I know I’m not the only one who’s a little leery of the charge ahead toward electronic access of health records. I’m not a Luddite; I use technology for hours every day, and can’t completely remember life without the computer. And when I handle a long-term disability case, I LOVE receiving medical records that are typewritten, not written in that arcane code and famously bad handwriting.
But the assumption that every American’s complete health history should be available for nationwide electronic exchange and use scares me a little. HIPAA, the Health Insurance Portability and Accountability Act, governs the disclosure of health information. A new law has been added to the mix: the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), part of the American Recovery and Reinvestment Act of 2009. The law and its regulations erect standards intended to minimize disclosures. This new law also sets out a lot of requirements for the notifications that are necessary in the case of a breach of the privacy provisions. Specifically, the person whose privacy has been breached is entitled to notice.
The problems are: what if notice is not given; and what if it is? In the first instance, the person with the divulged health information has suffered a loss of privacy, but may never know. So, enforcement of this law is not going to be easy without whistleblowers or honorable companies holding the information.
In the second instance, privacy is breached, and the person is so notified. Now what is there to do? As of now, only the federal or state government can pursue the discloser and seek penalties. The penalties can get large; for example, for a wilful violation that is not corrected, the maximum penalty is $50,000. But this still deprives the individual of control, not to mention the damages. An individual whose health information breach leads to the potential for identity theft can act quickly, and often avoid the worst of the damage. (See the Federal Trade Commission site for a step-by-step guide to dealing with identity theft.) And a violation could lead to a state case for invasion of privacy. Damages are difficult to measure in those cases, though.
This situation is similar to what we often face in considering severance agreements. It is typical for the company and employee to promise not to disparage each other. But what if they do? How do you prove the damages? In some cases, you just have to trust the good faith of the other party, because the prospects of enforcing a promise like that are dim.