New Health Dialogue

HEALTH IT: Outsourcing, Globalization and Medical Privacy Breaches

September 24, 2008 - 8:45am

We've written often about the need for more health information technology (used wisely in combination with other delivery reforms as the CBO has made clear). We have also written that patients will be more comfortable with electronic medical records when privacy breaches stop making headlines. We can protect computerized records, and we do protect computerized records in many settings, including electronic health records. But the breaches persist, and we draw attention to them not because we don't think the problem can be fixed but precisely because we believe the problem can and must be fixed. Grady Memorial Hospital is the latest to have patient medical information end up on a publicly accessible web site. As the Atlanta Journal-Constitution reported:

Grady outsourced the job of transcribing the notes to a Marietta firm, Metro Transcribing Inc., which outsourced the work to a Nevada contractor, Renee Lella. Lella, in turn, turned the work over to a firm in India, Primetech Infosystems.

Depending on the circumstances, HIPAA regulations require the hospital to notify patients (and relevant regulators), and according to the newspaper, Grady did track down the affected patients. But HIPAA provides no recourse to the patients. In other words, no matter how damaging the breach, the patients who had their records posted to a web site cannot sue Grady for damages under HIPAA. That is one reason why 39 states and DC have enacted legislation requiring notification of security breaches involving personal information.

The Atlanta paper said it learned of the Grady breach through the state's open record law. Makes us wonder whether some kind of mandatory public reporting of privacy breaches, even accidental ones as this appears to be, wouldn't help do more to protect patient information. Because we are so convinced that health information technology will help drive many solutions to our health care crisis (e.g., better consumer and provider access to important patient records, reduction of unnecessary duplicative tests and adverse drug interactions, decreased waiting time for results, referrals, etc.) we are eager to put the best possible protections in place. If we can trust the L.L.Bean web site with our credit card numbers, we can surely trust our doctors with our computerized health records.

By the way, the National Governors Association has put a lot of energy into health IT during the last year or so, and issued another report just this week. Check out pages 16 and 27–28 specifically on the privacy challenges. In brief, the governors say that state privacy laws are scattered in bits and pieces across state statutes and regulations, and some are still in the pen and paper age. The recommendation in a nutshell is that the laws be overhauled, consolidated, and modernized.