In enacting HIPAA, the United States Congress mandated the establishment of Federal standards for the privacy of individually identifiable health care information. For personal information that moves across hospitals, doctors' offices, insurance companies or third-party payers, and State lines, our country has relied on a patchwork of Federal and State laws. Under the patchwork of laws that existed before the adoption of HIPAA and the Privacy Rule, personal health information could be distributed, without either notice or authorization, for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise restricted by State or local law, without the Privacy Rule patient information held by a health plan could, without the patient's authorization, be passed on to a lender who could then deny the individual's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a Federal floor of safeguards to protect the privacy of medical information. State laws that provide stronger privacy protections will continue to apply over and above the new Federal privacy standards.
Health care providers have a strong tradition of protecting private health information. Nonetheless, in today's world, the old system of paper records in locked filing cabinets is not enough. With information widely held and transmitted electronically, the Rule provides clear standards for the protection of personal health information.