HITECH Increases Exposure of Personal Care Records

Published June 1, 2009

When presidential candidate Barack Obama talked about computerizing medical records, the plan sounded benign. He said it would give “doctors and nurses easy access to all the necessary information about their patients.”

But now that his plan has become law, it turns out lots of other people will have “easy access” too.

The Health Information Technology for Economic and Clinical Health Act (HITECH) was signed by Obama in February as part of the stimulus bill. Despite supposedly heightened privacy provisions, the details of the act are chilling—the very details most members of Congress didn’t bother reading before voting for the bill.

Under HITECH every American’s “health information” is to be computerized by 2014. “Health information” includes anything having to do with “the past, present, or future physical or mental health or condition of an individual.” It includes any information known to one’s “health care providers,” now very broadly defined as including employers, schools, and universities.

The government, through the Department of Health and Human Services, is to arrange for this information to be shared not only with health care providers but also with “the government” and “other interested parties.”

Disclosure Penalties Weak

Creating these computerized records will require a vast assortment of laboring oars with access to our electronic health information records. These include outside “vendors of personal health records” who create and maintain them, and “third party service providers” who assist them. It also includes “business associates” of “health care providers”—and those associates’ lenders, consultants, accountants, and lawyers.

All of these entities are sworn to secrecy, of course, but the penalties for disclosing your records are laughable. If the disclosure is accidental or “unintentional,” nothing happens. Those whose disclosures are “willful” may face fines of $10,000 to $100,000.

There are two reasons why this is lame. First, crimes involving specific intent are notoriously difficult to prove. Second, there are no funds for more government prosecutors, so they will likely view many privacy violations as too trivial to bother with, even if they are a big deal to the individuals involved.

Records Freely Sold

And there’s worse. Your electronic health records can be freely sold for “research,” defined as any “systematic investigation” aimed at contributing to general “knowledge.” Your employer can buy these records to “conduct an evaluation relating to medical surveillance of the workplace”—whatever that means—and root around in them to “evaluate” whether any illnesses or injuries are work-related. And there are no restrictions on resale of this information by these employers and researchers.

The U.S. Comptroller General is authorized to examine how successful all of this information-sharing is “with respect to the quality of the resulting health care provided to the individual” and report on this to the U.S. Senate and House. Which means it’ll be open season on our private information.

Participation in this program by health care providers isn’t mandatory, but the $19 billion in federal subsidies and the penalties for Medicare and Medicaid doctors are powerful incentives to join.

There’s only one way around all this: The next time you go to the doctor, just say, “Hi, doc, I’m feeling fine.”

Maureen Martin ([email protected]) is senior fellow for legal affairs at The Heartland Institute.