Utah hospitals and clinics would have to disclose on privacy notices their practice of sharing patients' personal information with the state under a bill that cleared its first legislative hurdle on Wednesday.
The measure was pitched by Sen. Stuart Reid, R-Ogden, as a remedy to last year's massive health data breach. Hackers, exploiting a factory password, broke into a Utah Medicaid server and stole the personal information of about 780,000 Utahns, including nearly a quarter of a million Social Security numbers.
Because of providers' practice of "pinging" the server to test patients' eligibility for Medicaid, the information of countless retirees on Medicare and people with private health insurance was exposed.
Reid's bill would not put a halt to the billing practice. Instead, it would put patients on guard by notifying them that a given provider has, or may, share their "personally identifiable" information with Medicaid.
"Is it right that hospitals ping the system as a matter of course, even when patients have private insurance? I'm not sure that it is," said Reid, whose wife's information was compromised. "But in some ways they're trapped. A lot of patients don't know what their insurance covers or whether they qualify for Medicaid."
The bill directs the Utah Department of Health to draft model disclosure language and to verify that providers' privacy notices comply.
It also subjects the Utah Department of Technology Services to routine audits to ensure its servers meet national security standards.
The bill passed the interim Health and Human Services Committee unanimously, despite concerns that it was either overkill or didn't go far enough.
How much it will cost large health systems to change their privacy notices isn't clear. But Reid's bill has the backing of the Utah Hospital Association.