In July 2010, more than 110,000 people in Colorado who receive Medicaid were told that some of their private medical information may be on a computer hard drive that was stolen.
The announcement was an example of new rules the Obama administration is seeking to implement to improve medical privacy laws. But the rules, originally written in 2009, are being rewritten after they were criticized by Democrats and consumer and patient groups as failing to fully protect patients.
The rules are designed to specify when hospitals, physicians, insurance companies and others with patient information must disclose when and if patient medical records have been breached or disclosed. Examples, such as the incident in Colorado, have become more common thanks to improving technology and the Internet.
The rules were initiated in 2009 after Congress approved billions in funding to increase the use of electronic, paperless health records. But they were deemed deficient by many watchdog groups because patients would only be notified if a particular breach was believed to be harmful.
Others in the medical industry, such as insurance companies, prefer to determine when to notify a patient of a breach and no notification would be issued if the medical facility or insurer believed there would be no harm or ill effect to the patient.
The new rules submitted in May included language that allowed providers and insurers to determine if a breach was insignificant and thus not make any disclosure. But criticism from leading Democrats forced the administration to delay final publication to allow for additional comments and changes.
The latest, and final, rules are expected to be issued in this fall in 2010.