The stimulus bill that President Barack Obama signed last week has a $19-billion section devoted to a nationwide transition to electronic medical records, one of his administration’s highest priorities. However, it remains to be seen how the software industry will react to the stipulations regarding patient privacy, including clauses that describe how health information technology companies will be liable if patient privacy is breached.
Section XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009 explains the consequences for liable entities in the case of a breach. Patients must be notified via mail within 60 days, Health and Human Services must be notified, and, if the breach involves more than 500 patients, the news media must also be notified. Individuals must also be provided a way to contact the company to discuss the breach.
Under the legislation, patients can also request an audit trail showing all disclosures of their health information made through an electronic record.
Much of the privacy language was added at the 11th hour, during a joint House-Senate conference committee meeting held on February 12th, Nextgov.com reported. Obama signed the bill into law on February 17th.
"Our medical records are among the most sensitive information we have about ourselves, so it is essential that health IT systems have strong protections to protect patients’ privacy," Rep. Edward Markey, D-Mass., co-chair of the Congressional Privacy Caucus, told Nextgov.com. Markey reportedly claimed responsibility for introducing the privacy language.
Consumer Watchdog, a Washington, D.C.-based consumer advocacy group, said the additions were a victory for patient privacy rights activists.
"Google and Microsoft and medical records companies are now accountable in the way HIPAA providers are," Jamie Court, president of Consumer Watchdog, told The Industry Standard. "Heretofore these guys had no accountability."
Google, a major player in the electronic medical records field, declined a request for an interview. But in a company blog post from last month, Google attorney Pablo Chavez said the company supported strong privacy protections for medical records.