HIPAA regulations - a new era of medical-record privacy?

Although the regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regarding the privacy of medical records are new, 1 the concept of using federal law to protect the privacy of medical records is not. The substance of the new regulations can be traced back to work done in the 1970s, especially the report of the Privacy Protection Study Commission, which helped to articulate the case for national privacy standards for a variety of records kept on citizens. 2 The Clinton Health Security Act contains a separate section entitled “Privacy of Information” that sets forth the framework for the national standards created by the HIPAA regulations. 3 Provisions for the privacy of medical records became part of HIPAA, 4 which authorized the secretary of Health and Human Services to promulgate regulations to protect the privacy of health information in which the patient is identifiable in the event that Congress did not enact legislation on this subject (which it did not). In the context of the Clinton health plan, rules for the privacy of medical records were part of a much broader package whose main aim was to provide access to health insurance for all Americans. Now regulations for medical-record privacy have arrived alone. I believe the new regulations are excessively and unnecessarily complex and often more attuned to making sure that businesses and government agencies get access to medical records than to the protection of patients’ privacy. The debate over the content and effect of the HIPAA regulations has been fierce over the past four years and is likely to intensify in the post–September 11 era of surveillance, which has brought even more proposals to authorize virtually unlimited access to medical records by national security, law-enforcement, and public health agencies. 5-7