Patient privacy and political musings
Since 2005, some 60 million Americans have had their private health information compromised or disclosed electronically - a fact that has privacy experts, political players and consumers alike demanding reform.
In an epoch of health IT, is the government doing enough to address and quell the privacy worries of the American people? Depending on whom you ask, this notion of reform varies significantly.
James Pyles, an attorney specializing in patient privacy rights and healthcare law, for example, opines that bringing back patient consent should be the federal government's highest priority, but, currently, that doesn't appear to be on the Administration's agenda.
Under current HIPAA statutes, some 600,000 covered entities and business associates, for specific circumstances, have the legal right to a patient's personal health information without the patient's consent. This, Pyles says, betrays the American people's fundamental right to privacy.
"There really hasn't been an adequate effort by the government to protect that right to privacy that's essential for the trust needed for quality healthcare," says Pyles.
In 2002, George W. Bush eliminated the right of patient consent as drafted by the Clinton Administration, and still to this day under the Obama Administration, this right has yet to be restored.
"It's a misnomer of epic proportions," says Pyles. "Nowhere in the entire HIPAA Privacy Rule does it state the patient's actual right to privacy over their health information."
It's crucial, Pyles adds, that the U.S. designs health IT systems to accommodate traditional privacy laws and standards of professional ethics instead of revising privacy laws and standards of professional ethics to fit the current capabilities of health IT systems.
Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, takes a different stance, arguing that patient consent is secondary when compared to other provisions included in the final rule.
"Relying disproportionately on consent shifts the burden for protecting privacy to consumers, vs. placing the obligation on data holders to strictly limit access and disclosure of health data," McGraw said. "There is mounting evidence that consent does very little to protect privacy," she adds. "And ideally our policies should be based on the most effective approaches to keeping data private, confidential and secure."
McGraw says patients will not have additional consent rights in HIPAA final rules, firstly because they were not included in the proposed rule, and secondly because federal agencies - such as the Office for Civil Rights - have limited power to alter or introduce new requirements.
The most important thing, she says, is to finalize the rules, allowing federal regulators to begin enforcing them. McGraw says the proposed rule includes some "groundbreaking changes" to HIPAA, such as tightening the rules for when data can be used for marketing, in addition to giving patients a right to ask that their health data not be shared with their health plan if they want to pay for a service out of pocket.