In the months ahead, policymakers in the United States will continue to debate how to control the ever-increasing cost of our nation's health care system. Several legislative proposals introduced in the 102nd Congress included provisions intended to reduce the cost of administering the system,[1] and similar proposals have already been introduced in the 103rd Congress.[2] Indeed, the President has recently unveiled his health care reform proposal. A key feature of most of these reform proposals is the heavy reliance on computer technology to facilitate the flow of sensitive medical records (potentially on a national scale) to achieve administrative savings. A major impetus for relying on computerized medical records is the mobile nature of U.S. society. Census figures indicate that 44 percent of the American population changed their place of residence between 1985 and 1990. Approximately 25 percent of these people changed residences across state lines.[3] Because the health care system is to be reformed on a national scale, conforming to a minimum set of standards, it is crucial that patients' right to privacy and the confidentiality of their medical records also be standard across the nation. Yet thus far, the fact that die law currently does not provide consistent protection for most medical records has been conspicuously absent from reform discussions. Only a handful of states have adopted any laws to protect these records, an d those vary in scope and applicability. For instance, most states recognize a provider-patient privilege (discussed in more detail later). Some states also have specific laws to deal with highly sensitive medical information, such as mental health records and/or AIDS test results. A few states--for example, California, Washington, and Montana--have enacted laws defining access to health information generally, while others deal more with insurance transactions. In addition, different states may have laws governing patient medical records within their statutes dealing with licensing of medical providers and facilities, insurance transactions, or public health reporting. Moreover, state laws often contain provisions more favorable to information exchange than to patient privacy.[4] With the exception of records relating to substance abuse or records in the custody of the federal government, federal law does not protect the confidentiality of medical information. In fact, video rental records are afforded more federal protection than are medical records. As the law now stands, while the unauthorized disclosure of medical records may be ethically reprehensible, in the majority of states in this country it is not illegal. A patient's fundamental need to provide sensitive medical information to a practitioner without fear of the consequences should be fixed arid not fluid--it must be consistent across every state. This will be especially critical with the advent of standardized and automated medical records and insurance claims. As a report to the secretary of health and human services noted, Historically, providers have stored medical information and filed health insurance claims on paper. The paper medium is cumbersome and expensive, two factors that led to the call for the use of EDI [electronic data interchange]. Ironically, it is this negative aspect of the paper medium (its cumbersome nature) that has minimized the risk of breaches of confidentiality. Although a breach could occur if someone gained access to health records or insurance claim forms, the magnitude of the breach was limited by the sheer difficulty of unobtrusively reviewing large numbers of records or claim forms. From the provider perspective, EDI changes the environment dramatically. …