The US needs new medical privacy rules as the country moves toward greater use of IT to store health records, a group of health-care experts said today.

“Thousands” of databases that contain US residents’ health records exist, and patients don't have any way to keep their personal information from being shared with third-parties, said Dr Deborah Peel, a psychiatrist and founder of the Patient Privacy Rights Foundation. Private companies have been data-mining prescription records for years, she added.

The Health Insurance Portability and Accountability Act (HIPAA), passed by the US Congress in 1996, sets security standards that health-care providers must follow, but the law leaves major gaps in privacy, Peel said at an electronic health-records privacy forum sponsored by public relations firm Dittus Communications.

HIPAA gave many organisations with ties to healthcare vendors, including offshore transcription vendors, insurance brokers and credit bureaus, authorisation to use healthcare records, she said. “Because of this confusion that HIPAA engendered, data is being exchanged and used for reasons that have nothing to do with people getting well,” she said. “People think this is the wild west because of HIPAA, and every piece of data that’s not nailed down can be used for some other purpose.”

While panelists at the forum seemed to agree that some type of privacy policy for e-health records is needed, they did not agree on how to accomplish it. Peel called for the US government to create a national standard, but David Merritt, project director at the Centre for Health Transformation and the Gingrich Group, called for private groups to develop privacy standards.

The US Department of Health and Human Services has proposed moving a privacy commission to the private sector, but a bill sponsored by Senator Edward Kennedy, a Massachusetts Democrat, would keep that commission in the federal government.

In addition, Kala Evelyn Ladenheim, program director for state health policy leadership at the National Conference of State Legislators, called on the federal government to allow states to develop their own privacy policies. Some states may create stronger protections than a national effort would, she said.

But 50 state privacy policies would be difficult for health providers to comply with, countered Tom Wilder, senior regulatory counsel for America’s Health Insurance Plans, a trade group representing health insurance providers.

In most other industries, private organisations have developed privacy policies, Merritt said. He called on a public and private partnership to create privacy standards.

“The government is really good at creating commissions and creating advisory boards... and studying an issue,” he said. “What the government is not good at, and what we shouldn’t ask it to do, is to lead and to act.”

Peel disagreed, saying health-care providers would have conflicts when creating privacy standards, and HHS employees may not have the public's best interest in mind. “We would actually say the problem is that the government is not in the lead,” she said. “Unelected officials, bureaucrats and conflicted industry representatives shouldn’t be making decisions about privacy.”