Privacy

What do Britney Spears and Farrah Fawcett have in common with California First Lady Maria Shriver? How soon we forget: someone snooped in their medical files. The California state Senate hasn't forgotten. It just passed legislation that would require health care providers to monitor employees to ensure that they do not violate patients' medical rights, the LA Times reports. California Gov. Arnold Schwarzenegger—Shriver's husband—supports the bill, which still must pass the state Assembly.

Much of the language in the California bill sounds like the federal HIPAA Privacy law. It would require health care providers to have clear and appropriate safeguards to protect patient privacy and "reasonably safeguard confidential medical information from unauthorized or unlawful access, use or disclosure."

But the California initiative differs from HIPAA in several ways. First, it  would allow an individual to sue the person who negligently released confidential medical information. The federal law, in contrast, only allows the Secretary of Health and Human Services to investigate complaints and assess penalties. California would also impose fines up to $25,000—but this pales in comparison to the possible monetary damages available in a civil lawsuit.

Earlier this week we posted our interview about the future of health IT with Carol Diamond of the Markle Foundation. (Part one, and part two). Today we'd like to point you to The Hill 's interview with Health and Human Services Secretary Mike Leavitt on the same topic.

Two points struck us. First, neither the article nor the full Leavitt transcript mentions the word "privacy"—a big issue both for policymakers and for the public who keep reading about nosy hospital staff, researchers who do sloppy things like leave laptops with patient records in the car, and thieves who steal credit card numbers and other financial identity information from medical records. Not insurmountable but essential if we're going to get the country on board with health IT. Second, Leavitt really depicted the health IT challenge primarily as a technology question involving interoperability (letting different computer systems talk to each other) while Markle's Connecting for Health program and conversations with some other experts have made us think about a far broader range of policy challenges that won't be solved only by the computer geeks.

The Wall Street Journal had a great piece and blog item yesterday about Health IT and privacy breaches — we would have blogged about it then had we not, coincidentally, been out much of the day with some other think-tankers and foundation folks educating ourselves about that very topic. Among other things, the Journal article made the key point that privacy breaches are rarely prosecuted. That's not the right way to build public confidence in electronic health records.

Some 35,000 reports of privacy violations have been reported to the Department of Health and Human Services under HIPAA (Health Insurance Portability and Accountabilty Act) since 2003, but not a single civil fine has been levied, WSJ reported. HHS says several hundred reports of violations have been referred to the Department of Justice for criminal prosecution; about 200 cases have been filed although it's not clear how many of them were under HIPAA.