Approved by the AHIMA Board of Directors - July 10, 2003

American Health Information Management Association (AHIMA)
Statement on the Privacy, Confidentiality, and Security of Health Records

AHIMA's Position

AHIMA calls upon the healthcare and information technology industries and the government to ensure that privacy, confidentiality, and security protections, and the use of technology to secure such protections, are afforded to all so that the electronic health record - no matter where it resides or how it is transferred - remains protected with integrity, and that the record's subject (the "individual") is assisted in understanding and using these technology tools in his or her transmission and maintenance of personal health information. With the advent of the electronic health record and the transfer of an individual's health information through electronic media, including the Internet, the need for privacy, confidentiality and security protection takes on new meanings and challenges.

AHIMA members believe privacy, confidentiality, and security are essential components of the health record and of fostering trust between healthcare consumers and providers. Trust is essential if the health information collected is to serve as a complete and accurate foundation not only for patient health information but also for clinical care, research, payment, and healthcare policymaking. Health information and data are now being developed on aspects of an individual's health and care that have not been considered by law or practice. Privacy and confidentiality laws have not kept pace with these developments, and federal preemption under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has created a "floor" for privacy protection rather than raised the HIPAA requirement to a national ceiling. At the same time, HIPAA has not provided the necessary relief from inconsistent administration, a burden whose elimination was set as a goal of this legislation. In addition, health data, especially in areas such as genetics, could cause irreparable harm to an individual if accessed by an inappropriate party. AHIMA, therefore, calls upon the healthcare industry and government to ensure full, uniform protection, security, and administration of every individual's health information.

Current Situation

Educated and certified AHIMA members have been committed for 75 years to ensuring patient healthcare information is used to fulfill appropriate needs as provided by consent or law - a balancing act complicated by the lack of uniform national guidelines governing healthcare privacy and confidentiality. Health information management (HIM) professionals handle millions of pieces of health information each day, and HIM professionals have assumed the task of ensuring as much protection, security, and integrity of an individual's health information privacy and confidentiality as possible. The ability to effect such protection, however, has changed with time, technology, and legislation.

Today, the health record is not just a paper file. It includes documentation, data, records, and information that might reside, for a single individual, in a number of entities and locations. It might be in the individual's own possession, and it could be in paper or electronic media or a combination of both. The task of ensuring the privacy, confidentiality, and security of an individual's health information therefore becomes all the more challenging as the nation moves into an electronic healthcare world and the industry moves between paper and computer.

The history and breadth of the privacy issue are long and wide. This is only a glimpse of the issue, where it has been, and where it appears to be going:

  • In the 1990s, the privacy issue was debated extensively by Congress, culminating in the passage of administrative simplification legislation in HIPAA. HIPAA was not the end of the debate, but to date Congress has passed no additional legislation.
  • HIPAA mandated both privacy and security regulations. The privacy regulation was implemented by most of the healthcare industry on April 14, 2003. On April 21, 2003, the final security regulation - identified as a subset of privacy - became effective, with initial implementation for most healthcare-related entities required by April 21, 2005.
  • HIPAA does not affect all entities (especially nonhealthcare entities) that might send, receive, or transmit an individual's health information; therefore, its protections are limited. Current laws do not adequately address the new technology, systems, and processes that affect health information, or the various ways institutions, professionals, and the individual might access or transmit information, especially today through the Internet, intranets, or other networks. New threats in the form of "identity theft" also require attention. Comprehensive and non-conflicting rules and regulations remain necessary to deal with health information in the total environment.
  • A public need exists to share health information, including, at times, information that can identify a specific individual. Such needs include maintaining the public health, medical research, addressing medical error, bioterrorism monitoring, or preventing medical fraud. The balance between an individual's right to privacy and the public good, as well as the need for a national healthcare information infrastructure to move, collect and store such information, must be resolved.
  • Medical science and technology continue to mature, and new data is being created that, when accessed, could be used to discriminate against an individual. How this data should be used and protected is another example of the problems facing this nation as it attempts to protect an individual's privacy and confidentiality.
  • Current HIPAA laws and regulations have not fully addressed myriad state and federal laws, which leaves conflicts for those trying to comply with them. HIM professionals, whose function it is to protect privacy and confidentiality and maintain security, are faced with a conflict between advocating administrative uniformity and creating a high standard or "ceiling" for privacy and confidentiality protections across state boundaries. Privacy cannot be sacrificed for expediency. The need continues for a uniform federal law preempting all others, so that protection and administration are uniform.

Privacy, Confidentiality, and Security of Health Information Will Be Achieved When:

  • Privacy and confidentiality protections are uniform and set the high standard throughout the country through federal preemptive law(s) that establish fair, reasonable, and uniform health information practices, across all states, which understand and respect the rights of the individual and the public and apply to the medium in which such information is stored, transferred, or accessed.
  • An individual will have the right to:
    • Access his or her health information in any setting (with minimal limits);
    • Have an understanding of his or her privacy rights and options;
    • Be notified about all information practices concerning his or her information;
    • Have the right to appropriately challenge the accuracy of his or her health information; and
    • Have the right, in certain electronic or Internet situations, to opt-in or authorize the collection or use of information beyond what is originally authorized by the individual or law.
  • The collection and use of health information will be permitted only for legitimate purposes, and only as provided by law, and will be uniform across all jurisdictions and entities and for all individuals.
  • Credentialed HIM professionals, given their training and education in privacy and information release and HIM, are considered the primary custodians of health information and principal experts in maintaining the privacy, confidentiality, and security of information in the healthcare industry.
  • Laws, practices, and technologies are put in place to provide protections required to maintain appropriate privacy, confidentiality, security, and integrity of health information.

Because the issue of health information privacy, confidentiality, and security is so broad, AHIMA fully expects to issue position statements regarding individual aspects of this issue. With almost 75 years of ensuring the management and protection of health records, AHIMA has a number of definitions and "best practices" related to privacy and confidentiality, including its "Definition for the Legal Medical Record." This information can be obtained at the AHIMA Web site.


The American Health Information Management Association is a dynamic organization of more than 45,000 specially educated professionals - all working to ensure accurate and timely information within healthcare.
www.ahima.org