Stimulus' electronic record provision sets breach protocol

More details emerged Thursday about the economic stimulus package's treatment of patient privacy as part of a $19 billion section intended to spur nationwide adoption of electronic medical records.

The plan would establish a federal breach notification requirement for health data that is not encrypted or otherwise made indecipherable. It would also require that an individual be notified if there is an unauthorized disclosure or use of their health information.

Under the legislation, patients would be able to request an audit trail showing all disclosures of their health information made through an electronic record. Additionally, the bill would ban -- with "sensible exceptions" -- the practice of selling and mining health data without permission.

Pharmacies and other providers would be limited in their ability to get paid for use of a person's health information to market healthcare products without permission. Patients would be given the opportunity to opt out of fundraising drives that make use of their own health information. Furthermore, the stimulus would strengthen enforcement of federal privacy and security laws by increasing penalties for violations and providing greater resources for enforcement and oversight activities.

Rep. Edward Markey, D-Mass., co-chair of the Congressional Privacy Caucus, said he was thrilled the conference report includes privacy language he introduced when the package came before the Energy and Commerce Committee. "Our medical records are among the most sensitive information we have about ourselves, so it is essential that health IT systems have strong protections to protect patients' privacy," he said.

But Republicans like Sen. Tom Coburn, R-Okla., insist the bill is not ready for a vote because of uncertainties surrounding health IT standards development and the billions of dollars allotted for HHS grant-making and Medicare and Medicaid incentives.

"The reason doctors aren't buying programs for electronic medical records has nothing to do with a lack of money," he said Thursday on the floor. "They know if they buy it now, they get to buy it again because none of the computers in health IT talk to each other."

Coburn is also afraid that the public-private panel bankrolled by HHS to develop such a framework, at a cost of $780 million to date, will be abandoned, even though the group is on track to finish its work in 2011.

"If we proceed the way this bill is written, we'll have some bureaucrats at HHS deciding what the standards should be," he said. "You'll absolutely stop private investment in this area that is so much needed."