Health Experts: E-health Records Privacy Rules Needed

The U.S. needs new medical privacy rules as the country moves toward greater use of IT to store health records, a group of health-care experts said Wednesday.

"Thousands" of databases that contain U.S. residents' health records exist, and patients don't have any way to keep their personal information from being shared with third parties, said Dr. Deborah Peel, a psychiatrist and founder of the Patient Privacy Rights Foundation. Private companies have been data-mining prescription records for years, she added.

The Health Insurance Portability and Accountability Act (HIPAA), passed by the U.S. Congress in 1996, sets security standards that health-care providers must follow, but the law leaves major gaps in privacy, Peel said at an electronic health-records privacy forum sponsored by public relations firm Dittus Communications.

HIPAA gave many organizations with ties to health-care vendors, including offshore transcription vendors, insurance brokers and credit bureaus, authorization to use health care-records, she said. "Because of this confusion that HIPAA engendered, data is being exchanged and used for reasons that have nothing to do with people getting well," she said. "People think this is the wild west because of HIPAA, and every piece of data that's not nailed down can be used for some other purpose."

While panelists at the forum seemed to agree that some type of privacy policy for e-health records is needed, they did not agree on how to accomplish it. Peel called for the U.S. government to create a national standard, but David Merritt, project director at the Center for Health Transformation and the Gingrich Group, called for private groups to develop privacy standards.

The U.S. Department of Health and Human Services has proposed moving a privacy commission to the private sector, but a bill sponsored by Senator Edward Kennedy, a Massachusetts Democrat, would keep that commission in the federal government.

In addition, Kala Evelyn Ladenheim, program director for state health policy leadership at the National Conference of State Legislators, called on the federal government to allow states to develop their own privacy policies. Some states may create stronger protections than a national effort would, she said.

But 50 state privacy policies would be difficult for health providers to comply with, countered Tom Wilder, senior regulatory counsel for America's Health Insurance Plans, a trade group representing health insurance providers.

In most other industries, private organizations have developed privacy policies, Merritt said. He called on a public and private partnership to create privacy standards.

"The government is really good at creating commissions and creating advisory boards ... and studying an issue," he said. "What the government is not good at, and what we shouldn't ask it to do, is to lead and to act."

Peel disagreed, saying health-care providers would have conflicts when creating privacy standards, and HHS employees may not have the public's best interest in mind. "We would actually say the problem is that the government is not in the lead," she said. "Unelected officials, bureaucrats and conflicted industry representatives shouldn't be making decisions about privacy."

Subscribe to the Security Watch Newsletter

Comments