The long-awaited final privacy and security regulations required for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have been issued.  I won’t try to summarize the lengthy rules but will highlight a few of the key enhanced privacy protections for consumers.  You can find more detailed information in two excellent articles: one is by Deven McGraw, Center for Democracy & Technology (“Final HIPAA Rules a Major Step Forward, but There’s More Work To Be Done”); the other is by Marianne Kolbasuk McGee (“HIPAA Omnibus Consumer Protections”).

I’ve summarized a few of the key consumer/patient protections that Ms. McGraw and Ms. McGee identify in their respective articles:

  • Patients will now be able to have easier access to their electronic health records.  They can request and get electronic copies of their health records even if the records are stored in multiple sets of records.
  • Patients can have their electronically stored health information sent directly to a third party such as a doctor, caregiver or mobile health app.  The ability to do so wasn’t clear under the prior HIPAA regulations, so this clarification is most welcome.
  • Patients can request that copies of health records be provided in a specific format.  The request has to be filled, but only if the electronic information can be produced in the format requested by the patient.
  • Patients will now have much more control over the use of their health information for marketing purposes.  Current HIPAA regulations already require that patients provide prior consent before their health information can be used for marketing purposes.  However, under the new HIPAA regulations a patient has to provide prior authorization before information can be used in marketing communications to promote a product or service — whether that marketing communication is paid for directly or indirectly by the maker of the product or service.
  • Patients have to provide this marketing communication authorization in writing.

Health information should be private, more easily accessible to patients and used for the purposes they want and have approved.