HHS Secretary Leavitt announced Monday new key privacy principles for electronic health information exchange. In addition, HHS’s Office of Civil Rights published new HIPAA Privacy Rule guidance, which provides important clarifying information on how the Privacy Rule governs covered entities engaged in electronic health information exchange. For example, it clarifies when covered entities must enter into business associate agreements with health information exchanges; it also makes clear that HIPAA Privacy and Security Rules cover consumer personal health records offered by covered entities. However, the guidance merely encourages the adoption of stronger privacy and security policies consistent with the new principles. CDT calls on Congress and the new Administration to implement a comprehensive, enforceable framework of protections for personal health information that builds public trust and facilitates widespread adoption of health IT.