under what circumstances.[7] Whether this confusion merely reflects a transitional effect between pre-HIPAA and post-HIPAA regimes remains to be seen.

The requirement for training has been seen by some as a way of changing the culture of the medical provider profession in a way that is positive albeit costly. The impact on researchers, especially those wishing to do large-scale and long-term investigations across sets of medical records, is currently unknown; however, the formulation of the privacy regulation has created a mechanism for dialog between researchers and regulators.

Finally, there remains the question of enforcement of HIPAA’s privacy regulations. In June 2006, the Washington Post reported that in the 3 years since the HIPAA regulations went into force, thousands of complaints alleging violations have resulted in two criminal prosecutions, no civil fines, and many agreements to fix problems that may have occurred without any penalty.[8] These complaints have included allegations that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained, and that patients were frustrated in obtaining their own records. One administration official was quoted as saying that “our first approach to dealing with any complaint is to work for voluntary compliance.” Critics have asserted, however, that a lack of aggressive enforcement has made providers and insurers complacent about complying.

In the long run, an enforcement regime of some sort is likely to be needed to ensure substantial compliance with the regulations. But as with the confusion about the circumstances under which what personal health information may be provided to which parties, the long-term results of the current approach to compliance remain to be seen.

Patient Perspectives on Privacy
Notifications of Privacy Policy

As noted above, HIPAA mandates a number of privacy protections for personal health information. The concept of informed consent is important to these protections, and thus health care providers are required to


[7] Rob Stein, “Patient Privacy Rules Bring Wide Confusion: New Directives Often Misunderstood,” Washington Post, August 18, 2003, available at http://www.washingtonpost.com/ac2/wp-dyn/A7124-2003Aug17.


[8] Rob Stein, “Medical Privacy Law Nets No Fines: Lax Enforcement Puts Patients’ Files at Risk, Critics Say,” Washington Post, June 5, 2006, available at http://www.washingtonpost.com/wp-dyn/content/article/2006/06/04/AR2006060400672_pf.html.

Copyright © National Academy of Sciences. All rights reserved.