insurance Portability and Accountability Act (HIPAA), HHS issued regulations.  Since April 2003, health care providers, plans, and clearinghouses have been subject to the HIPAA privacy standards, which govern the use and disclosure of health information.  These regulations strike the appropriate balance between protecting the privacy of a patient’s medical information and ensuring that necessary information is available for providing quality health care and conducting vital medical research.  However, the privacy rule does not govern health information exchanges of some organizations holding electronic personal health records, which has led some to call for expansion of HIPAA's "covered entities." And, though the HIPAA privacy rule established a national standard, it permits significant state variation that makes complying with all applicable rules unnecessarily complex and presents a barrier to adoption of health information technology (HIT).