Privacy Standards: Issues in HHS' Proposed Rule on Confidentiality of Personal Health Information - GAO Report
| Date: | April 26, 2000 |
| Report No.: | T-HEHS-00-106 |
| Pages: | 27 |
Subjects: Agency proceedings; Confidential communication; Electronic records; Health insurance; Internal controls; Jurisdictional authority; Medical information systems; Medical records; Medicare; Privacy law; Proposed legislation; Right of privacy; Health information privacy

Summary: The Department of Health and Human Services (HHS) issued proposed regulations in November 1999 to help ensure the confidentiality of patient data, as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). GAO found that HHS' regulatory strategies appear to be consistent with HIPAA's goal of protecting the privacy of health information and are legally permissible. By requiring that entities directly regulated by the rule--health plans, health care providers, and health care clearinghouses--control the information practices of entities with which they do business, HHS has attempted to fill an otherwise significant gap in privacy protection. HHS has covered the "paper progeny" of electronically maintained or transmitted health information--the privacy protections extended to individuals by HIPAA would be easy to circumvent if protected health information in an electronic record lost its protection merely by being printed. HHS' decision to build flexibility into the proposed rule by allowing the implementation of the standards to vary on the basis of an organization's size is also within its authority. Comments from many of the entities that will have to implement the policies reflect two overriding themes. First is a widespread acknowledgment of the importance of protecting the privacy of medical records. Second is a fundamental difference in the groups' positions that reflects the conflicts that sometimes arise between privacy and competing goals.

