The introduction to the paper below has a lengthy and illuminating rant about the pre-HIPAA patchwork of laws and regulations around medical records privacy. I’d definitely want to read the original NRC report

HIMSS (Healthcare Information and Management Systems Society): JHIM: Journal of Healthcare Information Management

Security Measures Required for HIPAA Privacy

Margret Amatayakul, RHIA, FHIMSS

The state of security in healthcare is no less diverse. In 1997, the National Research Council released a landmark work: For the Record: Protecting Electronic Health Information. This report of a field study revealed that healthcare organizations did very little to counter security threats. Although it could not document the actual volume of threats, it did identify mistakes, improper use of access privileges, unauthorized use for spite or profit, unauthorized physical intrusion, and technical break-in as not uncommon occurrences. Likewise, organizational and even simple technical mechanisms such as authentication, auditing, access controls, and cryptography were rarely in place. Most healthcare organizations relied on corporate culture and closed networks to protect the private information of their patients and providers.