$30 Billion: Money Well Spent?

Thanks to the HITECH Act, the federal government may spend as much as $30 billion to boost electronic health records and health information exchange. Will that prove to be a smart investment? Not if the public lacks trust that their digitized medical information will remain private.

See Also: Entering the Era of Generative AI-Enabled Security

So I was pleased to see a new report this week from The Bipartisan Policy Center hammer home the importance of gaining public trust (see: Report Calls for EHR Privacy Action). After all, if patients don't have confidence that their information will be adequately protected, they'll resist the movement from paper to electronic records.

Headlines about major health information breaches raise doubts about just how secure records really are. 

Headlines about major health information breaches raise doubts about just how secure records really are. As we recently reported, more than 19 million Americans have been affected by major health information breaches since the HIPAA breach notification rule went into effect late in 2009.

Meanwhile, we're waiting to see whether the rules for Stage 2 of the HITECH EHR incentive program will include beefed-up privacy and security requirements as widely anticipated. Those proposed rules, which may be issued in the next few weeks, could trigger more action to protect patient information. And that action, if well-publicized, could build public trust.

But long-overdue HITECH-mandated modifications to the Health Insurance Portability and Accountability Act's privacy and security rules remain on hold. Also in limbo is a final version of the HIPAA breach notification rule. The continued delays in the release of these important rules do nothing to boost public confidence in the privacy of their records. That's why it's so important for these rules to be released as soon as possible.

Providing Guidance

The Bipartisan Policy Center made several recommendations regarding records privacy. One of the most significant was this: "The administration should consistently issue comprehensive and clear guidance on compliance with federal privacy and security laws covering personal health information with reasonable and achievable implementation timelines."

Some entities are reluctant to adopt electronic records and exchange information, the report notes, because of "uncertainty about how to comply with existing and new health data privacy and security laws and regulations, coupled with concerns about liability." And that's why guidance is so important.

The policy center also called for regulators to develop and distribute basic, 'common-sense' security practices to healthcare organizations of all sizes.

If regulators overseeing the dispersal of as much as $30 billion in HITECH Act funding for EHRs and HIEs want to build public confidence, it's essential that they issue all the overdue rules pronto, provide healthcare organizations with extensive compliance guidance, and then find ways to educate the public about all actions taken to protect sensitive patient information. Otherwise, patients may resist the digitization of their records, and billions of taxpayer dollars could be wasted.