A number of prominent health law experts agree that patients have very limited recourse to protect themselves against violations of privacy. They have concluded that more state and federal legislation is necessary, because there are major holes in the way current health care law is written. Some enlightening and relatively nontechnical details are given in a representative 2007 article in the University of Illinois Law Review entitled `Ensuring the Privacy and Confidentiality of Electronic Health Records`, by Nicolas Terry and Leslie Francis. (Very few primary changes have occurred during the intervening years.) In brief, personal health information has been judged to be under threat either by its collection or its disclosure. The law has parsed these threats separately, expressed as the distinct models of privacy and confidentiality. When I read this legal splitting of hairs, my antennae quickly went way up. It turns out that contemporary U.S. confidentiality and privacy models are shaped and constrained by several persistent features. First, the regulation of medical records is primarily a creature of state (not federal) law, has a number of exceptions, and is highly qualified. Moreover, and unsurprisingly, there is remarkable variation by state. Second, the law relating to the privacy of medical information is described as underdeveloped and narrowly circumscribed.  As a result, common law privacy actions have been successful in only a few extreme cases. Gaps in data protection may be especially apparent if data are transferred across regimes, as when health records are made available to insurers or employers. Any EHR system that transcends state boundaries (including virtually all of the major software providers) thus poses the issue that patient protection is only as strong as the weakest state link. Worse, privacy dispute resolution has been in the hands of the Office for Civil Rights, in the Department of Health and Human Services. Although this may sound benign or neutral, in practice, from a patient’s perspective, enforcement has been placed in the hands of an `insider` primarily interested in ensuring the efficiency and continuity of the present system. This is the same agency that enforces the HIPAA Privacy, security and breach notification rules.

The conclusions from this paper come with added gravitas, given the stature within the field of the co-authors. Nicolas P. Terry is Professor at the Indiana University McKinney School of Law and Director of the Hall Center for Law and Health, while Professor Francis is the Director of the Center for Law and Biomedical Sciences, Emery Professor of Law and Distinguished Professor of Law and Philosophy at the University of Utah. In particular, Professor Terry is a longstanding authority on the intersection of medicine, law and information technology, and has written extensively on fundamental privacy and confidentiality issues for many years. Remarkably, many of these privacy concerns were already voiced on high more than a decade ago, in expert testimony that Terry was called to give in 2005 before the U.S. Dep’t of Health and Human Services, National Committee on Vital and Health Statistics Subcommittee on Privacy. This testimony can be found at http://www.ncvhs.hhs.gov/wp-content/uploads/2014/05/050816p1.pdf. Terry’s overall concerns and conclusions remain spot on today. Given the specific suggestions for privacy policy reform, both in the aforementioned paper and elsewhere, we can only hope that Terry does not persist as Cassandra to the government’s Apollo.