Progress in securing health records, but still a long way to go

An excellent article this week in InformationWeek by Mitch Wagner provides a nice overview of the privacy and security issues related to widespread deployment of electronic medical records, both noting the recent progress made in these areas and highlighting key challenges that remain. Some of the new privacy rules put into place with the HITECH Act portion of the American Recovery and Reinvestment Act, such as the application of HIPAA enforcement and penalties against individuals rather than just organizations, are accurately characterized as incremental but still important steps toward the point where all personal health information is protected by the appropriate policies and safeguards, including technical controls to make sure those policies are actually followed. Similar steps to strengthen rules such as accounting of disclosures (basically keeping track of all the times and circumstances in which an individual’s health record is accessed) and to ramp up the enforcement mechanisms available to the government agencies responsible for investigating violations of the laws should, in the aggregate, help consumers feel at least a little more comfortable about having their personal medical data stored electronically. With the additional attention now being placed on collecting and honoring patient preferences for information disclosure, in the form of explicit consent, it appears that the people responsible for working to overcome some of these challenges do understand the nature and extent of the problem, and continue to solicit input and collaboration from all sides of the issues. It remains to be seen whether the privacy and security concerns can be mitigated sufficiently to allow the rollout of electronic health records to proceed on the timetable set by the current administration.

A follow-up article by Wagner addresses many of the same issues, but provides more perspective on privacy concerns, especially the opinion of some privacy advocates that the privacy measures to date (even the enhanced ones in the HITECH Act) just don’t go far enough. The Health IT privacy debate provides an interesting contrast to the similar but differently focused conversations about societal expectations of privacy sparked by Facebook’s recent change in privacy policy.