A newspaper reporter just called to ask about the state of privacy under electronic medical records, which will now be spreading thanks to $20 billion in the federal economic stimulus plan.  Electronic medical records can help avoid medical mistakes, like those suffered by Dennis Quaid’s newborn twins, but the privacy protections under the stimulus bill need to improve.

Here’s a run down from our health policy director Jerry Flanagan and the World Privacy Forum’s Pam Dixon on the protections and loopholes for electronic medical records in the stimulus bill.

1. The "prohibition" on the sale of medical records is weak, full of loopholes, and applies only to HIPPA covered entities or their "business associates" (think: doctors and anaethesiologists).  DOES NOT apply to Google and Microsoft.  Major exceptions to prohibition of sale if sale is for "research" purposes.

2. The breach provisions requiring companies to notify patients when electronic medical records are breached does apply to Google and MS.  However, there are "safe harbor" provisions that let companies off the hook from the notification requirement if the breach occurred in "good faith."  Bringing Google and MS into the breach requirement (as a "vendor" of electronic medical records) was a last minute change, and something Google and MS will try to eviscerate in the technical clean-up bill.

3. Audit trail only gives patients information of when there information was "disclosed" but not how it was "used."  What this means is that when you go to the hospital for a surgery, the hospital will have tell you when they disclosed the information to a "business associate" but not how the hospital used the information.  As a result, the patient will not know which hospital personnel looked at the information or for what purposes — i.e. you won’t know if a nurse reviewed your file to look up drug allergies or whether the hospital’s fundraising office reviewed the record for the purpose of requesting a donation.  Also, the hospital will only tell a patient which "business associates" (again, think specialists and non-contract doctors) the information was disclosed to, but not who those business associates disclosed the information to or how they used the information.  Patient will have to go to each business associate to get disclosure information — could be hundreds of business associates for each hospital stay.