Health Information Technology
The primary federal legal protections against inappropriate health information sharing are the Health Insurance Portability and Accountability Act (HIPAA) and its Privacy and Security rules. This set of laws provides a uniform federal floor, or minimum, of privacy protections. HIPAA applies to "covered entities," or organizations that fall into one of the following categories:
- Health care providers, such as physicians, nurses, pharmacists and others who provide health care services;
- Health insurance plans; and
- Health care clearinghouses (companies that help process health information to facilitate the business aspects of health care).
The HIPAA Privacy Rule grants consumers the right to, among other things:
- Have access their medical records;
- Have their personal health information protected;
- Request corrections to their records;
- Be informed about how their health information is used; and
- File complaints related to the use or disclosure of their health information.
The HIPAA Security Rule, with protections that apply to electronic protected health information (ePHI), requires implementation of three types of safeguards: administrative, physical and technical. Covered entities must:
- Ensure the confidentiality, integrity and availability of all ePHI;
- Protect against any reasonably anticipated threats or hazards of ePHI;
- Protect against any reasonably anticipated uses or disclosures of ePHI not permitted or required under the HIPAA Privacy Rule; and
- Ensure their workforce complies with the HIPAA Security Rule.
Even greater protection than that set out in HIPAA may be provided through state laws, which are not pre-empted by HIPAA. Nevertheless, these protections may not always be sufficient in an electronic environment, since new players in the health care arena may not be covered entities, and therefore not subject to HIPAA. These new players may include companies that offer new ways for individuals to store and share their health data (such as Microsoft , which offers personal health records (PHRs)), or data mining companies.