Rx for Medical Privacy
by Noah Robischon
September 3, 1997
Web posted at: 10:16 a.m. EDT (1416 GMT)
Earlier this year, a man in Florida copied the contents of an HIV registry from the clinic where he worked onto a disc, headed for the local bar with his laptop and proceeded to identify the people in the bar who were infected.
Years' worth of horror stories like this one finally prompted the U.S. Department of Health and Human Services to craft new rules to protect the privacy of patient medical records. On September 11, HHS Secretary Donna Shalala will submit a set of medical record privacy guidelines to Congress. But privacy rights advocates say the proposal is going to be pure mockery.
Right now your video rental card has more federal privacy protection than your health care records do. In fact, there are barely any standards, state or federal, that protect your medical records at all. Which maybe wasn't so bad back when everything was simply scribbled on paper, collated into a manila file folder and alphabetized into your doctor's filing cabinet. But in this age of mass computerization, it's a very frightening prospect indeed. And the health information trade is already a $40 billion industry.
Shalala's 90-page draft proposal, largely based on recommendations of the National Committee on Vital and Health Statistics and the final chapter of a book published by the National Research Council, maintains that while individual privacy is important, accessible medical records will ultimately improve the quality of health care even as it reduces its costs, thus strengthening the troubled health care system overall.
For example, giving researchers access to a database of health records might speed the discovery of drug-related disorders such as that caused by DES, a hormone that was originally used to reduce the incidence of miscarriage. It took researchers 20 years to track down afflicted patients and learn that DES caused a rare form of vaginal cancer in the daughters of women who took the drug. If everyone's record were in a database, the discovery would have come much more quickly.
Does the greater good of computerized information outweigh our individual rights to privacy? In Jaffee, Special Administrator For Allen, Deceased v. Redmond et al. the Supreme Court ruled 7-2 that communications between a psychotherapist and patient are protected from discovery in a civil lawsuit. The court found that an individual's right to privacy actually "serves the public interest" because without it, the patient would never seek treatment in the first place.
"History has shown that you need privacy in order for people to continue to seek health care," says medical privacy lawyer Jim Pyles. Unfortunately, the court's ruling "only protects a person against intrusions by the government, not the insurance company."
As it stands, if your insurance company wants your medical records, they need consent. But there is little choice -- you either sign the insurance company's release form or pay for your own health care. One of the most frightening aspects of the new recommendations would legislate out the need for patient consent.
"If everybody who's asking for access to the medical records is getting consent for access, then the notion of privacy is out the window," says A.G. Breitenstein of the Justice Resource Institute.
But proponents of the new recommendations counter that today's consent controls are meaningless. "I don't think informed consent is either informed or consensual today. Everybody signs it and nobody reads it," says Robert Gellman, a veteran privacy and information policy consultant. "If you want to change the consent form, who do you tell? The receptionist? Your doctor?"
Although the new recommendations dismiss the need for consent, Gellman points out that they also more clearly define what medical records can be used for, and punishes those who misuse them. If someone needs to process a bill, "your records will be used for payment and only payment," he says.
Privacy advocates remain skeptical, in part because the health care industry is becoming so insular. Drug companies now help manage HMOs, so they would have access to patient medical records for treatment as well as direct marketing. And insurance companies haven't exactly proven themselves trustworthy. More than 200 cases of health insurance discrimination against families with genetic disorders have been uncovered by Stanford and Harvard medical school researchers.
Furthermore, the new unique health identifier number, which critics compare to the oft-misused Social Security number, will make it even easier for insurance companies to carve out at-risk populations with troubled medical histories.
"The only remaining barrier to being able to link across proprietary databases is a common identifier, and the unique health ID will be the key to unlock that," says Breitenstein.
Perhaps the technology that created these new problems could also solve them. Amazingly enough, most health organizations have little or no computer security measures in place. At one of the country's largest HMOs, Kaiser Permanente, any employee can pull up the entire medical history of any patient.
In one case, a Maryland banker who sat on the state's public health commission used his access to medical records to cross-check people with cancer who he'd given loans to and then called in their loans. (He was never even punished in the incident.)
One way to safeguard against this type of abuse would be to implement security measures similar to those used on the Net. Give each employee a logon and password and restrict access to certain files. Maintain a log file and allow auditors to track usage, with stiff penalties to those who are caught abusing their privileges.
"Computerization can provide just as much protection as it does threats," says Gellman. "You can have finer controls so that people in the finance office can only see certain kinds of records."
But privacy advocates remain unconvinced. "Passwords and user IDs and secure logins are a red herring," says Breitenstein. In fact, the ACLU is protesting the digitization of medical records in the first place.
"Do you have a right to say no to computerization and control so that you don't have the vulnerabilities and still get paid or treated?" asks ACLU legislative counsel Donald Haines. Right now, the answer is no.
Although the privacy advocates may seem to be taking extreme positions, "a lot of the decisions that need to be made are zero sum choices," says Breitenstein. And the public would seem to agree: Public polls conducted by everyone from CNN to Equifax have shown that people overwhelmingly believe that permission should be required every time their medical information is accessed.
"In an effort to enhance the quality of health care in the country, we may be on the verge of destroying it," says medical privacy expert Jim Pyles.
But as one member of the Health and Vital Statistics Committee told The Netly News, "Sure we can have more privacy, but who wants to pay for it? You simply cannot say that there's this sort of pie-in-the-sky notion that our privacy is paramount, whatever it costs we can afford it. We can't."
Watch these shows on CNN for more sci-tech stories:
CNN Computer Connection | Future Watch | Science & Technology Week
© 1997 Cable News Network, Inc.
All Rights Reserved.