Privacy in a Free Country: In Search of Reasonable Principles

Policy Reports | Privacy

No. 243
Monday, April 30, 2001
by Solveig Singleton

Information Sharing and Health Care

"Medical ethics for centuries have respected patients' need for confidentiality."

Medical privacy is unlike consumer privacy or employer/employee privacy because of the special relationship between doctor and patient. It is not an arms-length contract, but more like a fiduciary relationship.59 Medical ethics for centuries have respected patients' need for confidentiality.60 During the 19th century, state statutes created a doctor/patient privilege requiring a patient's consent before the doctor could reveal medical information in a court of law.61 Because of this history, patients have some reason to expect that what they tell their doctors will be kept confidential - the normal rule of freedom of information does not apply. On this basis, courts may find that the agreement between doctor and patient implicitly contains an obligation to keep information confidential even when the doctor has not expressly agreed to do so.62

However, since the Middle Ages authorities have sought the disclosure of certain contagious illnesses to preserve public health.63 The tension between the public need to separate the sick from the well and private desire to avoid the stigma of illness is obvious.64

The Changing Business of Medicine

The last several decades have seen major changes in the practice of medicine. Customary concepts of confidentiality are under siege from several directions.

The Creation of a Federal National Medical Database. One natural and probably inevitable change has been computerization. Increasingly, medical records are stored electronically. This often means that people other than doctors and insurers can obtain access to records for purposes beyond treatment and payment.65 Electronic databases and medical sites on the Internet raise new security issues, and the press has brought public attention to several leaks from government and private companies.66 The latest major development in this area was in 1996, when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) called for the creation of a controversial national medical database, in which each patient would have a unique medical identifier like a Social Security number.67 To ease concerns about security and privacy, the legislation stipulated that the Department of Health and Human Services protect this health information. Out of this change come the new HIPAA rules for medical privacy, discussed in detail below.

The Use of Health Information in Marketing. Another controversial practice is the use of health care information in marketing. In 1998, the Washington Post incorrectly reported that CVS and Giant Food had sold their drug customers' names to drug companies. The Post corrected the error the next day; but the public outcry caused CVS and Giant to drop out of the patient treatment compliance program in which they were participating.68 In response, the National Association of Boards of Pharmacy put together "Guidelines for the Confidentiality of Patient Health Care Information as It Relates to Patient Compliance and Patient Intervention Programs."69

"The third-party-payer system has tended to erode the traditional promise of confidentiality between doctor and patient."

The Impact of Third-Party Payments on Confidentiality. Another factor has been the longer trend in America to a third-party-payer system of health care financing. Today, most patients obtain health care from a private insurance plan paid for by their employer, or from Medicare or Medicaid. Because someone else is paying, patients have little or no reason to monitor the costs of their treatments.70 As a result, costs and fraud have risen drastically in the health care area. To protect themselves, third-party auditors seek access to medical records showing details of treatment and symptoms. And because third parties, not patients, are the source of doctors' incomes, health care institutions have become more attuned to the demands of the auditors than to the demands of patients for privacy. This change is inevitable without significant reforms to restore free markets to medicine.71 Until then, auditors will delve deeper and deeper into medical records to cut costs and control fraud. The third-party-payer system has tended to erode the traditional promise of confidentiality between doctor and patient.

The Growing Use of Medical Information by Law Enforcement. As noted above, the tension between public health authorities and advocates for medical privacy is not new. What is new is the spread of mandatory reporting requirements to benefit law enforcement rather than public health. For years, hospitals and doctors have turned patient records over to the police virtually upon demand, having little legal right to object should they be served with a subpoena. The intrusion on privacy probably would not bother people if the police were hot on the trail of a serial killer wounded by a victim. But what about a recreational nonviolent drug user trying to kick the habit? The wider the police net, the more willing people will be to hide their condition rather than risk being turned in. This risk is not just theoretical. For example, under South Carolina's mandatory child abuse reporting law, a significant percentage of pregnant drug abusers stopped using in-state prenatal care and drug treatment programs for fear of being arrested for child abuse.72 In areas with mandatory reporting for domestic violence, even seriously injured women have been known to go to battered women's shelters rather than to hospitals to evade reporting.73 Medical associations resist this type of reporting, which creates an ethical dilemma for physicians and makes it difficult for them to gain patients' trust. Turning doctors into arms of law enforcement seems inappropriate and unnecessary.

"The new medical privacy rules are controversial."

Medical Privacy and the New HIPAA Rules. In response to these developments, medical privacy has become a key policy issue. In December 2000, the Department of Health and Human Services issued final privacy rules under HIPAA. These rules will be the first comprehensive federal law on medical privacy. The new rules are effective as of April 14, 2001, with health care providers expected to comply in February of 2003. The Bush administration ultimately decided to keep the rules largely intact despite the controversy, with the likelihood of some minor changes.74

The text of the HIPAA rules is 350 pages long; the rules and commentary together amount to 1,500 pages. In sum, the rules:

  • Cover "protected health information" (PHI) in oral, written or electronic form.
  • Protect health information that relates to a person's physical or mental health, treatment or payment.
  • Require the patient's written consent for use of PHI for treatment, payment or health care operations (defined as activities directly related to treatment and payment, including credentialing, auditing, reinsurance, population studies, fundraising, medical training, quality assurance and peer review).
  • Require the patient's explicit written consent for use of PHI for fundraising or other purposes other than treatment, payment or health care operations - that is, marketing.75
  • Give the patient the right to ask for restrictions on the use of his PHI, to access PHI about himself, to ask for amendments to his PHI and to be notified how his PHI will be used.
  • Allow public health officials, law enforcement, judicial and administrative authorities and emergency services to access PHI without consent. Medical researchers may also access information without consent, with the permission of a review board. In this respect, HIPAA will simply formalize what many institutions did before HIPAA.

The new HIPAA rules are controversial. Representatives of the health care industry believe that the government has seriously underestimated the cost of the new rules.76 The government's estimate of the cost was $18 billion, with $30 billion in savings expected from standardization. The industry's estimate of the cost is over $40 billion.77 Advocates for more privacy continue to push for stricter rules, opposing the rules' toleration of the use of medical information in marketing.78 Privacy advocates are also alarmed at the ease with which law enforcement may access medical records, although the rules do not give the police easier access to data than federal agencies already had.79

Even with the new rules, HIPAA gives the government more access to and control of medical information because it creates a centralized health information network and a system of national codes to ease intranetwork communication. It also assigns patients, health plans, employers and health care providers unique identifiers - national IDs for the health care system.80

"Under new rules, every patient will have a national ID."

The Future of Medical Privacy: Will More Openness Bring Health Benefits to Patients? Two key conclusions follow from the analysis above. First, the forces of change are impelling us further from the understanding of doctor/patient communications as inviolable, an understanding which seems to be widespread among the public and which can be partly justified given the history of medicine. Second, the new HIPAA regulations confirm the trend toward more sharing of medical information throughout the medical industry. Issues of medical privacy become particularly complex because the government is involved in some intrusions - bringing in a constitutional element - but not in others.

All of these changes come as something like a glass of cold water in the face - one initially recoils from them. And medicine faces the same problem that it always has; that is, that patients may keep their health problems to themselves if they cannot trust their doctors to keep private communications private.81 On the basis of this concern alone, there are grounds for sticking to a traditional view of medical privacy. Yet there is a strong counterargument that the medical industry should not be constrained by that tradition.

As Medical Advances Bring New Cures, Some Sensitivity about Medical Information Will Be Reduced. Privacy in medicine has been valued in part because a stigma has been attached to so many illnesses. Most people do not mind others knowing about their arthritis or common cold. And modern medicine has eliminated the stigma attached to other ailments and reduced the shame attached to being ill. For example, when depression and bipolar disorder were virtually untreatable, few wanted to be publicly identified as depressed. If one's mind had been identified as not functioning properly, it would be harder to find friends, potential mates and good jobs. But as more and more illnesses are conquered, hiding vulnerabilities and suffering plays a lesser role in medical policy, although it is unlikely to disappear entirely.

This observation holds even for the highly controversial issue of genetic privacy. In recent years, the privacy of one's genetic information has been a key topic, driving states to adopt legislation regulating the use of such information and prohibiting its use in certain insurance and employment decisions that are deemed "discriminatory." But in another 20 years, the issue of genetic discrimination may become a non-issue. The reason: genetic knowledge will potentially not just identify a risk of illness, but also create new cures and usher in a new age of powerful preventive medicine. In the meantime, the main danger is that the information that researchers will need to develop these cures will be closed off because of well-meaning legislation that sticks to a rigid model of privacy.

"Marketing can help patients compare the virtues of competing medical products."

In this changing world, the medical profession should remain unencumbered by legislation that forces it either to share information (for those areas where continued privacy turns out to be critical) or to keep it private (for those areas where tremendous health benefits could be realized from sharing). Some patient groups will be able to adapt more quickly than others to information sharing that brings wider medical benefits.

The Surprising Benefits of Marketing and Medicine. One of the most potentially beneficial aspects of information will turn up where we least expect it - in marketing. For a long time, we lived in a world of patent medicines, where advertising was the realm of quacks and con artists. But in today's world not only are there effective treatments, but these treatments compete with each other. One medication might relieve all symptoms but have difficult side effects. Another might relieve only some symptoms but have few side effects. In a competitive world, advertising and targeted marketing are enormously valuable to consumers. Consumers are the audience to the ongoing debate about the virtues of comparable products. Stopping the information flow between drug companies and patients means impeding competition among pharmaceuticals. Without marketing, patients have only doctors as information sources, while doctors are pressured to spend less and less time getting to know their patients or may have some non-medical reason for favoring one treatment over another. Finally, there is little danger to patients from the use of medical information in marketing. The most threatening thing likely to happen is that they would be sent coupons or some other unsolicited offer in the mail.

Medicine and Government. This is not to say that all information-sharing should be welcomed with open arms. Both the American constitutional tradition and the lessons of history suggest that privacy is one part of a sensible long-term strategy to control the risks associated with the unique powers of government. Growing government access to medical information remains a valid concern. Practices such as massive scrutiny of medical records by law enforcement are unrelated to medical benefits and may indeed be medically harmful.

So long as the federal government is entangled in our health care system, it is hard to argue against some federal actions on privacy. But they need not push health costs higher or restrict competition. It may simply be time to explore new private-sector uses of medical information. Our health care system desperately needs some informed decisions.

Read Article as PDF