[1] Confidentiality has become a growing concern. In the healthcare industry HIPAA regulations try to ensure an individual’s privacy by limiting access to medical records.HIPAA was enacted by Congress and signed into law by President William Clinton on August 21, 1996. The goal of HIPAA is to ensure that healthcare providers secure electronic records about patients in the same manner that hard copy records are secured. By securing the records, the healthcare industry can improve their level of services since improved security will lead to greater adoption of electronic transactions. One of the reasons that HIPAA was enacted was because the U.S. Federal Government wants all Medicare transactions to occur electronically by October 16, 2003. Before Congress could mandate patient records surrounding Medicare occur electronically, the security and privacy of patient records needed to be guaranteed.

Congress enacted HIPAA in response to the growing use of the Internet and electronic transactions. HIPAA is a privacy law to protect consumers from having their personal health information exploited by insurance companies, employers, and anyone else who may try to exploit, disclose, or publish their personal health information. In the Federal Register, HIPAA is more informally known as the Privacy Rule. Except in certain circumstances, individuals have the right to inspect, review and receive a copy of their medical and billing records that are held by health plans and healthcare providers. There are, however, some circumstances in which a patient would not be permitted to access his medical record. If a health care professional feels that the information requested could cause potential harm to either the patient or another individual, access could be denied. Other restricted health care information may include: psychotherapy notes, information gathered for legal proceedings, and laboratory results kept confidential by some research institutes.

Personal Health Information can be used for the following purposes, unrelated to health care:

1. As required by Law. Covered entities may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders.

2. For Public Health Activities. Covered entities may disclose protected health information to: public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect; entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance.

3. Victims of Abuse, Neglect or Domestic Violence. In certain circumstances, covered entities may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence.

4. Health Oversight Activities. Covered entities may disclose protected health information to health oversight agencies (as defined in the Rule) for purposes of legally authorized health oversight activities, such as audits and investigations necessary for oversight of the health care system and government benefit programs.

5. Judicial and Administrative Proceedings. Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal.

6. Decedents. Covered entities may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.

7. Cadaveric Organ, Eye, or Tissue Donation. Covered entities may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.

8. Serious Threat to Health or Safety. Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.

9. Workers’ Compensation. Covered entities may disclose protected health information as authorized by, and to comply with, workers’ compensation laws and other similar programs providing benefits for work-related injuries or illnesses.

HIPAA is far more complex than the Year 2000 date problem that information technology administrators faced in 1999, and that is why there are few guidelines available and few organizations providing compliancy services.