Health Policy Monitor

Federal Health Privacy Rule Update

Partner Institute: 
Institute for Global Health (IGH), University of California Berkeley/San Francisco
Survey no: 
Carol Medlin, Institute for Global Health, UCSF; Anita Lee, MPA candidate, UC Berkeley; Sarah Weston, Institute for Global Health, UCSF
Health Policy Issues: 
System Organisation/ Integration, Others, Responsiveness
Accountability, privacy
Reform formerly reported in: 
Federal Health Privacy Rule
Current Process Stages
Implemented in this survey? Idea: no; Pilot: no; Policy Paper: no; Legislation: no; Implementation: yes; Evaluation: no; Change: no


The federal health privacy rules came into effect in April of this year. The rules, which provide a minimum standard of confidentiality, have been implemented fairly smoothly, although serious concerns persist about the cost and increased bureaucracy in a time of economic recession. California, with some of the most stringent privacy law in the nation, is involved in an ongoing process of determining where the state's existing laws will preempt the federal standards.

Purpose of health policy or idea


The Standards for Privacy of Individually Identifiable Health Information (the Federal Health Privacy Rule) are the first federal standards to protect the privacy of patients' medical records and health information provided to health care providers and health plans. The Rule came into effect in April this year. These standards were adopted pursuant to the Health Insurance Portability and Accountability Act (HIPAA), a piece of legislation for insurance reform and administrative simplification. Certain small health plans have a one-year extension beyond the April 2003 deadline for compliance with the Rule.


With HIPAA aiming to improve the efficiency and effectiveness of the health care system through administrative simplification and electronic transmission of certain health information, the confidentiality of patient health information is perceived to be at risk. Individually identifiable health information becomes more readily accessible as a consequence of the more efficient transmission of health information. The Privacy Rule therefore grew out of the need to protect the security and privacy of personal health information. Prior to the adoption of the Privacy Rule, only a patchwork of Federal and State laws protected the privacy of personal information that moves across providers, insurers or third party payers, and State lines. Thus personal health information could be distributed, without either notice or authorization, for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by State or local law, patient information held by a health plan could, without the patient's permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions.

The Privacy Rule establishes a uniform floor of federal safeguards to protect the confidentiality of medical information. While the Privacy Rule generally preempts contrary state laws, it permits contrary state laws that are "more stringent" than the Privacy Rule to remain in place. That means State laws that provide stronger privacy protections will continue to apply over and above the new federal standards. California, for example, already has privacy standards that are among the most stringent in the nation, so the adjustments needed for Californian state agencies and other covered entities to become compliant with the Privacy Rule have not presented a major problem. There is broad consensus as to the critical necessity of the Privacy Rule and a concerted effort by all concerned to make it happen. Even so, the time and resources devoted to setting up the systems and procedures to comply explicitly with the Federal Privacy Rule are considerable, as implementation of the Privacy Rule is complex and painstaking.


Under the Privacy Rule, patients have federal protection over the privacy of their medical records, their rights to access and to correct errors in their medical records, the rights to control how their protected health information is used and disclosed, and they have a clear channel of redress should their rights be violated. 

The main characteristics of these standards in the Federal Health Privacy Rule are:

  • Patients can see and obtain copies of personal medical records, and these are to be provided normally within 30 days.
  • Patients can amend or correct protected health information.
  • Patients have the right to request restrictions on certain uses and disclosures of protected health information.
  • Patients have the right to receive an accounting of certain disclosures of their protected health information.
  • Patients are to be given, and have to acknowledge receipt of, a notice on how their personal medical information may be used and on their rights under the new privacy regulation.
  • Covered entities are limited in how they can use individually identifiable health information, though this does not include releasing information for medical care purposes.
  • New restrictions are set on the use of patient information for marketing purposes. Releasing information for such purposes requires the patient's specific authorization.
  • Patients can request that providers take reasonable steps to communicate with them in a confidential manner.


Characteristics of this policy

Degree of Innovation (traditional to innovative): innovative
Degree of Controversy (consensual to highly controversial): neutral
Structural or Systemic Impact (marginal to fundamental): rather fundamental
Public Visibility (very low to very high): very high
Transferability (strongly system-dependent to system-neutral): rather system-neutral

Political and economic background

The years during which the provisions of the Privacy Rule were discussed (from 1996, when HIPAA was enacted, to 2002, when the final amendments to the Privacy Rule were made) coincided with a period of economic prosperity in the country at the beginning, followed by an economic slowdown from 2001 onwards. The rate at which health care costs increase also surged again in 1999 after a period of slower growth. Detractors see the Privacy Rule as costly, and regard the huge investment necessary to achieve compliance as a burden on health care costs. Proponents, however, see the Privacy Rule as contributing to higher quality of care that in the final analysis will help to lower costs.

Politically, the Democratic Clinton Administration came to an end in 2000, and the Republican Bush Administration is perceived as catering more to major business interests. It was under the Bush Administration that the final amendments to the privacy regulations compromised on the stricter requirements conceived under the Clinton Administration.

Overall, the Privacy Rule under HIPAA enjoys fairly broad consensus as something vital and critical, given that with advancement in medical technology and electronic technology, privacy of personal medical information is at greater risk than ever before.

Purpose and process analysis


Origins of health policy idea

The main driving force for the Privacy Rule is the concern that, as electronic transmission of personal health data becomes common practice in the industry, personal health information becomes more readily and easily accessible. Such a rule is considered a much-needed improvement over the existing system, which left sensitive information at the mercy of a patchwork of state protections (USA Today editorial 4/11). Sensitive issues such as HIV status disclosure also brought focus to the need for federal protection of patient privacy.

Of interest is the fact that the Privacy Rule had stricter requirements in its original drafting in 2000. The concern of stakeholders and intense lobbying led to modifications which were embodied in the final version of the Rule in August 2002. One area which caused a lot of public concern and comment was the requirement to obtain written consent from patients to use or disclose their protected health information to treat them, or to carry out day-to-day operations. This was deemed to be unnecessarily burdensome and was subsequently removed, thus allowing providers to share patient records for the purposes of treatment and health care operations. Similarly, the requirement that providers must obtain prior consent to use or disclose a patient's health information for treatment, payment or health care operations purposes was removed. Providers need consent only in nonroutine cases, and also need only make a good faith effort to obtain written acknowledgement from patients that they have received information about their rights. The modifications also clarified that, with reasonable safeguards, uses and disclosures of protected information which are incidental to appropriate uses will not constitute a violation of the Rule. (CHCF 3/5 and OCR congress testimony 9/23)

In its final form, the Rule is regarded as reflecting a common-sense balance between protecting patients' privacy and avoiding imposing unnecessary impediments to quality health care.  (OCR Congress testimony 9/23)

Stakeholder positions

When the standards were first proposed in 1999, over 50,000 public comments were received. The Rules published in 2000 raised continuing concern and were reopened for comment, receiving an additional 11,000 comments. The consultative and modification process was spearheaded by the Federal government, with ardent participation by industry groups and the community in general. The final modifications to the Rule reflected the views and concerns of industry groups and stakeholders.

Of interest is the wide spectrum of the community who are stakeholders in the Privacy Rule.  The Advisory Committee on HIPAA Implementation in California, for example, draws its membership from representatives of provider groups (such as the Californian Medical Association, Californian Nurses Association, Californian Pharmacists Association, Californian Dental Association), hospitals (such as Californian Association of Health and Health Systems), clinics (such as Californian Primary Care Association), long term care facilities, mental health providers, pharmaceutical companies, disability insurers,  records associations, state agencies and departments, county government, health care plans, consumer advocates etc.  The broad spectrum of membership reflects the wide-ranging impact of the Privacy Rule and the immense amount of resources and effort that have been put into the implementation, which by and large, has been smooth.

Influences in policy making and legislation

Emanating from the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Privacy Rule was enacted in December 2000, with an effective date of April 2001 and a compliance deadline of April 2003. The Bush Administration made final amendments to the provisions in August 2002.

Criticisms of these standards range from being unnecessary and cumbersome to not going far enough. Privacy advocates consider the protection inadequate, as the rules allow providers to share medical records and patient consent is required only for "nonroutine" cases. Furthermore, providers need only make a good faith effort to obtain written acknowledgement from patients that they have received the information. These advocacy groups are expected to continue to push for even stricter regulations.

Adoption and implementation

The stakeholders in the adoption process are the consumers and the covered entities, which include health care providers, health plans, clearinghouses, hospitals, clinics, nursing homes, pharmacies, etc.  The Office of Civil Rights in the Department of Health and Human Services is the federal agency with the responsibility for implementing, enforcing and helping covered entities to come into compliance with the Privacy Rule. 

Despite such extensive consultation in drawing up the Rules, and widespread compliance by the health care industry, there is still considerable confusion, which was especially pronounced at the beginning of the implementation period. Perhaps the biggest worry for providers is whether they have interpreted the new rules correctly. As the Rule has to be flexible enough to cover everything from a one-person medical practice to a national health plan, such flexibility leaves room for interpretation. Some analysts regard the Rule as existing only in principle, with no defined answers on implementation and compliance. Admittedly there are still gaps in the law, but for the most part the Rule has provided comprehensive protection that was previously lacking (Georgetown Privacy Project). The federal government has also made extensive outreach efforts to make the implementation process a smooth and successful one.

Critics, however, maintain that the Privacy Rule attracts confusion and misinformation. The jury is still out on how these privacy rules will affect consumers. Experts differ on the parameters of the Rule, with some holding the extreme view that the Privacy Rule will eliminate citizens' rights to withhold their personal health information. They have interpreted the Rule as enabling covered entities to use and disclose patient data regardless of the wishes of the consumer. The Administration strongly refutes such claims, and regards the rules as a significant step forward in mandating a federal standard where there was none before. Industry groups that support the regulation contend that there is a lot of misinformation being spread about the Rule, and attribute such criticisms to partisan politics. Republicans generally support the Administration's position on the Rule, while Democrats are more critical.

Individual States are important stakeholders in the adoption process too, as States may have different requirements than those stipulated under the Federal Rule.  A lot of effort has been made to iron out the wrinkles and minimize any conflict between Federal and State laws.  State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include if the State law provides greater privacy protections or privacy rights with respect to such information; or provides for the reporting of disease or injury, child abuse, birth, or death; or for public health surveillance, investigation, or intervention; or requires certain health plan reporting, such as for management or financial audits.

Preemption of a contrary State law will also not occur if it is determined that the State law is necessary to prevent fraud and abuse related to the provision of or payment for health care or is necessary for purposes of serving a compelling public health, safety, or welfare need.

Monitoring and evaluation

The Office of Civil Rights (OCR) in HHS is charged with enforcing the privacy provisions. Aggrieved consumers can make complaints to the OCR, and enforcement will be mainly complaint-driven. OCR will investigate the complaint and, when appropriate, impose civil monetary penalties for violations. Criminal violations will be referred to the Department of Justice for further investigation and appropriate action. For civil violations of the privacy standards, OCR can impose penalties of up to $100 per violation, up to $25,000 per year, for each requirement violated. Criminal penalties can be up to $50,000 and one year in prison for certain offences; up to $100,000 and up to five years in prison if the offences are committed under "false pretences"; and up to $250,000 in fines and up to 10 years in prison for disclosure with the intent to sell the information for commercial use, personal gain or malicious harm. (OCR Fact Sheet dated 4/13)

In California, there is no single agency that is charged with the implementation and enforcement of the Privacy Rule in the private sector.  CalOHI has the purview over state agencies and departments.  It has also set up an Advisory Committee on HIPAA Implementation where representatives from a broad spectrum of the community come together to communicate on issues encountered in the implementation.

OCR has undertaken a comprehensive outreach effort to provide assistance to covered entities and educate consumers.  Such efforts are continuing to iron out the implementation issues and to sustain the ongoing public education effort.

In the months since April, there has been widespread compliance by health plans, clearing houses and those providers covered by the Privacy Rule. The implementation is considered to have been smooth given the extensive scope of the Privacy Rule (OCR Congress testimony 9/23). OCR has undertaken an extensive outreach effort to provide guidelines and technical assistance for the health care industry and to educate consumers. The health care industry has undergone a "quiet revolution" to meet the requirements of the Privacy Rule (NYTimes 4/6).

Since the implementation in April, 1800 complaints have been received by OCR, the federal agency charged with the implementation and enforcement of the Privacy Rule. 30% of these cases have been resolved, either because they do not raise a privacy issue or through voluntary compliance.

As the law is written, the Rules can be reviewed and changed as often as annually. There is as yet no overwhelming call for any part of the Rules to be repealed or amended.

In California, CalOHI has undertaken a thorough and comprehensive "preemption analysis" of the State privacy laws. Where the State law is more stringent, preemption is determined and the State law will prevail. Examples of State privacy laws and codes for which CalOHI has completed a preemption analysis include the Identification of Victims of Crime, Verification of Application for Compensation, California Public Records Act, Information Practices Act, Patient Access to Health Records, Confidentiality of Medical Information Act, State Employee Disciplinary Proceedings, etc. The preemption analysis of other State privacy laws is still ongoing. The process is not a static one, as current state laws may be amended and new laws promulgated, which will necessitate re-analysis at least annually.


All consumers are protected under the rule.  The covered entities of these new rules include hospitals, clinics, nursing homes, health plans, pharmacies, claims clearinghouses, physicians and other health care providers.  The Privacy Rule requires them to establish policies and procedures to protect the confidentiality of protected health information about their patients.  

In order to comply with these standards, providers have in general gone to extraordinary lengths to examine their systems for privacy leaks, which under this new rule have become a federal offence. The Department of Health and Human Services (HHS) estimated when drawing up the rule in 2000 that the Privacy Rule would entail compliance costs of $17.6 billion, with present value costs of $11.8 over ten years (2003-2012). HHS estimated that modifications to the Rule in 2002 helped avoid about $100 million in compliance costs over ten years (OCR Congress testimony 9/23). The American Hospital Association estimated that hospitals will spend $22 billion over five years to comply with the rules (NYTimes report 6/3).

In order to comply with the Rule, providers also need to train employees, designate a privacy official, maintain documentation of compliance, and take the necessary steps to ensure that those with whom they deal for administrative purposes are also complying with the regulations.

In California, a state agency called the California Office of HIPAA Implementation (CalOHI) was set up to coordinate the efforts among state agencies to become HIPAA compliant. California state agencies with covered entity functions include:

  • Department of Aging
  • Department of Alcohol and Drug Programs
  • Department of Corrections
  • Department of Developmental Services
  • Department of Forestry and Fire Protection
  • Department of Health Services
  • Managed Risk Medical Insurance Board
  • Department of Mental Health
  • Department of Personnel Administration
  • Public Employees' Retirement System
  • Department of Veterans Affairs

In addition, twelve other state departments have functions that are impacted by HIPAA, and over three hundred different public and private organizations have business relationships with State departments impacted by HIPAA.

Expected outcome

The main objective of the Privacy Rule is to protect patient rights and the privacy of health data, while not interfering with the flow of information required to treat patients and to pay claims. With the implementation, there is a general sense that patient privacy is better protected, although at considerable cost and with apprehension on the part of providers who fear claims and litigation. These rules also change the culture of health care as providers take additional care to make sure patient information is kept private and any disclosures are documented. Medical consumer groups have hailed the implementation of the Privacy Rule as a substantial advance in protecting patients from cavalier or malicious disclosure of medical information. At the same time, doctors and hospitals are meeting the new law with apprehension, and some providers view it as yet another government intrusion that spawns a bureaucracy, is unfunded, and only serves to reinforce what is already being done (Washington Post 4/8).

There have also been concerns over unintended consequences, which arose not because of the Rule itself but rather out of confusion and misconception of the Rule, or because some entities have chosen to take a more restrictive view of the Rule in their implementation. Such confusion will dissipate with the continued public education effort by the OCR, the federal agency charged with the implementation and enforcement of the Privacy Rule.

  • Some providers have become over-cautious about sharing or disclosing information. Cases of over-caution are reported in the media, e.g. insurance plans refusing to discuss claims with spouses of members without written consent from members, and physicians refusing to leave telephone messages for patients which contain medical information. (NY Times 4/6)
  • Misapplication of the law has led to adverse outcomes, e.g. the regulation that allows patients to opt out of being included in the hospital directory. There are cases where this has been mistaken to mean that patients are to be excluded unless they specifically choose to be included. Media stories of relatives unable to find patients who are unconscious or unable to agree to their inclusion highlight such confusion. (NY Times 6/3)
  • Given that medical providers generally have a good sense of privacy concerns even without these rules, the new rules are perceived as posing a hindrance, and may even lead to alarm and confusion. Practitioners may go overboard or take defensive action to avoid violations, and this may stand in the way of providing good patient care. It could pose a real danger in emergency cases.
  • The general mood of privacy concern has led to a slowdown in how health information moves through the system, creating the opposite of HIPAA's intended goal of moving information more quickly and securely.
  • The Privacy Rule, which does not say how providers should communicate with patients and requires only "reasonable" protections, is perceived by some as impeding the adoption of new health care technology. Providers say it is harder to use electronic media such as email to communicate with patients, or to use online information programs that are not encrypted, given the privacy concerns. (Technology Daily reported in CHCF iHealth July 14)
  • The Privacy Rule is perceived by some as dehumanising the doctor-patient relationship.

One undesirable outcome is the high cost involved in complying with the Privacy Rule, which will be translated into higher costs for health care. However, it should be noted that the original intention of HIPAA was that, with administrative simplification, costs should be lowered, as the efficiencies realized should outweigh the costs. Whether the Privacy Rule can be regarded as a driver of health care cost increases cannot be easily answered.



Author/s and/or contributors to this survey

Carol Medlin, Institute for Global Health, UCSF; Anita Lee, MPA candidate, UC Berkeley; Sarah Weston, Institute for Global Health, UCSF

Suggested citation for this online article

Carol Medlin, Institute for Global Health, UCSF; Anita Lee, MPA candidate, UC Berkeley; Sarah Weston, Institute for Global Health, UCSF. "Federal Health Privacy Rule Update". Health Policy Monitor, September 2003. Available at