Health care providers are sorting through the electronic health r...

the Massachusetts eHealth Collaborative, said there'll be a policy lag as providers shift from the paper-based HIPAA rules to the electronic rules in the act because the act passed so quickly. The act has two definitions of electronic health records, he said: one definition that applies if a provider wants Medicare reimbursement, and another, broader definition that applies to the privacy section. While it’s good to protect patient data even in electronic systems that don’t qualify for reimbursement, the definition raises questions about what records the privacy standards apply to, he said. Would they apply to a Microsoft Word document, he asked, that might be sent to a patient seeking records? Kristen Rosati, a partner at Coppersmith, Gorden, Schermer & Brockelman, said the requirement to provide electronic copies of records to patients also raises the question of whether those records will even be readable. Some systems require their own software to read the record, she said. Rosati said lawmakers missed an opportunity to create more straightforward language defining business associates. Under the new law, business associates of HIPAA-covered entities must report breaches of unprotected data. But because the HIPAA definition of business associate is so convoluted, she said, she predicted covered entities will get pushback from partners that don’t want to be defined as business associates. Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology, said some of the marketing provisions are still unclear as well. The law requires patient authorization before marketing to people based on their health information can occur, but makes an exception for drugs the patient is already taking. It’s not clear if generics would fall under that exemption, she said. The law also allows state attorneys general to pursue data breach cases, which Rosati said opens the door to “political mischief.”