Healthcare Privacy Legislation in the USA

Executive Summary

We came across some useful information from CRC Press and the U.S. Department of Health and Human Services and have combined it into the summary below on the topic of healthcare privacy legislation in the United States. Please refer to the original sources below for more detailed information.

In the 1990s, the increasing use of health IT created a focus on the need to standardize the technical aspects of exchanging personal health information. Along with standardization arose the issue of protecting personal health information from disclosure or misuse. The Health Insurance Portability and Accountability Act (HIPAA), which became federal law in the United States of America in 1996, may be one of the most widely recognized statutes regarding the privacy and security of electronic information, and it dictates much of the federal U.S. practice around health information privacy.[9] However, U.S. laws and principles pertaining to the protection of personal information stored electronically go back more than 30 years. Grounded in the FIPPs, HIPAA outlined the basic elements of a series of healthcare regulations:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated use or disclosure of such information that is not permitted or required under the law.
  • Ensure compliance by its workforce.


HIPAA includes provisions designed to save money for health care businesses by encouraging electronic transactions and also includes regulations to protect the security and confidentiality of patient information. The privacy rule took effect on April 14, 2001, with most covered entities (health plans, hospitals, and health care providers who conduct certain financial and administrative transactions electronically) having until April 2003 to comply. The security rule took effect on April 21, 2003.[2]


An overview of the various privacy laws in United States legislation can be found here

The Privacy Act of 1974

The Privacy Act of 1974, 5 U.S.C. § 552a, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. The Act prevents federal agencies from disclosing any record contained in a system of records without the prior written consent of the individual whose information is contained in the record.

The Privacy Act of 1974 and its implementing regulations:

  1. Prohibits the disclosure of personally identifiable information maintained by agencies in a system of records without the consent of the subject individual, subject to twelve codified exceptions.
  2. Grants individuals increased rights of access to agency records maintained on them.
  3. Grants individuals the right to seek amendment of agency records that are maintained on them upon showing that the records are not accurate, relevant, timely, or complete.
  4. Establishes a code of fair information practices that requires agencies to comply with statutory norms for the collection, maintenance, and dissemination of records.

Health Information Privacy

Fair Information Practice Principles

The privacy laws and regulations adopted in the U.S. in the last few decades are based upon a commonly accepted set of information practices. The earliest public documentation of this concept was published in 1972 in the report "Records, Computers, and the Rights of Citizens," which introduced the Fair Information Practice Principles (FIPPs). These principles created a code of fair information practices that addressed the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies. The four FIPPs are:

  1. Notice: There must be no personal data record-keeping system whose very existence is secret.
  • Data collectors must disclose their data collection.
  • The existence and purpose of record-keeping systems must be known to the individuals whose data is contained therein.

  2. Choice: There must be a way for a person to find out what personal information is contained in a record and how it may be used.
  • Data subjects should have the right to opt out of uses and disclosures of their data.
  • Information must be (1) collected only with the knowledge and implicit or explicit permission of the subject; (2) used only in ways relevant to the purpose for which the data was collected; (3) disclosed only with the permission of the subject or in accordance with overriding legal authority (such as a public health law that requires reporting of a serious contagious disease).

  3. Access: There must be a way for a person to correct or amend a record of identifiable personal information.
  • Data subjects should be able to view their information and have it corrected if necessary.
  • Individuals must have the right to see records of personal information and to assure the quality of that information.

  4. Security: Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for its intended use and must take precautions to prevent misuse of the data.
  • Reasonable safeguards must be in place to protect the confidentiality, integrity, and availability of information.

Key Takeaways

The major federal laws and regulations addressing confidentiality, privacy, and security in healthcare are as follows:

Health Insurance Portability and Accountability Act (HIPAA), Privacy Rule (2000)

  • Establishes national standards regarding health information privacy.
  • Creates a federal floor of health information privacy protection; some more protective state laws remain in force.
  • Creates certain individual rights in health information, imposes restrictions on uses and disclosures of protected health information, and provides for civil and criminal penalties for violations.

Health Insurance Portability and Accountability Act (HIPAA), Security Rule

  • Establishes national "required" and "addressable" security standards.
  • Works in tandem with the HIPAA Privacy Rule and lays out three types of security safeguards required for compliance: administrative, physical, and technical.

HITECH Act Breach Notification Rule (Health and Human Services)

  • Amends HIPAA to require notification by HIPAA covered entities upon the discovery of a breach of security.
  • Requires covered entities to provide notice to patients, HHS, and, in some cases, the media, following a breach of unsecured protected health information.
  • Requires business associates to notify covered entities following the discovery of such a breach.

SAMHSA: Confidentiality of Substance Abuse Patient Records

  • Addresses the confidentiality of substance abuse (alcohol and drug abuse) patient records.
  • Prohibits the disclosure of substance abuse patient records, and of information that identifies an individual as an alcohol or drug abuser, without obtaining the written consent of the individual.
  • The regulations establish limited circumstances permitting disclosure without consent for medical emergencies, audit/evaluation activities, and research. Other disclosures without patient consent are permitted with an authorizing court order issued by a court of competent jurisdiction.

Clinical Laboratory Improvement Amendments (CLIA) (1998)

  • Regulates laboratories conducting testing on human specimens for medical purposes.
  • Assures quality standards for all laboratory testing to ensure the accuracy, reliability, and timeliness of patient test results.
  • Certified labs may disclose test results or reports only to authorized persons, to those responsible for using the results (i.e., those treating the patient), and to the referring lab in a reference-lab scenario; state law defines who is authorized, which may include the patient.

SAMHSA: Confidentiality Provisions for Data Collection and Survey Information

  • Requires the consent of the person or establishment prior to the use or release of identifiable information.
  • Identifiable information obtained in the course of activities undertaken or supported by SAMHSA pursuant to data collection authorized activities may not be used for any purpose other than the purpose for which it was supplied unless such establishment or person has consented (as determined under regulations of the Secretary) to its use for another such purpose.[9]