Electronic medical records: great, but not very private

FORTUNE -- If you live in Texas, your medical records are definitely up for sale by the state. If you live anywhere else in the United States, they probably are for sale there, too.

Medical health records provide key information to researchers, who have lobbied hard to keep them accessible, despite government concerns about the privacy of patient data. The controversy dates back to 1996, when Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to protect patients. "Researchers have very broad access rights to health care records under HIPAA," says Pam Dixon, director of a non-profit called the World Privacy Forum "The rules are pretty loose, and there are a lot of ways to get around them." That's especially true since the act wasn't designed to cover common scenarios today: records stored online in a vast, hackable cloud. In the rush to digitize all electronic health records, Dixon says not everyone is taking the proper steps to de-personalize the data and protect patients.

All medical records will turn digital by 2014, according to a provision in President Obama's economic stimulus package. This would allow physicians to store patient data in the cloud, making it much easier to connect fragmented medical records, saving time and money. Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act alongside the stimulus, which is meant to reinforce security as those records go digital. The 2009 stimulus bill also offers financial incentives for companies that create electronic records.

The money in medical records

That has caused health care facilities to scramble to find companies that will help them store electronic data. "When there's money, everybody comes out," says Kurt Long, CEO of FairWarning, a company that monitors privacy breaches in electronic health records. But the effort to offer electronic health record services might have outpaced efforts to secure the data. Long says "we've got a wild west here in health care."

A report last week in a Texas watchdog publication called the Austin Bulldog outlined the problems with electronic medial records in the state. According to the report, the Texas Department of State Health Services (DSHS) has been selling de-identified patient data to groups who can prove they would use it for research. Some of the roughly 100 buyers from January 1, 2009, through April 1, 2010 included Blue Cross Blue Shield of Texas, Los Angeles business consulting firm EconOne, and Sanofi Pasteur, the vaccines arm of French pharma giant Sanofi-Aventis. The Texas DSHS charges between $2100 and $5600 per year for data collected after 2007 and under $1000 per year for data collected between 2004 and 2006. Data collected before 2003 is free, and available online.

But de-identification is far from foolproof. The de-identification process can mean changing some of the digits in the patients' zip code, withholding the dates of the hospital visit, and providing an age range instead of patients' actual age. But most records still include diagnoses, gender, address, billing information, and information about patients' next of kin. This leaves plenty of ways to re-identify patients by cross-referencing it with other information on the web. That's easy to do, Long says, "it's certainly not rocket science."

It's not a problem unique to Texas either, according to Deborah Peel, psychiatrist and founder of a watchdog group called Patient Privacy Rights, "I am very certain this is happening in every state," she says. But there's no way to know, says World Privacy Forum's Dixon. The Department of Health and Human Services could launch a national study, but probably doesn't have the resources. Also, states--not the federal government--regulate digital medical record security.

"The problem is that states are massively underfunded," Peel says. They don't have the resources to do this, so they do this stuff without getting any kind of expert advice. They've been incredibly casual with this sensitive data."

Most researchers who buy the data - key to their work -- don't do so with the intention of selling it to bad guys. But the problem is that unencrypted medical data is easily hackable and there's no way of knowing how researchers are safeguarding the data once they buy it. Breaches happen often, says Long, can include anything "as innocent as looking at your neighbor's medical records to employees stealing the identities of patients so they can produce false federal tax returns."

Many hackers are curious, trying to figure out whether their neighbors, celebrities or athletes have a history of alcoholism or mental illness. "We always bust people looking at all those records whenever there's a Super Bowl," Long says.

Past breaches in electronic health record security have also resulted in identity theft, false Medicare and Medicaid claims, and credit card scams.

Cyber security has been playing catch-up, says Long. "There were no laws until HIPAA," which wasn't enforced when it passed in 1996. "It's not until the HITECH stimulus bill passed in 2009 that all of these things became more serious."

Now that safety is starting to be a priority, "there has to be a better balance between privacy needs and researchers needs," Dixon says. "Technology has moved quickly, the regulation was weak to begin with, and now we're in a free for all."