48 Journal of Regulatory Compliance Vol. I
primary policy objectives:
1. To protect and enhance the rights of consumers by
providing them access to their health information and
controlling the inappropriate use of that information;
2. To improve the quality of health care in the United
States by restoring trust in the health care system among
consumers, health care professionals, and the multitude
of organizations and individuals committed to the
delivery of care; and
3. To improve the efficiency and the effectiveness of health
care delivery by creating a national framework for health
privacy protection that builds on efforts by states, health
systems, and individual organizations and individuals. 14
These purposes are advanced through rules promulgated by the U.S.
Department of Health & Human Services (“HHS”) to regulate the handling
of PHI. The HIPAA rules apply directly to “covered entities,” which
generally include health plans, providers, and healthcare clearinghouses
(e.g., billing service providers and health management information
systems). 15 The rules also apply to “business associates” of covered entities,
meaning any third party that acts on behalf of the covered entity to render
services or perform functions involving the creation, use, maintenance, or
disclosure of PHI. 16
Prior to 2009, the HIPAA rules were criticized for placing excessive
emphasis on patient consent to release PHI, which historically existed in
physical form only, while ignoring the privacy and security technological
realities experienced by a growing number of entities that handle e-PHI. 17
Congress took action in 2009 and passed the Health Information Technology
for Economic and Clinical Health Act (“HITECH Act”). 18 The overall
purposes of HITECH were to (1) incentivize adoption of health IT, including
817, 818 (2010).
14. Health Insurance Portability and Accountability Act of 1996 (HIPAA), CMS.GOV,
http://www.cms.hhs.gov/hipaa/hipaa2/general/background/kkiml.asp, reprinted in JUNE M.
SULLIVAN, HIPAA: A PRACTICAL GUIDE TO THE PRIVACY AND SECURITY OF HEALTH DATA 2
15. See 45 C.F.R. § 160.103 (2014).
16. See id.
17. Pasternack, supra note 13, at 827.
18. See generally HITECH Act, 42 U.S.C. §§ 300jj, 17901 (2012).