HIPAA's privacy rules were created in response to real-world privacy violations. Here are some examples (taken from HIPAA's preamble and from other sources).
- A Tampa, Florida, health care worker took from work a computer disk that contained the names of 4,000 HIV-positive people.
- A Michigan health organization accidentally posted thousands of patients' medical records on the internet.
- Several Fort Lauderdale, FL, patients who were diagnosed with depression were sent unsolicited letters containing Prozac inside. Some of the patients were never prescribed Prozac, and did not give permission for marketers to contact them regarding their depression. The letter stated "Enclosed you will find a free one month trial of Prozac Weekly… Congratulations on being one step closer to full recovery."
- In the early 1990s, it was discovered that Johnson and Johnson had marketed a list of five million names and addresses of elderly incontinent women.
- Thousands of patients' health insurance claim forms blew out of a truck driving to a recycling center in Connecticut.
- A Nevada woman bought a used computer from a pharmacy, and found the computer contained pharmacy customers' prescription records. The records included names, addresses, social security numbers, and all the medications the customers had bought.
- A survey found that 35 percent of Fortune 500 companies review job applicants' and employees' medical records before making hiring and promotion decisions.
- In the Journal of the American Medical Association, several emergency room doctors expressed concern about TV shows that film patients in emergency rooms. Although TV producers usually ask patients to sign permission forms before the shows air, doctors and others worry the TV shows still intrude on patient privacy. Some think the permission is somewhat coerced because the patients are offered money, and their health and awareness are often compromised.
These are just a few examples of patient privacy concerns. The privacy rules are intended to help us make these situations better for the patient, or to prevent them from happening altogether.
The privacy rules are also intended to prevent privacy violations that may occur in the future, especially privacy violations involving genetic information. Genetic research is providing more and more valuable ways to diagnose and treat patients. However, genetic information about patients will also become more and more valuable to parties who may use the information contrary to patients' interests. In drafting HIPAA, the government had future concerns like this in mind.
As you can see, there are many different kinds of privacy concerns. Also, privacy issues differ from organization to organization, and from state to state. Some states' privacy laws are more lenient than others', so patients have been getting less protection in some areas than in others. The government created federal privacy rules, in part, so that all states, and all health care workers in the U.S., follow the same minimum-level privacy practices.