At the urging of consumer groups and key members of Congress, the Obama administration is rewriting new rules on medical privacy. The expressed concern is that the current rules do not adequately protect the rights of patients. The rules specify when doctors, hospitals and insurers must tell patients about the improper use or disclosure of information in their medical records. The concern, however, is that under the current rules, health care providers and health insurance plans would have to notify patients of a privacy breach only if they found that the violation posed “a significant risk of financial, reputational or other harm to the individual.” But how does a hospital or an insurance company know whether an improper disclosure will harm a person’s chances for promotion or endanger a victim of domestic abuse?

The Privacy Rights Clearinghouse, a watchdog group, estimates that more than five million people have been affected by breaches of medical information in the last 18 months. Causes have included the loss of laptop computers and paper records, the posting of data on Web sites, and the curiosity of hospital employees snooping for medical information on celebrities and their colleagues.

Interestingly, despite the prospect of qualifying for a part of $27 billion in incentives from the federal government, a recent study published online in Health Affairs showed that only about 2% of hospitals had done enough to adopt the necessary elements of electronic medical records to qualify for these future financial incentives.