In 1996, Congress directed the Department of Health and Human Services (HHS) to issue regulations governing the confidentiality of individuals’ health information should Congress fail to enact legislation establishing such protections by August 1999. Because Congress did not pass such legislation, HHS issued regulations as instructed in the Health Insurance Portability and Accountability Act (HIPAA). Since April 2003, healthcare providers, plans, and clearinghouses have been subject to the HIPAA privacy standards, which govern the use and disclosure of health information. In these regulations, the Clinton and Bush administrations sought to strike a careful balance between protecting the privacy of a patient’s medical information and allowing the access to that information needed for providing quality healthcare and conducting medical research. Recently, some policymakers have expressed concern that new legislation and regulation were required to address a lack of privacy protections in certain instances. Notably, third-party entities that operate electronic personal health records are not regulated by the original Privacy Rule. The American Recovery and Reinvestment Act of 2009 created new law and provided for subsequent rulemaking to create additional provisions aimed at protecting the privacy of health information. In addition to these new policies and the original HIPAA Privacy Rule, which established a national standard, states may also enact additional privacy standards. This results in variation from state to state in the applicable medical privacy rules. Such complexity can pose a barrier to the adoption of health information technology, a barrier that some organizations have already begun to address.