HIPAA PRIVACY: Liability Beyond Regulatory Enforcement

Erica Brinkman, MJ, CHPC

Abstract


In 1996, health care providers, plans and others in the United States invested about $10 to $15 billion in information technology to store and transmit health information.[1] Advances in information technology in the health care industry increased the ability of providers to identify and treat individuals "at risk for disease, conduct vital research, detect fraud and abuse, and measure and improve the quality of care delivered in the U.S."[2] However, the shift from paper medical records to electronic records also came with an increase in the flow of sensitive medical data, which ultimately heightened the need for legal protections for the privacy of this information.[3]

The increase in information technology across all business sectors led to the development of numerous laws, regulations and legislative proposals ranging from financial privacy to safeguarding the privacy of children online.[4] Congress addressed the opportunities and challenges created by the increased use of information technology in the health care industry in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191.[5] Section 262(b) of the Administrative Simplification provision under HIPAA required the Department of Health and Human Services (HHS) to develop recommendations for privacy standards and submit them to Congress.[6] The recommendations were to include: (1) the rights individuals should have with regard to their individually identifiable health information; (2) a process by which individuals can exercise these rights; and (3) which uses and disclosures of the information should be authorized or required.[7] The HHS Secretary submitted the recommendations to Congress on September 11, 1997.[8]

Congress was also working on broad health privacy standards during this time and provided a three-year deadline for the issuance of this legislation under section 264(c)(1) of the Administrative Simplification provisions of HIPAA.[9] This section also directed the Secretary of HHS to publish the proposed rules if Congress had enacted no privacy legislation by the end of the three-year deadline.[10] Ultimately, Congress did not enact any federal privacy legislation within the required period.[11] Therefore, the Secretary of HHS published the proposed privacy regulations in 1999 and finalized the rules in December 2000, which required health care entities to comply by April 14, 2003.[12]


[1] Federal Register, Part II, Department of Health and Human Services; Office of the Secretary; 45 CFR Parts 160 and 164 Standards for Privacy of Individually Identifiable Health Information; Final Rule; December 28, 2000; page 82465  https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/privacyrule/prdecember2000all8parts.pdf 

[2] Id.

[3] Id.

[4] Id. at 82469

[5] Id.

[6] Id.

[7] Id. and 82470

[8] Id. at 82470

[9] Id.

[10] Id. at 82469-82470

[11] Id.

[12] https://www.hhs.gov/hipaa/for-professionals



©Journal of Health Care Finance