It is clear that many – in and out of the health care system – view electronic medical records, personal health records and additional use of health information technology as a means of creating dramatic improvement in our health care system. At the same time, these records - along with some of these benefits - are creating a new debate as to whether the existing health care privacy and security rules are reasonable and effective in today’s evolving health care information environment. In the current debate, privacy has become a stumbling block of sorts to development of health information technology. And, as Congress begins to move more quickly on the legislative front dealing with these records, privacy threatens to become an even bigger concern, with the real risk that privacy and security concerns ultimately may impede, reduce or eliminate many of the benefits of these new electronic records.
From a pure policy perspective, what should the rules be for the collection, use and exchange of these electronic records? As we struggle to develop appropriate means of designing information exchange networks, and entities across the country, both public and private, face challenges in determining appropriate ground rules, will we be able to develop systems that will provide the benefits identified by government advocates while still protecting patient privacy through appropriate means? This commentary explores these issues.
Beyond this policy debate, the questions about these electronic health records are now moving to the legislative arena – with Congress actively evaluating various health information technology bills that are designed to promote the use of health information technology while providing appropriate privacy and security protections. Congress has been reviewing health information technology legislation for several years, designed to promote the use of health information technology and create an appropriate regulatory framework for this development. These bills have languished in Congress, both because of concerns about the goals of this legislation and, most recently, because of the perceived need to develop “new” privacy and security rules for this new environment. While this debate in Congress has been moving quickly, it is far from over. Moreover, as it now stands, the privacy and security proposals create the risk of both undercutting the incentives to use health information technology and imposing significant new burdens on health care entities in the name of patient privacy, without any concrete new privacy benefits or clear problems with the current privacy environment.
Accordingly, there are significant risks that Congress will create more harm than good from its actions. Congress appears determined to revisit carefully drawn HIPAA compromises without any credible need, thereby creating significant new costs and burdens for health care entities without any corresponding benefits. At a time when Congress is trying to motivate health care entities to implement electronic records programs, it also seems determined to impose new obligations on companies that do choose to implement these records, thereby creating incentives and disincentives in the same piece of legislation.
The author of this commentary holds that Congress should evaluate carefully whether there is a need at this time to develop new privacy and security rules. The technology portions of the legislation can proceed without any specific new privacy rules. These provisions – while important – mainly serve to motivate and guide a process of development of electronic health records over time. There are not new privacy risks created by this legislation – even assuming there are in fact any new risks created at all by the movement towards electronic records. Rather than slow down these important technological issues, Congress should step back from new privacy and security rules, so that the push towards these rules does not create undue burdens without a corresponding benefit (particularly in a health care privacy system that generally is working well for covered entities and patients), while not impeding the important progress towards development of more comprehensive systems of electronic health records from health care providers across the country.
Access the complete Emerging Issues Commentary on lexis.com.