By Chris Lane
By Jeff Balke
By Aaron Reiss
By Angelica Leicht
By Dianna Wray
By Aaron Reiss
By Camilo Smith
By Craig Malisow
For example, this summer a managed-care company that Griffith contracts with started using a new patient certification form. Unlike the old form, which required little more than a diagnosis, a brief description of symptoms and a recommended treatment plan, the new form wanted information about his patients' social behavior, the mental and criminal history of their families and any "psychosocial and environmental problems" experienced, such as "interaction with [the] legal system."
While such detail would undoubtedly be helpful to him, Griffith wasn't about to make it available to the managed-care company, at least not without first getting the permission from his patients. Toward that end, Griffith wrote a letter to the company, asking it to explain why such detailed information was required and what it would be used for.
But instead of an answer, the company's "regional professional relations manager" suggested that if Griffith wasn't happy with the new form, he should consider resigning as a core provider for the company.
The response angered Griffith so much that he filed a complaint with the Texas Attorney General's office. The psychiatrist accused the company of demanding information that medical ethics require physicians to keep to themselves. He also suggested that the company was using the expanded form to conduct nonmedical research and might even deny treatment to patients who refused to provide the requested information.
Howard Drescher, a spokesperson for the company, Cigna Behavioral Health, acknowledges that the new form demands a "fair amount of information." He denies the data, which he categorized as "highly protected," is shared with anyone outside the company.
"It goes into our records, but those records are accessible to a limited number of people on a need-to-know and a password basis," Drescher says. "The fundamental purpose is to certify the current condition of the patient in clinical terms."
Griffith doesn't buy that explanation, and, he says, neither do a lot of physicians these days.
"It's like the camel sticking its nose inside the tent," Griffith says. "Every doctor in the country practically has had it happen, and they want the camel to get out of the tent."
Griffith's dispute with Cigna Behavioral Health is one battleground in the war over medical privacy. The principle that a patient's health information cannot be disclosed without permission dates back to the fourth century B.C. and the Hippocratic oath, which states that a physician will never divulge "whatsoever I shall see or hear in the course of my profession holding such things to be holy secrets."
To the extent that a person's medical history has ever been subject to the physician's eyes only, that has certainly not been the case since the American health care system underwent the seismic shift to managed care. Now, by simply signing up for coverage, a person gives HMOs and insurance companies carte blanche to collect whatever information they deem necessary to pay claims.
Nowhere does this accumulation of detail on a patient raise concerns about privacy and confidentiality as in the care of those suffering from mental illness.
"The irony is, the reason they've been able to collect so much information is people actually imagine the Hippocratic oath prevails, and the reason we imagine that is because it's almost intrinsic of human nature that we need privacy to deal with painful things," says Debra Peel, an Austin psychiatrist and legislative chair of the National Coalition of Mental Health Professionals and Consumers. "Not everything is like a broken leg. What people feel about the meaning of getting particular diagnoses is extremely sensitive."
In 1928 Supreme Court Justice Louis Brandeis opined that "the right to be left alone [is] the most comprehensive of rights and the right most valued by civilized men." Evidence suggests people are beginning to realize that when it comes to their health, that right no longer exists. According to a national survey conducted last year by the California Health Care Foundation, one out of six Americans has tried to protect the confidentiality of their medical information, including withholding information from their doctors, paying out-of-pocket for certain procedures and treatments and even avoiding care altogether.
Should the rest of us be as worried? After all, even in the days of paper medical records, patient confidentiality was little more than a myth. Almost any employee in a clinical setting has access to records. Patients visiting a physician, including a psychiatrist, are routinely asked to sign a list at the front desk and then pass the time awaiting their appointment with others seeking treatment. Physicians fax diagnostic data to one another on a daily basis, without considering who might be on the other end.
Typically such practices pose minimal risk to patients, says Paul Handel, a Houston urologist and chairman of the Texas Medical Association's panel on medical economics. "Most of the time, it doesn't make any difference, unless the information falls into the hands of somebody who shouldn't have it," Handel says. "That's a real problem. I have an innate fear that a lot of physicians are so barraged with requests for information that they don't think twice about releasing it."
Changes in how health care is delivered have created a demand for patient records by a wide range of interests that collect and analyze health information. At the heart of modern medicine is the electronic medical record that allows the accumulation and sharing of information among providers, health plans, insurance companies, claims processors, researchers and government agencies. According to the Health Privacy Project at Georgetown University Medical Center in Washington, D.C., about 30 percent of patient medical records are in electronic form
Computerized records have saved the lives of people brought unconscious to hospital emergency rooms. They help managed-care organizations measure the quality of care and, in some cases, even improve it, while controlling costs. Also, the availability of patient data is a boon to researchers studying how to improve treatment for particular diseases, and the government reviews electronic health records to detect fraud and waste in Medicaid and Medicare.
But the sheer amount of sensitive information that's transmitted electronically raises obvious concerns among privacy advocates. For one thing, much of the information is "patient-identifiable," that is, it contains enough data to identify someone. State and federal agencies are required by law to maintain databases of certain medical information, such as reports of sexually transmitted diseases, incidents of child abuse and injuries involving firearms.
For another, there's no telling how many people have access to the information and what they might do with it. Pharmacies sell prescription information to drug companies, who use it to market their wares. Companies that run their own health insurance programs often assert the right to review employee medical records. According to a 1997 survey of Fortune 500 companies conducted by the University of Illinois, a third of the 84 respondents had used the information to make personnel decisions.
Some people might welcome information about new medications, and even fewer might have their livelihoods threatened by a prying employer. Yet they might be surprised to know how easily their health secrets are spread around.
Say you're employed by a company that offers a standard managed-care plan. Over a two-year period, you visit your primary-care physician a half-dozen times. You've submitted to routine examinations, given blood, filled prescriptions at the local pharmacy and, on one occasion, were referred to a specialist. Meanwhile, you've married, started a family and purchased life insurance.
The details of all treatments and procedures, as well as an ongoing medical history of you and your family are stored in a computer network maintained by your HMO. In addition, all or parts of your health record are in the possession of your primary-care physician, the local pharmacy and, perhaps, a third-party pharmacy benefits manager. Information has also been collected and stored by the specialist, the hospital where your child was born, the state bureau of vital statistics, the hospital accrediting agency, the life insurance company and the Medical Information Bureau, a clearinghouse maintained by the insurance industry.
Most of these entities have information that identifies you by name or Social Security number. Some of them sought your permission, explicit or otherwise, to share your records; others did not, nor were they required to do so. What's more important, formal policies to protect the information from further disclosure may or may not be in place. Some organizations may have imposed an administrative or technological limitation on who can see your records. Others may simply be relying on the integrity of their employees.
No wonder the issue of medical privacy is often discussed in Orwellian terms. Patient confidentiality has clearly gone beyond the medical profession's duty to ensure it.
"It's not your corner doc anymore," says Mark Rothstein, director of the Health Law and Policy Institute at the University of Houston. "It's nameless, faceless people who could be anywhere in the country, and your records can be anywhere with the click of a mouse. It's not something new. It's just a problem that's getting worse."
Solutions have been difficult to come by. Even physicians can't agree on what limitations should be imposed on access to medical records, particularly when it comes to patient-identifiable data. For instance, the American College of Physicians takes the position that in some cases identifiable information should be available to medical researchers without patient consent. Others, however, including the American Medical Association, argue that patients should always have a say in who sees their health records and for what reason.
The difficulty in balancing the various interests at stake is evident in the debate over a federal medical privacy law. In August Congress missed its own deadline for passage of such legislation, mandated by the Health Information Portability and Accountability Act of 1996. Despite the introduction of nearly a dozen separate bills since then, not one has made it through a congressional committee.
Critics blamed insurance companies, managed-care organizations and law enforcement agencies for lobbying to preserve access to sensitive information on patients. But some privacy advocates were happy to see Congress fail; in their view, none of the proposed bills offered adequate protection of patient-identifiable health records.
The only privacy provision to reach a vote this year was part of a bill that allows affiliated banks, insurance companies and security firms to share financial information. However, the privacy section was taken out after lawmakers were barraged with complaints that it would leave patients more vulnerable than they are today.
Congress's failure to enact a medical-privacy law triggered a requirement that the secretary of Health and Human Services develop standards to protect health information that is maintained electronically. A draft of the proposed rules was released in late October.
It's not surprising that reaction among those able to wade through the 550-page document was mixed. For instance, the Center for Democracy & Technology in Washington, D.C., said the proposals were a step in the right direction. The center and others were pleased to see that HHS proposed giving all Americans access to their own health information, as well as the right to an accounting of disclosures by physicians and health plans for purposes other than treatment or payment. Also, the new regulations would prohibit health plans from conditioning treatment or physician reimbursement on a patient's agreement to disclose information.
However, mental-health professionals swiftly criticized the proposed regulations, saying they would actually give patients less control over their health records.
Of particular concern is the provision that would allow the use of patient-identifiable information, without consent, for more than a dozen purposes, including law enforcement, judicial proceedings, research and the collection of health data by government agencies. The regulations would also allow patient-identifiable records to be obtained for "health care operations," a term that encompasses a broad range of functions, including "compiling and analyzing information in anticipation of, and for use in, civil or criminal legal proceedings."
While the new rules cover health plans, health care providers and clearinghouses, they do not limit how other entities that receive health information can use and disclose it.
The health care industry's record on privacy is already "atrocious," says Karen Shore, director of the National Coalition of Mental Health Professionals and Consumers. The proposed regulations won't remedy that, she says. In fact, they might make people feel even less secure.
"It's like an interpersonal relationship," she says. "You figure out who you can trust and who you cannot by who tries to gain control and power over you and who treats you with dignity and respect.
"When you add this kind of legislation that says government agencies and researchers should have access to information without the patient's permission and without necessarily even telling them about it, that's a horror show. That's 1984."
The comparison to George Orwell's literary vision of the omnipresent "Big Brother" is an exaggeration, says UH's Mark Rothstein, a member of the National Committee on Health and Vital Statistics, which advises the government on medical records privacy and other health-related issues. Rothstein says the proposed regulations are an attempt to reach a "happy medium" between the right to privacy and the "legitimate needs" of public-health researchers, law enforcement agencies and others.
Under the new rules, for example, physicians and health plans would be required to tell people how their information is used and disclosed, and to put in place physical safeguards to protect patient confidentiality and avoid unauthorized access to electronic records.
Still, Rothstein says, "I think the regulations will be revised in dozens of places" before they are finalized early next year. "Some of the exceptions are too broad and will probably need to be closed up."
Until then, it's not clear how the federal rules will affect state patient-confidentiality laws. All 50 states limit the disclosure of medical information collected by public agencies. In Texas, for instance, the state health department maintains a cancer registry, which includes identifying information. The state Health and Safety Code, however, prohibits public disclosure of data in the registry that could identify whose records were reviewed.
The state also requires that incidents of communicable diseases be reported. That data is also confidential, and disclosure is limited to health officials for the purposes of treating and controlling the disease.
As for overall state protection of confidential medical information, Texas appears to fall somewhere in the middle. Like most states, Texas has no constitutional prohibition against release of personal health data, but instead relies on different statutes. In most instances, privacy is dictated by the state Medical Practice Act, which restricts the disclosure of medical data by physicians, hospitals and HMOs, but not by insurance companies.
Texas also allows disclosure of patient-identifiable data in most court proceedings, including criminal prosecutions where the patient is a victim, witness or defendant. The state also allows disclosure of confidential information to government agencies; for audit and research purposes; and to individuals, corporations or government agencies involved in the collection of fees for medical services.
All that really means is that Texans have no way of knowing how much of their confidential medical information ends up beyond the physician's office and their health plan.
"As a general rule, when you sign up for an insurance plan, whether you know it or not, you have agreed to have your records shared," says C.J. Francisco, senior counsel for the Texas Medical Association.
One area of growing concern for the association is self-insured companies that have access to their employees' health records. Last year employees of a large Texas company received invitations to attend a seminar on depression. Apparently, whoever administered the company's health plan combed through medical records and targeted those who had been prescribed antidepressants.
"You can imagine what went through the minds of all the people taking this medication," says Francisco, adding that TMA brought the matter to the attention of state lawmakers during the most recent legislative session, but the issue was left unresolved.
Earlier this year, lawmakers did make changes to the law that regulates the Texas Health Care Information Council, an agency created in 1995 to collect data from hospitals and HMOs on health care costs and treatment. The council's goal, according to executive director Jim Loyd, is to create a computerized system that would "give consumers information about the quality of health care services that are available."
However, how the council defines "consumer" -- as physicians, individuals, employers, researchers, insurance companies, legislators and policy makers -- suggests the information will be widely available. Indeed, state law requires the council to provide "computer-to-computer access" to a database set up and maintained by a private contractor.
One of the strongest supporters of the council is Consumers Union, a public advocacy group. Lisa McGiffert, a lobbyist for the group, says Texas lags far behind other states in providing information about health care to consumers. The council is simply a way to allow the public to access information that hospitals and health care providers have been collecting for years, yet have refused to make available.
"We're a long way from giving people enough information to do some real quality assessment," McGiffert says. "Without it, there's no real incentive for hospitals and physicians to improve the quality of care. The pressure can only come from the public."
Loyd says the information sent to the council by HMOs and health plans arrives in aggregate form, which he describes as a "bunch of numbers." As for the data received from hospitals, Loyd says, the council has an "elaborate security system" to protect the confidentiality of patients. First, names and addresses are stripped from the data and replaced with a "uniform identifier." That coded information is password-protected and available to the council's eight employees on a "need-to-know basis."
Patient-identifiable data will be available only to researchers, Loyd says, who must be approved by a scientific review panel that will adhere to strict ethical guidelines. Still, lingering concerns over the confidentiality of patient records earlier this year prompted legislators to increase the penalties for unauthorized use of the council's data. Violations are now a felony.
"I think there was the fear that, for example, an insurance company could hire someone to crack the code and use it to determine patient medical histories or other information that people would not want released publicly," says Helen Kent Davis, a lobbyist for TMA. "The intent is certainly not to identify anyone, but I guess if someone can hack into the Pentagon, they can hack into a state-level database."
McGiffert understands those fears but believes the greater good to the public outweighs the possibility that the council's data will be used to hurt people.
"Certainly, with computers it's harder for people to know where their information is going," she says. "But I don't think we're ever going back to pushing paper around. The genie is out of the bottle. I think there can be a balance between the right to privacy and getting information about a service that everyone uses."
The question is, can any law protect the confidentiality of patient records, particularly in light of the technology that gives so many people easy access to them?
In 1995 the federal Computer Science and Telecommunications Board did a study on the threats to privacy of electronic medical records, as well as what security measures were used by the health care industry. Among the report's conclusions was that health care organizations have been slow to adopt strong security practices. That's apparently because, to date, there has been no incentive to do so. In other words, there has been no catastrophic security breach that has jarred either the public or the industry to demand stronger technological protections.
Today there is a greater sense of urgency among both consumers and the health care industry, in large part because of the Clinton administration's stated intention to create a nationwide medical records system using a "unique patient identifier" similar to a Social Security number. The goal of the system would be to improve communication between public and private entities involved in health care.
While the administration halted development of the records system more than a year ago, an industry has grown up around the use of electronic medical records. Yet the federal computer board's report, released in 1997, found that most health care organizations employ only basic security measures, such as password access and audit trails, which record information on who saw what records, when and from what location. More sophisticated security techniques, such as data encryption, are rarely in use in the health care industry.
An obvious reason is that such methods are expensive. Another is that security also represents something of a double-edged sword. While they might create a certain comfort level, stricter security measures also tend to be inconvenient and could impede access to information.
Finally, until a federal law tells the health care industry what information will need to be protected, no one knows what security measures to implement.
"It's like the chicken or the egg," says UH's Rothstein. "If we knew what the technology was, then we might be able to make the laws better. But until the industry has an idea what's going to be required by the law, they are moving cautiously on deciding what technology to use."
Toward that end, the government and health care industry are working together to come up with a set of requirements that will guide the development of security systems. The goal is to create a way for the industry to evaluate the level of security offered by a particular technology.
Ron Ross is the director of the National Information Assurance Partnership, which is leading the government's half of the joint effort with the health care industry. Ross says the "real killer" is trying to develop computer products that can communicate with each other while controlling who has access to what information. The problem, he says, is that no one has been able to agree how much protection should be applied to medical information.
"If I'm protecting my nuclear launch codes, then I'm going to have stronger algorithms, encryption, longer key codes, what have you, than if I just wanted to have some privacy for my e-mail messages," Ross says. "Typically you use just enough security that's appropriate for the information. How much security is appropriate for medical records? I'm not sure we can answer that question yet. The technology is out there. It's just a question of selecting the right stuff."
While more than 400 companies involved in health care are participating in the joint government-industry effort, not everyone is looking forward to the end result. One analysis, by Blue Cross and Blue Shield, predicts that implementing security measures to meet the government's requirements could cost the health care industry more than $40 billion.
Tom Gilligan, director of the American Federation of Health Care Transactions, a lobbying group, says the health care industry has processed billions of electronic transactions in the last 15 years and has amassed a "track record that's hard to improve upon." He says fears that a technological breakdown would lead to a violation of patient confidentiality are "unreasonable."
"Technology is no more guilty than a pet rock," Gilligan says. "Every horror story that's been told, every privacy violation that's occurred, every record that's been published somewhere it shouldn't have been, was caused by an individual who had legitimate access, then abused it. It's a people problem, and no amount of technology applied to this issue is going to solve that."
What's certain, though, is that medical records do end up in the wrong hands, and they are often used to hurt or embarrass someone.
In 1992 an anonymous source released U.S. Representative Nydia Valazquez's psychiatric records to the New York Daily News on the eve of an election. A Maryland banker who sat on a state health commission obtained confidential information from a cancer registry, cross-referenced it with a list of people who had borrowed money from his bank, then called in the loans. The names of 4,000 Florida AIDS patients were leaked to the media, even though they were stored in a computer in a locked room accessible by only three people.
While such incidents are extremely rare, given the massive amount of electronic health information that is becoming available, no amount of legislation or technological wizardry will make everyone feel secure. After all, does it matter who or what is to blame if it happens to you?
"It's creepy," says Karen Shore of the National Coalition of Mental Health Physicians and Consumers. "Even if there is no harm to the patient, it makes people feel creepy, and why are there people so insensitive that they set up a system that makes people feel creepy, that they're being violated?"
There is no easy answer, and it may be too late to hope for one. That's one reason why when Ron Ross speaks to groups about computer security, he brings along two props: a copy of the Constitution and a floppy disc. He says they illustrate the collision course between what is and what should be.
"We're going to have to learn to deal in a digital world with all the things we've come to know and love over the last 200 years," he says.
E-mail Brian Wallstin at email@example.com.