A hacker downloads medical records, health information and Social Security numbers on more than 5,000 patients at a university medical center.

A 30-year-veteran of the FBI is forced to retire early after his employer learns he sought mental health treatment.

A banker improperly accesses a medical database to determine which of his borrowers have cancer – then attempts to terminate relationships with them.

These are real life horror stories from across the U.S. that show what can happen when personal medical information gets into the wrong hands.

No issue is more sensitive for people than their private medical information and what may happen to it.

That’s one of the reasons the Health Insurance Portability and Accountability Act (HIPAA) became law.

In August, federal rules were finalized on the privacy protections – which affect all of us. The new rules give all of us the “right to know” and the “right to say no” in sharing our personal information.

The act is the first comprehensive federal protection of patient privacy. It sets national standards to protect personal health information, standardizes its use, and makes health coverage more portable. The privacy portion becomes law in 2003.

The entire health care industry in all 50 states must implement the new law. This includes hospitals, doctors’ offices, health plans, government and others.

In Oregon, HIPAA will also affect many state agencies, counties and local governments. The Oregon Department of Human Services is covered by the new law.

As a result, thousands of clients we serve in programs for children, families, seniors, people with disabilities, those with mental health issues, and others will see subtle but important changes.

Among other things, HIPAA will guarantee clients access to their medical records. It will give clients the right to limit what can be disclosed to others. It will allow them to review their records for accuracy.

The department is helping to lead other Oregon state agencies on this issue, using its experience from months of work. The department is already:

Developing department-wide policies and forms under the privacy rule.

Changing 18 major information systems, estimated to require 150,000 work hours.

Developing new security practices to protect health information.

Amending hundreds of contracts and business agreements, among other changes.

The bottom line is that HIPAA is not only the right thing to do to protect people’s privacy – it’s the law. Failure to comply brings severe penalties. At stake is $3.3 billion in Medicaid funds biennially that go to serve hundreds of thousands of clients all over Oregon. If Oregon doesn’t comply, it could lose these funds.

The law is not intended to stop integrated services or the sharing of information. DHS has always recognized the importance of keeping client information private. The new rules will strengthen these safeguards, while allowing information sharing to continue at a level necessary to accomplish our work.

Today, health care information can be transmitted around the globe with the click of a computer mouse.

The new privacy law is aimed at making it more difficult to use this technology against us, to keep others from rifling through our medicine cabinets or peeking into our health charts.

As we continue to combine offices and integrate our programs to better serve Oregonians, we will also be improving how we protect privacy. This will give our clients new protections against the horror stories that can result from improper use or disclosure of their personal health records.

—

Bobby S. Mink is director of the Oregon Department of Human Services.