HITECH: Be afraid, be very afraid

Maureen Martin of The Heartland Institute, a think tank promoting public policy based on individual liberty, limited government and free markets, argues that the new Health Information Technology for Economic and Clinical Health Act  exposes too much personal information.

When President Obama talked about computerizing medical records during the presidential campaign, the plan sounded benign; he said it would give "doctors and nurses easy access to all the necessary information about their patients." But now that his plan has become law, it turns out lots of other people will have "easy access" too.

The Health Information Technology for Economic and Clinical Health Act (HITECH) was passed by Congress and signed by President Obama on Feb. 17, 2009, as part of the stimulus bill. Despite supposedly heightened privacy provisions, the details of HITECH are chilling. These, of course, are the very details most members of Congress didn't bother reading before voting for the bill.

Under HITECH, every American's "health information" is to be computerized by 2014.  Health information is anything to do with "the past, present, or future physical or mental health or condition of an individual." It includes information known to "healthcare providers." Health information is not just what our doctors and nurses know but also information from any source that is known to our employers, schools and universities, which are now all defined as  healthcare providers. The government, through the U.S. Department of Health and Human Services, is to arrange for this information to be shared not only with direct healthcare providers but also with "the government" and "other interested parties."

Creating these computerized records will require a vast assortment of laboring oars, all of which will have access to our electronic health information records. These include the outside "vendors of personal health records" that create and maintain them and the "third-party service providers" that help them out. It also includes "business associates" of "healthcare providers"— and business associates' lenders, consultants, accountants and lawyers.

All of these laboring oars are sworn to secrecy, of course, but what happens if they disclose your records? Not much. If the disclosure is accidental or unintentional, nothing happens. Those whose disclosures are willful may face prosecution for fines from $10,000 to $100,000. But there are two reasons why this consequence is lame. First, crimes involving specific intent are notoriously difficult to prove. Second, there are no funds for more government prosecutors, who will likely view many privacy violations as too trivial to bother with, even if they are a big deal to the individual involved.

And it gets worse. Our electronic health information records can be freely sold for  research — which means any "systematic investigation" aimed at contributing to general knowledge. And our employers can buy these records to "conduct an evaluation relating to medical surveillance of the workplace" and evaluate whether our illnesses or injuries are work-related. So employers can review our health information "just in case" our ailments might be work-related. And there are no restrictions on resale of this information by these employers and researchers.