future, particularly in light of the additional genetic information that will become available as a result of advances such as those associated with the human genome project. Already, evidence exists to support claims that individuals experience discrimination by employers, insurers, and others based on the existence of genetic predispositions to particular ailments rather than on manifestations of such ailments.[34] Furthermore, even if individuals are not necessarily subject to economic discrimination as the result of such information, they may well wish to limit the dissemination or availability of information that might be embarrassing (e.g., a history of sexually transmitted diseases, treatment for depression, or a familial history of alcoholism).
In an attempt to improve protections for health information, a number of bills were introduced in the 104th Congress to address the use and disclosure of health information and to establish civil and criminal penalties for misuse of such information. These included the Medical Records Confidentiality Act of 1995 (S. 1360), Fair Health Information Practices Act of 1995 (H.R. 435), Medical Privacy in the Age of New Technologies Act of 1996 (H.R. 3482), and Health Insurance Portability and Accountability (HIPA) Act of 1996 (H.R. 3103). The Fair Information Practices Act was reintroduced into the 105th Congress in January 1997. Of these, only HIPA has been signed into law.
HIPA contains several provisions regarding health data standards and health information privacy. The purposes of these provisions are (1) to improve the efficiency and effectiveness of the health care delivery system by standardizing the electronic exchange of administrative and financial data and (2) to protect the confidentiality and security of transmitted health information.
Under HIPA, the Secretary of Health and Human Services is required to adopt standards by February 1998 providing for a unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system. The Secretary is also required to adopt security standards that take into account (1) the technical capabilities of record systems used to maintain health information; (2) the costs of security measures; (3) the need for training persons who have access to health information; (4) the value of audit trails in computerized record systems;