Printer Friendly

Smart cards, smarter policy: medical records, privacy, and health care reform.

In the months ahead, policymakers in the United States will continue to debate how to control the ever-increasing cost of our nation's health care system. Several legislative proposals introduced in the 102nd Congress included provisions intended to reduce the cost of administering the system,[1] and similar proposals have already been introduced in the 103rd Congress.[2] Indeed, the President has recently unveiled his health care reform proposal.

A key feature of most of these reform proposals is the heavy reliance on computer technology to facilitate the flow of sensitive medical records (potentially on a national scale) to achieve administrative savings. A major impetus for relying on computerized medical records is the mobile nature of U.S. society. Census figures indicate that 44 percent of the American population changed their place of residence between 1985 and 1990. Approximately 25 percent of these people changed residences across state lines.[3]

Because the health care system is to be reformed on a national scale, conforming to a minimum set of standards, it is crucial that patients' right to privacy and the confidentiality of their medical records also be standard across the nation. Yet thus far, the fact that die law currently does not provide consistent protection for most medical records has been conspicuously absent from reform discussions. Only a handful of states have adopted any laws to protect these records, an d those vary in scope and applicability. For instance, most states recognize a provider-patient privilege (discussed in more detail later). Some states also have specific laws to deal with highly sensitive medical information, such as mental health records and/or AIDS test results. A few states--for example, California, Washington, and Montana--have enacted laws defining access to health information generally, while others deal more with insurance transactions. In addition, different states may have laws governing patient medical records within their statutes dealing with licensing of medical providers and facilities, insurance transactions, or public health reporting. Moreover, state laws often contain provisions more favorable to information exchange than to patient privacy.[4] With the exception of records relating to substance abuse or records in the custody of the federal government, federal law does not protect the confidentiality of medical information. In fact, video rental records are afforded more federal protection than are medical records. As the law now stands, while the unauthorized disclosure of medical records may be ethically reprehensible, in the majority of states in this country it is not illegal.

A patient's fundamental need to provide sensitive medical information to a practitioner without fear of the consequences should be fixed arid not fluid--it must be consistent across every state. This will be especially critical with the advent of standardized and automated medical records and insurance claims. As a report to the secretary of health and human services noted,

Historically, providers have stored

medical information and filed

health insurance claims on paper.

The paper medium is cumbersome

and expensive, two factors

that led to the call for the use of

EDI [electronic data interchange].

Ironically, it is this

"negative" aspect of the paper

medium (its cumbersome nature)

that has minimized the risk of

breaches of confidentiality. Although

a breach could occur if

someone gained access to health

records or insurance claim forms,

the magnitude of the breach was

limited by the sheer difficulty of

unobtrusively reviewing large

numbers of records or claim


From the provider perspective,

EDI changes the environment

dramatically. . . . Stringent security

protocols may make it more

difficult for intruders to access

patient-identifiable data. If the

security measures are overcome

and access is attained, however,

the electronic medium will potentially

allow for remote and unauthorized

review of unlimited

health information. It will greatly

increase the dimension of inadvertent

and intentional breaches

of confidentiality.[5]

If the disclosure of medical records is not legally bound and protected by enforceable standards, the security measures built into these systems will not prevent harm to the patient when records are released.[6]

This lack of protection for medical records has led to a situation in which people cannot be certain that the personal medical information they share with a care provider will remain confidential. This uncertainty on the part of the patient could undermine a physician's ability to provide treatment, because the patient may be reluctant to provide information crucial to his or her care. The introduction of vast computerized data bases (as are being proposed under several of the health care reform proposals) could further exacerbate this situation, because care providers may have even less ability to ensure the confidentiality of patient information.

The prospect of national health care reform, then, highlights the need to provide legal recognition of the value of privacy in the medical arena and legal protection for all medical records--paper and electronic. Federal laws to protect the confidentiality of medical records, regardless of the medium in which they occur, will become even more crucial to the integrity of our health care delivery system.

Reform Proposals in an Electronic Age

As stated earlier, most of the health care reform proposals currently circulating rely heavily on computer technology to facilitate the flow of medical records. Most envision a comprehensive electronic "cradle to grave" medical file on every individual in the United States covered by health insurance. These files would be contained in one or more data bases. Additionally, the proposals will introduce the use of "electronic" or "smart" cards to allow providers to gain access to a patient's medical information via telecommunications networks. While the magnitude of the proposed application of this technology is untried and unproven in this country, sufficient information is known about the capabilities of the technology to warrant careful examination of this use.

There are currently two types of card technologies available. One is similar to an automated teller (ATM) card or regular credit card. The other is known as the "smart" card. The proposals envision that individuals would carry their cards with them at all times to facilitate access to information in case of medical emergencies.

The ATM-type card is the size of a credit card, is often embossed on the front with the patient's name and health care identification number, and has a magnetic stripe across the back. The stripe stores only a minimal amount of information, such as name, birth date, health insurance policy number, coverage codes, and deductibles. This kind of card could be used, in turn, to gain access to a patient's complete file of insurance and medical information from data base(s) maintained by someone other than the health care provider.

In contrast to the ATM-type cards, smart cards are essentially microcomputers. They are plastic cards that contain either one or more integrated circuit chips or employ laser technology. Smart cards are the only card technology that can process as A ell as store information (potentially the equivalent of several hundred pages). They are also typically the size of a credit card and function via a reader/writer device and a terminal that provides access to a host computer. The information stored on the smart card microchip must be customized for every individual and would contain comprehensive medical and insurance information.[7] The cost of using smart cards is a factor to be considered as well, of course. (The average cost of a smart card in 1988 was $10-$20.[8] In a recently initiated Houston health care application, the smart cards cost about $5 each.[9] The cost of the cards will not likely become any cheaper because of the probability that increased functionality will be incorporated into the cards.[10])

There is usually an enormous amount of personal information in a medical record, some of which can be quite sensitive. Aside from the patient's name, address, age, and next of kin, there also may be names of parents; date and place of birth; marital status; religion; history of military service; Social Security number; name of insurer; complaints and diagnoses; medical, social, and family history; previous and current treatments; an inventory of the condition of each body system; medications taken now and in the past; use of alcohol and tobacco; diagnostic tests administered; findings; reactions; and incidents.[11] Clearly, medical records contain extensive amounts of information that has nonmedical uses, and access to that information could be of interest to many parties. As the Workgroup for Electronic Data Interchange has noted, providers' obligation to maintain the confidentiality and integrity of that information "does not change with the medium of health information transmission or storage, whether paper or electronic. The provider's ability to carry out its obligation to ensure that confidentiality is maintained, however, can be greatly affected by use of the electronic medium to store and transmit health information."[12]

We cannot fully appreciate the privacy implications of this technology, however, without discussing aggregation of data bases. The capability of disparate electronic data bases to be aggregated has been a major concern to many for several years. Stand-alone electronic files are today quite easy to link. This linkage is further facilitated if there is a unique identifying element common to each data base, such as a Social Security number (SSN). In fact, most federal and many state and local government agencies use the SSN as the means to identify recipients of services or benefits. For instance, roughly thirty-six states use the SSN as the driver's license identification number.[13] Additionally, some of the existing health care reform proposals would mandate the use of the SSN as the patient identifier.

The use of the SSN is not restricted to the public sector. Most credit-granting institutions (e.g., banks, credit card companies, department stores, etc.) require the SSN as their unique identifying number. Many physicians and insurance companies also use the SSN as their patient/customer identifier.

The implication of the proliferating use of the SSN or any universal identifier is simply this: once access to someone's SSN or identifier is gained, a floodgate of information about that individual is opened. The amassing of information from various data bases can result in very detailed dossiers on individuals. This can form the basis of adverse decisions about an individual, although the individual often knows nothing of this unless injury is done. Even then, the person may not become aware of the damage for years. Under current law, restrictions on the matching and aggregating of data bases apply mostly to records maintained by the federal government. Under the existing health care reform proposals, the custody of most of the electronic medical records would probably remain with the private sector.

Third Party Access to Medical Records

Much has been written in the last twenty years about third parties wanting and gaining access to medical records, without necessarily informing the patient of this access.[14] Private employers, for instance, have a strong incentive to see medical information, especially if they are paying for employees' health insurance.

There is a recent example of an employer beginning the process of computerizing its employees' medical records, ostensibly to improve the efficiency of its health insurance operation. A self-insuring company, it issued a release form to each of its approximately 9,000 employees:

To all physicians, surgeons and

other medical practitioners, all

hospitals, clinics and other health

care delivery facilities, all insurance

carriers, insurance data

service organizations and health

maintenance organizations, all

pension and welfare fund administrators,

my current employer, all

of my former employers and all

other persons, agencies or entities

who may have records or evidence

relating to my physical or mental


I hereby authorize release and

delivery of any and all information,

records and documents

confidential or otherwise) with

respect to my health and health

history that you, or any of you,

now have or hereafter obtain to

the administrator of any employee

benefit plan sponsored by

Strawbridge & Clothier, any provider

of health care benefits

offered or financed through a

benefit plan sponsored by Strawbridge

& Clothier, and any insurance

company providing coverage

through any benefit plan

sponsored by Strawbridge &


Not surprisingly, some of the employees were uncomfortable with die sweeping nature of the release authorization. Only about a dozen employees, however, challenged the form and succeeded in getting the company to add a clause (to their forms only) specifying that the medical records could only be used by the insurance companies to process medical claims. In subsequent years, the remainder of the 9,000 employees will also have their authorization forms amended in the same way. That change may have no impact on information the employer will already have collected under the current year's consent form.

It is quite likely all but these dozen employees either did not think to challenge the validity of their employer's claim for such a broad authorization for access to their medical records, or were afraid of the potential repercussions. This may be especially true because the company in question, a self-insurer exempt from many of the state regulations otherwise protecting patients' interests, has the power to threaten the employees' livelihood, if it so chooses. Those who did complain expressed concern over how their employer might use their medical information. Indeed, there have been cases of employers using medical information in making hiring and other employment decisions. The results of a comprehensive survey of employer practices regarding employee information conducted at the University of Illinois showed that 50 percent of the surveyed companies use medical records about personnel in making employment-related decisions. Of these, 19 percent do not inform the employee of such use.[16] Similarly, a 1991 study by the Office of Technology Assessment found that many companies will not hire people with a preexisting medical condition.[17]

Another little-known fact is that information on nearly half of the 1.6 billion prescriptions filled each year in the United States is passed along to data collectors who, in turn, sell the information to pharmaceutical companies.[18] Merck, the world's largest pharmaceutical manufacturer, recently announced plans to purchase the Medco chain of discount pharmacies. Merck plans to use Medco's pharmacy purchase data base information to promote Merck products.[19] Additionally, many physicians routinely allow information from their patients' records to be obtained by companies that provide computer hardware and software services. These companies provide the technology at a fraction of what it might otherwise cost in exchange for access to patient records. Typically, these exchanges of patient information take place without the knowledge or the consent of the patient. Most of the data is purchased to improve a company's direct marketing of its products and services. Indeed, one of the companies, while not including patients' names in the records it sells, does include the patients' age, sex, Social Security Number, as well as their physicians' Federal ID numbers."[20] A goal of one company, which automates private physicians' insurance claims and files the forms for physicians (and keeps electronic copies of all claims filed), is to sell the records to drug marketers, insurance reviewers, and other companies. At the federal level and in most states, there is nothing to preclude these activities. In fact, in a few cases, state laws actually mandate some of them.

Concerned about the sale and exchange of prescription transaction information, Representative Pete Stark (D-Calif.) introduced H.R. 5615, "Prescription Drug Records Privacy Protection Act of 1992," on 9 July 1992. The bill would have restricted the disclosure of pharmacy records and allowed for civil remedy for unauthorized disclosure of such records. (No companion legislation was introduced in the Senate, nor was any action taken on H.R. 5615 during the 102nd Congress.)

Another type of access to medical records occurs through the Medical Information Bureau (MIB), a nonprofit association based in Massachusetts formed to exchange underwriting information among its members as an alert against insurance fraud. MIB is a significant source of medical information for almost all insurance granting companies. With a current membership of about 750 life insurance companies, its members "include virtually every major company issuing individual life, health and disability insurance in the United States and Canada."[21] According to its literature, "MIB's basic purpose was (and continues to be) to make it much more difficult to omit or conceal significant information."[22] It maintains computerized coded medical summaries on over 12 million American and Canadian policyholders, although its existence is not widely known. While Social Security numbers are not now included in MIB reports, "this may change."[23]

The information in MIB's data base is obtained when someone applies for life insurance. If the person has a "condition significant to health or longevity," then member companies are required to send a brief coded report to MIB. More than just medical information is reported, however. Information on adverse driving record, participation in hazardous sports, and aviation activities is also reported, presumably because these activities affect a person's insurance risk.

When an individual applies for insurance, he or she is given an MIB notice as part of the forms to be completed. This notice informs the individual that the insurance company may make a report to MIB, which will then exchange the information with all its member organizations to which the individual applies for insurance. The notice also informs the person that the insurance company may also release the information in its files directly to other life insurance companies to whom insurance applications have been made. Applicants must sign an authorization that reads:

I hereby authorize any licensed

physician, medical practitioner,

hospital, clinic or other medical

or medically related facility, insurance

company, the Medical Information

Bureau or other organization,

institution or person,

that has any record or knowledge

of me or my health, to give the

--Life Insurance Company,

or its reinsurer(s) any such information.[24] Like the Strawbridge & Clothier authorization form, not many organizations or people would be excluded under this authorization from giving any medical or life-style information to an insurance company. This includes MIB, lab technicians, hospital workers, an employer, or a nosey neighbor. And because the underwriting process can sometimes result in erroneous information about an individual, information given to one MIB-member insurance company (which must be reported back to MIB) may well find its way to any of the 750 member companies. "The MIB does not investigate on its own, nor does it attempt to verify any information reported to it"[25] Information accuracy will only be investigated when a consumer requests a copy of his or her MIB file and formally challenges its contents.[26] It is the prerogative of the insurance company that filed the information with MIB to decide whether to change the file.

Information originating in medical or insurance files, then, may circulate widely through networks or data bases. Jeffrey Rothfeder has noted that,

In fact, the medical records environment

is so open-ended now

that the American Medical [Records]

Association has identified

twelve categories of information

seekers outside of the health care

establishment who regularly peek

at patient files for their own purposes,

among them employers,

government agencies, credit

bureaus, insurers, education institutions,

and the media. Tack

onto this list unauthorized data

gatherers such as private investigators

and people with a vested

interest in uncovering all they can

about someone they want to turn

a dirty deal on, and it's clear the

amount of medical information

making the rounds these days is


The Effects of Information Technology on Medical Records

Electronic filing of medical claim information will allow for greater mobility of patients in the health care system, which could foster competition for patients among health care providers. Additionally, the electronic cards would probably increase the speed with which patients' medical histories could be retrieved, thereby speeding treatment, particularly in the case of medical emergencies. Finally--and one of the major reasons electronic records and cards are being considered within comprehensive health care reform proposals--administrative costs should be reduced when claims are filed electronically. In Australia, for instance, where similar proposals have been suggested for using smart card technology, the estimated cost of processing claims with smart cards is about nine cents per claim, versus the current twenty-nine cents.[28]

But these electronic technologies can have negative effects as well:

It is 1994. You are picking up an

antibiotic at your local pharmacy.

Your prescription and your insurance

information are contained

on a small plastic "smart"

card that you give to the pharmacist.

As she is filling your order,

she calls out to you: "I see that

your doctor says you have a mild

case of eczema. Would you like to

pick up a tube of 1 percent hydrocortisone

cream on the way

out?"[29] In this illustration, the Boston Globe identified one of the more benign consequences of retrieving medical records by electronic cards. That pharmacist might just as easily have had access to information about a venereal disease or psychiatric treatment. The quote at least illustrates the fact that people other than the physician may be able to read medical records contained on or accessible through electronic cards, while the individual will probably have little control over what information is revealed. While new technology could hold the key to enhancing security procedures that restrict unauthorized access to and disclosure of medical and insurance records, the technology could also allow further erosion of patients' privacy, and on a much broader scale. New medical information systems should be designed to allow patients discretion in limiting access to portions of their most sensitive medical information, particularly where there is no compelling reason to allow access. This control could probably be exercised through the electronic cards, but realistically would probably only affect instances of information access at which the patient is present.

In and of themselves, smart cards could offer the technical capability to give die patient more control over medical information access than any other technology because the patient could most effectively control access to all or any part of his or her data--but only if the medical data is completely and solely resident on the smart card.[30] Yet none of the proposals suggests that medical data only reside on smart cards because of the possibility of loss or damage to the cards.

Depending on how the overall system is designed, the ATM-type card may or may not allow the patient to set any restrictions for access to his or her information. Absent any laws to the contrary, the patient could conceivably be totally dependent on the judgment of the designers and administrators of these various medical and insurance systems and data bases to determine what information should be accessible to which health care provider, insurer, or other third party.

Additionally, other uses will be made of the medical information, many of which will retain patient identifiers. Some of these uses are: administering the health care system, performing audits of health care providers and insurers, and performing research on the adequacy and cost effectiveness of medical treatment and insurance. (Statistical and epidemiological studies of medical information can often be accomplished without the use of patient identifiers.) The individual patient may have little or no voice in how his or her information is used in these cases.

Each of the current proposals also calls for one or more massive data bases on the other end of medical and insurance transactions, keeping track of every claim filed and every medical procedure administered. This prospect may be particularly pernicious given the tremendous demands by third parties for access to personal medical information. Indeed, electronic cards may do nothing to control access to data once the information resides in a data base. So, in reality, the cards could provide a false sense of security to a patient trying to control how much of his or her records someone else sees.

The electronic records environment may also expand a care provider's legal accountability to the patient because the provider would be directly responsible for ensuring the accuracy of the medical information placed in the system, as well as authenticating the identity of the patient presenting his or her electronic card. If either the medical information is entered incorrectly and a patient is harmed, or someone fraudulently uses an electronic card to receive medical care, the care provider may be held responsible in the eyes of the patient (and possibly the law).

Physicians have also expressed concern over the effect the electronic medical record will have on the physician-patient relationship and patient confidentiality. Some are concerned that the electronic record will interfere with physicians' ability to practice the "art" as well as the "science" of medicine. As one doctor wrote,

Many physicians fear progressive

emasculation of the special physician-patient

relationship and

greater erosion of confidentiality.

Our medical record threatens to

become less clinically useful as we

are forced to include needless

"necessary" details while we hesitate

to include important information.

Likewise, physicians fear

patients will become less inclined

to share needed facts.... We are

entering a critical period as physicians.

Our once sacred relationship

with patients is engaged to

marry the technology of the Information

Age. We must serve as

our patients' advocates and challenge

this technology to evolve in

a fashion which will promote their

best interests. We must oppose

any attempt by third parties to use

this technology to further invade

the privileged and confidential information

trustingly given to us by

our patients.... We must become

literate with the emerging technologies

of medical information

management. We cannot allow

information within the medical

record to further threaten patient

privacy or access to health care.[31]

Why Privacy Matters

Over the past century there has been much written about die nature and value of privacy--as a general concept, in relation to computerization of personal information, and in the health care context. For most of us, privacy is related to notions of solitude, autonomy, and individuality Privacy is, thus, a very personal notion. Within some socially defined limits, privacy allows us the freedom to be who and what we are. The very fact that we are able to interact with others as we might like to is because our privacy allows us that choice. Legal philosopher Anita Allen writes that privacy "denotes a degree of inaccessibility of persons, of their mental states, and of information about them to the senses and surveillance devices of others."[32] Ruth Gavison speaks of privacy in terms of our limited accessibility others, arguing that it is related to "the extent to which we are known to others [secrecy], the extent to which others have physical access to us [solitude], and the extent to which we are the subject of others' attention [anonymity]"[33]

Privacy has also been described as being fundamental to respect, love, friendship, and trust; indeed, some argue, without privacy these relationships are inconceivable.[34] Gavison explains that we enjoy our privacy "not because of new opportunities for seclusion or because of greater control over our interactions, but because of our anonymity, because no one is interested in us. The moment someone becomes sufficiently interested, he may find it quite easy to take all that privacy away."[35] When privacy is invaded, we are hurt because we are exposed, which may cause us to lose our self-respect and thus our capacity to have meaningful relations with others. In a similar vein, Edward Bloustein has argued that we should regard privacy as a "dignitary tort." He notes, "[T] he injury is to our individuality, to our dignity as individuals, and the legal remedy represents a social vindication of the human spirit thus threatened rather than a recompense for the loss suffered."[36]

Arnold Simmel likewise holds that privacy is related to solitude, secrecy, and autonomy, but argues that it also "implies a normative element: the right to exclusive control to access to private realms."[37] The difficulty with that argument, as Gavison sees it, is the way in which it suggests that the important aspect of privacy is "the ability to choose it and see that the choice is respected."[38] To her, this implies that once people have voluntarily disclosed something to one party, they can maintain control over subsequent dissemination by others--and that is generally not the case. Gavison argues therefore that the legal system should make a strong and explicit commitment to privacy as a value. She writes,

Privacy has as much coherence

and attractiveness as other values

to which we have made a clear

commitment, such as liberty. Arguments

for liberty, when examined

carefully, are vulnerable

to objections similar to the arguments . . .

for privacy, yet this

vulnerability has never been considered

a reason not to acknowledge

the importance of liberty, or

not to express this importance by

an explicit commitment so that

any loss will be more likely to be

noticed and taken into consideration.

Privacy deserves no less

(p. 378). In health care, the critical issue is the consequence to the patient when possibly very sensitive information is revealed. Vincent Brannigan and Bernd Beier contend that "[i]n the case of medical privacy, it is arguable that it is not the number of persons given the information, but their relationship to the patient that determines the scope of concern; there may only be a small number of persons interested in the particular patient, but disclosure to any one of them could be devastating."[39] They argue that the wide circle of persons many states consider to be "legitimately interested" in a person's health, such as a spouse or employer, can effectively destroy any right of privacy.

In the area of medical information, patients, for the most part, have the expectation that their communications with their health care provider are and will remain confidential. Because patients may presume that such communications have strong legal protection, they generally feel comfortable providing intimate details (if needed) in order to advance their medical treatment. As George Annas notes," [p]atients are not likely to disclose these details freely unless they are certain that no one else, not directly involved in their care, will learn of them."[40]

Brannigan, however, stresses the fact that there are competing interests in privacy involved in the design and implementation of clinical information systems: the patient wants to ensure that no one has unnecessary access to his data; the hospital administrator sees privacy as an impediment to getting access to data needed for management; physicians view it as a time-consuming limitation on medical practice; and information system developers find it expensive, inelegant, an d time consuming. He warns, however, that the balancing needed between privacy and the demand for information systems is not a medical or technical question--it is a political one. Because patients are not well represented in the design, development, and operation of information systems, the political process must ensure that their interests are protected in these activities.[41]

Even the doctor-patient privilege does not necessarily keep communications between doctors and patients confidential. The privilege, legally recognized by some forty states, is generally only applicable in a court of law. These laws do not apply to the many situations in which a doctor is allowed or compelled by law, regulation, or long-standing practice to reveal information about the patient to outside parties. Additionally, privilege statutes apply only in cases governed by state law. The Federal Rules of Evidence, which govern practice in federal courts, provide only a psychotherapist-patient privilege, not a general doctor-patient privilege. Therefore, the doctor-patient privilege is actually a narrowly drawn rule of evidence, not recognized at common law (as is, for example, the attorney-client privilege), and available only where it is specifically provided by statute.[42]

If privacy is the right individuals have to exercise their autonomy and to limit the extent of their personal domain to which others have access, in the "Information Age" this concept is largely defined by how much personal information is available from sources other than the individual to whom it pertains. The less ability individuals have to limit access to their own personal information, or to limit the amount of personal information they must give up to others (either voluntarily or by coercion), the less privacy they have.

Security, on the other hand, encompasses a set of technical and administrative procedures designed to protect or restrict access to information. The procedures are applied to the information and the technology handling, storing, and disseminating that information. Security measures are applied to information and the operation of information systems because of the need or desire to protect the privacy of individuals.

Security measures alone do not ensure privacy protection, however. As a result, legal recognition of the status of the information is needed, along with a delineation of an individual's rights vis-a-vis that information. To date there has not been a consistent public policy formulated, much less articulated, with equal applicability to all Americans, that protects the patient's and society's interest in privacy or in the confidentiality of an individual's medical information.

The major U.S. Supreme Court case addressing medical information privacy is Whalen v. Roe.[43] In Whalen, a unanimous Court determined that a New York state data base of lawful users of abusable drugs was allowable because the prohibitions on public disclosure of the information in the data base were adequate to prevent any constitutional harm to the persons listed in the registry. In reaching this decision, the Court looked at all the provisions in place to protect the data base. The stringent physical and administrative procedures protecting the patient's interest in privacy played an important role in the Court's finding. The Court did not address whether compilation of the information was itself a violation of privacy, however. They said, in part, that "New York's statutory scheme, and its implementing administrative procedures, evidence a proper concern with, and protection of, the individual's interest in privacy. We therefore need not, and do not, decide any question which might be presented by ... a system that did not contain comparable security measures" (pp. 605-6).

Many interests compete in the collection, use, and dissemination of medical (or any personal) records. The Third Circuit Court of Appeals, in its 1980 decision in United States of America v. Westinghouse Electric,[44] tried to set out specific standards to be used by a court in weighing privacy rights in medical records against the need for information to be reported to public agencies. They held,

The factors which should be considered

in deciding whether an

intrusion into an individual's

privacy is justified are the type of

record requested, the information

it does or might contain, the

potential for harm in any subsequent

nonconsensual disclosure,

the injury from disclosure to

the relationship in which the record

was generated, the adequacy

of safeguards to prevent unauthorized

disclosure, the degree

of need for access, and whether

there is an express statutory mandate,

articulated public policy or

other recognizable public interest

militating toward access (p. 578). A judicial commitment to privacy as a societal value is not enough, however. Indeed, to date, judicial decisions have been highly inconsistent and often hostile. Specific enforceable standards and procedures are needed to protect those privacy interests where the individual has no direct influence over the dissemination of information by and to others (generally secondary and tertiary dissemination). This notion plays an important role in the rationale for federal legislation to protect these interests, as well as in the recommendations laid out later in this paper.

Current Federal Law and the Confidentiality of Medical Records

In 1974 the Privacy Act became law in the United States. It provides a set of mandates for records in the custody of the federal government and delineates the fights individuals have with respect to those records. The act encompasses a code of five fair information practices originally set forth in the 1973 report by the Department of Health, Education, and Welfare Secretary's Advisory Committee on Automated Personal Data systems, Records, Computers, and the Rights of Citizens.[45] These principles are: (1) there must be no personal data record-keeping systems whose very existence is secret; (2) there must be a way for individuals to find out what information about them is in a record and how it is used; (3) there must be a way for individuals to prevent information about them that was obtained for one purpose from being used or made available for other purposes without their consent; (4) there must be a way for individuals to correct or amend a record of identifiable information; and (5) any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.[46]

The Privacy Act covers only the federal government, not other state or local governmental entities (with the exception of state and local government record systems using the Social Security number) or private sector entities.[47] In addition, it allows other uses of these records, if the purpose of the use is consistent with the reason the information was collected. This can (and does) lead to disclosures of personal information to other entities. As implemented, the Privacy Act has three major deficiencies: (1) it places the burden on individuals to protect their own interests; (2) its enforcement scheme provides remedies only after misuses have occurred; and (3) it is not sensitive to the existing power imbalance between individuals and federal agencies.[48]

Once valuable outcome of the passage of the Privacy Act was die creation of the Privacy Protection Study Commission, which, in 1977, made several recommendations for federal legislation to protect public and private sector records, including medical records. The commission articulated three objectives for effective privacy protection, upon which all their recommendations were grounded:

to create a proper balance between

what an individual is expected

to divulge to a record-keeping

organization and what he

seeks in return (to minimize intrusiveness);

to open up record-keeping

operations in ways that

will minimize the extent to which

recorded information about an

individual is itself a source of unfairness

in any decision about him

made on the basis of it (to maximize

fairness); and to create and

define obligations with respect to

the uses and disclosures that will

be made of recorded information

about an individual (to create

legitimate, enforceable expectations

of confidentiality).[49] Many of die commission's fourteen recommendations on medical records were incorporated into federal legislation introduced in 1979 and 1980. Unfortunately, no legislation was passed, due to heavy lobbying by the intelligence community, which wanted to ensure easy access to medical records (particularly psychiatric records) in cases of national security.[50] That was the last time Congress seriously considered any measure to protect the confidentiality of medical records, although most of the commission's recommendations are relevant today.

The medical industry is, therefore, operating under the federal legal framework of the mid-1970s with technology anticipating the twenty-first century. The major practical differences between the industry then and now are the extraordinary advances made in medical and information technologies, the medical industry's increased reliance on those technologies, and the increasing incentive for third parties to obtain access to medical records.[51]

According to a report issued by the Department of Health and Human Services,

the regulatory framework governing

providers' disclosure of

patient-identifiable information

is flawed. It dictates different disclosure

rules for different types of

providers.... When protection is

available, the remedy may be

counter-productive. It usually cannot

be obtained without litigation,

an after-the-fact, costly

process that might produce damages

but typically will not prevent

disclosure of the information.

Also, patients have no workable

way to "police" information practices

to ensure that disclosure

rules are being followed.[52] Such flaws are troubling. As David Flaherty, who writes extensively in the area of information privacy, has noted, vital personal interests are at stake in the use of personal data by public and private sector organizations: "Such activities threaten personal integrity and autonomy of individuals, who traditionally have lacked control over how others use information about them in decision making. The storage of personal data can be used to limit opportunity and to encourage conformity."[53] He concludes that "the protection of privacy requires the balancing of competing values. Techniques available for legitimate purposes have the secondary effect of being invasive of individuals' perceived right to control their own lives" (p. 8).

Alan Westin gives more specific content to these concerns, noting that

the outward flow of medical data

. . . has enormous impact on

people's lives. It affects decisions

on whether they are hired or

fired; whether they can secure

business licenses and life insurance;

whether they are permitted

to drive cars; whether they

are placed under police surveillance

or labelled a security risk; or

even whether they can get nominated

for and elected to public

office.[54] Given what's at stake, existing legal protection of patient privacy and medical records leaves much to be desired. The very fact that under virtually all of the health care reform proposals put forward so far enormous amounts of standardized medical data on millions of people will be compiled into centralized location(s) demands a centralized approach to the protection of those records. The current patchwork of state laws, court decisions, and limited federal regulation cannot assure a legally guaranteed set of lights that will place the individual patient on a more level playing field with those having access to his or her medical information. Federal protections should be placed on the collection, use, storage, disclosure of, and access to all medical records prior to or as a concurrent effort with health care reform

It is urgent, then, that we reintroduce legislation at the federal level regarding patient privacy and medical information. In keeping with the fair information practices and objectives articulated by the Privacy Protection Study Commission in 1977, such legislation--which should apply to all care providers, researchers, insurers, and insurance support organizations like the Medical Information Bureau--should clearly define the rights patients have with respect to their own medical information; define what constitutes legitimate access to and use of personal health and medical information, as well as specifying prohibited uses; and provide oversight and enforcement mechanisms to ensure compliance. Enforcement strategies must include establishing civil and criminal penalties for prohibited activities to enable patients to collect damages. Moreover, legislation should set schedules for how long medical records may be maintained, and by whom (physicians, hospitals, insurers, etc.).

Similarly, universally applicable, federal legislation should require that patients be notified of the use to which information in health and medical records is put and how patients may obtain their medical records. Mechanisms should also be put in place to audit use of patient records, to track requests for and disclosures of information, including the reasons for which the information was requested. This information should be accessible to the patient to whom it relates.

To help assure that patients' privacy is respected, a unique identifier scheme should be put in place that prohibits all other uses of that identifier for purposes not directly related to providing medical care. To guard against the kinds of discriminatory use of medical information that is a central concern, employers' ability to review employee medical records and use medical or health information to make employment-related decisions should be strictly limited. So too, the marketing of personal health or medical data should be prohibited.

Dignity, Privacy, and Public Policy

Information technologies offer many benefits in a health care application, notably the prospect of lowering the administrative costs associated with health care delivery. However, because there will be one or more data bases capturing all medical and insurance transaction information, patients will probably never have substantial control over their own medical records or who sees them. This is why federal legal recognition of the patient's interest in privacy as well as protections for the confidentiality of medical records (consistent across states), while critical now, will become even more critical in a computerized setting.

Additionally, the lower cost of processing medical claims using an electronic card must be weighed against the cost of providing potentially tens of millions of the electronic cards to accommodate each insured person in the country. This includes the cost of initiating the program, as well as the cost of replacing lost or damaged cards. A further administrative challenge is loading patient information into the data bases and customizing each recipient's smart card with his or her unique medical records (if smart cards are the technology chosen). Mistakes are bound to be made in the process, which compounds the issue of who can have access to the data and the uses to which the data can be put (e.g., the harm that can befall the patient from the erroneous information). The potential for misuse of this data is also enormous, given third-party demands for personal medical information.

Privacy concerns dictate that any health care reform strategy relying on computer data bases and card technologies contain certain restrictions. These include setting limits to bound the types of situations beyond which electronic card access should not be allowed--for instance, whether a job applicant should be required to surrender access to his or her card, and its underlying data, to a potential employer. Enforcement standards should also be established to ensure compliance. This step could become increasingly critical as progress is made in genetic research. Efforts to map the human genome funded through the National Institutes of Health and the Department of Energy have the potential outcome of providing everyone a "personalized map" of their genetic makeup. The temptation to include this information in a health care data base will be great, and without protections, this information will have an even greater potential for misuse.

With the sort of federal legal rights for individual privacy and "technology transparent" protections for medical records outlined in this paper, patients can be more confident that their medical information will be covered by stringent protections that respect their dignity and their privacy. Such legal protections will also enhance the effectiveness of the technical and administrative security measures built into the electronic records environment of the future, and guarantee that existing paper medical records are protected as well.

While the new information technologies carry potential threats to the privacy of our most intimate health and medical information, forward-looking public policy can assure that the enormous power of these technologies is made to serve patients' interests, not confound them.


[1.] These proposals include one by the Bush administration (originally introduced as a nonlegislative proposal, and later, as an amended version introduced in both Houses as H.R. 5464 and S. 2878, "The Medical and Insurance Information Reform Act of 1992") and four legislative proposals: S. 1227, "HealthAmerica: Affordable Health Care for All Americans Act," introduced by Senators Mitchell (D-Maine) and Kennedy (D-Mass.); H.R. 1300, "The Universal Health Care Act of 1991," introduced by Representative Russo (D-Ill.); H.R. 3205, "The Health Insurance Coverage and Cost Containment Act of 1991 " introduced by Representative Rostenkowski (D-Ill.); and H.R. 5936, "Managed Competition Act of 1992," introduced by Representative Cooper (D-Tenn.). [2.] The proposals introduced in the 103rd Congress include H.R. 191, "American Consumers Health Care Reform Act of 1993," introduced by Representative Gekas (R-Pa.); H.R. 200, "Health Care Cost Containment and Reform Act of 1993," introduced by Representative Stark (D-Calif.); and S. 223, "Access to Affordable Health Care Act," introduced by Senator Cohen (R-Maine). [3.] Printed report information from U.S. Bureau of Census Summary Tape 3A, U.S. Summary 1990, CPH-L-80, Table 1, "Selected Social Characteristics for the United States--1990." [4.] For example, only in Colorado is it considered theft to obtain or use medical records, irrespective of the medium in which they occur, without authority to have them. [5.] Workgroup for Electronic Data Interchange, Report to the Secretary of the U.S. Department of Health and Human Services (Washington, D.C., July 1992), Appendix 4, pp. 3-4. [6.] That security measures do not entirely protect patient privacy was borne out during the 1992 election season. A congressional candidate in New York saw her privacy invaded when someone anonymously faxed her potentially damaging hospital records to various news organizations. Whatever measures the hospital had in place to govern access to its records did not deter the person (s) bent on harming this candidate. At a press conference, the candidate said that she hoped the incident would be the subject of a criminal investigation. However, unless the hospital records were obtained from a computerized system, it is probable that no crime related to the medical records themselves was committed--under either New York state or federal law. New York law makes intrusion into a computer system containing confidential personal or medical information a crime, but only under legislation dealing with computer crime, thus protecting only electronic, not paper, records. [7.] The cards are technically capable of storing information on an array of subjects such as finance, government benefits, credit transactions, etc. Most card schemes currently limit themselves to a single area of the card holder's life; however, in the context of health care reform, there have been discussions of including at least some financial record information on the cards as well. [8.] Smart Card Technology: New Methods for Computer Access Control National Institutes of Standards and Technology, September 1988, p. 34. [9.] Joe Abernathy, "City Health Clinics Unveil Controversial |Smart Card,'" Houston Chronicle, 11 October 1992. [10.] Blue Cross-Blue Shield of Maryland recently lost about $14 million in its attempt to introduce "smart" cards on a mass scale. How much of this loss was due to company mismanagement has been under investigation. See Thomas Heath, "The Card That Fizzled," Washington Post, 28 August 1992. [11.] Robert M. Gellman, "Prescribing Privacy: The Uncertain Role of the Physician in the Protection of Patient Privacy," North Carolina Law Review 62, no. 2 (1984): 258. [12.] Workgroup for Electronic Data Interchange, Report," p. 3. [13.] Testimony of Evan Hendricks, editor and publisher of Privacy Times, before the Senate Finance Committee, Subcommittee on Social Security and Family, 28 February 1992, p. 7. The Social Security Administration recently estimated that some 4 million people have more than one SSN. There is no estimate available of the number of single SSNs being used by more than one person. (Letter to Dr. Elmer Gabrieli from Andrew J. Young, Deputy Commissioner for Programs, Social Security Administration, 17 May 1993, p. 3). [14.] What makes this situation particularly intriguing is the fact that in about eighteen states, patients do not have a statutory right to see what is in their own medical records. [15.] Mubarak Dahir,"Your Health, Your Privacy, Your Boss," Philadelphia City Paper 28 May-4 June 1993, p. 11. [16.] David F.Linowes, Privacy in America (Urbana: University of Illinois Press, 1989), p.50. [17.] U.S. Congress, Office of Technology Assessment, Medical Monitoring and Screening in the Workplace: Results of a Survey--Background Paper (Washington,D.C.: Government Printing Office, October 1991). [18.] Michael W. Miller, "Patients' Records Are Treasure Trove for Budding Industry," Wall Street Journal, 27 February 1992. [19.] Elyse Tanouye, "Merck to Exploit Medco's Database," Wall Street Journal, 4 August 1993. [20.] Miller, "Patients' Records Are Treasure Trove. " [21.] "MIB, Inc.: A Consumer's Guide," distributed in March 1991, Westwood, Mass., p. 5. [22.] "The Consumer's MIB Fact Sheet," MIB, Inc., distributed in March 1991, Westwood, Mass., pp. 2-3. [23.] "MIB, Inc.: A Consumer's Guide," p. 6. [24.] "MIB, Inc.: A Consumer's Guide," p. 7. [25.] Privacy Protection Study Commission, Personal Privacy in an Information Society (Washington, D.C.: U.S. Government Printing Office, 1977), p. 160. [26.] The nonmedical information (e.g., lifestyle information) in MIB files will be sent directly to the consumer. In some cases, decoded medical information will only be sent to a physician designated by the consumer. [27.] Jeffrey Rothfeder, Privacy for Sale (New York: Simon & Schuster, 1992), p. 180. [28.] Simon Davies, "The Technological Web: A Report to the Australian Doctors' Fund on the Proposed Introduction of Smart Card and Interactive Technology in the Australian Health System," 20 April 1992, p. 15. Because Australia has a universal heath care system (that can be supplemented with private insurance), its overall administrative overhead costs start out lower than in the U.S. In comparison, therefore, the United States could see comparatively greater overall savings in administrative overhead. [29.] Nathan Cobb, "The End of Privacy," Boston Globe Magazine, 26 April 1992. [30.] This could occur through the segregation of information on the card and the setting of multiple Personal Identification Numbers for access to the different sections. This requires that the patient be technically sophisticated enough to understand how the smart card works, how then to segregate information within the card, and to set individual PINS to control access to the sensitive information on the card. It is possible that few patients would exercise these options, deferring instead to the care provider to decide what's best. Additionally, the issues of access, and to what information, in emergency situations need to be considered, because the patient may not be capable of controlling access to information. [31.] Randall Oates, "Confidentiality and Privacy from the Physician Perspective," presented at the First Annual Confidentiality Symposium of the American Health Information Management Association, 15 July 1992, p. 4. [32.] Anita Allen, Uneasy Access (Totowa, N.J.: Rowman and Littlefield Publishers, 1988), p. 3. [33.] Ruth Gavison, "Privacy and the Limits of the Law," in Philosophical Dimensions of Privacy: An Anthology, ed. Ferdinand D. Schoeman (Cambridge: Cambridge University Press, 1984), pp. 346-402, at p. 347. [34.] Charles Fried, "Privacy (A Moral Analysis)," Yale Law Journal 77 (1968): 475-93, at 477. See also James Rachels, "Why Privacy Is Important," in Philosophical Dimensions of Privacy, pp. 475-93. [35.] Gavison, "Privacy and the Limits of the Law," p. 379. [36.] Edward J. Bloustein, "Privacy as an Aspect of Human Dignity: An Answer to Dean Prosser," reprinted in Philosophical Dimensions of Privacy, pp. 156-202, at 187-88. [37.] International Encyclopedia of the Social Sciences, s.v. "Privacy." [38.] Gavison, "Privacy and the Limits of the Law, " p. 349. [39.] Vincent Brannigan and Bernd Beier, "Standards for Privacy in Medical Information Systems: A Technico-legal Revolution," Datenschutz und Datensicherung, September 1991, p. 470. [40.] George Annas, The Rights of Patients (Carbondale: Southern Illinois University Press, 1989), p. 177. [41.] Vincent M. Brannigan,"Protecting the Privacy of Patient Information in Clinical Networks," in Extended Clinical Consulting by Hospital Computer Networks, vol. 670 of the Annals of the New York Academy of Sciences, 1992, pp. 190-201. [42.] Evan Hendricks, Trudy Hayden, and Jack D. Novik, Your Right to Privacy: A Basic Guide to Legal Rights in an Information Society, 2nd ed. (Carbondale: Southern Illinois University Press, 1990), pp. 155-56. [43.] Whalen v. Roe, 429 U.S. 589 (1977). [44.] United States of America v. Westinghouse, 638 F7.2d 570 (1980). [45.] Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens (Washington, D.C.: Department of Health Education and Welfare, 1973). [46.] These principles have also formed the basis of European and Canadian privacy laws, although they have taken the principles much farther than the U.S., in that their laws apply to the private sector. Europeans see the protection of privacy as a fundamental human right. [47.] It has been estimated that only a bout 5 percent of the medical data banks in the United States are covered by the Privacy Act. See Terra Ziporyn, "Hippocrates Meets the Data Banks: Patient Privacy in the Computer Age," JAMA 252 (20 July 1984): 317-19. [48.] Priscilla Regan, "Privacy, Government Information, and Technology," Public Administration Review 46, no. 6 (November-December 1986): 629-34, at 633. [49.] Privacy Protection Study Commission, Personal Privacy in an Information Society, pp. 14-15. [50.] Rothfeder, Privacy for Sale p. 179. [51.] As a gauge of how the American public feels about personal and consumer privacy issues, Lou Harris and Associates and Dr. Alan Westin conducted a poll on the subject in 1990. Nearly four out of five Americans expressed general concern about threats to personal privacy in America today. ("The Equifax Report on Consumers in the Information Age" [Atlanta: Equifax, Inc., 1990], p. vii). [52.] Workgroup for Electronic Data Interchange, Report, p. 17. [53.] David H. Flaherty, Protecting Privacy in Surveillance Societies (Chapel Hill: University of North Carolina Press, 1989), p. 8. [54.] Alan F. Westin, Computers, Health Records, and Citizen's Rights (Washington, D.C.: United States Department of Commerce, 1976), p. 60. [55.] The "Uniform Health-Care Information Act," written in 1985 by the National Conference of Commissioners on Uniform State Laws, provides a good foundation for medical record protection. To date, only Montana and Washington have enacted this legislation. This law protects the confidentiality of medical information between care provider and patient, and balances the needs of the medical community for information with the patient's need to preserve his or her privacy. In fact, a 1991 report by the Institute of Medicine on computer-based patient records cited the Uniform Health-Care Information Act as a good example of the type of legislation needed before any consideration is given to a nationwide scheme of computerized patient records. The Computer-Based Patient Record (Washington, D.C.: National Academy Press, 1991), p. 166, fn. 43.
COPYRIGHT 1993 Hastings Center
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1993 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Alpert, Sherri
Publication:The Hastings Center Report
Date:Nov 1, 1993
Previous Article:If only AIDS were different!
Next Article:The Remmelink study: two years later.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters