The privacy threat that didn't go away

Last July, when the public suddenly became aware of a controversial provision of the 1996 Kennedy-Kassebaum health care law, the reaction was swift and indignant. Buried deep within the otherwise innocuous bill, the proposal called for the creation of a permanent electronic health record--or "unique health identifier," as it would be known--for every American. Each person's record would have a complete medical history, and all of the records would be stored together in a central electronic vault with access controlled by the government. According to its proponents, this wonderfully efficient method of medical record-keeping would not only help doctors make better decisions--it would open vast new possibilities for research and cost-cutting.

The plan was quickly denounced by those who worried that we might be racing headlong into an Orwellian nightmare. Fine, the government would control access to the files. But according to what criteria? Within days, Vice President Gore announced a moratorium on the development of the unique health identifier until such time as strong patient-privacy legislation was securely in place. Then Congress, not to be outdone, put real teeth in the recommendation by cutting off all resources for the implementation of the unique health identifier until the close of the fiscal year.

The uproar ended there, but the story didn't. Indeed, under the original terms of the Kennedy-Kassebaum law, if Congress doesn't pass a patient-privacy protection bill by August 21, Health and Human Services Secretary Donna Shalala must draw up a list of regulations on her own, potentially clearing the way for a return of the identifier. And, although nobody is quite sure what patient protections Shalala has in mind, a look back at a tentative, 90-page proposal she submitted to Congress in September 1997 provides a less than comforting impression.

Although Shalala asserted that there exists an "age-old right to privacy" and called for some important protections, she also argued in favor of allowing law enforcement officials or, under certain circumstances, "official[s] of the U.S. Intelligence Community" easier access to individual records. In addition, she provided a long list of others who could gain access to health records--from next of kin to researchers to insurance company clerks--whenever they cited "health care and payment purposes." In other words, Shalala's guidelines would allow for all sorts of access to these confidential records by all sorts of people--and, unless Congress or the administration intervenes, those guidelines will likely shape the final privacy regulations. "We are really at a crossroads," says Richard K. Harding, M.D., a child psychiatrist and privacy advocate who serves on the citizen's committee advising Shalala. "Centuries of medical practice, founded upon such strong ethical principles as patient-physician confidentiality and informed patient consent, are in the process of being tossed out the window, but no one seems to realize it or even be paying any attention."

There are several rationales for allowing such wide access to personal information. One argument is that rapid transmission of information would enable health care providers to look quickly at a patient's complete medical history in an emergency and discover, say, a past disease or medical allergy that might help identify an otherwise ambiguous affliction. In addition, it would enable better--and faster--research of health care in the aggregate. "We could look at cost-effectiveness carefully--analyze who has access to the various health services and what kind of services they are," says Georgetown University law professor Larry Gostin, an expert in the field of public health and a proponent of the unique health identifier. "We could also look at hospitals in terms of how well they are functioning, and we could assess the efficacy of various kinds of medical procedures. There would be many clinical benefits, both for patients and for research." Proponents of the unique health identifier also assert that it will help prevent fraud and abuse, since the government would have an easier time tracking claims records, just as it would produce efficiency gains for insurance companies--electronic billing is less costly than paper billing. (Not surprisingly, some of the identifier's loudest advocates on Shalala's advisory board represent the insurance, data collection, software, and research industries.)

These are all worthy goals--but they'd be purchased at a steep price. Consider, for example, the identifier's repercussions for psychiatry. Who, after all, would confide his or her deepest fears, embarrassments, fantasies, and dilemmas to a clinician knowing that these most intimate secrets would be shipped off electronically to Washington, where any of a variety of people could access them for any of a variety of purposes? There are also aspects of physical treatment that a patient might understandably prefer to keep confidential--such as being tested for a sexually transmitted disease, having an abortion or a mastectomy, or suffering from a terminal illness. Medical technology is discovering all sorts of ways to identify who's at risk for genetically transmitted diseases. In the wrong hands, though, that information could cost somebody his or her insurance coverage--or even a job.

Of course, medical privacy has been under attack for a while, thanks to the increasing computerization of patient records and the growth of managed care, which relies on detailed information to make decisions about treatment and coverage. Once a patient has signed a standard insurance release in order to get benefits, his health records become available to electronic file clerks, case managers, and insurance administrators, not to mention the physicians and nursing staff working in that patient's HMO or employer-owned insurance plan. Frequently, employers are also privy to medical histories: according to a 1996 University of Illinois survey, more than one-third of the Fortune 500 corporations that responded admitted to having used their employees' medical files in the course of making job-related decisions, such as promotions. (Moreover, it's possible that many respondents had done so but didn't admit it, making the true number even higher.)

This is why many psychotherapy patients, alerted to the current privacy threat, already elect to go outside their health plans and pay for treatment out of their own pockets. These individuals don't want the things they say in therapy to be used against them in the future; often, they don't even want it known that they've sought psychological treatment at all. But, if a unique health identifier is put into play, there won't even be a secure place "outside the system." As Robert Pyles, president of the American Psychoanalytic Association, puts it, a national identifier would function as a kind of "national tattoo." He explains: "Many people have the comfortable notion that if you're not a celebrity--someone like Bill Clinton, whose intimate life became a national spectacle--your personal information won't ever get you into much trouble. But it's the ordinary citizens who need to realize that there are very serious ways in which access to their medical information can impact upon their lives and their careers."

If, for example, someone with a health problem applies for a job--and if his potential employer can see his medical records--he may not stand a chance against a healthy applicant, who'd be less likely to drive up the firm's insurance premiums. Or, if a person with a very substantial salary is applying for a home loan and someone has figured out how to access her medical history, she may be refused that mortgage because she has suffered from depression or gone through a bout of cancer. Such fears may sound outlandish, but anecdotes of compromised privacy are not hard to find even now, without the unique health identifier. In one incident described in the November 23, 1995, New England Journal of Medicine, a Maryland banker who was sitting on a state health commission used data about his bank's debtors to figure out which ones were suffering from cancer--and then called in their outstanding loans.

An even more infamous episode, reported on the front page of the October 8, 1992, New York Post, occurred when the medical records of congressional candidate Nydia Velázquez were faxed anonymously to a number of media outlets three weeks after she had won the Democratic primary in her district in 1992. The records showed that Velázquez had, one year earlier, voluntarily admitted herself to a Manhattan hospital after a serious suicide attempt. As the congresswoman (she went on to win the election and now represents New York's twelfth congressional district) later testified in a Senate hearing on high-tech privacy issues: "For the press, it was a big story. For me, it was a humiliating experience over which I had no control.... Very few people knew about my situation, and I [had] made the decision of not sharing it with my family.... My father and mother, eighty years old, they did not understand. They still do not understand."

Velázquez is simply one of the more high-profile victims of what Brandeis University medical ethicist Beverly Woodward has termed "record browsing." As Woodward has noted, "Documented cases of browsing by insiders in large computer networks indicate that the behavior is not uncommon ... and that it may be carried out for such diverse reasons as curiosity (e.g., about friends, neighbors, relatives, or celebrities), perversity (e.g., sexual interests), anger (e.g., on the part of an employee who is about to be or has recently been dismissed), or a desire for financial or political gain." With fully computerized records stored in a central bank, the opportunities for such abuse would almost certainly multiply--and so would the actual incidence, particularly without sufficiently strict privacy protection.

Surely the most compelling argument for the use of identifiers is the potential gain for research. If it would really save thousands of lives down the road, surrendering a bit of privacy doesn't seem like such a sacrifice. But the true irony here is that the reams of information a unique health identifier would generate might not even be all that reliable in the long run. That's because, as privacy advocate Paul Appelbaum, M.D., says, "if we were to implement unique identifiers, you'd soon find everyone engaged in subverting the system in every way they could." For example, doctors uncomfortable in their role as government informers might conspire with patients by reporting as little accurate medical information as possible, and patients, once they'd wised up to the privacy threat, might withhold important data from physicians.

The real problem with the research argument, though, is that it stands in direct opposition to the most fundamental principle of research involving human subjects: informed consent. If all of our health information becomes part of a vast national database--freely available for medical studies and for business-related cost-cutting analyses--none of us would have a shred of choice when it came to our willingness to participate, or our wish not to participate, in such research. We would all, in effect, become "human subjects."

Alas, such lofty abstract arguments are not likely to persuade the other groups lobbying for the creation of identifiers--large computer, data bank, and telecommunications corporations. These wealthy, powerful companies see vast profit potential in the collection, organization, and sale of health care data. According to a May 10 article in the Los Angeles Times, drug companies and hospitals already spend up to $15 billion a year on technology to acquire and exchange medical information about us, such as our blood pressure and the psychiatric medications we may be using.

Huge profits can be realized by easing legal access to our health data; and, as Charles Welch, M.D., the chairman of the task force that developed the Massachusetts Medical Society's patient-privacy and confidentiality policy, recently said, "There is a long gravy train forming around our medical records." Eager investors, including database companies, insurers, and the managed care industry, stand to reap millions--while the rest of us stand to lose not only our insurance, our jobs, and our money, but our privacy and our personal dignity as well.

This article originally ran in the July 12, 1999, issue of the magazine.