A bill proposed by Sen. Stuart Reid, R-Ogden, would do little, if anything, to prevent another data breach like the one last year in which the personal information of 780,000 Utahns was obtained by hackers from a state database. And it would not protect patients from the abominable practice of clinics and hospitals sharing such information outside their doctors' offices.
Nearly a quarter-million Utahns' Social Security numbers, along with names, addresses and ages, are now available to scammers and identity thieves, and there isn't much those Utahns or the state can do about it.
But Reid's proposal, to require hospitals and clinics to disclose on privacy notices that patients' personal information may be shared with the state, is not enough. In fact, it contains nothing meaningful at all except a directive to the Utah Department of Technology Services for routine audits to ensure its servers are up to national security standards.
Although it passed the interim Health and Human Services Committee unanimously, the Legislature should amend this bill so that it actually protects patient privacy or scrap it altogether.
Many of the victims of the state data breach had private insurance, Medicare coverage or money to pay their medical bills and were not eligible for Medicaid. But clinics and hospitals sent their information, including Social Security numbers, to the state agency that administers Medicaid anyway, without their knowledge.
Reid and his colleagues in the Legislature should pass a measure that would prevent clinics and hospitals from sending patient information to the state without discussing the patient's financial situation with him or her first.
If a patient does not have private insurance or Medicare, or if he has failed to pay a bill, the medical institution should let that patient know it may ask the state to determine eligibility for Medicaid benefits before it goes ahead on its own.
Merely notifying patients in the fine print of a privacy notice, which many patients feel they must sign in order to see a doctor, is no solution. It's not surprising that the Utah Hospital Association supports Reid's bill, as it lets its members off the hook entirely.
There is no excuse for clinics and hospitals to use personal information of patients in any way they wish without talking to a patient first. State lawmakers should make sure they don't.
Any other bill would be a waste of time.