
Privacy and Health Information Technology

Executive Summary

Published online by Cambridge University Press: 01 January 2021

Extract

In discussions of health reform, the increased use of health information technology (health IT) is a common element of nearly every serious proposal on the table. Health IT includes electronic health records kept by providers, personal health records offered by health insurance plans or owned by consumers, and electronic health information exchanges. Although health reform initiatives being discussed contain little detail regarding health IT, in general they promote health IT to facilitate the electronic sharing of health information to improve individual and population health. During the 2008 presidential campaign, the health care proposals of both President Obama and Senator McCain discussed health IT. President Obama’s proposal invests $50 billion over the next five years to promote the adoption of health IT with privacy safeguards. Senator McCain’s plan also encouraged the adoption of health IT, with an emphasis on coordination.

Type: JLME Supplement

Copyright © American Society of Law, Medicine and Ethics 2009


References

Health08.org, Kaiser Family Foundation, “2008 Presidential Candidates: Health Care Issues Side-by-Side,” available at <http://www.health08.org/healthissues_sidebyside.cfm> (last visited June 24, 2009).
The American Recovery and Reinvestment Act of 2009, Public Law No. 111-5.
Connecting for Health, Markle Foundation, Survey Finds Americans Want Electronic Personal Health Information to Improve Own Health Care, survey conducted by Lake Research Partners and American Viewpoint in November 2006 for the Markle Foundation's conference, Connecting Americans to Their Health Care: Empowered Consumers, Personal Health Records and Emerging Technologies, available at <http://www.markle.org/downloadable_assets/research_doc_120706.pdf> (last visited June 24, 2009).
There is a difference between “privacy” and “security.” Although there are no universally accepted definitions of those terms, in general privacy refers to policies and practices that govern the access, use, and disclosure of personal health information, and security refers to the technological tools that are used to implement those policies.
See Goldman, J., “Protecting Privacy to Improve Health Care,” Health Affairs, 10 no. 6 (1998): 47-60, at 49; Goldman, J. and Hudson, Z., California Healthcare Foundation, Promoting Health/Protecting Privacy: A Primer, January 1999, available at <http://www.chcf.org/topics/view.cfm?itemID=12502> (last visited June 24, 2009).
Harris Interactive, “Many U.S. Adults Are Satisfied with Use of Their Personal Health Information,” The Harris Poll #27, March 26, 2007, available at <http://www.harrisinteractive.com/harris_poll/index.asp?PID=743> (last visited June 24, 2009).
Bishop, L. S. et al., California Healthcare Foundation, National Consumer Health Privacy Survey 2005, November 2005, available at <http://www.chcf.org/topics/view.cfm?itemID=115694> (last visited June 24, 2009).
This paper uses the term “personal health information” to refer generally to an individual's identifiable health information, and uses the term “protected health information” to refer to information expressly protected by HIPAA.
Covered entities are health plans, health care clearinghouses, and most health care providers who submit health care claims electronically (specifically, those who transmit health information in electronic form for those transactions for which the Secretary has adopted standards, i.e., transaction code sets). See 45 C.F.R. § 160.102(a) (2007).
Protected health information is individually identifiable health information that includes demographic information and “that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care; and that identifies the individual” or “there is a reasonable basis to believe the information can be used to identify the individual.” See 45 C.F.R. § 160.201 (2007) for the precise definition.
Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another. See 45 C.F.R. § 164.501 (2007).
Payment includes activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and to furnish or obtain reimbursement for health care delivered to a patient. See 45 C.F.R. § 164.501 (2007).
Health care operations include the following: (1) conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination; (2) reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities; (3) underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims; (4) conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs; (5) business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and (6) business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating deidentified health information or a limited data set, and fundraising for the benefit of the covered entity. See Appendix A and 45 C.F.R. § 164.501 (2007).
Social Security Act § 1178, 42 U.S.C. § 1320d-7 (2009); 45 C.F.R. § 160.203 (2007).
Pollitz, K., Georgetown University Health Policy Institute, the Genetics and Public Policy Center at Johns Hopkins University, Summaries of the Genetic Information Nondiscrimination Act of 2008 (GINA), Public Law 110–28, Title I: Health Insurance, available at <http://www.dnapolicy.org/resources/GINATitle-1summary.pdf>; Public Law 110–233, Title II: Employment, available at <http://www.dnapolicy.org/resources/GINATitle-IIsummary.pdf> (last visited February 3, 2009).
FERPA applies to health and other records in educational settings; Part 2 applies to federally funded substance abuse treatment facilities; and the Privacy Act applies to federal facilities.
See 18 U.S.C. §§ 2702(a)(1)-(3) (2007).
See 18 U.S.C. § 2701(c)(1) (2007); see also 18 U.S.C. § 2702(a)(2)(B) (2007).
See Dimitropoulos, L. L., Agency for Healthcare Research and Quality, Privacy and Security Solutions for Interoperable Health Information Exchange: Assessment of Variations and Analysis of Solutions Report, July 2007, 3-8-3-9, available at <http://healthit.ahrq.gov/portal/server.pt/gateway/PTARGS_0_1248_661882_0_0_18/AVAS.pdf> (last visited June 24, 2009) [hereinafter cited as “Privacy and Security Solutions”]. For an “overzealous” interpretation of HIPAA, see Gross, J., “Keeping Patients' Details Private, Even from Kin,” New York Times, July 3, 2007, available at <http://www.nytimes.com/2007/07/03/health/policy/03hipaa.html7_r=1> (last visited June 24, 2009); see also Houser, S. H. et al., “Assessing the Effects of the HIPAA Privacy Rule on the Release of Patient Information by Healthcare Facilities,” Perspectives in Health Information Management, 4 no. 1 (spring 2007), available at <http://www.pubmedcentral.nih.gov/articlerender.fcgi?artid=2082070&tool=pmcentrez> (last visited June 24, 2009) [hereinafter cited as “HIPAA Privacy Rule”] (which recommended additional clarification of HIPAA regulations, standardized instructions, and extensive training of healthcare workers).
Id. (HIPAA Privacy Rule).
See Paasche-Orlow, M. K. et al., “Notices of Privacy Practices: A Survey of the Health Insurance Portability and Accountability Act of 1996 Documents Presented to Patients at U.S. Hospitals,” Medical Care, 43 no. 6 (June 2005): 558-564; Hochhauser, M., “Why Patients Won't Understand Their HIPAA Privacy Notices,” Privacy Rights Clearinghouse (April 10, 2003), available at <http://www.privacyrights.org/ar/HIPAA-Readability.htm> (last visited June 24, 2009); Pollio, M. C., “The Inadequacy of HIPAA's Privacy Rule: The Plain Language Notice of Privacy Practices and Patient Understanding,” New York University Annual Survey of American Law 60 (2005): 579-620, at 593.
A health care clearinghouse is “a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.” See Social Security Act § 1171(2), 42 U.S.C. § 1320d (2009).
45 C.F.R. § 165.504(e)(2) (2007).
Those who meet the definition of a health care clearinghouse would be covered by HIPAA.
See The HIPAA Privacy Rule and Health IT, Health Information Technology, Department of Health and Human Services, available at <http://healthit.hhs.gov/portal/server.pt> (last visited June 24, 2009).
Personal health records offered by covered entities would be covered by the Privacy Rule.
National Committee on Vital and Health Statistics (NCVHS) Reports and Recommendations, Letter to the Secretary of the U.S. Department of Health and Human Services: Personal Health Record (PHR) Systems, September 9, 2005, available at <http://ncvhs.hhs.gov/050909lt.htm> (last visited June 24, 2009).
See Center for Democracy and Technology, Comprehensive Privacy and Security: Critical for Health Information Technology, May 2008, available at <http://www.cdt.org/healthprivacy/20080514HPframe.pdf> (last visited June 24, 2009); see also Promoting the Adoption and Use of Health Information Technology: Hearing before the Subcomm. on Health of the H. Comm. on Ways and Means, 110th Cong. (2008) (statement of Deven McGraw, Director, Health Privacy Project, Center for Democracy and Technology), available at <http://cdt.org/testimony/20080724mcgraw.pdf> (last visited June 24, 2009).
With respect to the leading bill in the Senate, the Wired for Health Care Quality Act (S.1693), the version marked up by the Health, Education, Labor and Pensions (HELP) Committee included a provision that would have subjected PHRs to coverage under HIPAA; however, a proposed amendment from Senator Leahy that was under serious consideration by bill sponsors would have stripped out this provision and replaced it with a provision similar to those in the House bills.
For an articulation of fair information practices as applied to a health information exchange environment, see The Markle Foundation, “Connecting Professionals: Private and Secure Information Exchange,” 2006, available at <http://www.connectingforhealth.org/commonframework/index.html> (last visited June 24, 2009). See also the Organization for Economic Cooperation and Development (OECD) Data Protection Principles (1980), extract from Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at <http://www.anu.edu.au/people/Roger.Clarke/DV/OECDPs.html> (last visited June 24, 2009).
HIPAA nondiscrimination provisions (Title I) prohibit individuals in group health plans from being denied eligibility for benefits or charged more for coverage because of any “health factor,” which includes health status and medical history or condition. These provisions do not apply to insurance purchased in the individual market. For a summary of these provisions, see Employee Benefits Security Administration, U.S. Department of Labor, “FAQs: About the HIPAA Nondiscrimination Requirements,” available at <http://www.dol.gov/ebsa/faqs/faq_hipaa_ND.html> (last visited June 24, 2009).
The three states are Arkansas, California, and Delaware. For more information, see Gage, D., “California Data-Breach Law Now Covers Medical Information,” San Francisco Gate, January 4, 2008, available at <http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/01/04/BuR6U9000.DTL> (last visited June 24, 2009).
A comprehensive analysis of state breach notification laws is beyond the scope of this paper.
45 C.F.R. § 164.514(b)(1) (2007).
45 C.F.R. § 164.514(b)(2) (2007).
45 C.F.R. § 164.514(a)(b)(2)(ii) (2007).
45 C.F.R. § 164.514(e) (2007).
45 C.F.R. § 164.514(e)(3)-(4) (2007).
45 C.F.R. § 164.514(e)(4)(iii)(A) (2007).
See supra note 4.
45 C.F.R. § 164.501 (2007).
The Privacy Rule gives individuals a right to request a restriction on uses or disclosures of protected health information for treatment, payment and health care operations (and on disclosures to family or friends who are assisting in the individual's care), but the covered entity does not have to comply with the request. See 45 C.F.R. § 164.522(a) (2007).
45 C.F.R. § 164.514(d) (2007).
See Privacy and Security Solutions, supra note 20, at 3–5, 3–7.
45 C.F.R. § 164.506(c)(4) (2007).
See section (1) in the definition of health care operations, 45 C.F.R. § 164.501 (2007).
45 C.F.R. § 164.512(i) (2007).
45 C.F.R. § 164.522(a) (2007).
National Committee on Vital and Health Statistics (NCVHS) Reports and Recommendations, Letter to the Secretary of the U.S. Department of Health and Human Services: Privacy and Confidentiality in a Nationwide Health Information Network (NHIN), June 22, 2006, recommending that individuals have a choice regarding whether or not their information is included in the NHIN. See also NCVHS Reports and Recommendations, Report to the Secretary of the U.S. Department of Health and Human Services: Individual Control of Sensitive Health Information Accessible via the NHIN for Purposes of Treatment, February 20, 2008, recommending that individuals be allowed to sequester information in certain sensitive categories.
Id. (NCVHS Report to the Secretary, February 20, 2008).
45 C.F.R. § 164.524(c)(2) (2007). This access right applies to information maintained in a designated record set, and exempts psychotherapy notes and a few other categories of information; see also 45 C.F.R. § 164.524(a)(1) (2007).
U.S. Department of Health and Human Services, Health Information Privacy, Compliance and Enforcement, “Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year,” available at <http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/top5issues.html> (last visited June 24, 2009).
45 C.F.R. § 164.524(b)(2) (2007).
45 C.F.R. § 164.524(c)(4) (2007).
See Georgetown University Health Policy Institute, Center on Medical Record Rights and Privacy, available at <http://hpi.georgetown.edu/privacy/records.htmlformoreinformation> (last visited June 24, 2009).
Standards for Privacy of Individually Identifiable Health Information, 67 Federal Register 53,182 (August 14, 2002) (to be codified at 45 C.F.R. pts. 160, 164).
U.S. Department of Health and Human Services, HIPAA Frequently Asked Questions: About the Privacy Rule, “Why Was the Consent Requirement Eliminated from the HIPAA Privacy Rule, and How Will It Affect Individuals' Privacy Protections?” November 9, 2006, available at <www.hhs.gov/hipaafaq/about/193.html> (last visited February 3, 2009).
45 C.F.R. § 164.508(b)(4) (2007).
See, e.g., Discussion Draft of Health Information Technology and Privacy Legislation: Hearing before Subcomm. on Health of the H. Comm. on Energy and Commerce, 110th Cong. (2008) (written testimony of Dr. Deborah Peel, Founder & Chair, Patient Privacy Rights), available at <http://www.patientprivacyrights.org/site/DocServer/Peel_written_testimony_06.04.08.pdf?docID=4021> (last visited June 24, 2009). See also Privacy and Health Information: Hearing Before Subcomm. on Privacy and Confidentiality of the Nat'l Comm. on Vital and Health Statistics, U.S. Department of Health and Human Services, February 23, 2005 (testimony of Sue A. Blevins, Founder and President, Institute for Health Freedom), available at <http://www.ncvhs.hhs.gov/050224p6.htm> (last visited June 24, 2009).
See, e.g., Center for Democracy & Technology, Rethinking the Role of Consent in Protecting Health Information Privacy, January 2009, available at <http://www.cdt.org/healthprivacy/20090126Consent.pdf> (last visited June 24, 2009).
Id., at 14–19, for examples of approaches to consent taken by some state electronic exchange networks. For state profiles, see generally State-Level Health Information Exchange Consensus Project, Profiles of State-Level HIE Efforts, available at <http://www.slhie.org/efforts.asp> (last visited June 24, 2009).
See NCVHS Letter to the Secretary (June 22, 2006), supra note 56.
The Markle Foundation, Connecting for Health, “The Common Framework: Networked Health Information,” available at <http://www.connectingforhealth.org/commonframework/#guide> (last visited June 24, 2009).
Alonso-Zaldivar, R., “Effectiveness of Medical Privacy Law Is Questioned,” Los Angeles Times, April 9, 2008, available at <http://www.latimes.com/business/la-na-privacy-9apr09,0,5722394.story> (last visited June 24, 2009). In July 2008, HHS announced that Seattle-based Providence Health & Services agreed to pay $100,000 as part of a settlement of multiple violations of the HIPAA regulations. But the press release from HHS made clear that this amount was not a civil monetary penalty. See also U.S. Department of Health and Human Services, HHS, Providence Health & Services Agree on Corrective Action Plan to Protect Health Information, News Release, July 17, 2008, available at <http://www.hhs.gov/news/press/2008pres/07/20080717a.html> (last visited June 24, 2009).
For more information on the OLC memo and its consequences, see Swire, P., “Justice Department Opinion Undermines Protection of Medical Privacy,” Center for American Progress, June 7, 2005, available at <http://www.americanprogress.org/issues/2005/06/b743281.html> (last visited June 24, 2009).
45 C.F.R. § 164.504(e)(1)(ii) (2007).
45 C.F.R. § 164.504(e)(1)(ii)(A)-(B) (2007).
See 15 U.S.C. § 7706(f) (Supp. 2004).