US Health and Human Services (HHS) Secretary Donna Shalala has proposed new standards for protecting individual medical information online. In the seemingly unending debate about whether or not legislation is needed to protect the privacy of personal information stored electronically, the two special cases that all sides seem to be prepared to make are medical records and kids (CI No 3,465). Like most of us, Shalala doesn’t want to see records improperly accessed, altered or lost. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) called on the Secretary to make recommendations to Congress on how to protect health data. Today’s raft of recommendations seeks to address security threats to information stored electronically. If the proposals are adopted, all companies that maintain or transmit medical information electronically will have to develop a security plan, train employees and secure physical access to records. This is pretty modest stuff and it raises the worrying question of whether some such organizations aren’t taking those measures already. If not, why not? HHS must get these recommendations through before it can meet its obligations under HIPAA. The 1996 Act required the Secretary to issue unique identifier numbers for health care providers, employers, health plans and patients, but the Clinton administration, acting on popular anxiety, nixed patient IDs until HHS can demonstrate adequate privacy protections. Looks like we’re still waiting.