Slashdot Mirror


Your Medical Records Online

um... Lucas writes "Apparently, Intel's teaming with the AMA to help post patient records online. It's way too early to tell what they're thinking, but I want to know if I can opt-out now." This could be a good thing if it's done right ... or a privacy disaster if it's done wrong.

1 of 73 comments

  1. HIPAA - You need to know this by the+red+pen · Score: 5
    Healthcare Information Portability and Accountability Act. It's not just a good idea, it's the law (in the USA). Within the next two years, agencies dealing in personalized medical records will be forced to submit to HIPAA regulation. This includes hospitals, "health web sites," pharmaceutical companies and so forth. If they have your medical data, they must conform to HIPAA.

    What does that mean?

    • Medical data must be stored in a secure manner. Yes, there is no perfect security, but let's just say that Windows NT is about to suffer greatly in the medical marketplace...
    • Medical data must be protected in transit. That means RC4-128bit or 3DES. Even on a hospital LAN. That's right: sanity at last.
    • There must be published and audited policies and procedures governing storage, transit and disclosure of electronic medical records. That may sound like a drag to Slashdotters who work in chaotic, fast-paced tech companies, but this bureaucratic overhead means clear liability concerning your personal data.
    • Included in the auditability guidelines is non-repudiation. This means digital signatures and X.509 certificates. This is an excellent technology which has been resisted due to cost and complexity. Not anymore.
    Bottom line: nobody is going to be putting your medical records on a public website.