Despite federal protections, the majority of Americans are concerned about the privacy of personal health information. At the same time, many say they would like to take advantage of new tools such as electronic personal health records and online social networks. Proposals for health care reform promote greater adoption of electronic medical records, disease registries, electronic prescribing, and other tools to make health care delivery more effective.

To help clarify the issues surrounding health privacy, CHCF cofunded a series of reports by the Center for Democracy and Technology (CDT). With expertise in law, technology, and policy, CDT seeks practical solutions to enhance free expression and privacy in the use of global communications technologies.

Following are three of the CDT reports.

Comprehensive Privacy and Security: Critical for Health Information Technology (PDF). In this paper, published in May 2008, CDT calls for the adoption of a comprehensive privacy and security framework for the protection of health data. The paper describes how implementation of a comprehensive policy and security framework will require a mix of legislative action, regulation, and industry commitment, and must take into account the complexity of the evolving health information exchange environment.

HIPAA and Health Privacy: Myths and Facts (PDF). This paper, published in January 2009, rebuts common myths about health privacy and the Health Information Portability and Accountability Act (HIPAA). The facts presented correct long-standing myths about the right to privacy, patient consent and rights, enforcement of HIPAA provisions, Internet-based health services, the interaction between HIPAA and state laws, information disclosures, marketing, and de-identified data.

Rethinking the Role of Consent in Protecting Health Information Privacy (PDF). Published in January 2009, this paper argues for a new generation of privacy protections that would allow personal health information to flow among health care entities for treatment, payment, and certain core administrative tasks without first requiring patient consent, as long as there is a comprehensive framework of rules governing access to, and disclosure of, medical data.