09-02-2000

TECHNOLOGY: Medicine: The Most-Personal Data

When doctors still made house calls and some patients bartered for their
care with chickens or pies, people didn't worry much about their medical
secrets becoming common knowledge. But these days, cost-conscious


managed care health plans, advanced medical technology, and computerized
databases have made sensitive medical information a readily available
commodity.


In the computer age, when you visit a doctor, stay in a hospital, have a
prescription filled, or have a laboratory test, your diagnosis, medical
history, and treatment plan will show up as coded entries on bills and
records that are sent electronically to your insurer-and perhaps even to
your employer.


Life insurance companies that ask detailed health questions and require
medical tests before issuing a policy may share that information with
health insurers. Employers who sponsor a health plan may have access to
medical information about their employees. Whether the information is
shared, sold, or simply not safeguarded, it often leaks to marketers,
hospital fund-raisers, drug companies, and others.


It is even possible to get personal medical information from documents
that profile, but do not name, a patient, according to Latanya Sweeney,
assistant professor of computer science and public policy at Carnegie
Mellon University. Sweeney said she obtained public records from a lawsuit
in Illinois that did not include a patient's name but did show the
person's ZIP code, gender, age, and date of birth. Then, she said,
"You can go to other name lists online and use these data to figure
out who it is by name."


Most people fear the disclosure of personal medical information because,
for example, they do not want others to know they have hemorrhoids or use
Viagra, have had an abortion, have cancer, AIDS, or a venereal disease, or
have a mental disorder. Telemarketers use the information to pitch new
prescription drugs or baby supplies. The most serious consequences include
employers' firing or refusing to hire employees with certain medical
conditions and companies' denying health insurance or credit.


Because of congressional inaction, the federal Health and Human Services
Department has proposed medical-privacy regulations. Industry groups warn
that government regulation or congressional action that gives patients
more privacy could raise health care costs and make it harder to deliver
needed care. But consumer advocates say medical-privacy reforms are
crucial to high-quality health care because people will be more willing to
seek the help they need if their worries about privacy are
removed.


Janlori Goldman, director of the Health Privacy Project of the Georgetown
University Institute for Health Care Research and Policy, and Joanne
Hustead, director of legal and public policy at the National Partnership
for Women and Families, worry that patients with privacy concerns may fail
to get needed treatment. Goldman, in 1998 congressional testimony, offered
a litany of medical-privacy violations:


"New York Congresswoman Nydia Velazquez's confidential medical
records-including details of a bout with depression and a suicide
attempt-were faxed from a New York hospital to a local newspaper and
television station on the eve of her 1992 primary."


In a 1996 survey of individuals who are at risk of developing a
health-threatening genetic condition and parents of children with genetic
conditions, published in Science and Engineering Ethics, 206 of the 917
respondents "reported discrimination as a result of access to genetic
information, culminating in loss of employment and insurance coverage, or
ineligibility for benefits."


The "director of a work site health clinic operated by a large
manufacturing company testified he was frequently pressured to provide
personal information about his patients to his supervisors."


"After some routine doctor's tests, an Orlando woman received a
letter from a drug company touting a treatment for her high
cholesterol."


Such anecdotal evidence has built support in Washington for federal
restrictions on the sharing of personal medical information. Several
congressional committees are working on the issue, although it seems
unlikely that comprehensive legislation will emerge in the few remaining
weeks of this year's legislative session. In 1996, Congress passed a law
directing Health and Human Services to draft limited regulations on
medical privacy if Congress itself had not acted on the issue by Aug. 21,
1999. Congress failed to act by that date, so the department issued a
proposed rule on Oct. 29, 1999. A final version, which may be tougher, is
expected soon.


The Oct. 29 rule would bar health plans, health care providers that
transmit health information electronically, and health information
clearinghouses from revealing any personally identifiable information
about patients without first notifying them and getting their written
consent. Patients could obtain copies of their records and request
corrections. Violators would be subject to fines and other penalties,
although patients could not sue for damages.


However, the draft regulation contains a long list of exceptions to the
patient-consent requirement: Doctors could write prescriptions or give
information to another doctor or health care provider when it's needed to
treat a patient; pharmacists could review medical records to guard against
drug interactions; health care providers could share information needed to
obtain payment from insurers; and health plans could conduct reviews of
patient care. Exceptions are also provided for state public health
programs and for law enforcement agencies.


Insurers and others in the health care industry argue strenuously against
strict privacy rules. Representatives of the Blue Cross Blue Shield
Association told a House Ways and Means subcommittee on Feb. 17 that the
Health and Human Services proposal would cost the health care industry
"over $40 billion over five years." The department had estimated
the costs at $3.8 billion.


Consumer advocates say the Health and Human Services rules do not go far
enough, and medical-privacy advocates are urging Congress to strengthen
protections. Their proposals include a prohibition on the sale of personal
medical information and a narrowing of the list of exceptions to the
patient-consent requirement. Privacy advocates also want patients to have
the right to sue for damages if the rules are violated, and they do not
want any federal law to supersede state laws that provide greater privacy
safeguards.


Insurers and other health industry representatives object to suggestions
that patients should be allowed to sue and that any tougher state laws
should prevail over federal rules, said Alan Mertz, a medical-privacy
expert for the Healthcare Leadership Council, an organization of chief
executives of health care institutions and companies.


At the center of the clash between the health industry and those who want
strict privacy protections is the dispute over which groups, if any,
should have the right to share personal medical information without a
patient's consent.


Mertz and other industry spokesmen argue that in some instances, using
personal information is so crucial to health care delivery that they
should receive an automatic exemption. For example, Mertz said, an insurer
or health plan cannot pay a doctor unless it knows the patient's name, the
diagnosis, and the services provided. And pharmacists and health plans
must be able to cross-check the patient's prescriptions to look for
possible drug interactions.


According to Art Lifson, a vice president of the parent company of CIGNA
Healthcare, one of the nation's largest health insurers, an exemption must
be maintained for insurers' reviews that determine whether patients are
receiving appropriate care. "We don't sell health information. But we
contract with other companies to process bills and do utilization
review," he said. "If we had to go back each time to get
permission" from each patient to reveal their medical records, the
cost and complications would be immense.


Mary Grealy, president of the Healthcare Leadership Council, and Alissa
Fox, of the Blue Cross Blue Shield Association, testified on Capitol Hill
that the Health and Human Services rules are too stringent, would be
expensive to carry out, and would impede health care delivery. The draft
rules would have "a detrimental effect on the quality and safety of
patient care," Grealy said.


But Goldman, a pioneer in the drive for medical confidentiality, favors
giving patients the option of deciding whether they want the contents of
their medical records revealed even for basic reasons like paying bills.
Goldman and other privacy advocates say strong privacy rules will benefit
patients without putting undue burdens on health care providers or
insurers. Patients with conditions such as AIDS, those with genetic
predispositions to certain diseases, and people with mental illness or
substance abuse problems will more readily seek medical treatment.


Some critics suggest that giving patients the right to sue for damages in
cases of unauthorized release of health information is like writing trial
lawyers blank checks. But one advocate of the right to sue, who asked not
to be identified, doubted that there would be large damage awards, because
"you won't have physical injury ... [so] you're less likely to see
big judgments."


Potential losers in the fight over medical privacy are telemarketers,
drugstore chains, drug companies, health plans, and others who use medical
records to make sales pitches to patients. "How is it that a few
months after a doctor says a woman is pregnant, she starts getting
solicitations from diaper companies, kid-food companies, and mail-order
catalogs for children's clothes?" said Goldman. "It's not from
[public] birth records. It's coming from the hospitals and the
doctors."


Spencer Rich

National Journal