The IT Law Wiki


Gina Marie Stevens, Compliance with the HIPAA Medical Privacy Rule (CRS Report RS21505) (Apr. 24, 2003) (full-text).


As of April 14, 2003, most health care providers (including doctors and hospitals) and health plans are required to comply with the new Privacy Rule mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and must comply with national standards to protect individually identifiable health information.

The HIPAA Privacy Rule creates a federal floor of privacy protections for individually identifiable health information; establishes a set of basic consumer protections; institutes a series of regulatory permissions for uses and disclosures of protected health information; permits any person to file an administrative complaint for violations; and authorizes the imposition of civil or criminal penalties.

In hearings prior to the effective date of the Rule, there was widespread concern over aspects of the rule, including the extent to which it preempted state laws. On April 17, 2003, HHS published an interim final rule establishing the rules of procedure for investigations and the imposition of civil money penalties concerning violations. This interim final rule was effective from May 19, 2003 through September 16, 2003. HHS plans to issue a complete Enforcement Rule with both procedural and substantive provisions after notice-and comment rulemaking.