US HHS removes most onerous conditions of HIPAA privacy rule, but the rest of HIPAA remains unchanged. The US Department of Health and Human Services has announced that it will publish the “new” final HIPAA privacy rule, effective August 14. The initial rule, published in 2000, included a heavy administrative burden on covered entities (mainly, medical providers and health plans) to obtain written consent from patients to use their medical information for routine heath care delivery, which it defined as “treatment, payment, and health care operations.” The new rule only requires that patients be given a notice of their privacy rights, and medical providers are only required to make a “good faith” effort to obtain patient written consent, which can be difficult when some patients simply refuse to sign anything. It is important to note that although the HIPAA privacy rule has been softened, this in no way affects any of the other HIPAA provisions, such as those regarding electronic data interchange or information security. There has been some amount of “denial” among many health care providers that HIPAA might just “go away.” Nothing could be further from the truth. As deadlines for HIPAA compliance approach in 2003 and 2004, we expect a great deal of action in the health care industry to upgrade or replace non-compliant systems.