1. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was the most significant legislation affecting the health care field since the Medicare and Medicaid programs were introduced in 1965. The Administrative Simplification provisions contained new requirements for the uniform transfer of electronic health care data such as for billing and payment; new patient rights regarding personal health information, including the right to access this information and to limit its disclosure; and broad new security rules that health care organizations must put in place to safeguard the confidentiality of patients' medical information.2. The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI). It requires covered entities (CEs) to have appropriate privacy policies and procedures and to notify patients about their privacy rights and about how their information can be used or disclosed. The CE must train employees so that they understand the privacy practices. The CE must appoint a staff member to be responsible for seeing that the privacy practices are adopted and followed. Finally, CEs must safeguard patients' health records.3. Protected health information (PHI) can be released without patients' authorization when a covered entity uses it for health care treatment, payment, or operations. In addition, the rules for use and disclosure do not apply to the release of PHI in certain circumstances, such as public health, law enforcement, research, workers' compensation cases, and national security situations. There are no restrictions on the use or disclosure of de-identified health information.4. Threats to the security of electronic information can come from a number of sources, including individuals; environmental hazards such as floods, wind, and lightning; and computer hardware, software, and networks.5. The HIPAA Security Rule requires medical offices to establish safeguards to protect the confidentiality, integrity, and availability of health information that is stored on a computer system or transmitted across computer networks, including the Internet. The security standards are divided into three categories: administrative, physical, and technical safeguards. Administrative safeguards are policies and procedures designed to protect electronic health information. Physical safeguards are mechanisms to protect electronic systems, equipment, and data from environmental hazards and unauthorized intrusion. Technical safeguards are automated processes to protect data and to control access to data.6. The rise in the use of information technology may place protected health information at increased security risk. A greater volume of confidential clinical patient information is available in electronic form, and there are many more points of access to that information. In addition, the use of portable computing and storage devices increases the possibility of lost data or stolen devices. Existing privacy laws may not cover some new types of companies that have entered the health care market.7. Since HIPAA was enacted in 1996 and the HIPAA Privacy Rule (2003) and Security Rule (2005) went into effect, the field of health information technology has changed dramatically. Increasingly, an individual's personal health information is accessed, maintained, and exchanged by groups that may not be covered under current HIPAA privacy laws. Examples of groups that may not be covered are regional health information exchanges (RHIOs), providers of personal health records (PHRs), and overseas business associates. In addition, conflicts in state privacy laws must resolved to determine how state laws apply to transmission across state lines.8. Patients must sometimes reveal sensitive information to their providers. They do this because they trust their providers to keep the information confidential. Individuals who lack trust may withhold important information, which could result in inappropriate diagnoses. Reports of computer security breaches appear in newspapers, on the Internet, and on television news on a regular basis. If individuals do not believe that their personal information will be secure in an electronic system, they may not share health information with their providers. This can undermine the public's willingness to participate in an electronic health record system.
