Joy L. Pritts


Medical records contain some of the most intimate details about an individual that can be found in a single place. Health information privacy is based on the principle that individuals should be able to exercise control over this intimate information, both by having full knowledge about what information is contained in the records and by being able to control who has access to the information. Because professional ethical requirements do not adequately protect health information in today's complex health care system, we have increasingly turned to the law as a source of protection.

Until the recent promulgation of the Federal Health Privacy Rule, states have been the primary regulators of health information through their constitutions, common law, and statutory provisions. Although all three of these legal sources remain important, recent focus has been on the enactment of detailed health privacy statutes that apply the fair information practice principles to health information. However, for the most part states have adopted these principles in a fairly haphazard fashion resulting in a patchwork of legal protections both within and between states.

The recently issued Federal Health Privacy Rule has effectively evened out some of this discrepancy by establishing a federal floor of privacy protections based on fair information practices. The Federal Rule, however, does not afford adequate protection of health information because it has limited applicability and areas of lax protection. Because the Federal Rule only preempts conflicting, less protective state laws, there is still room for states to protect their own citizens by retaining or enacting health privacy protections that mirror and improve upon those in the Federal Health Privacy Rule.