As more and more providers and other stakeholders in the health care sector adopt electronic storage and exchange as their preferred way to handle patients' health information, there is growing concern that HIPAA does not adequately assure that patients' privacy will be maintained.  In response, on July 18, 2007, Senators Patrick Leahy (D-Vt.) and Edward Kennedy (D-Mass.) introduced the Health Information Privacy and Security Act of 2007 ("HIPSA") in an attempt to give patients more control over their protected health information.  In addition, HIPSA would create a private right of action, allowing patients to sue violators (i.e., doctors, hospitals, health plans, etc.) for violating their privacy rights, something HIPAA does not currently afford (HIPAA enforcement is reserved for government action only).  Those who handle patients' health information likely will want to know: (1) how else does the Health Information Privacy and Security Act of 2007 differ from HIPAA, and (2) how will it affect them?

In contrast to HIPAA, HIPSA would prohibit the disclosure or use of health information without patient authorization for nearly all purposes.  Under HIPAA, authorization is not required to use such information for treatment, payment and health care operations purposes.  HIPSA would permit use of the information without patient authorization only under specific exceptions for emergency, law enforcement or public health purposes.

In addition, according to a summary of the Bill provided by Senator Leahy's office, the Bill also would:

* Guarantee an individual’s right to supplement, amend, correct, destroy and segregate any protected health information maintained or stored by an entity;

* Require that patients be notified of a data security breach involving their health information within 15 days of its discovery;

* Require entities to publish a list of all data brokers that provide the entity with services that involve protected health information;

* Require data brokers to establish safeguards to secure health information;

* Mandate that entities conduct annual risk assessment, management and control exercises to detect, prevent and limit security threats and breaches;

* Create an office of health information privacy within the Department of Health and Human Services and increase existing HIPAA penalties for privacy rule violations; and