Monday, May. 06, 1996
WHO'S LOOKING AT YOUR FILES?
By Christine Gorman
U.S. Representative Nydia Velazquez, 43, knows how easy it is for medical secrets to find their way out of a doctor's files. When Velazquez was running for Congress in 1992 to represent New York City's 12th Congressional District, someone got hold of hospital records detailing her 1991 suicide attempt and forwarded them by anonymous fax to the press. The New York Post broke the story, and Velazquez was forced to acknowledge publicly something even her family did not know: she had tried to kill herself with sleeping pills and vodka. Despite the painful publicity, she won the election--and now she is suing the hospital for $10 million.
Public figures are not the only ones who should be worried about the confidentiality of their medical records. Last month a coalition of groups that help AIDS patients in Boston went to court in an effort to stop auditors at the Department of Health and Human Services from passing on the names of patients in various AIDS programs to other government agencies. And two weeks ago two Marines were court-martialed for refusing to provide the military with samples of their DNA, something the Pentagon now demands of all service personnel.
The Marines' fear was that the information would wind up in the hands of a future employer or insurer. That fear was well placed. Companies and government agencies have already claimed the right to tap individual health files. More than a quarter of Americans responding to a 1993 Harris poll said health information about them had been improperly disclosed. The issue has caught Congress's attention: legislation designed to protect medical-record privacy--but which critics say is too lax--is pending before the Senate.
Medical records contain some of the most sensitive of personal information--including sexual orientation, past drug use and genetic predisposition to various diseases. As part of the Hippocratic oath, physicians promise to keep whatever they learn about a patient to themselves. But it's hard to keep a secret if more than a couple of people are in on it; in a typical five-day stay at a teaching hospital, as many as 150 people--from nursing staff to X-ray technicians to billing clerks--have legitimate access to a single patient's records.
Now hospitals are rushing to computerize those records, raising the fear that medical secrets could be accessed, copied and distributed with a few clicks of a mouse. There are plenty of good reasons to gather such information: to spot previously unknown drug interactions, for example, or to provide early warning of a newly emerging epidemic. But once the records have been digitized, they can be transmitted without a trace all over the globe.
Some hospitals are even talking about storing patient files on the World Wide Web--albeit behind so-called fire walls that use passwords to separate a hospital's "intranet" from the Internet. But passwords are notoriously easy to guess or steal, and fire walls have been breached by hackers who have no motivation other than to see what's on the other side. Others may have strong economic incentives for trolling the medical-record data stream. Pharmaceutical firms building direct-mail advertising lists for a new drug will pay top dollar for the names and addresses of people taking competing medications. And life-insurance companies could save lots of money if they knew in advance which of their applicants were likely to get sick and die.
Often the data traded in what has become a $40 billion health-information industry are provided by the patients themselves, who commonly give blanket access to their medical records when they sign insurance waivers. Sometimes, however, the data collection isn't quite so aboveboard. In 1993 a health-care newsletter reported that a banker serving on a state health commission had pulled up a list of everyone who was battling cancer in his area. The banker then checked it against a list of customers at his bank and called in the loans of the cancer patients. In another case, a dozen Medicaid clerks in Maryland sold (for as little as 50¢ a record) individual profiles from the state's computerized database to HMO recruiters. The recruiters used the information to target potential customers and sometimes even enrolled customers without their knowledge or consent.
Although the Medicaid clerks were caught and fined, the banker's name was never made public and he was never punished. Patients have little legal recourse. Sixteen states in the U.S. provide no explicit guarantees for medical-record privacy, and the others vary widely in the kinds of disclosure they allow and whether or not patient consent is required.
Last fall two Senators, Republican Robert Bennett of Utah and Democrat Patrick Leahy of Vermont, introduced a bill that would provide a uniform standard for protecting medical records. Much to the Senators' surprise, their bill was quickly attacked by some privacy advocates for setting the bar too low. "The devil is in the details," says Dr. Denise Nagel, head of the Coalition for Patient Rights of New England. "As it's currently written, this bill allows greater, not lesser, access to medical records." Even doctors' groups have expressed concern; in February the American Medical Association announced its opposition to the current Bennett-Leahy measure. The bill is being reworked and may reach the full Senate later this spring.
At the heart of the controversy is the issue of just how much privacy is enough. According to a TIME/CNN poll, most Americans (87% of respondents) believe patients should be asked for permission every time any information about them is used. But some experts, like Lawrence Gostin of Georgetown University Law Center, regard that view as outdated. "I know what I'm suggesting will not perfectly protect privacy," he says, "[but] the widespread collection of health information has enormous benefits for the American public."
One of those benefits could be a national health database. In such a system, detailed information about all 250 million Americans would be available electronically. That way, if a cross-country traveler was knocked unconscious in a car accident, doctors could punch up his or her medical records to determine the best treatment. With such a system, public-health officials could keep better track of epidemics, for example, or the emergence of a drug-resistant strain of tuberculosis. Researchers could scan the population to identify important risk factors that increase a woman's chances of developing breast cancer. AT&T is helping create such a network of linked records for the National Health Service of Britain. Doctors there, however, have strongly opposed the system at every turn. "We don't believe it's prudent to put personal health information on millions of people in the same place," says Ross Anderson, a lecturer at Cambridge University. "It creates too big a target."
A recent investigation by the Sunday Times of London found that for a fee of as little as $225, British detective agencies routinely obtain medical records simply by phoning doctors' receptionists and pretending to be another doctor's secretary. Today a few thousand records may get tapped that way. The fear is that the proposed National Health Service network would multiply the problem. "If the receptionists of all Britain's 32,000 general practitioners have their systems linked up so that any of them can access all the information," says Anderson, "then you've had it. We will do whatever is in our power to make sure that this does not come to pass."
There are ways to make electronic records more secure, but those measures can be expensive, and they must be built into a system at the beginning. At Boston's Beth Israel Hospital, an electronic audit trail keeps track of everyone who accesses the computerized records, and doctors have the option of tagging certain records as particularly sensitive--triggering an alert whenever a request is made to see that information. Even so, the hospital found that once the system was in place, it was impractical to declare any area of the electronic record completely off-limits.
In an effort to stem the unchecked flow of information, some doctors have started censoring themselves. "These days, insurance companies don't want summaries; they want the whole record," says Dr. Nancy Dickey, chairman of the board of trustees of the American Medical Association. "So I think twice about what I include. Then I hope I can remember it all." She is worried that too much data sharing will jeopardize the doctor-patient relationship: "If my patients fear that what they tell me could come back to haunt them, they'll tend to be less forthright. I may come up with the wrong treatment because I was chasing the wrong clues."
The threat to confidentiality will only grow as genetic testing becomes more common. Once doctors learn about potential dangers lurking in their patients' DNA--diseases they don't have but may be at risk of contracting--few will be able to claim a clean bill of health. That is what prompted Corporals John Mayfield of Dallas and Joseph Vlacovsky of Canton, Ohio, to refuse the military's demand for a sample of their DNA. (The Pentagon wants its personnel's DNA on file in case it might ever need help in identifying their remains.) The men faced six months in the stockade and dishonorable discharges. But the military judge apparently found some merit in their concerns; he ruled that they were only to be confined to base for seven days. And that they could keep their DNA.
The soldiers' genetic data are safe for now. Whether their secrets--and those of hundreds of millions of civilians--will be kept tomorrow may depend on the safeguards being proposed today.
--With reporting by Michael Brunton/London