Options for Promoting Privacy on the National Information Infrastructure

Medical Record Privacy


Cost concerns are driving the nation's health care delivery system to a more cost-conscious, competitive, managed care environment. The health care industry is increasingly committed to computer networks that can collect, aggregate, and disseminate personal medical information on a nationwide basis. Use of the NII may help provide better care for less, and better use of information technology generally can make an important contribution to this effort. Existing and potential applications include telemedicine (remote medical diagnosis/care), unified electronic claims, personal health information systems, and computer-based patient records.138 The Physician Computer Network, Inc. (PCN), for example, has developed software that links physicians to insurance companies, clinical laboratories and hospitals. The system benefits doctors and patients by cutting the cost and delays associated with processing medical claims, receiving test results and changing medications and orders for hospitalized patients. In exchange for providing discount computers, PCN acquires aggregated patient records, including diagnoses and treatments, which it compiles and then sells to pharmaceutical companies and insurers.139

Public concern about medical privacy is quite high.140 Medical records often contain highly sensitive and personal information and can reveal more about an individual than virtually any other type of record.141 In response to public concerns, companies like PCN have implemented internal security measures and engaged a public accounting firm to certify that their data is maintained securely.142 In 1994, the Institute of Medicine called upon Congress to enact preemptive legislation to assure the confidentiality and protection of privacy rights in personally-identifiable health data.143 The National Research Council recently reported that computerized medical records are "vulnerable to misuse and abuse" and likewise called for the creation of additional incentives to ensure that healthcare industry employees protect patient information.144

Medical privacy concerns are not new. As early as 1977 the Privacy Protection Study Commission recognized that the trend toward computerization of medical record information posed "new problems" from a "privacy protection viewpoint."145 Among other things, the Commission concluded that medical records contained more information and were available to more users than ever before. Additionally, the Commission found that changes in the medical profession, increased population mobility, and increased demands by third parties for medical record information had greatly diluted the control that medical care providers had once exercised over such information. The Commission predicted that the demand for access to such information by third party users would increase over time, observing:

[T]he importance of medical-record information to those outside of the medical-care relationship, and their demands for access to it, will continue to grow. Moreover, owing to the rising demand for access by third parties, coupled with the expense of limiting disclosure to that which is specifically requested by the non-medical user, there appears to be no natural limit to the potential uses of medical-record information for purposes quite different from those for which it was originally collected.146

The Commission's 1977 prediction is a 1997 reality. Today, industry amasses and shares staggering amounts of medical information.147 Health care providers are now able to develop centralized profiles on the medical condition of patients, as well as the treatment of that condition in order to facilitate care, research, and insurance billing and coverage.148 Another example is the Medical Information Bureau (MIB), a non-profit trade organization that serves life and disability insurance companies by maintaining extensive databanks of medical and other information on millions of Americans and Canadians.149 This information has been referred to as "the medical equivalent of a credit report."150

As the Privacy Protection Study Commission predicted in 1977, medical information is routinely shared with and viewed by third parties who are not involved in patient care. Secondary users of medical information include educational institutions, the civil and criminal justice systems, life and health insurers, rehabilitation and social welfare programs, credit agencies, public health agencies, and medical and social researchers.151 The American Medical Records Association has identified twelve categories of information seekers outside of the health care industry who have access to health care files, including employers, government agencies, credit bureaus, insurers, educational institutions, and the media.152

Traditionally, health care and health insurance providers have guarded patient privacy in accordance with professional codes of ethical behavior, such as doctor-patient confidentiality. But no federal statute generally protects the confidentiality of medical records in the private sector.153 As an OTA report observed, existing law allows development of private-sector databases and data exchanges of patient information without regulation, statutory guidance, or recourse for individuals harmed by misuse of the data.154

Not surprisingly, technology and market pressures are beginning to erode the traditional protections for medical records. Consensus is emerging that doctor-patient confidentiality practices and the widely varying protection afforded under individual state laws no longer adequately protect the privacy of medical information. The Computer-based Patient Record Institute (CPRI), for example, drafted principles that call for federal standardization of patient confidentiality safeguards including stiff penalties and fines for those who knowingly breach the confidentiality of patient records.155

Some health organizations and companies have adopted voluntary privacy standards based on fair information principles.156 Major model codes and statutes in this industry include, for example, the American Health Information Management Association's Health Information Model Legislation language.157 As a practical matter, however, model codes and statutes have woven only a loose web of protection: they may apply to limited types of information, may not address secondary users of health information, lack enforcement powers, or simply have not been adopted (only a handful of States have comprehensive health-care information confidentiality statutes).158

The FTC recently entered into an agreement with the Medical Information Bureau (MIB) under which insurance companies must notify consumers when information provided by MIB plays a part in a decision to deny coverage or to charge a higher rate. Under these circumstances, MIB will give consumers a free copy of their medical information report, in order to verify that all information is correct.159

In its 1993 report, OTA concluded that the current system fails to address privacy issues in a borderless, computerized environment.160 Rep. Gary Condit (D-Calif.) has echoed this conclusion: "[B]ecause health information increasingly moves from a computer in one state to a computer in another state, uniform federal rules are needed."161 State privacy advocates have voiced similar concerns.162

The nation is some years away from full computerization of the traditional patient record used for clinical care, but is moving swiftly in that direction. Organizations such as the Computer-based Patient Record Institute are coordinating policy development in this area.163 Meanwhile, a large volume of medical data is already computerized in the context of insurance payment, managed care, and internal management in health care facilities.

The 104th Congress considered these issues in some detail, particularly with respect to Senate consideration of S. 1360, The Medical Records Confidentiality Act. No general health record confidentiality legislation was enacted, but the House companion bill to S. 1360 has been reintroduced in the 105th Congress as HR 52.164

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996,165 includes an administrative simplification subtitle to encourage the development of a health information system based on uniform technological standards for the electronic transmission of financial and administrative health care data. The Secretary of Health and Human Services is required to establish standards to facilitate such transactions. The standards are to include security standards as well as standards for a unique identifier.

HIPAA established a National Committee on Vital and Health Statistics to advise the Secretary of HHS on these standards issues and on medical records privacy. The Committee has held a series of hearings addressing different uses of medical records (e.g. providers, insurers, law enforcement, etc.).166

Another provision of the Act requires the Secretary to submit detailed recommendations to the Congress with respect to the privacy of individually identifiable health information (i.e. general health record confidentiality legislation applicable to health care providers, insurers, and others) by August 1997. If Congress does not itself act by August 1999, the Secretary must issue privacy standards applicable to electronic transmission before the transmission standards are implemented.167

138. See Al Gore & Ronald H. Brown, The National Information Infrastructure: Agenda for Action 14-15 (1993).

139. See Office of Technology Assessment (OTA), Protecting Privacy in Computerized Medical Information 33-34 (1993) (hereinafter OTA Report); Physicians Computer Network, Inc., Company Information (updated Feb. 5, 1997) <http://www.pcn.com>.

140. Eighteen percent of the respondents to the 1996 Equifax Survey consider use of the patient records -- even for medical research -- "very acceptable." Thirty nine percent consider this use "somewhat acceptable." Both groups considered its use appropriate without prior permission only as long as no information released identifies an individual patient. Nearly one-third of the survey respondents characterized even that use as "not at all acceptable." Lou Harris & Associates, Inc., supra note 24.

141. Alan Westin has noted that information contained in medical records can have "an enormous impact on people's lives" and that such information "affects decisions on whether they are hired or fired, whether they can secure business licenses and life insurance, whether they are permitted to drive cars, whether they are placed under police surveillance or labeled a security risk, or even whether they get nominated for and elected to political office." Jeffrey Rothfeder, Privacy for Sale 181 (1992) (quoting comments of Alan Westin).

142. See Medicine: No Restrictions on Drug Data, L. A. Times, May 18, 1994, at A12.

143. See Institute of Medicine, Nat'l Academy of Science, Health Data in the Information Age: Use, Disclosure and Privacy 190-91 (1994).

144. National Research Council, Report of Privacy and Computerized Records (1997). See Warren E. Leary, Panel Cites Lack of Security on Medical Records, N.Y. Times, Mar. 6, 1997, at A1.

145. See Privacy Protection Study Commission, supra note 3, at 290.

146. Id. at 290-91.

147. See John Riley, Changes in Health Care are Eroding Medical Records Privacy Protection, Com. Appeal (Memphis, Tenn.), Apr. 23, 1996, at A5, available in 1996 WL 9903637; Jay Greene, Your Medical Records - Perhaps Your Most Personal Information - Also are the Most Vulnerable to Public Scrutiny, Orange County Reg. (CA.), April 24, 1996, at C01, available in 1996 WL 7023964.

148. See Leary, supra note 144.

149. MIB maintains health records on 15 million Americans for 600 member insurance companies. See Greene, supra note 147.

150. See Melanie Hirsch, Protecting Your Privacy - Make Sure Your Medical Records Are Accurate and Confidential, The Syracuse Post-Standard, Mar. 25, 1994, at C1, available in 1994 WL 5620138.

151. See OTA Report, supra note 139, at 2. One study found that consumers were unaware of the extent to which health insurance companies shared information concerning employees' health claims with their employers and were also unaware of the amount of information now being required in the health claims review process. See Smith, supra note 27, at 148; Leary, supra note 144.

152. See Rothfeder, supra note 141, at 180; see also Commentary: Keeping Medical Secrets a Secret, Chi. Trib., Apr. 5, 1996, at 17, available in 1996 WL 2659263 (reporting on the erosion of medical records privacy with the growth of HMOs and health networks, the rise of commercial information companies and medical information increasingly becoming a commodity); Mike Woods, Plug Leaks on Medical Records, Plain Dealer (Clev.), Feb. 6, 1996, at 6E, available in 1996 WL 3534915 (reporting on specific examples of misused medical record information appearing in a recent article in Medical Economics).

153. Medical records held by federal government agencies are protected by the Privacy Act of 1974, 5 U.S.C. § 552a. Section 543 of the Public Health Service Act (42 U.S.C. § 290dd-2) provides protection for records of patients in federally-assisted treatment programs for alcohol or drug abuse. Additionally, medical records generated by the Department of Veterans Affairs for the treatment of alcohol or drug abuse, sickle-cell anemia, or H.I.V. are accorded special confidentiality under 38 U.S.C. § 7332. One survey of this area, however, noted that only about five percent of all medical records in the United States come under these limited federal statutory protections. See Paul M. Schwartz, The Protection of Privacy in Health Care Reform, 48 Vand. L. Rev. 295, 315 (1995). But see discussion infra page 34, discussing proposed legislation.

154. See OTA Report, supra note 139, at 11.

155. CPRI is a non-profit membership organization representing all stakeholders in health care focusing on clinical applications of information technology. See Computer-based Patient Record Institute (last modified Mar. 3, 1997) <http://www.cpri.org/msngls.html>.

156. See OTA Report, supra note 139, at 77.

157. See AHIMA's Role in Health Information Confidentiality Issue (visited Apr. 11, 1997) <http://www.ahima.org/media/press.releases/history.html>.

158. While 34 states have laws covering the use and dissemination of medical information, most are not comprehensive. For example, only 28 such laws enable the patient to review their records and correct errors. See Leary, supra note 144.

159. See Consumer Rights Expanded Under Reporting Rule Effective in October, FTC News, Sept. 29, 1995, at 1; Greene, supra note 147.

160. OTA Report, supra note 139, at 44.

161. See Debra Beachy, A Private Matter/Reform Raises Worry About Medical Records, Hous. Chron., Nov. 21, 1993, at 1, available in 1993 WL 9634705.

162. For example, although Wisconsin has strong medical confidentiality laws, computerized medical data flows freely to other states that may not have similar protection. Mary Zahn and Eldon Knoche, States' Public Records Policies Inconsistent, Milwaukee J. & Sentinel, Jan. 21, 1995, at A1, available in 1995 WL 2968305. This led Wisconsin privacy advocate Carole Doeppers to comment: "[i]f your prescriptions are sent electronically to some sort of company in Battle Creek, Mich., which processes HMO claims, are they protected from re-release? I don't know the answer. Federal protections are needed. You can't legislate the practices of national companies on a state level." Id. Likewise, a Massachusetts state law gives residents of that state the right to challenge the data maintained by the Medical Information Bureau. Josh Kratka, an attorney with the Massachusetts Public Interest Research Group, stated that "[i]n Massachusetts, we have a very strong privacy protection law for life and health insurance applicants" but also noted that "[n]o one else in the nation is covered by the law." Id.

163. See Computer Based Patient Record Institute (last modified Mar. 3, 1997) <http://www.cpri.org>.

164. Other bills addressing these issues in the 104th Congress included the Fair Health Information Practices Act of 1995, H.R. 435 (introduced by Rep. Condit) and the Medical Privacy in the Age of New Technologies Act of 1996, H.R. 3482 (introduced by Rep. McDermott).

165. Pub. L. No. 104-191 (1996) (Kassebaum-Kennedy Act).

166. See National Committee on Vital and Health Statistics (visited Apr. 13, 1997) <http://aspe.hhs.gov/ncvhs/index.htm>.

167. Pub. L. No. 104-191 § 264.