As discussed in last week's news on the Spondylitis Association of America web site, a new federally mandated law went into effect on Monday, April 14. The regulations stem from the Health Insurance Portability and Accountability Act (HIPAA), which Congress passed in 1996. After six years of body work, HIPAA is now the law. The new rules affect millions of doctors, hospitals, health plans, and others to comply with medical privacy rules, which cover a broad range of practices but are not as strong as some patient advocates had hoped. Many consider HIPAA to be the most sweeping reforms since Medicare.

"While many states have enacted laws giving different degrees of patient protection, there has never before been a federal law standard defining and ensuring medical privacy," said Secretary of Health and Human Services Tommy Thompson in a statement. "Now new federal law standards are coming into force to protect the personal health information of every American patient."

The original intent of HIPAA was to allow people to carry their insurance from job to job, but the final version tilts more towards protecting the privacy of medical records and information regarding the person's physical and mental health. It tries to keep sensitive information out of the hands of marketers, employers, reports, and anyone who might abuse it. It also guarantees patients the right to view, copy and add to their own records. Patients cannot sue over violations under the rules, but they can file complaints with the government, who in turn can impose penalties.

One of the most significant reforms prevents insurance companies from disclosing a worker's medical history to an employer. "Most people are terribly worried that their bosses are going to find out about conditions that they have," says Janlori Goldman, director of the Health Privacy Project, a Washington-based health-privacy advocacy group. "They are worried about being discriminated against on the job, [or] they won't get a job or a promotion, so this will really go a long way toward protecting people in their jobs." Employees who try to peek at coworkers' medical records now potentially risk steep fines and/or jail time.

Other changes mean that doctors, hospitals, insurers and health care companies can no longer share patient information with third parties without the patient's authorization. Sign-in sheets in doctors' waiting rooms can no longer request personal information.

Despite reports to the contrary, there are some things that HIPAA does not do. For example, it allows family and friends to visit sick loved ones in the hospital and send flowers or care packages unless the patient has asked to be left alone.

Not everyone sees much to recommend in HIPAA. A coalition of health care groups has filed a lawsuit in federal court to reject the new law, while some members of Congress have introduced legislation to plug what they consider to be loopholes in the law. Kathryn Serkes, a spokeswoman for the Association of American Physicians and Surgeons, in Tucson, Arizona, says that patients may believe the HIPAA forms they are now signing at their doctors' offices grant or deny permission to disclose their medical information, but in reality, they are merely an advisory about how that information is going to be used. Furthermore, the law does not cover doctors who do not transmit medical information electronically. For example, records can be faxed from one health provider to another, provided there are "reasonable" safeguards. Serkes' association has launched an advertising campaign urging consumers to pressure their doctors to stay out of the program.