Until the HIPAA privacy rules went into effect, privacy and access to medical
records were mostly controlled by state law. There was a federal law that
protects alcohol and substance abuse treatment records from disclosure
without the patient's permission and limits the use of these records in court
without the patient's permission. [M.A.K. v. Rush-Presbyterian-St.-Luke's
Medical Center, 764 N.E.2d 1, 261 Ill.Dec. 710 (Ill. 2001)] The federal courts
also recognized the psychiatrist-patient relationship and protected those
records from discovery in some legal proceedings. The federal courts did not
recognize the general physician-patient relationship and, in some medical
business law cases, allowed the parties access to the records of patients being
treated by the hospital or physicians involved in the lawsuit. The Americans
With Disabilities Act (ADA) limits an employer's access to employee medical
information.
Otherwise, state law controlled medical privacy. Some states provided more
protection than others, and few provided any systematic enforcement of privacy
standards. While states have traditionally regulated medical practice and the
delivery of medical services, the states' ability to do this regulation was being
undermined by the use of interstate electronic medical databases. The advent of
the Internet made it clear that there needed to be national standards for
medical privacy. Medical information that is accidentally or maliciously
published on the Internet is open to the entire world. Medical care providers
and businesses that do business on the Internet, or try to use it to deliver more
effective medical care, are open to hacking and the compromising of their
databases. States are not able to regulate interstate and international
information flows, so Congress stepped in in 1996.
In 1996, Congress passed the Health Insurance Portability and Accountability
Act (HIPAA). At the time, the major purpose of this Act was to reduce job lock:
the inability of an employee who had a chronic disease, or who had a family
member with a chronic disease, to change jobs because the group health plan
at the new job would exclude the pre-existing medical conditions from
coverage. HIPAA solved this, at least for employees moving between
employers with group health coverage, by requiring that the new plan not
exclude a pre-existing illness if it was covered by the employer's old plan. This
was an important change in insurance law and had bipartisan support. Less
well publicized was a provision in HIPAA that required the Department of
Health and Human Services (HHS) to promulgate standards to protect the
electronic transmission of medical information. These standards were expected
to be technical, dealing with format and encryption issues.
When the proposed rule on medical records security came out, it was fairly
broad, but only applied to the electronic transmission of records. There were a
huge number of comments on the rule from the public and from medical care
providers. The public wanted the rule to be broader and to put more
restrictions on access to records. The medical providers, especially the
hospitals, were concerned that the rule would be expensive to implement,
could get in the way of patient care, and would make little real difference in
the security of records. The providers cautioned that while there were several
anecdotes presented to Congress when it was taking testimony before the
passage of HIPAA, there was no evidence of any systematic breach of patient
confidentiality by medical care providers.
After considering the comments, HHS promulgated a final rule just before the
end of the Clinton administration. This rule was dramatically broader, applying
not only to electronically transmitted records, but to any records held by a
provider who transmitted any records electronically. This effectively extended
the reach of the rule to all medical records held by most medical care
providers. Medical care providers complained that the procedures for
authorizing the release of records, which the rule required the patient to
execute for many previously routine transactions, would be very costly and
would make it difficult for patients to obtain care in emergencies. HHS, now
under a new Secretary who was part of the Bush administration, took these
complaints seriously and promulgated a revised final rule which made it easier
to share medical information for patient care without requiring as much formal
process. The following discussion deals with the revised final rule in effect in
fall 2003.