The new health information technology part of the stimulus changes the old rules of HIPAA (Health Insurance Portability and Accessibility Act), a law that we have come to think of as a patient privacy law, but which is actually a law to entitle the patient to his own records. The new law takes into account that electronic health records can be used for good or ill.
So there is an expanded right for the patient to resist disclosure of certain health information, and restrictions on data resale and marketing. On the other hand, if you are the developer of a PHR or the proprietor of a Health Information Exchange, you will now have to make business associate agreements with all your business partners and providers tying them to the same standards of confidentiality to which you are tied. This is called an expanded “chain of trust” agreement, and it extends the provisions of HIPAA for patient privacy far beyond the mere healthcare provider’s office to his IT supply chain.
There are also new notification requirements for health information breaches, increased enforcement, and penalties for privacy violations. Remember when somebody took millions of health records home on a laptop and lost it, along with all the records? There will now be penalties for that, and you will have to be notified. Your health care provider will have to establish an audit trail for your health information.
If you don’t want your information included in the health information exchange and you pay out of pocket for your care, you can withhold information. But if you have insurance, you can’t. You can still opt out of having your information used for fundraising, and the law tightens the consent requirements for all marketing purposes.
These laws have been tightened because consumers are pushing for networked personal health records (PHRs), and are adopting technology faster than providers.