"You can imagine what went through the minds of all the people taking this medication," says Francisco, adding that TMA brought the matter to the attention of state lawmakers during the most recent legislative session, but the issue was left unresolved.
Earlier this year, lawmakers did make changes to the law that regulates the Texas Health Care Information Council, an agency created in 1995 to collect data from hospitals and HMOs on health care costs and treatment. The council's goal, according to executive director Jim Loyd, is to create a computerized system that would "give consumers information about the quality of health care services that are available."
However, how the council defines "consumer" -- as physicians, individuals, employers, researchers, insurance companies, legislators and policy makers -- suggests the information will be widely available. Indeed, state law requires the council to provide "computer-to-computer access" to a database set up and maintained by a private contractor.
One of the strongest supporters of the council is Consumers Union, a public advocacy group. Lisa McGiffert, a lobbyist for the group, says Texas lags far behind other states in providing information about health care to consumers. The council is simply a way to allow the public to access information that hospitals and health care providers have been collecting for years, yet have refused to make available.
"We're a long way from giving people enough information to do some real quality assessment," McGiffert says. "Without it, there's no real incentive for hospitals and physicians to improve the quality of care. The pressure can only come from the public."
Loyd says the information sent to the council by HMOs and health plans arrives in aggregate form, which he describes as a "bunch of numbers." As for the data received from hospitals, Loyd says, the council has an "elaborate security system" to protect the confidentiality of patients. First, names and addresses are stripped from the data and replaced with a "uniform identifier." That coded information is password-protected and available to the council's eight employees on a "need-to-know basis."
Patient-identifiable data will be available only to researchers, Loyd says, who must be approved by a scientific review panel that will adhere to strict ethical guidelines. Still, lingering concerns over the confidentiality of patient records earlier this year prompted legislators to increase the penalties for unauthorized use of the council's data. Violations are now a felony.
"I think there was the fear that, for example, an insurance company could hire someone to crack the code and use it to determine patient medical histories or other information that people would not want released publicly," says Helen Kent Davis, a lobbyist for TMA. "The intent is certainly not to identify anyone, but I guess if someone can hack into the Pentagon, they can hack into a state-level database."
McGiffert understands those fears but believes the greater good to the public outweighs the possibility that the council's data will be used to hurt people.
"Certainly, with computers it's harder for people to know where their information is going," she says. "But I don't think we're ever going back to pushing paper around. The genie is out of the bottle. I think there can be a balance between the right to privacy and getting information about a service that everyone uses."
The question is, can any law protect the confidentiality of patient records, particularly in light of the technology that gives so many people easy access to them?
In 1995 the federal Computer Science and Telecommunications Board did a study on the threats to privacy of electronic medical records, as well as what security measures were used by the health care industry. Among the report's conclusions was that health care organizations have been slow to adopt strong security practices. That's apparently because, to date, there has been no incentive to do so. In other words, there has been no catastrophic security breach that has jarred either the public or the industry to demand stronger technological protections.
Today there is a greater sense of urgency among both consumers and the health care industry, in large part because of the Clinton administration's stated intention to create a nationwide medical records system using a "unique patient identifier" similar to a Social Security number. The goal of the system would be to improve communication between public and private entities involved in health care.
While the administration halted development of the records system more than a year ago, an industry has grown up around the use of electronic medical records. Yet the federal computer board's report, released in 1997, found that most health care organizations employ only basic security measures, such as password access and audit trails, which record information on who saw what records, when and from what location. More sophisticated security techniques, such as data encryption, are rarely in use in the health care industry.
An obvious reason is that such methods are expensive. Another is that security also represents something of a double-edged sword. While they might create a certain comfort level, stricter security measures also tend to be inconvenient and could impede access to information.
Finally, until a federal law tells the health care industry what information will need to be protected, no one knows what security measures to implement.