provide civil and criminal penalties for unauthorized disclosure of patient records; require that records be kept of disclosures of patient data; and require the Department of Health and Human Services to draft standards for organizational protection of personal medical information. Under certain conditions, the proposal would also allow researchers, public health authorities, and health oversight organizations (e.g., licensing bodies, claims review organizations) to gain access to personal medical information without patient authorization or notification and would provide law enforcement authorities access to information without patient authorization but with notification under some circumstances. Much of the controversy over the legislative proposal revolves around these exceptions (Kolata, 1995; Schwartz, 1995). H.R. 3482 would, in addition, allow states to set stricter privacy rules and let patients designate some information (e.g., HIV status) as specifically protected (Page, 1996b).
An alternative to federal legislation establishing more uniform protection for personal medical information is the voluntary adoption of model state legislation (Eid, 1995). The American Medical Association, for example, has proposed model privacy legislation (AMA, 1995). Earlier model legislation drafted by the National Association of Insurance Commissioners in 1985 has not been widely and consistently adopted by states (Gelman, 1995).
In response to concerns from a wide variety of business, consumer, government, and other organizations, security systems and procedures have been developed to guard electronically stored and transmitted information against misuse (see, e.g., Hammond, 1992; OTA, 1993, 1995; WEDI, 1993; IOM, 1994b; Gilbert, 1995a; Young and Waters, 1995). In addition to protecting sensitive personal, commercial, and national security information, these procedures are also intended to protect organizations from intrusions that destroy, damage, or disrupt information and operating systems. They likewise help shield organizations from liability for damages resulting from lax security (e.g., if a hacker or disgruntled employee changed pharmacy orders or revealed information in patient records). Security measures include