and the type of information (i.e., mental health, HIV or AIDS, substance abuse, genetic information). Most statutes do not address redisclosure of health information and lack penalties for misuse or misappropriation. Few states have enacted statutes and regulations as to whether medical records can be created, authenticated, and stored electronically. Only 28 states explicitly protect and ensure the rights of patients to review their medical records so that they can see what information exists about them and recommend changes or make amendments if necessary. Four states allow patient access to hospital records only, whereas 24 provide access to hospital and physician records.

As health care providers have expanded their reach across state borders, the need for greater uniformity has increased. In recent years, the National Conference of Commissioners on Uniform State Laws developed the Uniform Healthcare Information Act in an attempt to stimulate uniformity among states on health care information management issues. As of 1996, only two states, Montana and Washington, had enacted this model legislation.17 Clearly, efforts must be directed toward developing national standards of confidentiality and security to support the development of computer-based patient record systems and to instill trust by consumers in the use of technology.

Limitations of State Protections

For the most part, state law has not overcome the weaknesses in current federal data protection. State statutes do not address the flow of health information to secondary users outside the provider setting. They do not address the responsibilities of third-party payers in handling health information, nor do they impose rules on the use of health information by secondary users of the data. Most state statutes fail to recognize the particular challenges posed by the use of electronic health records and by the rapid growth of organizations that compile information about patients, in both patient-identifiable and aggregated form, for sale to interested corporations.18


The main provisions of this model legislation are (1) to give patients the right to have access to their own medical records; (2) to allow patients to correct or amend their records if the content is suspected to be in error; (3) to require providers to obtain a written authorization before disclosing patient information to other parties; and (4) to outline situations in which patient information may be disclosed without patient authorization. (gopher://


Office of Technology Assessment. 1993. Protecting Privacy in Computerized Medical Information, OTA-TCT-576. U.S. Government Printing Office, Washington, D.C., September, pp. 43-44.

The National Academies of Sciences, Engineering, and Medicine

Copyright © National Academy of Sciences. All rights reserved.