Privacy and Peace of Mind
It wasn't supposed to be this way. When the Kennedy-Kassebaum health care bill was signed into law by President Clinton a year ago this month, supporters of the legislation hailed it as a major boon for the country's workers. While its scope paled in comparison to the failed efforts of the president's 1994 comprehensive health care initiative, the legislation would make it easier for people who change jobs to keep their health insurance, while making it more difficult for insurance companies to exclude coverage for those with pre-existing medical problems.A year after it was signed into law, however, the Kennedy-Kassebaum bill is giving privacy advocates across the nation fits. Far from the consumer-friendly statute its backers hoped, it seems everybody is either unaware or pissed off about what could end up as a major assault on how much control patients have over private medical information. And while policy wonks, doctors, lawyers, insurance companies and HMOs battle over the details, it seems the public remains oblivious to legislation that could allow sensitive medical records to be scrutinized by everyone from insurance salesmen to employers, to a local bank teller at the drive-thru window.The concerns of privacy advocates center around the bill's provision for the eventual establishment of a national health-care database of patient medical records. The idea is that the database could help doctors take better care of patients across both distance and time, while saving millions of dollars in health care costs. Doctors who treat travelers would have access to a patient's medical history, different physicians who treated the same patient could all share the same information, and duplication of many treatments could be avoided. In addition, such a database would allow medical researchers to examine vast stores of health care data, a massive resource that could help expand medical findings.As the world is quickly finding out with the Internet, however, such information does not come without risks. Indeed, national privacy advocates say the bill does not adequately set out security and privacy guidelines for access and use of the information that may be put on the network. Already, they say, insurance companies and HMOs are compiling a stable of information that has the potential to be abused, especially in cases involving patients with HIV, AIDS and mental health issues."There needs to be clear rules about who gets access and what is allowed to be used," says Deirdre Mulligan of the Washington D.C.-based Center for Democracy and Technology (CDT). "The laws over access are few and far between."In Idaho, as on the federal level and in almost every other state, there are no comprehensive statutes covering a patient's control over their medical records."I look at all medical information as being abusable," says Dr. Fred Marsh, president of the Idaho Psychiatric Association who works at the Idaho State Hospital South in Blackfoot. "Medical diagnoses can be misunderstood and misused. In applying for jobs, they can certainly be used as exclusionary." Pat Miller, a Boise attorney who handles health care issues insists, "The basic right of confidentiality comes out of the Constitution and the right to privacy É There are specific statutes regarding sexually transmitted diseases, but there is no broad-based law in Idaho."On the national level, a federal bill outlining exactly who has access and what kind of information will be available on the database is expected to be introduced in Congress this fall, says the CDT's Mulligan. Even with more stringent laws, however, consumer advocates worry about an aspect of the bill that would require a "unique identifier," such as a social security number, to catalog patient records. Opponents of the plan argue that if a marker as common as a person's social security number is used, it wouldn't be hard for a video store clerk or travel agent to gain access to a person's medical records.Still, there has been little public outcry for insuring patients know exactly what kind of information has been collected about them. As a National Research Council panel cautioned in March, "There are no strong incentives to safeguard patient information because patients, industry groups and government regulators aren't demanding protection."In Idaho, part of the reason for the lack of interest is the relative absence of HMOs. As one of the last bastions of fee-for-service health care, many consumers in the state have yet to deal with managed care companies -- a source of frustration and ire for many consumers, and the most prolific collectors of information in the health care industry."One of the reasons not a lot of people are aware of this is because of the penetration of managed-care in the area is very small," says local attorney Miller. "Most people still think in terms of having a relationship with a physician. They don't have the mentality that they're dealing with a company, that they're putting this information in the hands of an institution."Julie Taylor, a spokeswoman for Blue Cross of Idaho, the state's largest health insurance provider, says the organization currently enforces strict policies about who can access medical records. Only registered nurses and doctors have access to computer terminals with patient records on them, and all paper records are kept in locked files in locked offices, she says. In addition, every single employee is required to sign a confidentiality statement promising they will not disclose confidential information to anyone.Ironically, perhaps the most lasting effect of the bill and creation of the database is that it could undermine the same health care delivery system it is trying to improve. Voicing the privacy concerns of patients Pat Miller says, "There could be a reluctance by many people to tell their doctor information or to get the treatment they need."Still, some argue all this fuss is over nothing -- not because privacy and patient concerns remain unimportant, but because there is no way a national health care database will ever be established. "I'm really skeptical about it actually being done," says Blue Cross spokeswoman Taylor. "Where is the money going to come from?"According to the CDT's Mulligan, "Right now there are already providers entering into contracts with data clearinghouses, without clear rules about how patients rights will be protected." Echoing the fear expressed by many consumer advocates, Mulligan says that by the time privacy laws are set in place, the data base network will have long been set up with its own protocols.In other parts of the industry, this is already happening. Places such as the Medical Information Bureau in Boston hold files on 15 million people across the country who have applied for health, life or disability insurance. While the company does not keep medical records, this data base illustrates an increasingly eroding sense of privacy that stands as fallout from the Information Age. Like the electronic trails consumers leave everywhere -- from the supermarket to the ATM to the Internet -- medical records may now just form a part of our legacy, a digital shadow following us from cradle to grave.