We need to move carefully in establishing a national electronic medical records database, since there really are serious problems as it stands now with healthcare records privacy. The fairly recent Privacy Rule (2006) established under The Health Insurance Portability and Accountability Act (HIPAA, 1996), was touted as a measure that would protect patient records, but turned out to be no more than another GWB/Orwellian type measure - it sounds good, but then one discovers it has an effect that was the opposite of what it ostensibly was supposed to achieve.

In fact, not long after the HIPAA Privacy Rule went into effect, a coalition of medical providers sued HHS because of the more egregious but little-known provisions of HIPAA that, despite all the promises, actually provided less control by consumers over their personal medical data. Unfortunately, the decision was against the coalition, so the questionable rules remain.

Further, although HIPAA did establish some apparently stronger guidelines for records confidentiality, it gives patients no right to file a private lawsuit in order to challenge those who violate the confidentiality rules. Only the Secretary of HHS can sue. So in the years since HIPAA privacy was passed, there have been hardly any lawsuits for confidentiality breaches under HIPAA. Here's a recent article from a Healthcare IT website about the almost non-existant HIPAA enforcement.

So HIPAA appears to be a case legislative of bait and switch: a tedious process (all those forms that we have to fill out) deceives us into thinking that the records are protected, but in reality, many HIPAA protections are illusory, and the lack of enforcement by HHS means it's a law without teeth.

Patient confidentiality is a very serious issue. A study sometime before the HIPAA Privacy Rule was put into place found that around 3 out of 4 (that's 75%!) of medical consumers felt there had been breaches of their medical records. And even after the passage of HIPAA, studies revealed significant concern among medical consumers over records privacy. How much worse would this be if there were a centralized database? Who would have access to such a database? What specific information would it contain? What protections would be put in place to prevent unauthorized access? Would the consumer have access to their personal information, or only medical and governmental personnel? What procedures would there be for correcting errors in the record? Obviously, those with conditions that are subject to substantial social stigma, such as mental illness or HIV/AIDS have a much higher level of concern about how these questions may ultimately be answered, but anyone who visits a doctor has the right to expect effective safeguards of their privacy. So it's reasonable to raise serious questions about the new proposed database, especially in light of the many failures to protect patient info, even after HIPAA was passed. And the questions above are just a start; there are so many questions that need to be asked and answered before we, as citizens, sign off on something like this.

The idea of electronic records may be a very good one, when looked at primarily in terms of efficiency. We do need to find ways to reduce our ridiculously large medical expenditures. But there are potentially very serious problems with records privacy that need to be resolved first.

UPDATE: 2-13-09, 3:51pm PST
I am very happy to report that in researching this issue further, I happened upon additional new information that says the Congress included stronger medical records protection as part of the stimulus. And it looks like the medical records privacy issues made it through the conference committee, so we're almost there. Apparently, Congress wrote in a provision that establishes that advocacy groups will be participating in the regulatory process, a very good sign. (Initially Congress, in writing HIPAA, apparently intended for there to be strong privacy protections for medical records, but it was in the writing of the rules by HHS that things became watered down and dicey.)

Here's an excerpt from an article I found, written just today, on what's in the stimulus bill regarding medical records privacy protections:

Economic stimulus legislation awaiting final approval by Congress, then expected to be signed into law by President Barack Obama, includes more stringent medical records privacy requirements along with $19 billion in funding for health information technology (IT).

The American Recovery and Reinvestment Act (H.R. 1) would provide grants and payment incentives for physicians, hospitals, nursing homes and other health care entities to adopt and make meaningful use of technology designed to create and manage electronic health records (EHRs).

The legislation also includes provisions intended to shore up public confidence in the use of EHRs and personal health records (PHRs) by beefing up enforcement of and expanding the scope of businesses covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules.

HIPAA consultant John Parmigiani said Feb. 12 that he expects the health IT provisions in the economic recovery bill to have a "significant impact" on health care privacy and security.

Because it speaks to privacy and security breach notifications, increased enforcement, audit trails, encryption and "a definite concern for driving the attainment of an EHR while protecting patient information," he said, the legislation "emphasizes the critical ingredient in fostering widespread implementation, acceptance and use of e-health -- trust -- among patients, providers and payers to effectively and efficiently deliver health care and share health care information."

http://www.thompson.com/public/newsbrief.jsp?cat=HEALTHCARE&id=2058
 
I'm going to be keeping my fingers crossed...