National health information privacy: regulations under the Health Insurance Portability and Accountability Act.

Health information privacy is important in US society, but existing federal and state law does not offer adequate protection. The Department of Health and Human Services, under powers granted by the Health Insurance Portability and Accountability Act of 1996, recently issued a final rule providing systematic, nationwide health information privacy protection. The rule is extensive in its scope, applying to health plans, health care clearinghouses, and health care providers (hospitals, clinics, and health departments) who conduct financial transactions electronically ("covered entities"). The rule applies to personally identifiable information in any form, whether communicated electronically, on paper, or orally. The rule does not preempt state law that affords more stringent privacy protection; thus, the health care industry will have to comply with multiple layers of federal and state law. The rule affords patients rights to education about privacy safeguards, access to their medical records, and a process for correction of records. It also requires the patient's permission for disclosures of personal information. While privacy is an important value, it may conflict with public responsibilities to use data for social goods. The rule has special provisions for disclosure of health information for research, public health, law enforcement, and commercial marketing. The privacy debate will continue in Congress and within the president's administration. The primary focus will be on the costs and burdens on health care providers, the ability of health care professionals to use and share full medical information when treating patients, the provision of patient care in a timely and efficient manner, and parents' access to information about the health of their children.