It's not as if no one raised this concern. But the train was leaving the station regardless.
If one overlooked (not to say, ignored) consequence of HITECH's agressive promotion of not-quite-ready-for-prime-time electronic medical records technology is now that the risk of having my medical records compromised has increased (which it surely has if almost 60% of administrators have no confidence in their security), can I, the patient, sue the government for damages when my records are lost, stolen or hacked? Probably not. So the benefits of electronic medical records flows to govt, big insurance and big medicine, but the risks, damages and costs go to the patient and the healthcare institution.
Spending $2B after the fact, "managing security breaches" does not ensure that the actual damages of these reported breaches have been rectified. That's just what it cost to try to comply with regulations. As a patient, I may never know the real cost and consequences of my medical records being breached in terms of hiring decisions (for example, "increased insurance cost for existing diabetic condition"), promotion ("father had heart condition - too much risk"), social stigma ("been to a psychiatrist twice for depression"), etc., decisions which could all be made behind closed doors and never disclosed to me. I could never recoup damages because I could never prove they happened. Notifying me that a breach occurred doesn't come close to fixing it.
In addition, a "significant number" of breaches (like maybe "most"?) are probably unreported. So the damages are actually even higher. Which certainly means that the unforeseen costs of eventually increasing security to an appropriate level are not in the already marginal ROI calculations offered by advocates of aggressive EMR adoption.
Believe it or not, I am decidedly FOR EMR adoption for a whole lot of good reasons, but the implementation so far, politically driven with a penchant for simply ignoring any downsides because the votes to do so are there, is extremely frustrating.
