On December 20, 2000, President Clinton signed a regulation that established the first-ever federal privacy protections for personal health information. The regulation issued by President Clinton was the culmination of a process that dates from 1996. When the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted, both President Clinton and Congress discussed a need for national patient record privacy standards. At that time, Congress gave itself until August 21, 1999, to pass comprehensive health information privacy legislation. When Congress did not enact standards by that deadline, HIPAA provided that the US Department of Health and Human Services (HHS) issue regulations. The proposed regulation was initially published on November 3, 1999, for comments. During the comment period, HHS received 52,000 comments from the public. After consideration of these comments, revisions were made that resulted in the final regulation enacted by President Clinton in December 2000. The regulation is effective February 26, 2001. Compliance with these rules by health care providers is not required until February 26, 2003. Either Congress or President Bush could reverse these rules with a new regulation. Given that Congress could not agree on a set of rules within the 3-year period provided by HIPAA, it is unlikely that it would be able to agree on specific changes or a new set of rules. President Bush has not expressed any reservations about these standards. Further, his campaign platform promised rules to protect the privacy of medical information. Administration advisers, however, stated that they would want to review the details of these standards, particularly the benefits, costs, and burdens. Because these rules have such a far-reaching effect and place new burdens and duties on health care providers, it is important to become familiar with, understand, and consider them as a first step toward compliance.