| Background. Until recently, health information held by the private sector was protected by an inadequate patchwork of state laws, common law, and, professional codes of ethical conduct for clinicians. The implementation deadline for the first federal privacy regulation (the HIPAA Privacy Rule) was April 14th, 2003. Passage of the Privacy Rule represents a legislative effort to impose a minimal, uniform standard of privacy and confidentiality protection on individual clinicians and private sector organizations handling medical information. However, little is known about the current level of organizational and physician efforts in this area and their effectiveness in protecting the confidentiality of medical information.; Objectives. The goals of this research were to (a) contribute to the understanding of current physician and health care organization (HCO) practices in implementing the practices required by the Privacy Rule, (b) examine whether the implementation of these practices results in improved confidentiality protection, and (c) describe physicians' attitudes toward the Privacy Rule, and (d) explore physicians' experiences regarding confidentiality in patient care.; Methods. A newly developed, self-administered survey was mailed to a random, nationally representative sample of 2000 physicians drawn from the 2002 American Medical Association Physician Masterfile. Physicians were asked about their own attitudes and confidentiality practices and to evaluate the privacy practices of a health care delivery organization with which they were closely affiliated.; Results. The response rate for this study was 46% (842 respondents). Only 9.1% of physicians reported that their organization had effectively implemented all six Privacy Rule practices measured in this study in the six months preceding the implementation deadline of the Privacy Rule. Small organizations (i.e. those with 5 or fewer physicians) had 1/3 the odds of implementing each of the Privacy Rule's administrative standards (e.g. naming a privacy officer) but over 2.5 times the odds of implementing each of the three procedural standards (e.g. training in privacy policies) as compared to large organizations. According to responding physicians, organizations with more Privacy Rule practices in place were more likely to do a better job on clinically relevant outcomes such as protecting the confidentiality of medical records. However, just over 20% of physicians agreed that the Privacy Rule would assist them personally in protecting their patients' privacy.; Conclusions. Because different sized organizations appear to have differing strengths and weaknesses with respect to Privacy Rule compliance, DHHS may concentrate its enforcement efforts for particular organizations in areas most relevant to each type of organization. DHHS and privacy advocacy groups should monitor not only compliance and adherence with the regulation but also develop measurable indicators of its efficacy. |
