Health and Medical Privacy
Health and medical information (including medical records, prescription histories, patient data, surgical records, and so on) is one of the most obvious of those types of information that have long been considered to be personal and deserving of privacy protection. Not only are the intuitions of most people nearly universal regarding the need for privacy in the medical and health arena, but the need to keep private the information about a patient’s health has also been recognized as a requirement since the time of the Hippocratic oath. Yet trends in the collection, storage, and use of health information collectively have made this area one of the most worried about by those who believe that privacy is being eroded.
INFORMATION AND THE PRACTICE OF HEALTH CARE
Information has traditionally been a central aspect of health care, touching the science, the practice, the equipment, and the business of medicine. Health and medical information is also basic to the interpersonal and institutional relationships of individuals (e.g., involving expectations about sharing intimate health information with close friends or undergoing health exams for employment). Moreover, advances in the science of medicine have led to more types of information being relevant to patient care.
Health care information also has particular relevance apart from an individual’s health. Taken in the aggregate over many people, long-term large-scale population studies allow the discovery of statistical correla-
tions between environmental factors and disease and are also used to help assess the efficacy of treatments, to determine the overall costs of particular kinds of treatment regimes, and to conduct epidemiological research that can generate insight into the genesis, development, and spread of disease.
In addition, advances in the integration of computing with sensing devices have led to new generations of instruments for the medical profession, from enhanced magnetic resonance imaging devices to improved equipment for testing blood chemistry. These devices now generate information about individuals which would, in a very real sense, not have been possible to obtain without the information revolution, and the information they provide is more revealing than what was available in the past. Such advances are the latest manifestation of an evolution of medical practice from a near-exclusive focus on the present-day symptoms of a patient to a search for root causes of those symptoms, and an increasing ability to determine predispositions and susceptibility, in advance, for preemptive medical action.
The greater availability of more types of patient information has changed how medicine is practiced. The model of 50 years ago, where each person had a single physician who dealt with all of the medical aspects of the patient, has been replaced with group practices and health maintenance organizations in which groups of specialists work together to deal with the needs of a patient. Even if an individual has a primary health care provider, that provider may be a nurse practitioner as well as a physician, and may well be the agent of referral to other specialists rather than the single source of medical care. In turn, the need for medical specialists is directly related to the growth in medical knowledge—much more is known now about disease and treatment than was understood in the not-so-distant past, and no single doctor can be asked to know all of the complexities and details associated with all of this information or to keep up with the ongoing rapid changes in knowledge.
The new information environment for medicine has been driven both by new instrumentation and new information technology. New instruments enable new kinds of information to be gathered about patients, and the increasing volume of information can be managed only with the use of information technology. Furthermore, the ability to store, retrieve, and transfer information from caregiver to caregiver supports the continuity of care that has to be maintained from one specialist to another, as patient records can be collected, collated, and interpreted by all of the members (perhaps geographically dispersed) of the medical team.
These changes in the practice of medicine have correlates in changes in the business of medicine that also have been enabled and encouraged by the use of information technology. The expanding number of
people involved in providing medical care to an individual has been more than paralleled by the growing number of those involved in paying for that care. The payment trails from office and hospital practice through insurance company and employer all make extensive use of information technologies.
PRIVACY IN MEDICINE
Privacy has been a part of medical practice since the 4th century B.C. The classical version of the Hippocratic oath for physicians states, “What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.”1
It is not surprising that medical practice requires privacy. The patient is the source of much of the information that relates to his or her health, and if the physician (or more generally, the caregiver) is to obtain the information needed to make good medical decisions about the patient, the patient must be persuaded to provide it. Put differently, patient candor is an essential element of health care and depends heavily on the patient’s confidence that the information provided will indeed be kept private. Patient cooperation is also needed for laboratory testing and analysis and for treatment, particularly when treatment is ongoing.
From the patient’s perspective, medical information is often the most privacy-sensitive personal information that they provide. For these reasons, protecting medical privacy has long been recognized as an essential element of any regulatory system in health care.
As a point of departure, consider the issue of privacy as it relates to certain medical issues. Using the anchoring vignette approach described in Section 2.4 (see Box 2.2), a possible survey question might be, To what degree does [your/ “Name’s”] doctor respect [your/his/her] privacy? Here are a number of possible vignettes:
[Renée] is ill and goes to the hospital to consult with the doctor. After she steps into the consultation room, the doctor closes the door and tells her that everything she says is confidential.
[Alioune] is ill and goes to the hospital to consult with the doctor. While he is in the consultation room, a nurse opens the door several times
The modern version reads as follows: “I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.” For both versions, see http://www.medterms.com/script/main/art.asp?articlekey=20909.
to give messages to the doctor, allowing people in the waiting room to catch parts of his conversation with the doctor.
[Chandikha] is ill and goes to the hospital to consult with the doctor. The doctor forgets to close the door of the consultation room. As a result, individuals in the hallway or waiting room are able to hear their conversation.
[Ben] is ill and goes to the hospital to consult with the doctor. The doctor takes notes of their conversation and orders a number of tests to be done. The doctor misplaces this file, including the notes and orders for tests, among the magazines in the waiting room. Individuals in the waiting room are thereby able to see the file.
[Paul] is ill and goes to the hospital to consult with the doctor. The hospital maintains an electronic database of all diagnoses, tests, and treatments. The database is hacked and all the information, including that of [Paul’s] visit, is posted online.
By design, this set of anchoring vignettes constitutes one specific domain of privacy, capturing some of the essential issues that face patients, doctors, hospitals, and public policy makers. Due to changes in information technology, for example, protecting medical privacy is more difficult today than just a few years ago for many reasons:
More patient information is collected, both in volume and in types of information.
More people have access to patient information, including medical caregivers, researchers, and administrators in the health care system and, in many cases, employers and government agencies outside it.
Patient information is more easily accessible because it is increasingly stored in digital form (and so it can be transmitted more easily than in paper form).
Patient information is held for very long periods of time, and the longer it remains in existence the greater the opportunities for abuse.
More patient information is being collected by types and in volumes that are intended to aid medical practitioners in predicting future medical conditions with greater accuracy.
Patient information (such as DNA information) is being (or soon will be) collected that has relevance to individuals related to the patient (parents, siblings, current and future offspring), thus raising the potential for significant violations of medical privacy and complicating both the technical and ethical issues involved in managing such information.
Such factors make individuals nervous about their medical privacy, since in a very real sense the individual is no longer in control of what
persons, or even what organizations, have access to their medical records. Box 7.1 provides additional discussion.
These concerns are enhanced by the fact that the collected medical records provide a storehouse of information that can be used in a variety of ways other than those intended when the information was first collected. These records can also be used for the marketing of particular drugs, or for the denial of medical health insurance coverage. Such uses, often seen as invasions of privacy, are more than just hypothetical possibilities; actual cases in which medical information has been used and misused in such ways have been reported in the press, leading to fears about the overall privacy of medical information. In an industry that combines business, treatment, and research, it is often difficult to draw clear lines delineating where information gathered for one of these purposes slips into being used for another.
The issue of the repurposing of personal information in areas unexpected by the individual recurs as a theme throughout this report as it affects a variety of domains of privacy, and it is no less important here. As a point of departure, consider the issue of privacy as it relates to the repurposing of personal health information. Using the anchoring vignette approach, a possible survey question might be, When obtaining a medical diagnosis from [your/“Name’s”] doctor, how much privacy [do you/does he/she] have about that medical condition? Here are a number of possible vignettes:
[Alexandra] is diagnosed with diabetes. Her doctor makes a note of the diagnosis in his own patient database.
[Margareta] is diagnosed with diabetes. Her doctor makes a note of the diagnosis to the insurance company, which uses the information to calculate reimbursements and then discards the diagnosis.
[Gerard] is diagnosed with diabetes. His doctor makes a note of the diagnosis to the insurance company, which uses the information to calculate reimbursements and then adds it to an internal database of all medical histories of its clients.
[Bobbie] is diagnosed with diabetes. His doctor makes a note of the diagnosis in the university hospital database. This information is available to university researchers, and [Bobbie] receives several solicitations for participation in a diabetes study being conducted by the university’s public health school.
[Danny] is diagnosed with diabetes. His doctor makes a note of the diagnosis in the hospital database. The hospital then enters into a joint venture with a multinational drug company, and [Danny] receives numerous sample diabetes drugs via mail from that company.
[Joanna] is diagnosed with diabetes. Her doctor makes a note of
Personal Health Information, the Availability of Health Insurance, and Privacy
The privacy of personal health information looms large in many policy debates, and most people believe that such information is entitled to a very high degree of privacy. The essential public policy argument is over whether personal health information should be available to companies that offer health insurance, for use either as a screening device or as a mechanism to set rates for the primary provider of information or even for relatives who are tied to that information. (For purposes of this discussion, the health care payers’ needs for specific information related to payments for medical procedures already performed are not at issue; there is little controversy associated with the need for personal health information to prevent fraudulent billing.)
The argument against allowing insurance companies to have access to such information often asserts that nothing is more personal than personal health information, and holds that an individual should not be forced, either explicitly (as a requirement for coverage) or implicitly (by being given possible rate incentives) to reveal this information to outside parties such as health insurance companies.
Moreover, the argument goes, individuals—based on their genetic propensity toward a disease or on their personal medical history—might be denied health coverage and thus effectively health care, which without insurance would be prohibitively expensive. Since these are the people who are most likely to need access to that health care system, denial of coverage is inherently improper and should be contrary to public policy.
The health insurers argue that their economic well-being depends on their being able to use personal health information to assign each applicant to the appropriate risk pool, thereby enabling them to run their business in a more accurate and efficient manner. In this view, DNA information or HIV status or mental health history or family history should be treated no differently than any other kind of personal health information.
Further, health care insurers fear a world in which those seeking insurance have more information about their future health probabilities than is available to the insurance companies. In that case those unlikely to have health care problems could remove themselves from the shared risk pool, whereas those at a high risk for future disease would enroll. Insurance companies denied access to personal health information would be unable to do the actuarial assessments necessary to set their rate structures differentially so as to provide service to a broad population and to prosper as companies. Conversely, health care insurers believe it is to their advantage to be able to “cherry pick,” by providing coverage preferentially or at lower cost to those unlikely to use a great deal of medical care, and the availability of personal health information helps them to identify such individuals.
Seen in this light, the fundamental underpinnings of the health care privacy/health
the diagnosis in the hospital database. The database is hacked and the information is posted online. A software company extracts the information and sells the database on CD to pharmaceutical companies.
A key issue here is the repurposing of information in unexpected areas. The importance of medical information to individuals, businesses, researchers, and doctors explains why this is such a sensitive issue. More-
insurance debate concern whether or not access to medical care is a basic right that should be guaranteed for all. Those arguing for the privacy of certain kinds of personal health information (at least with regards to denying access to health insurance companies) tend to believe that health insurance is a requirement for access to medical care, and that such access is a basic need that should not be denied to anyone. The insurers, on the other hand, see health insurance as a product being offered by profit-making companies, which can obtain an adequate return on their investments only if they are able to set rates based on the future risk calculated on the individual being insured. If this risk is too high, then the individual can be denied coverage, or given coverage only at very high prices.
From the standpoint of an individual wondering about providing personal health information, the relevant issue is a matter of privacy. That is, given the lack of national consensus on whether or not health care is a basic right, his or her only decision—as an individual—is whether or not to provide information that might ultimately result in the denial or excessive pricing of health care services. But at the policy level, there is in addition to the debate over privacy another debate about the right to and the mechanisms for access to the health care system in this country. The latter debate is important and is being discussed in many venues. However, these two debates should not be conflated.
The addition of DNA information to the personal health information of an individual creates complexities of a different order. Indeed, sensitivities have arisen in recent years due to the possibility—indeed the high likelihood—that medical records will soon contain increasing amounts of information about a person’s DNA.
The expected benefits of DNA information are large, because it can be used to predict the probability of future disease in an individual or the success of any given treatment for that individual. But DNA information can be extraordinarily revealing about a person’s medical predispositions. Perhaps more significantly, the DNA information of an individual reveals genetic truths (and secrets) not just about that individual, but also about his or her relatives—a dimension much less present for other kinds of personal health information. This is not to say that DNA information is necessarily more sensitive or more deserving of protection than information about an individual’s HIV status, for example. But DNA information and to a much lesser extent familial history raise the question of the party or parties that should be identified as the providers or the owners of such information, and therefore whose interests are compromised when an individual chooses to release “his” or “her” DNA information.
As an illustration, consider that it is controversial today to base coverage decisions on conditions beyond an individual’s control; such a case would surely involve DNA information as an instance. Consider also the implications that an individual’s father or child might be denied medical coverage on the basis of the individual’s provision of DNA information.
over, the trend toward increased collection of medical data, coupled with increased sharing of that information for a multitude of purposes, is accelerating. The vignettes given above, ordered from most to least protective of privacy, help to provide a context that is relevant for informed decision making about what level of privacy is acceptable or required in the medical domain.
The recent mapping of the human genome, which would have been
impossible without the increased power of information-processing equipment, continues to open new areas for the collection of data about each of us that has the potential to aid in the prevention, diagnoses, and treatment of disease as well as to increase the knowledge of medical science concerning the genetic components of health and longevity. However, the possibilities for the abuse of such information are immense and of great concern to those who want to ensure the privacy of personal health information. Although the technology for obtaining this information is being developed rapidly, we have yet to answer the important questions of who should have access to that information and for what purposes—and the longer such questions go unanswered, the greater the long-term risk of irreversible consequences.
ADDRESSING ISSUES IN ACCESS TO AND USE OF HEALTH DATA
This section examines four approaches to addressing the challenges posed by questions regarding access to and use of individuals’ health and medical information: industry self-regulation, legislation and regulation, consumer/patient awareness, and official advocacy. Of course, these are not necessarily mutually exclusive, but we provide examples from each to demonstrate the variety of strategies being explored in this space.
A direct attempt to deal with issues about the privacy of medical information is the Ethical Force program of the American Medical Association (AMA),2 which lays out principles for the ethical treatment of patients and information about those patients. In addition, the program seeks to formulate performance measures to enable evaluation of whether or not those principles are being followed.
As would be expected from a program staffed by and directed toward professionals in the health care industries,3 the Ethical Force program reflects a keen awareness of the tensions and requirements of
Ethical Force Program, Protecting Identifiable Health Care Informationl Privacy: A Consensus Report on Eight Content Areas for Performance Measure Development, American Medical Association, December 2000, available at http://www.ama-assn.org/ama/pub/category/7726.html.
The Ethical Force program is intended to apply to every individual or organization that has access to or uses identifiable health care information. However, the primary constituency of the AMA is physicians, thus leaving open the question of comparable efforts by professional organizations related to nurses, laboratory technicians, hospital administrators, and so on.
the business, treatment, and science aspects of medicine. As such, its principles for the privacy of individually identifiable information are both complex and nuanced. Based on the concepts of informed consent for the collection and use of information, limitations on the information collected, and limitations on the use to which the collected information is put, each of these principles is seen not as an absolute, but rather as a starting point from which exceptions can be identified.
The notion of informed consent is justified by an appeal to “well-accepted principles of autonomy and respect for persons.”4 Informed consent for the collection or use of personally identifiable information should be obtained “whenever feasible”; however, the AMA report on the Ethical Force program then goes on to note that there are circumstances in which such consent is either not feasible or not needed. Cases where the consent is not feasible should be reviewed by some “formal, authoritative, and publicly accountable process.” Furthermore, in cases where the sharing of identifiable health information “confer[s] direct therapeutic or diagnostic benefit on the person whose information is at issue,” no informed consent is needed at all. Interestingly, the sharing of information with an insurance company for the payment of medical claims is considered to confer a direct therapeutic effect on the individual, and hence does not require any form of informed consent.
A second principle of the Ethical Force guidelines is that of limiting the information collected to that which is “required for current needs, or reasonably projected future needs, which are made explicit at the time consent is obtained.” This principle is reinforced in the notion of use-limitation; even when limits have been observed in the collection of information, the use of that information should also be limited to those purposes for which the information was originally obtained. (Of course, because modern information technology facilitates the long-term storage of information, the future will almost certainly see many possible uses of information that cannot be foreseen today.)
A third principle is that patients should have access to their records and be able to amend or append information to such files (although not necessarily to delete information, even if that information is found to be in error).5
The Ethical Force guidelines also recognize that there will be excep-
tions to the principles established. One such exception, having to do with the ability to release information when it is for the direct therapeutic benefit of the individual, is noted above. In addition, the guidelines recognize that legal requirements from law enforcement or public health agencies sometimes require the release of personally identifiable information without the consent of the individual. In addition, information can be released if it is released in a form that allows only statistical study and not the identification of the individuals whose data are released (Box 7.2 addresses this topic in more detail). Finally, the guidelines allow the release and use of such information that would otherwise be in violation of the guidelines if that use has been approved by an agency (such as an institutional review board) that has followed some well-defined, publicly accountable process of review.
The nuances in the Ethical Force principles echo the complexities of the balance between medicine as a business, as a service to individuals, and as a science. The need to share information freely with other medical professionals for the therapeutic good of the patient is a clear reflection of the overriding concern of treating the patient, along with the specialization in and collaborative nature of current medical practice. The inclusion of sharing information with insurers to allow payment for the treatment received reflects the business aspect of medicine. But the exceptions for access in accordance with the law reflects the history of public health in this country, where laws have been passed that recognize the need to violate the privacy of the individual in cases where the health of the general public is put at risk. Finally, the ability to override the privacy of the individual if allowed after review by a publicly accountable board ensures the possibility of using information in medical records for the purpose of scientific studies.
In most cases, the normative preferences of many individuals would allow some consideration of the balance between the privacy of the individual’s medical information and the advances in scientific knowledge possible for society if that information is available to researchers. But this is not a trivial issue in the medical domain, and the issue can be put quite starkly: If it weren’t for prohibitions on access to information due to privacy concerns, it might be possible to help many people live longer and more healthy lives. Determining what portions of individual information are acceptable to protect or distribute then becomes a critical issue.
To illustrate, consider the issue of privacy as it relates to researchers obtaining personal health information. Using the anchoring vignette approach, a possible survey question might be, During [your/“Name’s”] [most recent] hospital treatment, how much privacy did [you/she/he] have from medical researchers? Here are a number of possible vignettes:
[George] is a cancer patient at the university hospital. The hospital maintains a policy of complete separation of research and treatment, and assures him that his file will never be accessed by anyone but his doctor.
[Elaine] is a cancer patient at the university hospital. As a condition of being a patient, she must let data on her recovery be used anonymously in a study of several thousand cancer patients nationwide. Her tests will only be reported as a small part of an average across all patients.
[Tinika] is a cancer patient at the university hospital. As a condition of being a patient, she must release her file to the hospital, to be used as an anonymous case study for the hospital training manual.
[Mark] is a cancer patient at the university hospital. The hospital requires that all patients allow their medical files to be used for research purposes. Any medical researcher may obtain [Mark’s] file.
Legislation—HIPAA and Privacy
The most comprehensive legislative attempt to address the issues around the uses of individual health information is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. This act, one of the outcomes of the Clinton administration’s attempt to deal with the overall state of health care in the United States, had as its purpose the protection of health insurance coverage for workers and their families when workers changed or lost their job. However, as is often the case in such bills, the attempt to provide portability of coverage grew to encompass a number of other areas, as well.
Portability required that the insurance companies adopt a common way of representing the medical information about the insured. This common format was also seen as a way of introducing efficiencies in the transmission and payment of claims from health care providers to the insurance companies, and so the effort toward portability also included establishing standards for electronic health care transactions, as well as national identifiers for providers, health plans, and employers. The hope was that by enabling a common format, the industry could adopt electronic means of transmitting and settling claims, which would in turn allow a reduction in the administrative costs of the health system. This administrative cost has been estimated to be 25 percent of the overall cost of the health system in the United States, and so reductions of such costs could have a significant impact on the overall cost of health care.
Although using standardized format for medical information to enable electronic transfer of information was intended to lead to considerable savings and efficiencies, legislators also realized that such standardization and transmission opened the possibility of misuse and privacy invasion. Because of this, the HIPAA legislation addressed the concerns of privacy
The Anonymization and De-identification of Data
Both the American Medical Association’s Ethical Force guidelines1 and the privacy regulations related to the Health Insurance Portability and Accountability Act (HIPPA) make a distinction between the use of personally identifiable medical information and the use of that same information put into a form that cannot be traced back to the individuals associated with that information. If this is possible, questions of personal privacy having to do with access to that information become moot. However, it turns out that it is very difficult to draw a bright or even a stable line between these two kinds of information.
There is a class of information that is obviously identifying of individuals, such as their Social Security number, the combination of their name and address, or a listing of the names of the immediate family members. (Under HIPAA, personal identifiers include name, address including city and zip code, telephone number, fax number, e-mail address, Social Security number, date of birth, medical record number, health plan identification number, and dates of treatment.) The excising of such information from a listing of medical data is generally what is thought of by most when they think of de-identification of a medical record.
However, statistical techniques can be used to determine the identity of individuals given far less obvious markers. For example, given the location of residence at the level of granularity of a voting district, and the date of birth of a subject (both the day and the year), there is a high probability that a single individual will be identified. This is surprising to many, but is simply an outcome of the statistical distribution of birth dates and the size of voting districts.
and security. While the bill itself did not include any provisions governing the privacy and security of personal health information, it did contain language committing Congress to pass legislation addressing those concerns. Further, if Congress was unable to pass such legislation within 3 years of the passage of the HIPAA bill itself, the legislation directed the Department of Health and Human Services to draw up a regulation covering those areas.
The HIPAA bill was passed and signed into law in 1996. By 1999 it was clear that Congress was not going to be able to draft and pass a bill that addressed the privacy and security concerns that had been outlined in the original bill. At that time, the Department of Health and Human Services began drafting regulations designed to improve the privacy of personal health information and the security of such information as it was
The ability to perform such statistical identification has a significant impact on medical research that mines historical data. Researchers in this area are generally unable to obtain informed consent from those whose records are being used because of the large sample sizes that are mined in such studies. Often many of the subjects are unavailable to provide such consent, either because they are deceased or because the contact information in the record is out of date. Without such consent, both the ethics of the profession and current federal privacy regulations mandate that the information be rendered anonymous.
There are technologies for anonymization that have been developed for statistical disclosure limitation. As noted in Chapter 3, the core concept behind such technology is to randomly scramble the information in complex records in such a way as to make it impractical to correlate an individual record and a particular person while maintaining the statistical relationships between those parts of the record being analyzed. However, such technologies can often mask just the kinds of relationships that medical research is trying to discover. When the information to be correlated is known before the anonymization occurs, such techniques are often valuable. However, often these studies are an attempt to discover correlations that are not known before examining the data. In such cases, de-identification can mask the very correlations that are the goal of the study.
Part of the problem with the notion of anonymization of records is that the regulations regarding the use of anonymized information treat the notion as a binary relation—either the record has been anonymized, or it is individually identifiable information. However, since much of the information is such that it lends itself to statistical correlation, the notion of anonymization is more accurately represented as a probability that the collection of information can be used to identify an individual out of a target population at an affordable cost. If the probability must be zero, much of the wealth of medical information that is available for long-term statistical study will be far more difficult to obtain or use in such research.
A further confusion is that guidelines and regulations often speak of “de-identified” information even though a close reading suggests that they mean anonymized (i.e., information for which re-identification is for practical purposes impossible).
stored and transmitted by those entities covered by the HIPAA law. These regulations became final in 2002, and their phased introduction began in April 2003.
Like the policy set forward by the AMA Ethical Force program, the privacy regulation that is part of HIPAA is based on the principle of informed consent. With certain statutory exceptions (such as use of information for the purposes of treatment, payment, or health care operations, or for law enforcement or research purposes), consent of the individual must be obtained for all uses and disclosures of personally identifiable health information. In addition, the HIPAA privacy regulations require that all covered entities (a category that includes all government health plans, private sector health plans and managed care organizations, health care providers who submit claims for reimbursement and payment clear-
inghouses—effectively, all members of the health care industry other than certain small self-administered health plans) must train every member of their workforce in privacy protection, must appoint a privacy officer, and must provide notice of their privacy policies to all of their members and patients. Individuals can request copies of health care information kept about them, and can request corrections and amendments of that information.
The privacy regulation acknowledges that the burden of receiving informed consent may be unreasonable for researchers attempting to do large-scale studies based on collections of personally identifiable medical information. Both the use of de-identified information and the use of personally identifiable information whose use has been approved by an institutional review board are allowed by the HIPAA privacy regulations, although the latter is the case only if the conditions for waiver specified under the so-called Common Rule are met,6 or under a few other limited circumstances. However, the guidelines for when such use is allowed are not clear to practitioners in the field. Nor are they without cost; protecting patient privacy is an overhead expense that might not be incurred absent HIPAA regulations.
While the privacy regulation focuses on the rights of the individual, it does not give the individual the right of action against those that are claimed to have violated the regulation. Individuals who believe that their privacy rights under the regulation have not been met must first complain to the Health and Human Services Office of Civil Rights, which is the government agency charged with enforcing the regulation.
The HIPAA privacy regulation was met with considerable trepidation by members of the health care industry. The regulation was complex enough (at 31 pages) that it was difficult to know what was required for compliance; some of the requirements that were understood (such as those having to do with training of staff or mass notification of patients about their privacy rights under HIPAA) involved considerable cost.
The overall efficacy of informing patients of privacy policies seems minimal, much as has been the case in the financial industry with the similar requirements of Gramm-Leach-Bliley, and there has been some degree of confusion among care providers about the nature and extent of personal health information that may be provided, and to whom and
under what circumstances.7 Whether this confusion merely reflects a transitional effect between pre-HIPAA and post-HIPAA regimes remains to be seen.
The requirement for training has been seen by some as a way of changing the culture of the medical provider profession in a way that is positive albeit costly. The impact on researchers, especially those wishing to do large-scale and long-term investigations across sets of medical records, is currently unknown; however, the formulation of the privacy regulation has created a mechanism for dialog between researchers and regulators.
Finally, there remains the question of enforcement of HIPAA’s privacy regulations. In June 2006, the Washington Post reported that in the 3 years since the HIPAA regulations went into force, thousands of complaints alleging violations have resulted in two criminal prosecutions, no civil fines, and many agreements to fix problems that may have occurred without any penalty.8 These complaints have included allegations that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained, and that patients were frustrated in obtaining their own records. One administration official was quoted as saying that “our first approach to dealing with any complaint is to work for voluntary compliance.” Critics have asserted, however, that a lack of aggressive enforcement has made providers and insurers complacent about complying.
In the long run, an enforcement regime of some sort is likely to be needed to ensure substantial compliance with the regulations. But as with the confusion about the circumstances under which what personal health information may be provided to which parties, the long-term results of the current approach to compliance remain to be seen.
Patient Perspectives on Privacy
As noted above, HIPAA mandates a number of privacy protections for personal health information. The concept of informed consent is important to these protections, and thus health care providers are required to
Rob Stein, “Patient Privacy Rules Bring Wide Confusion: New Directives Often Misunderstood,” Washington Post, August 18, 2003, available at http://www.washingtonpost.com/ac2/wp-dyn/A7124-2003Aug17.
Rob Stein, “Medical Privacy Law Nets No Fines: Lax Enforcement Puts Patients’ Files at Risk, Critics Say,” Washington Post, June 5, 2006, available at http://www.washingtonpost.com/wp-dyn/content/article/2006/06/04/AR2006060400672_pf.html.
provide privacy-relevant information to patients about how their personal health information will be used.
However, patients have been notified of privacy and information-handling policies in forms that are largely incomprehensible to the average patient. For example, a readability analysis of HIPAA privacy notices indicated that they were written at a level that requires college-level reading skills. The analysis concluded that the writing styles use too many words per sentence, too many complicated sentences, and too many complicated and uncommon words.9 Going beyond this analysis, the concepts (or implications) of non-perishable data, quasi-unidentifiable data, semi-permeable security systems, and information-sharing principles that allow abrogation of privacy for business (insurance reimbursement) or research reasons, are likely to be beyond the experience or expertise of most people who will have to make decisions based on these concepts. Under such circumstances, it is not unreasonable to expect that many people will ignore such notices rather than seek assistance in understanding them.
Privacy Implications of Greater Patient Involvement in Health Care
Information technology is now beginning to be used as a market differentiator in health care by HMOs and private health care partnerships to allow patients to view some or all of their medical information over the Internet, e-mail their caregivers with questions, or send in their blood glucose readings by e-mail or fax so that the caregivers can evaluate the quality of the patient’s disease management. This trend benefits patients by helping them to better understand their state of health, and by reinforcing their role as an active member of the health care team, which has been shown to correlate with better patient self-care.
One consequence of this active partnership with the patient is that personal health information will increasingly be made available to the patient outside the confines of the health care setting per se (e.g., at home). To the extent that this information is made available online, many concerns about the end user’s ability to manage security on his or her own come to the fore. Considering the high vulnerability of many end users to Nigerian scam letters and “phishing” attacks, a substantial amount of health information could be compromised directly from end users.
A related point is that search engines are capable of storing individual search histories (identified by the IP address originating the search).
Mark Hochhauser, “Why Patients Won’t Understand Their HIPAA Privacy Notices,” Privacy Rights Clearinghouse, April 10, 2003, available at http://www.privacyrights.org/ar/HIPAA-Readability.htm.
Given that the Internet gives individuals the ability to search the Web for information about specific medical conditions and treatments, an extensive search history can be quite revealing about the health conditions of the individual searching for those terms. Note that such information would not, in general, be protected by any health care privacy legislation, although it might enjoy some protection under more general statutes.
Improper Interpretation and Unintended Consequences of HIPAA Privacy Regulations
In the early days of HIPAA implementation, confusion was common over what was and was not allowed under HIPAA. HIPAA privacy regulations were designed to prevent the inappropriate transfer of personal health information. However, as health care establishments sought to implement these regulations, they often went overboard and withheld information even when they would have been authorized to provide it. For example, in one instance, and citing HIPAA regulations, a hospital refused to release the medical records of a heart donor on privacy grounds to the physicians treating the heart recipient.10 In other instances, patients and their family members have been unable to access their own personal health information because health care providers were erring on the side of caution in providing such information. In some such instances, patients have been exposed to unnecessary medical risk.
As health care providers have developed more experience with HIPAA regulations, such incidents have become fewer in number. But they still do occur from time to time, and the early days of HIPAA implementation provide a cautionary tale of some of the things that can go wrong when privacy legislation or regulation is first implemented.
More recently, HIPAA privacy regulations have impeded the efforts of patients to untangle problems associated with their medical records or payments for medical services received.11 In particular, some patients have been the victim of medical identity theft, in which another person assumes a patient’s identity for the purpose of receiving medical services. Medical identity theft has both a medical and a financial impact on the victim, whose health care records come to contain health information that is not associated with the victim and whose finances are compromised by liability for medical services never received. However, victims of medical identity theft report many difficulties in obtaining their
records so that they can investigate what might have happened. In some cases, the victim’s investigations are stymied because a victim’s medical record now has personal health information on another person (the thief), and some hospitals argue that HIPAA prevents them from turning over documents that contain information on other people even under these circumstances.
Spillover Privacy Implications of Receiving Health Care Services
In April 2005, the Target Corporation (operators of a large chain of department stores that often include pharmacies) began to require photo identification for the purchase of certain over-the-counter cold medicines. Identity information is recorded in a database along with the purchase so that Target can limit customers to two packages every 2 weeks and can see if they have purchased other cold medicine from Target. The stated reason for the policy is that these medicines contain pseudoephedrine, which can be converted to methamphetamine (also known as crystal meth)—an addictive and illegal drug.12 Although Target states that it obeys all federal and state laws regarding the privacy of such information, this policy was promulgated by Target on its own initiative and not at the behest of any state or federal law.
For many years, medication has been provided by prescription or over the counter, and the privacy implications of such medications were clear. Prescription drugs required the presentation of identification under the rationale that such medications were specifically prescribed for the individual in question by a physician who had examined him or her and made a determination about the appropriateness and safety of the drug. Over-the-counter medications could be purchased by essentially anyone, without presenting identification.
Whether or not Target’s purpose in adopting this policy is appropriate or socially beneficial, the policy changes this traditional paradigm by requiring presentation of identification and storage of such information for over-the-counter drugs in pursuit of non-medical goals. As a rule, consumers have many choices about where to purchase over-the-counter medications, but Target’s policy regarding cold medicines does illustrate how privacy can be eroded in a service as vital as health care.
C. Benjamin Ford, “Target Wants Photo ID for Cold Medicine,” The Gazette, February 15, 2006, available at http://www.gazette.net/stories/022406/polia%20s195144_31962.shtml.
The notion of institutional advocacy most commonly arises when there is no natural constituency for a certain perspective. For example, there are many short-term incentives for exploiting the environment for economic reasons, but few similar incentives to refrain from exploiting the environment. Thus, the Environmental Protection Agency was established in large part to reduce this imbalance.
In the domain of health care, there are similarly many incentives to use patient information, and very few to refrain from using it. The issues involved with health care privacy are also complex and highly conditional and situational. Under these circumstances, some privacy analysts suggest that an institutional advocate is needed to help balance the scales. Indeed, there are today chief privacy officers in many corporations that deal with personal information on a large scale. The role of such officers is to ensure that adequate attention to privacy is paid in decision making that might have an effect on privacy, and HIPAA itself stipulates that organizations covered by the act must designate a “privacy official” responsible for the “development and implementation” of the policies and procedures necessary for compliance with the HIPAA privacy requirements.
Similar arguments could be made on a larger scale as well. On this view, issues related to medical privacy are too complex for the average consumer to understand, let alone take informed action about. Thus, an institutional advocate for medical privacy in the U.S. government, or in state governments, would help to ensure that adequate attention to privacy is paid in policy making that might have an effect on privacy.
Although the questions surrounding privacy have been discussed for years in the context of individual health information, it is not clear that any of the issues in this area are either less controversial or less murky as a result. The traditional approach, in which the privacy of the patient could be controlled by that patient’s doctor and in which the information about that patient was kept in files owned and controlled by the doctor and not easily shared physically, is no longer a viable model. This model has been made impractical by changes in how the information itself is stored and how medical treatment is paid for and delivered. Adding in the growing realization that medical information traditionally regarded as private holds promise for changing the way the science of medicine can be conducted, it is clear that there are additional pressures on the traditional notions of medical privacy and that the rules of practice relevant to medical information will continue to evolve.
Because of the way medicine has evolved, it is helpful though sometimes difficult, to distinguish clearly the following aspects:
The practice of medicine, which is concerned with the medical care of individuals and communities, both to maximize current and future health and to track and monitor current disease;
The science of medicine, which is concerned with the advancement of medical knowledge and technique;
The business of medicine, which determines how and where medical care is provided and how best to ensure that the costs of medical care are held to a reasonable level, as well as what is reasonable in highly competitive profit-driven sectors of the business; and
The regulation of medicine, which is society’s way of ensuring that medicine is practiced competently and in safe settings.
Even within this very particular domain, there are multiple contexts—business, practice, science, and law and regulation—in which privacy considerations as well as other concerns have to be evaluated, and each entails different tradeoffs. For example, it is easy to imagine a patient who is perfectly willing to share very sensitive information for the purpose of improving her medical care but is far less comfortable with providing that information for inclusion in a longitudinal research study. She might also be made uneasy by realizing that the same information might be entered into records that will make their way to an insurance company that will than make decisions about the extent and nature of her coverage (or that of her relatives), or might be made available to a public health laboratory for epidemiological purposes.
There are even subcontexts that are relevant. In the general context of medicine as business, one might identify the business of medicine per se and the business of the fields that surround medicine. The pharmaceutical industry is commonly seen as an adjunct to the health care industry, but pharmaceutical companies are often held to business and ethical standards very different from those that apply to such clearly health-related businesses as hospitals or medical clinics. Insurance companies, which are more and more the payer of the costs of medical treatment, provide yet another subcontext, given that it is the rare person in the United States who is able to obtain consistent medical care without the use of these insurance companies and abiding by their sometimes-onerous information requirements.
To illustrate, consider the issue of privacy as it relates to the availability of health insurance. Using the anchoring vignette approach, a possible survey question might be, How much privacy [do you/does “Name”] have from [your/his/her] health insurance provider? Here are a number of possible vignettes:
[Jordan] wants to sign up for health insurance. The application requests basic information such as his name, address, age, and prior medical insurance providers.
[Suzanne] wants to sign up for health insurance. The application asks her for basic personal information as well as an immunization record.
[Mandy] wants to sign up for health insurance. The application asks her for basic personal information, as well as a detailed description of all prior illnesses.
[Andrew] wants to sign up for health insurance. The application requires him to list all doctors who have treated him, to answer specific questions about his behaviors, and to give permission for a financial background check.
[David] wants to sign up for health insurance. The application consists of a copy of his full files from prior insurance providers and doctors, a detailed medical history, and an interview as well as a physical examination that includes blood and urine tests.
[Joanna] wants to sign up for health insurance. The application consists of a copy of her full files from prior insurance providers and doctors, a detailed medical history, and an interview as well as a physical examination that includes blood and urine tests. In addition, the health insurance company purchases customer information from local grocery store membership programs so that it can consider her dietary habits.
Given such a variegated landscape, the lines between proper and improper use of health information are unclear. The use of information for the treatment of an individual is generally accepted, but the scope of the set of people who might need to use the information for that purpose is becoming less and less clear. The right of a society to ensure the public health of all its members has long been seen as taking precedence over the privacy of the individual when it comes to the incidence of infectious disease, as illustrated by the tracing by public health authorities of an infected person’s sexual contacts in the case of sexually transmitted disease. Some see the release of health information to insurance companies to allow payment for services to the individual as having direct benefit to the patient and therefore not subject to the informed consent required for other kinds of release of that information, but do not see direct benefit in the release of such information to pharmaceutical companies.
Determining the proper balance between access to information and protection of privacy in the business, practice, and science aspects of medicine under the new realities of medical treatment is not something that can or should be done casually or by some small group either inside or outside the industry. The decisions made in this area will have an impact on the lives of everyone, and will affect the cost, efficacy, and range
of treatments. Greater clarity regarding what the tradeoffs are between individual privacy and the use of this information would allow more informed discussion of alternatives for decision making. There is a certain urgency for making these decisions, as every day the techniques of medical information gathering and sharing improve. Although we now have some handle on the notion of what constitutes personal health information, a time will come when current notions surrounding those ideas will not be adequate.
Perhaps the largest policy driver in the near term is the push for substantially greater use of electronic medical records. The privacy issues associated with such records are well understood in a theoretical sense,13 although how these issues will play out in the ubiquitous national deployments of electronic medical records envisioned in current policy plans is quite uncertain. What can be said with confidence is that they will play out, and policy makers cannot assume that the existing policy regime will necessarily be adequate in an era of widespread deployments.