By Chris Lane
By Jeff Balke
By Aaron Reiss
By Angelica Leicht
By Dianna Wray
By Aaron Reiss
By Camilo Smith
By Craig Malisow
Changes in how health care is delivered have created a demand for patient records by a wide range of interests that collect and analyze health information. At the heart of modern medicine is the electronic medical record that allows the accumulation and sharing of information among providers, health plans, insurance companies, claims processors, researchers and government agencies. According to the Health Privacy Project at Georgetown University Medical Center in Washington, D.C., about 30 percent of patient medical records are in electronic form
Computerized records have saved the lives of people brought unconscious to hospital emergency rooms. They help managed-care organizations measure the quality of care and, in some cases, even improve it, while controlling costs. Also, the availability of patient data is a boon to researchers studying how to improve treatment for particular diseases, and the government reviews electronic health records to detect fraud and waste in Medicaid and Medicare.
But the sheer amount of sensitive information that's transmitted electronically raises obvious concerns among privacy advocates. For one thing, much of the information is "patient-identifiable," that is, it contains enough data to identify someone. State and federal agencies are required by law to maintain databases of certain medical information, such as reports of sexually transmitted diseases, incidents of child abuse and injuries involving firearms.
For another, there's no telling how many people have access to the information and what they might do with it. Pharmacies sell prescription information to drug companies, who use it to market their wares. Companies that run their own health insurance programs often assert the right to review employee medical records. According to a 1997 survey of Fortune 500 companies conducted by the University of Illinois, a third of the 84 respondents had used the information to make personnel decisions.
Some people might welcome information about new medications, and even fewer might have their livelihoods threatened by a prying employer. Yet they might be surprised to know how easily their health secrets are spread around.
Say you're employed by a company that offers a standard managed-care plan. Over a two-year period, you visit your primary-care physician a half-dozen times. You've submitted to routine examinations, given blood, filled prescriptions at the local pharmacy and, on one occasion, were referred to a specialist. Meanwhile, you've married, started a family and purchased life insurance.
The details of all treatments and procedures, as well as an ongoing medical history of you and your family are stored in a computer network maintained by your HMO. In addition, all or parts of your health record are in the possession of your primary-care physician, the local pharmacy and, perhaps, a third-party pharmacy benefits manager. Information has also been collected and stored by the specialist, the hospital where your child was born, the state bureau of vital statistics, the hospital accrediting agency, the life insurance company and the Medical Information Bureau, a clearinghouse maintained by the insurance industry.
Most of these entities have information that identifies you by name or Social Security number. Some of them sought your permission, explicit or otherwise, to share your records; others did not, nor were they required to do so. What's more important, formal policies to protect the information from further disclosure may or may not be in place. Some organizations may have imposed an administrative or technological limitation on who can see your records. Others may simply be relying on the integrity of their employees.
No wonder the issue of medical privacy is often discussed in Orwellian terms. Patient confidentiality has clearly gone beyond the medical profession's duty to ensure it.
"It's not your corner doc anymore," says Mark Rothstein, director of the Health Law and Policy Institute at the University of Houston. "It's nameless, faceless people who could be anywhere in the country, and your records can be anywhere with the click of a mouse. It's not something new. It's just a problem that's getting worse."
Solutions have been difficult to come by. Even physicians can't agree on what limitations should be imposed on access to medical records, particularly when it comes to patient-identifiable data. For instance, the American College of Physicians takes the position that in some cases identifiable information should be available to medical researchers without patient consent. Others, however, including the American Medical Association, argue that patients should always have a say in who sees their health records and for what reason.
The difficulty in balancing the various interests at stake is evident in the debate over a federal medical privacy law. In August Congress missed its own deadline for passage of such legislation, mandated by the Health Information Portability and Accountability Act of 1996. Despite the introduction of nearly a dozen separate bills since then, not one has made it through a congressional committee.
Critics blamed insurance companies, managed-care organizations and law enforcement agencies for lobbying to preserve access to sensitive information on patients. But some privacy advocates were happy to see Congress fail; in their view, none of the proposed bills offered adequate protection of patient-identifiable health records.
The only privacy provision to reach a vote this year was part of a bill that allows affiliated banks, insurance companies and security firms to share financial information. However, the privacy section was taken out after lawmakers were barraged with complaints that it would leave patients more vulnerable than they are today.