JAMA. Published online June 20, 2018.

Donald M. Berwick, MD, MPP; Martha E. Gaines, JD, LLM

“Knock, knock.”

“Who’s there?”

“HIPAA.”

“HIPAA, who?”

“I’m sorry, but I cannot disclose that.”

Clinicians and patients alike will laugh at this, but behind the laughter are anger and frustration. The Health Insurance Portability and Accountability Act (HIPAA), a law created to protect patients, has borne with it serious obstacles to effective care. How did this happen? What went wrong on the road to protecting privacy?

Passed in 1996, HIPAA was not originally a privacy law at all. Its primary intent was to assure “portability”: continuity of health insurance coverage as individuals changed jobs. In fact, the privacy part of the law was very brief. Congress had been debating a Patients’ Bill of Rights for some time, which was to include privacy rights as well as the right to sue insurers for wrongful denial of coverage; but Congress failed to pass such legislation. This prompted the Department of Health and Human Services (HHS) to create the privacy regulations governing transfer of records (paper or electronic) containing personal health information (PHI), designed to ensure patient safety and prevent insurance companies from using that information to manipulate coverage.

The regulations that compose the HIPAA Privacy Rule are complex and voluminous. (The 2013 update alone, regarding electronic medical records and e-health, is 563 pages long.[1]) However, these regulations coalesce around one simple rule: clinicians and health care organizations may not disclose PHI without patient permission unless that information is being used for treatment, payment, or health care operations. For these purposes, patient permission is assumed. In addition, organizations must release records to patients who ask for them and to HHS for enforcement purposes.
