Electronic health records are already subject to federal standards of privacy. The 1996 Health Insurance Portability and Accountability Act (HIPAA) created rules for who may access health records and set criminal penalties for privacy breaches. HIPAA also included a ruling that patients must be notified whenever there has been an improper breach of a medical record. The new electronic medical records will be subject to these HIPAA guidelines, and some guidelines have already been strengthened and clarified under the new legislation.
Under the shadow of HIPAA, however, the Privacy Rights Clearinghouse reports that 5 million people were subject to breaches of their medical records in a period of 18 months [source: Pear]. Laptops stolen from medical offices, paper records that weren't disposed of properly and overly curious (and sometimes malicious) employees were just some of the causes. While many people immediately think of the dangers of hackers when they contemplate a world of electronic medical records, it's important to consider that paper records aren't that safe from nosy workers or people with an ax to grind. One instance of a privacy breach in 2003 involved a medical transcriptionist holding medical information hostage until she was paid for her work [source: Wagner].
It may be impossible to promise complete security of any medical record -- paper or digital -- but digital records do have a few more safeguards in place. For example, hospitals and medical offices will most likely authorize the people who can see each person's chart. Each authorized person will have a password to sign into the chart, which will allow the electronic system to record every single access to it. And under HIPAA, a patient could request the audit trail and see a list of all of the people who have left a digital fingerprint on the chart. If someone accesses a record improperly, he or she is subject to termination, criminal charges and fines.
Under discussion is how forthcoming doctors will have to be with that audit trail. By law, a patient can request it at any time, and a patient must also be informed when there's been a malicious breach -- if, for example, your billing information may have ended up in the wrong hands. But there is some gray area. If your doctor can tell that an intern accessed a record that he shouldn't have, should the patient be notified? Or will the doctor be allowed to determine that the intern meant no harm? If the patient has extremely sensitive health information, he or she may have a different definition of harm than the doctor.
Speaking of sensitive health information, another guideline under discussion would allow patients to keep certain parts of their medical record separate. However, doctors are hoping that patients will be forthcoming so they can receive the best care possible.