Dr. Mirvis is the Editor-in-Chief of this journal and Professor of
Radiology, Diagnostic Imaging Department, University of Maryland
Medical Center, Baltimore, MD.

Like most other medical facilities in this country, our hospital
has been frantically trying to educate the staff concerning the new
HIPAA rules. On the positive side, I can frankly say that the
hospital education system has worked quite well at delivering the
message through lectures, articles in the hospital newspaper, and
online teaching and tests (HIPAA 101 for everyone and 201 for
researchers). For anyone left out there who still has not become
acquainted with the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) because you were perhaps in an extended coma or
held captive by a lost Amazon civilization, the goals of the act
are severalfold. Of the many parts of this act, which covers 367
pages in the Federal Register,1,2 the one that has the most direct
impact on physicians is the
section on health information privacy.
Many good intentions lay behind the creation of the HIPAA
provisions, such as making it easier for people to move from one
job to another and maintain health care insurability, giving
individuals access to their medical information and informing them
who else has had such access, streamlining and promoting electronic
standards for processing health claims, and providing security for
electronic health information systems.
I agree whole-heartedly with the intent of the health
information privacy rule. Basically, this rule says that you
cannot, under penalty of law, disclose to another party private
health information that is not directly for the medical benefit of
the patient or for certain functions such as billing, public health,
research, and law enforcement.
However, there are many nuances that accompany this common-sense
protection that propel it into the arena of the truly
mind-boggling. As I read through the well-organized and diagrammed
online description of the privacy provision for researchers provided
at our institution, I became more than a little confused. Arrows
and boxes signifying covered and hybrid entities and notice of
privacy practices were whirling around on the screen, seemingly
governed by some underlying set of laws written by strange
bureaucrats with large budgets and too much free time (Figure 1).
What really put the icing on the cake is that the privacy rule is
part of the standards required under HIPAA's administrative
simplification provisions.
Of course, what I also realized, even with my somewhat limited
capacity to comprehend most of this, besides the obvious common
sense guideline that I had always followed anyway, was that future
research projects were going to have another hurdle to jump. Any
prospective study that includes private health information will
require consent from the patient, which can later be withdrawn.
Whether or not and to what extent the requirement to obtain this
consent, in addition to the usual institutional review board
research study consent, will make medical research efforts more
difficult and time-consuming remains to be seen. Further, any
research-related databases or data repositories that contain
private medical information that already exist, that might
potentially be added to in the future, or that will be established
for a research project must obtain institutional review board
approval requiring specific consent for inclusion of identifiable
patient information whenever possible. Fortunately, teaching files
of cases used for education and quality improvement functions that
involve maintaining private medical information are excluded.
Clearly, another layer of red tape has been added to our research
efforts.
I wonder how many situations have actually occurred in which
patients were in any way negatively impacted by use of their
private medical information in medical research studies or in
everyday medical information exchanges among healthcare
professionals. After all, the Hippocratic Oath states above all do
no harm, and that certainly includes a prohibition against
violating a patient's personal or medical privacy. Clearly, the
intentional misuse of such information for personal gain is
certainly possible, has occurred, and should be specifically and
harshly punished under the law. However, HIPAA may have been
stretched to cover an area where it was, in most instances, not
really needed.