Protecting Privacy to Improve Health Care

Health Affairs

Volumn 17, Issue 6, 1998, Pages 47-60

  Goldman, Janlori ^a  

^a NONE

Author keywords

[No Author keywords available]

Indexed keywords

ARTICLE; HEALTH CARE AND PUBLIC HEALTH; HEALTH CARE QUALITY; HUMAN; LEGAL APPROACH; LEGAL ASPECT; MEDICAL RECORD; POLICY; PRIVACY; PUBLIC HEALTH; UNITED STATES;

HEALTH CARE AND PUBLIC HEALTH; LEGAL APPROACH;

HUMANS; MEDICAL RECORDS; PRIVACY; PUBLIC HEALTH; PUBLIC POLICY; QUALITY OF HEALTH CARE; UNITED STATES;

EID: 0346072233     PISSN: 02782715     EISSN: None     Source Type: Journal    
DOI: 10.1377/hlthaff.17.6.47     Document Type: Article

References (52)

1. The public's fear of losing privacy is not unique to health care. In a joint statement last year President Bill Clinton and Vice-President Al Gore acknowledged this fear: "Americans treasure privacy, linking it to our concept of personal freedom and well-being. Unfortunately, the [Global Information Infrastructure's] great promise that it facilitates the collection, re-use, and instantaneous transmission of information can, if not managed carefully, diminish personal privacy. It is essential, therefore, to assure personal privacy in the networked environment if people are to feel comfortable doing business."
2. Opposing views were played out recently in a USA Today editorial debate. "Privacy? At Most HMOs You Don't Have Any," 13 July 1998, 12A. The counterview was provided by Karen Ignagni, president and chief executive officer, American Association of Health Plans, in "Do Not Retard Progress."
3. See the Center for Democracy and Technology's Web site, www.cdt.org/privacy; testimony of Janlori Goldman before the Federal Trade Commission, "Privacy and Individual Empowerment in the Interactive Age," 20 November 1995; and J. Quittner, "Invasion of Privacy," Time, 25 August 1997, 28.
4. As described in a recent report, "Health information and the medical record include sensitive personal information that reveals some of the most intimate aspects of an individual's life. In addition to diagnostic testing information, the medical record includes the details of a person's family history, genetic testing history of diseases and treatments, history of drug use, sexual orientation and practices, and testing for sexually transmitted disease. Subjective remarks about a patient's demeanor, character and mental state are sometimes a part of the record." U.S. Congress Office of Technology Assessment, Protecting Privacy in Computerized Medical Information, Pub. no. OTA-TCT-576 (Washington: U.S. Government Printing Office, September 1993).
5. Recent studies bear this out. See J. Goldman and D. Mulligan, Privacy and Health Information Systems: A Guide to Protecting Patient Confidentiality(Washington: Center for Democracy and Technology, 1996).
6. Louis Harris privacy surveys (New York: Harris, 1992, 1995, 1996).
7. Louis Harris and Associates, Health Information Privacy Survey, 1993 (New York: Harris, 1993). The survey was conducted for Equifax Inc.
8. Harris's 1996 survey elicited a disturbing public view of researchers' use of medical records. The public's comfort level rose if the information released did not identify individual patients, but one-third found it not at all acceptable for researchers to use nonidentifiable information without consent.
9. R. O'Harrow, "Prescription Sales, Privacy Fears," Washington Post, 15 February 1998, Al; R. O'Harrow, "Giant Food Stops Sharing Customer Data," Washington Post, 18 February 1998, Al; and R. O'Harrow, "CVS Also Cuts Ties to Marketing Service," Washington Post, 19 February 1998, El. Shortly after this became public, CVS, Elensys, and Glaxo Wellcome were named as defendants in a classaction suit filed in Massachusetts Superior Court, Civil Action no. 98-0897-F. The use of personal health information for marketing purposes appears to be widespread. Recent press reports of disclosure include Patient Direct Metromail, which advertises in a pharmaceutical industry journal that it has 7.6 million names of persons who suffer from allergies, 945,000 who suffer from bladder-control problems, and 558,000 who suffer from yeast infections: "Medical Privacy Is Eroding, Physicians and Patients Declare," San Diego Union-Tribune, 2 February 1998, Bl; and personal examples such as an Orlando woman who, after routine tests, received a letter from a drug company touting a treatment for her high cholesterol: "Many Can Hear What You Tell Your Doctors: Records of Patients Are Not Kept Private," Orlando Sentinel, 11 November 1997, Al.
10. R. O'Harrow, "Prescription Sales, Privacy Fears," Washington Post, 15 February 1998, Al; R. O'Harrow, "Giant Food Stops Sharing Customer Data," Washington Post, 18 February 1998, Al; and R. O'Harrow, "CVS Also Cuts Ties to Marketing Service," Washington Post, 19 February 1998, El. Shortly after this became public, CVS, Elensys, and Glaxo Wellcome were named as defendants in a classaction suit filed in Massachusetts Superior Court, Civil Action no. 98-0897-F. The use of personal health information for marketing purposes appears to be widespread. Recent press reports of disclosure include Patient Direct Metromail, which advertises in a pharmaceutical industry journal that it has 7.6 million names of persons who suffer from allergies, 945,000 who suffer from bladder-control problems, and 558,000 who suffer from yeast infections: "Medical Privacy Is Eroding, Physicians and Patients Declare," San Diego Union-Tribune, 2 February 1998, Bl; and personal examples such as an Orlando woman who, after routine tests, received a letter from a drug company touting a treatment for her high cholesterol: "Many Can Hear What You Tell Your Doctors: Records of Patients Are Not Kept Private," Orlando Sentinel, 11 November 1997, Al.
11. R. O'Harrow, "Prescription Sales, Privacy Fears," Washington Post, 15 February 1998, Al; R. O'Harrow, "Giant Food Stops Sharing Customer Data," Washington Post, 18 February 1998, Al; and R. O'Harrow, "CVS Also Cuts Ties to Marketing Service," Washington Post, 19 February 1998, El. Shortly after this became public, CVS, Elensys, and Glaxo Wellcome were named as defendants in a classaction suit filed in Massachusetts Superior Court, Civil Action no. 98-0897-F. The use of personal health information for marketing purposes appears to be widespread. Recent press reports of disclosure include Patient Direct Metromail, which advertises in a pharmaceutical industry journal that it has 7.6 million names of persons who suffer from allergies, 945,000 who suffer from bladder-control problems, and 558,000 who suffer from yeast infections: "Medical Privacy Is Eroding, Physicians and Patients Declare," San Diego Union-Tribune, 2 February 1998, Bl; and personal examples such as an Orlando woman who, after routine tests, received a letter from a drug company touting a treatment for her high cholesterol: "Many Can Hear What You Tell Your Doctors: Records of Patients Are Not Kept Private," Orlando Sentinel, 11 November 1997, Al.
12. R. O'Harrow, "Prescription Sales, Privacy Fears," Washington Post, 15 February 1998, Al; R. O'Harrow, "Giant Food Stops Sharing Customer Data," Washington Post, 18 February 1998, Al; and R. O'Harrow, "CVS Also Cuts Ties to Marketing Service," Washington Post, 19 February 1998, El. Shortly after this became public, CVS, Elensys, and Glaxo Wellcome were named as defendants in a classaction suit filed in Massachusetts Superior Court, Civil Action no. 98-0897-F. The use of personal health information for marketing purposes appears to be widespread. Recent press reports of disclosure include Patient Direct Metromail, which advertises in a pharmaceutical industry journal that it has 7.6 million names of persons who suffer from allergies, 945,000 who suffer from bladder-control problems, and 558,000 who suffer from yeast infections: "Medical Privacy Is Eroding, Physicians and Patients Declare," San Diego Union-Tribune, 2 February 1998, Bl; and personal examples such as an Orlando woman who, after routine tests, received a letter from a drug company touting a treatment for her high cholesterol: "Many Can Hear What You Tell Your Doctors: Records of Patients Are Not Kept Private," Orlando Sentinel, 11 November 1997, Al.
13. R. O'Harrow, "Prescription Sales, Privacy Fears," Washington Post, 15 February 1998, Al; R. O'Harrow, "Giant Food Stops Sharing Customer Data," Washington Post, 18 February 1998, Al; and R. O'Harrow, "CVS Also Cuts Ties to Marketing Service," Washington Post, 19 February 1998, El. Shortly after this became public, CVS, Elensys, and Glaxo Wellcome were named as defendants in a classaction suit filed in Massachusetts Superior Court, Civil Action no. 98-0897-F. The use of personal health information for marketing purposes appears to be widespread. Recent press reports of disclosure include Patient Direct Metromail, which advertises in a pharmaceutical industry journal that it has 7.6 million names of persons who suffer from allergies, 945,000 who suffer from bladder-control problems, and 558,000 who suffer from yeast infections: "Medical Privacy Is Eroding, Physicians and Patients Declare," San Diego Union-Tribune, 2 February 1998, Bl; and personal examples such as an Orlando woman who, after routine tests, received a letter from a drug company touting a treatment for her high cholesterol: "Many Can Hear What You Tell Your Doctors: Records of Patients Are Not Kept Private," Orlando Sentinel, 11 November 1997, Al.
14. Confidentiality of Health Records: Hearings before the Subcommittee on Technology and the Law of the Senate Judiciary Committee, 104th Cong., 2d sess., 27 January 1994. Additional reports of abuse or misuse of people's health information include the following: Harvard Community Health Plan, a Boston-based health maintenance organization (HMO), admitted to maintaining detailed notes of psychotherapy sessions in computer records that were accessible by all clinical employees (the HMO subsequently revamped its computer security practices): A. Bass, "HMO Puts Confidential Records On-Line," Boston Globe, 7 March 1995, 1. In Maryland eight Medicaid clerks were prosecuted for selling computer printouts of recipients' and dependents' financial resources to sales representatives of managed care companies: B. McMenamin, "It Can't Happen Here," Forbes, 20 May 1996, 252.
15. Confidentiality of Health Records: Hearings before the Subcommittee on Technology and the Law of the Senate Judiciary Committee, 104th Cong., 2d sess., 27 January 1994. Additional reports of abuse or misuse of people's health information include the following: Harvard Community Health Plan, a Boston-based health maintenance organization (HMO), admitted to maintaining detailed notes of psychotherapy sessions in computer records that were accessible by all clinical employees (the HMO subsequently revamped its computer security practices): A. Bass, "HMO Puts Confidential Records On-Line," Boston Globe, 7 March 1995, 1. In Maryland eight Medicaid clerks were prosecuted for selling computer printouts of recipients' and dependents' financial resources to sales representatives of managed care companies: B. McMenamin, "It Can't Happen Here," Forbes, 20 May 1996, 252.
16. Confidentiality of Health Records: Hearings before the Subcommittee on Technology and the Law of the Senate Judiciary Committee, 104th Cong., 2d sess., 27 January 1994. Additional reports of abuse or misuse of people's health information include the following: Harvard Community Health Plan, a Boston-based health maintenance organization (HMO), admitted to maintaining detailed notes of psychotherapy sessions in computer records that were accessible by all clinical employees (the HMO subsequently revamped its computer security practices): A. Bass, "HMO Puts Confidential Records On-Line," Boston Globe, 7 March 1995, 1. In Maryland eight Medicaid clerks were prosecuted for selling computer printouts of recipients' and dependents' financial resources to sales representatives of managed care companies: B. McMenamin, "It Can't Happen Here," Forbes, 20 May 1996, 252.
17. David Korn, senior vice-president, Association of American Medical Colleges, testified before Congress recently that "claims of 'privacy' cannot be absolute in contemporary society. Rather, they must be tempered in a limited number of specific instances where public well being and responsibility require access to individuals' health information." Protecting Health Information: Legislative Options for Medical Privacy, 1998: Hearings before the Subcommittee on Government Management, Information, and Technology of the House Committee on Government Reform and Oversight, 105th Cong., 2d sess., 19 May 1998.
18. Commenting on a recent Minnesota law requiring patient consent for the use of medical records in research, a researcher with the Mayo Clinic argued that "efforts to protect the confidentiality of medical records may seriously impair the ability of investigators to carry out such studies in the future. That, in turn, would have the potential to slow improvements in medical and surgical care, disrupt the clinical-research enterprise, and compromise medical education programs nationally." J. Melton, "The Threat to Medical-Records Research," New England Journal of Medicine (13 November 1997): 1466-1469.
19. See remarks of Rep. William M. Thomas (R-CA), Patient Confidentiality, 1998: Hearings before the Subcommittee on Health of the House Committee on Ways and Means, 105th Congress, 2d sess., 24 March 1998.
20. Charles N. Kahn III, chief operating officer, Health Insurance Association of America, testified before Congress recently that "[h]ealth records are used to improve health care quality, reduce health care costs, expand the availability of health care services, protect public health, and assure the accountability of the health care system. Confidentiality, when taken in its purest form - by putting firewalls around information - potentially undermines all of these objectives. Congress must strike a careful balance between assuring confidentiality and maintaining accessibility to medical records." Protecting Health Information Legislative Options for Medical Privacy, 1998.
21. A. Rubin, "Gore to Propose More Privacy Safeguards for Public," Los Angeles Times, 31 July 1998, A4. See also S.G. Stolberg, "Health Identifier for All Americans Runs into Hurdles," New York Times, 20 July 1998, A1.
22. A. Rubin, "Gore to Propose More Privacy Safeguards for Public," Los Angeles Times, 31 July 1998, A4. See also S.G. Stolberg, "Health Identifier for All Americans Runs into Hurdles," New York Times, 20 July 1998, A1.
23. Bernadine Healy, former director of the National Institutes of Health, commented in an editorial that "[t]he unease is that [the identifier] would be an invasion of an individual's most intimate personal life. . . . The Government does a lot of things well, but keeping secrets is not one of them." "Hippocrates vs. Big Brother," New York Times, 24 July 1998, A25.
24. See National Research Council, For the Record: Protecting Electronic Health Information (Washington: National Academy Press, 1997); National Academy of Sciences, Institute of Medicine, Health Data in the Information Age: Use, Disclosure, and Privacy (Washington: National Academy Press, 1994); OTA, Protecting Privacy in Computerized Medical Information; and Privacy Protection Study Commission, Personal Privacy in an Information Society (Washington: U.S. GPO, 1977).
25. See National Research Council, For the Record: Protecting Electronic Health Information (Washington: National Academy Press, 1997); National Academy of Sciences, Institute of Medicine, Health Data in the Information Age: Use, Disclosure, and Privacy (Washington: National Academy Press, 1994); OTA, Protecting Privacy in Computerized Medical Information; and Privacy Protection Study Commission, Personal Privacy in an Information Society (Washington: U.S. GPO, 1977).
26. See National Research Council, For the Record: Protecting Electronic Health Information (Washington: National Academy Press, 1997); National Academy of Sciences, Institute of Medicine, Health Data in the Information Age: Use, Disclosure, and Privacy (Washington: National Academy Press, 1994); OTA, Protecting Privacy in Computerized Medical Information; and Privacy Protection Study Commission, Personal Privacy in an Information Society (Washington: U.S. GPO, 1977).
27. "Medical Files or Fishbowls?" Washington Post, 23 September 1997, A16.
28. Harris's Health Information Privacy Survey, 1993, found that the majority of the public (56 percent) favored the enactment of strong, comprehensive federal legislation to protect the privacy of health care information. In fact, of that majority, 85 percent responded that protecting the confidentiality of medical records was absolutely essential or very important to them. An overwhelming percentage wanted penalties imposed for unauthorized disclosure of medical records (96 percent), guaranteed access to their own records (96 percent), and rules regulating third-party access to personal health information.
29. See R. O'Harrow, "White House Effort Addresses Privacy," Washington Post, 14 May 1998, El;
30. J. Broder, "Gore to Announce 'Electronic Bill of Rights' Aimed at Privacy," New York Times, 14 May 1998, A16; and remarks of Vice-President Al Gore, "Vice President Gore Announces New Steps toward an Electronic Bill of Rights," The White House, Office of the Vice-President, Press Briefing, www.whitehouse.gov (31 July 1998).
31. See A. Goldstein, "Clinton Backs 'Bill of Rights' for Patients: President Seeks Law to Enforce Standards," Washington Post, 20 November 1997, A1.
32. National Conference of State Legislatures, Health Policy Tracking Service Issue Brief (Washington: NCSL, 1 July 1998).
33. L. Gostin et al., Legislative Survey of State Confidentiality Laws, with Specific Emphasis on HIV and Immunization (Unpublished final report presented to U.S. Centers for Disease Control and Prevention, Council of State and Territorial Epidemiologists, Task Force for Child Survival and Development, Carter Presidential Center, Washington, D.C., 1996), 2, available on the Internet at www.epic.org/ privacy/medical/cdc_survey.html.
34. L. Gostin et al., "The Public Health Information Infrastructure: A National Review of the Law on Health Information Privacy," Journal of the American Medical Association (26 June 1996): 1921-1927.
35. K. Hudson et al., "Genetic Discrimination and Health Insurance: An Urgent Need for Reform," Science (20 October 1995): 391-393.
36. Minnesota Statute, Department of Health, sec, 144.335 (1997).
37. A comprehensive health privacy bill introduced in the Senate in the 104th Congress (S. 1360, "The Medical Records Confidentiality Act of 1996") by Senators Robert Bennett (R-UT) and Patrick J. Leahy (D-VT) quickly garnered broad bipartisan support, including cosponsorship by Senators Bob Dole (R-KS), Thomas A. Daschle (D-SD), Nancy L. Kassebaum (R-KS), Edward M. Kennedy (D-MA), Jim M. Jeffords (R-VT), and Bill Frist (R-TN). In support of particular legislative proposals to safeguard health privacy, diverse interests such as the American Association of Retired Persons (AARP), IBM, American Civil Liberties Union (ACLU), American Medical Association (AMA), Blue Cross and Blue Shield Association, CATO Institute, Center for Democracy and Technology, Electronic Privacy Information Center, and American Psychiatric Association have signed letters together, evincing agreement on broad health information privacy principles.
38. A more in-depth discussion of HIPAA and other relevant laws can be found in J. Goldman, "Privacy and Health Information: A Legal Framework" (Paper presented at a Robert Wood Johnson Foundation-sponsored conference, 14 January 1998, Washington, D.C.). The paper is included in the conference summary published by Health Systems Research, Inc., Washington, D.C.
39. Legislation introduced in the 105th Congress includes the following: "Medical Privacy in the Age of New Technologies Act of 1997" (H.R. 1815), sponsored by Rep. Jim McDermott (D-WA); "Fair Health Information Practices Act of 1997" (H.R. 52), sponsored by Rep. Gary Condit (D-CA); "Consumer Health and Research Technology Protection Act" (H.R. 3900), sponsored by Rep. Christopher Shays (R-CT); "The Medical Information Privacy and Security Act" (S. 1368), cosponsored by Sen. Patrick J. Leahy (D-VT) and Sen. Edward M. Kennedy (D-MA); and "Health Care Personal Information Nondisclosure Act of 1998" (S. 1921), cosponsored by Sen. Jim M. Jeffords (R-VT) and Sen. Christopher J. Dodd (D-CT).
40. Confidentiality of Individually-Identifiable Health Information: Recommendations of the Secretary of Health and Human Services, pursuant to Section 264 of the Health Insurance Portability and Accountability Act of 1996 (U.S. Department of Health and Human Services recommendations submitted to Congress 11 September 1997, available at aspe.os.dhhs.gov.admnsimp. Hereinafter referred to as "Shalala report."
41. Prepared by the Congressional Research Service, Library of Congress, tor Sen. Robert Bennett (R-UT), October 1995.
42. For further discussion, see National Research Council, For the Record.
43. Many of the bills include a third category of activities labeled "health care operations." Largely undefined, the category would establish a giant loophole in which providers, health plans, and others can compel authorization tor a wide variety of uses and disclosures of personal health information.
44. For a practical discussion about using non-personally identifiable data see L. Sweeney, "Weaving Technology and Policy Together to Maintain Confidentiality," Journal of Law, Medicine, and Ethics (Summer and Fall 1997): 98-110.
45. 45 CFR 46, subpart A, known as the "Federal Common Rule."
46. U.S. Department of Health and Human Services, Protecting Human Research Subjects: Institutional Review Board Guidebook (Washington: U.S. GPO, 1993).
47. A New York Times editorial decried on 11 September 1997, "The exemption for law enforcement agencies is a huge loophole. . . . The need to combat fraud in the nation's trillion-dollar health care industry is indisputable. But it hardly justifies granting less privacy protection to the intimate information contained in medical records than existing Federal statutes now extend to the records of banks, cable television, video rental stores, or E-mail users, as the Administration's plan bizarrely contemplates."
48. The Health Privacy Project is in the process of researching and writing a comprehensive compendium of state health privacy laws, which is expected to be completed by early 1999.
49. Patient Protection Act, 105th Cong., 2d sess., H.R. 4250. The section discussed is Tide V, "Confidentiality of Health Information." The bill was passed by tne House of Representatives 24 July 1998.
50. See J. Schwartz, "Bill Would Allow Sale of Patient Data, Washington Post, 24 July 1998 F1. Editorials in major newspapers also warned of the threat to privacy in H.R. 4250. See, for example, "Congress Prepares to Strip Away Your Privacy Protections," USA Today, 31 July 1998, 12A.
51. See J. Schwartz, "Bill Would Allow Sale of Patient Data, Washington Post, 24 July 1998 F1. Editorials in major newspapers also warned of the threat to privacy in H.R. 4250. See, for example, "Congress Prepares to Strip Away Your Privacy Protections," USA Today, 31 July 1998, 12A.
52. The Health Privacy Project is convening a Health Privacy Working Group to achieve such a set of best principles. The group's final report is scheduled to be released by the summer of 1999.