Twenty years ago, President Clinton signed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) into law. Over the past two decades, the federal Department of Health and Human Services (HHS) has published several sets of rules implementing the Administrative Simplification provisions within HIPAA as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act within the American Recovery and Reinvestment Act (ARRA). These rules include a final rule governing the use and disclosure of protected health information by covered entities and their business associates (the Privacy Rule).

This Article addresses the question of what it means for covered entities and business associates to comply with the Privacy Rule. In particular, this Article will examine the challenges covered entities and business associates face in attempting to comply with the Privacy Rule while delivering and supporting the delivery of health care in an administratively responsible and financially feasible manner.

Part I of the Article summarizes the history of the Privacy Rule, including the many proposed rules, interim final rules, final rules, guidance documents, and resolution agreements published by HHS. Part II reviews the Privacy Rule’s theory of and approach to health information confidentiality. Part III identifies three themes relating to Privacy Rule compliance.

Publication Citation

1 Loy. U. Chi. J. Reg. Compliance 23 (2016).