Americans will be given a tool that helps them keep their personal information private if a proposed Department of Health and Human Services (HHS) rule is adopted.  The change in federal healthcare privacy laws proposed by HHS would give patients the right to see the name of any person who accessed their electronic health records, and what he or she did with them.  The “access reports” would be available from some healthcare providers as soon as January 1, 2013.  It would be similar to a free credit report — consumers would have the ability to request one report for free every year.  The move is the latest in an effort by the Obama administration to update and streamline the nation’s medical records system.

The proposed “access report” right has its roots in a provision of the 2009 stimulus package passed by Congress to start the economy moving and which contained $30 billion to encourage development of electronic healthcare records, called the Health Information Technology for Economic and Clinical Health (HITECH).  To ease concerns about the security of online health records, Congress told the HHS’  Office of Civil Rights (OCR) to strengthen consumer disclosure rights included in the Health Information Portability and Accountability Act (HIPAA).

“This proposed rule represents an important step in our continued efforts to promote accountability across the healthcare system, ensuring that providers properly safeguard private health information,” OCR Director Georgina Verdugo said.  “We need to protect peoples’ rights so that they know how their health information has been used or disclosed.”

In the proposed rule, HHS said the majority of providers oppose the change, because they believe it would be costly to implement and provide minimal consumer benefit.  Tena Friery, a HIPAA expert with the Privacy Rights Clearinghouse advocacy organization, disagrees, noting that the potential to identify who accessed a health record would be a significant disincentive to potential snoops.

Disclosure reports would summarize medical information transfers to entities such as law enforcement, judicial hearing or public health investigations, but would not explain the reason for the transaction.  Under the proposed rule, exchanges of medical information made via an electronic health records systems would not be included in a disclosure report.  “After careful consideration of this option, we concluded that accounting for such disclosures at this time would be overly burdensome when compared to the potential benefit to individuals,” the proposed rule states.

So just how prevalent are unauthorized views of Americans’ healthcare records?  The New York Times reports that the personal medical records of at least 7.8 million people have been improperly accessed in the past two years.  The Office of Civil Rights has a website dubbed the “wall of shame“ which lists 300 hospitals, doctors and insurance companies who have reported significant breaches of medical privacy.  The list reveals that major HMOs such as Kaiser Permanente Medical Care Program, New York Presbyterian Hospital and Columbia University Medical Center have experienced medical records security breaches.  These can occur when a laptop or other portable electronic device is lost or stolen.  An employee of Massachusetts General Hospital left the paper records of 192 patients on a Boston subway train.  Other reasons may be improper record disposal; hacking; and the unauthorized accessing of computer records.