Roundtable: Medical Privacy
Medical information conveys power over people, but it can also enhance medical research and improve public health. –Schwartz
This roundtable is an abridged version of a discussion that took place in September 1999 as part of a meeting of the President’s Circle of the National Academy of Sciences, National Academy of Engineering, and Institute of Medicine. Janlori Goldman directs the Health Privacy Project at Georgetown University’s Institute for Health Care Research and Policy. Before that, she was involved with the Center for Democracy in Technology, which she cofounded, and worked at the American Civil Liberties Union, where she was part of their Privacy and Technology Project. Paul Schwartz is professor of law at Brooklyn Law School and an international expert in the field of informational privacy. Paul Tang is Medical Director of Clinical Informatics at the Palo Alto Medical Foundation and vice president of the EPIC Research Institute. Before he joined these organizations in 1998, he was an associate professor of medicine at Northwestern University Medical School and the Medical Director of Information Systems at Northwestern Memorial Hospital.
Schwartz: I will begin by making four broad points about privacy in the age of computer medical records. The first is that access to medical information is about power. Obviously, access to this information conveys power over people, but it can also enhance medical research and improve public health. Second, there is no longer is such a thing as a simple medical record. Each of us has a fluid kind of dossier that is neither open nor closed but is more or less available to a variety of people and institutions. Third, information is now multifunctional, and the privacy of that information will depend on its use. Finally, fair information practices are needed to cover a multitude of situations. These include consent procedures for release of information, notification of who sees your information, access to your own information, and redress for violations of the rules.
Our two panelists will now make brief introductory statements, and then I will pose a few questions to flesh out some areas of disagreement or ambiguity.
Tang: Two goals stand before us. One is to facilitate informed decisionmaking by physicians, caregivers, researchers, and policymakers. The second is that we must fulfill our ethical and legal obligation to protect confidentiality of patient data. In my mind, these two goals are inextricably linked, and consequently the bills that are being debated in Congress today about protecting confidentiality of patient data will directly affect the care that I as a physician can give to my patients.
I would like to discuss these goals by addressing three questions. One, what is wrong with the status quo right now? Second, how can we fix it? Finally, what are the implications and the pitfalls of creating legislation regarding patient confidentiality?
In a study we did at Stanford, we found that for physicians making decisions during ambulatory care visits, on average 81 percent of the time they didn’t have all the information that they needed in order to make decisions for that person that day. In fact, even though they had the paper record in front of them, on average they were missing four pieces of information for each visit. In one case, the physician was missing 20 pieces of information. That means that physicians are routinely put in the position of having to choose between rescheduling an appointment and searching for the information, repeating the test, or simply making the decision with available information. Put simply, the status quo of using paper records is not acceptable.
At the same time that too little relevant information is available to the physicians making care decisions, too much information is available to people who don’t need it. When someone requests the paper record, it is an all-or-nothing proposition. Once someone has the record, there is no way to control what parts of the record that person reads.
Fortunately, both of these problems can be addressed by following the recommendation of an Institute of Medicine committee by using computer-based patient records (CPR). My experience with the CPR at Northwestern and the Palo Alto Medical Clinic convinced me that it improves the quality of medical decisionmaking. In addition to helping physicians provide better care, the CPR can substantially increase our ability to protect confidential information. Our guiding operational principle is that health care providers and others who use the record should have access to only that information that they have a professional need to know. The CPR makes it possible to define and enforce very precise access boundaries and to raise the bar of protection for confidential health information.
Congress is in the process of considering confidentiality legislation. We need to be careful as we draft this legislation not to let our good intentions interfere with good care. For example, one approach to protecting information is to enumerate all the potentially sensitive pieces of personal information and to segregate that from the rest of the record, rendering it more difficult to access. Unfortunately, to the extent that we are successful at hiding that information, I think we will undermine the very benefits that we hope to achieve by computerizing the record in the first place. In effect, we will recreate the problem of incomplete information associated with the paper record. I prefer that we give physicians and patients the benefit of making decisions with complete information but at the same time raise the overall bar of protection for all data.
What should not be allowed? Any use of information for discriminatory purposes, such as denying insurance or employment based on health information. Discrimination should be addressed by antidiscrimination legislation, not by omitting information from the patient record.
Goldman: Paul’s presentation was very interesting, in that it focused primarily on the doctor-patient relationship and the flow of health care information in a health care setting in which people are providing care. What I want to do is step back for a moment and talk more generally about privacy and the use of health information.
In talking about privacy, I think it is important to look at how the right to privacy and the societal value of privacy have evolved over time. Although it is a value that is entrenched in our constitutional principles, privacy is not a word that you see used until about 100 years ago, when Warren and Brandeis wrote an article about the right to be left alone and referred to it as one of the most comprehensive rights known to man. They were trying to set out a theory that allowed people to step back from the prying eyes of society, to step away from the hubbub in the community, and to try to have some of their activities and some of their thoughts in seclusion. They talked about how the ability to step back was critical to the development of the self, to autonomy, to the pursuit of liberty and democracy.
In the past 30 years, the right to be left alone isn’t enough to safeguard privacy, because most of us either don’t want to be left alone or we cannot live that way. Alan Westin of Columbia University introduced the idea that privacy needed to be thought of as the ability to control information about yourself even after you have given it to someone else. You still should have some ability to decide who should have access to that information and under what circumstances.
Clearly you have to step forward and participate in society to get health care, which means releasing information about yourself. There is no federal law protecting the privacy of that medical information. The desire to improve the quality of care, accompanied by advances in information technology, has resulted in the accumulation of much more personal medical data. The problem is that we haven’t thought about privacy up front. We are coming to this issue late; most of the talk has been about how much we can do with this computerized information. We are not talking about privacy.
The Institute of Medicine’s For the Record report concluded that one reason for the lack of attention to privacy is that there is no market incentive. Another reason is the fear that too much privacy will be a barrier to achieving many of the goals that we hope to reach with computerized patient records.
— Tang
A 1999 report released by my organization found exactly the opposite to be true. A survey sponsored by the California Health Care Foundation and performed by Princeton Survey Research Associates found that one out of every six people in this country is engaging in some form of privacy-protective behavior because they are worried about how their information is going to be used and who is going to know what about them. They are lying to their doctors, or they are asking their doctors to misrepresent information in the medical record or on a claim form. They are paying out of pocket for care for which they are entitled to be reimbursed, or they doctor-hop, because that gives them the illusion that the information stays within the four walls of their doctor’s office. Later medical decisions are then made with incomplete information, and public health researchers have unreliable data. The worst-case scenario is where people are so afraid of how the information might be used that they don’t seek care at all. They don’t go for the tests. They don’t go for the treatment. In the area of HIV and AIDS, we have seen a huge public health response that is relying on anonymous treatment and testing, but in general health care we have not seen that kind of response.
We need to start to think about how do we give people back some trust and confidence in the health care system. I am in full agreement with Paul that we need to acknowledge the importance of access to information as we address confidentiality, but we need to think about it differently from how we have been thinking about it. Protecting privacy and getting access to health information are not goals in conflict. One does not necessarily undermine the other, and in fact what we are finding now with some of this new survey data is that they are dependent on each other. If you want good-quality data, you had better protect people’s privacy. If you want people to come in for care and you want them to be honest, you had better assure them that there is a reason for them to have trust and confidence in the health care setting.
In the interest of developing consensus on this issue, we created a health policy working group composed of health care providers, employers, privacy advocates, ethicists, and the accreditation people. In July 1999, the group issued a report with guiding principles, including that everyone should see his or her own medical record (only half the states give people that legal right now) and that there should be limits on uses of health information, particularly once it leaves the health care setting, and that those limits for the most part should be controlled by patient decisions. There should be some exceptions to those limits, so that we don’t have an absolute right that then chokes the flow of information when we really need it; for example, for public health purposes or in an emergency or if law enforcement has presented a warrant. In the controversial area of researcher access, the committee recommended that the same rules apply to publicly and privately funded researchers.
Schwartz: Having listened to your presentations, I have several questions on which I think you two will disagree, and I would like to hear you discuss your positions. Let’s start with a scene in a doctor’s office. A patient says, “I am willing to share with you some personal information related to my health, but I don’t want it included in my medical record. I don’t want anyone but you to have this information. Not even my wife and family should know it.” If you were the physician, what would you do?
Tang: If it is relevant to making decisions about your health care, then it is relevant for me and the other people taking care of you to know. There is no reason why your wife or anyone else needs to know, and there are no regulations that force me to reveal that. If it is important to your care, then it is an important part of the record.
Goldman: Given that I am not a doctor, I guess I could answer as the patient. I would go to another doctor. Once the information is in the record, the health plan can have access to it, which means the employer can have access to it because the employer is considered the customer because it is paying the bill. There is no way to guarantee privacy, as much as you want to do it. It is not satisfactory to say, “I won’t write it down.” That is not a good result from the physician’s standpoint, but it is not satisfactory to say, “I have to write it down, and I will be able to protect the information,” because that is not true.
Tang: As long as patient and physician agree that the information is critical to health care decisions, then I have to stand by it because I am obligated to consider the data that is important to the patient’s health care, and I am obligated to document the basis upon which I make decisions.
Goldman: What if the patient says that he will not share the information?
Tang: I would then make sure that the patient understands that that would mean making decisions with incomplete information.
Schwartz: Next question: What form of oversight do you want to have within the health care system and outside?
Goldman: One way to set it up is to involve a lot of different people, because oversight means a lot of different things. One very simple technique with electronic networks would be to automatically record the name of everyone who looks at a patient’s record and to make that information available to the patient. That is absolutely feasible, and a number of health care institutions are doing that now. This is not practical with paper records.
You want to make sure that there are written policies that govern internal procedures in hospitals, health plans, and other health care institutions; that there are people responsible for implementing these policies; that all health care professionals receive training in these policies; and that the policies are reflected in the technology. The government should have procedures to investigate complaints.
This is pretty standard stuff, but the patient involvement is something that we haven’t seen yet and that would be helpful.
Tang: I agree with Janlori. Basically, I think holding people accountable for their actions is the primary way of overseeing this. I need to be accountable to my patients, my profession, and to the organization with which I am associated. Maintaining audit trails in computer-based patient records holds all of us to new levels of accountability–something we could never do with paper records. The strongest pressure to do the right thing will come from patients. Physicians have an obligation to their patients.
Schwartz: What about law enforcement access to patient records?
Tang: As practicing physicians, we have always felt that we have had privileged communication with our patients, and certainly it should not be easy for law enforcement officers to get access to the medical record. I can actually think of very few cases where access is appropriate by law enforcement.
Goldman: In most states and at the federal level, law enforcement needs nothing to get access to medical records except a request. There is no federal law and very few state laws that require law enforcement to provide a court order or a warrant or a subpoena before they get access to medical records, even though we have restrictions on law enforcement access to many other kinds of personal information such as financial records, education records, and video rental lists. We do have some good privacy laws, just not in this area.
If a police officer comes into an emergency room and says, “Have you seen anyone who was recently treated with a smashed hand?” the response could be “Yes, and here is her record,” or the response could be “I cannot tell you. Go get a warrant.” The burden is on the clerk to decide.
Most doctors, researchers, health plan officials, drug company executives, and consumer groups (but not the FBI) agree that we need to have some federal restrictions on law enforcement access to medical records. We’ll see if it’s possible to overcome FBI resistance.
Tang: At first I couldn’t think of many reasons to divulge medical record information, but we are required to disclose information about gunshot wounds, and I think that is reasonable.
Schwartz: What about child abuse?.
Tang: Yes, child abuse and elder abuse as well.
Schwartz: Finally, do we want to have state legislation as a floor or a ceiling?
Goldman: This issue boggles my mind, because right now the status quo is that we have 50 different states and 50 different sets of rules. We did a survey of the states to find out their view of issues and problems. We found that very few states have comprehensive law in this area. Where the states have moved forward is in the very condition-specific areas such as mental health, HIV, and abuse and neglect.
I hope that Congress passes a law that provides a baseline, a set of minimum requirements that will be more stringent than what currently exists in most states. This should provide the uniformity that is necessary if information is to be shared among the states.
Tang: If what you accomplish creates uniformity, then I think we are okay, and I agree that the federal floor should be more restrictive than what is now found in the states. Uniformity is necessary to practice good medicine. Without it, I wouldn’t know how to treat information about an out-of-state patient.
Audience: What is wrong with the idea of total privacy in which no information is released without an individual’s express permission?
Goldman: We don’t have a system that grants absolute privacy rights. There are circumstances where others’ needs override a person’s privacy.
Schwartz: Okay, let us make it as close as possible.
— Goldman
Goldman: Right, I think we should make it as close as possible. I think the presumption should always be that information shouldn’t be shared unless the individual says that it should be shared, but we do have to spell out exceptions such as a medical emergency or a public health threat.
Audience: As an employer, what rights do I have to know about a potential employee who perhaps has an infectious disease that could affect a whole community?
Goldman: The Americans with Disabilities Act prohibits you from discriminating in employment and promotion based on somebody’s disability status. However, even though there is this antidiscrimination law, there is very little in that law that restricts your access to health information. The law allows you to have access to information and even allows you in certain circumstances to make decisions about a person’s suitability for some jobs on the basis of an employee’s physical condition.
Tang: You cannot make a hiring decision on the basis of an individual’s health information. After making the hiring decision, you can ask about health conditions relevant to a person’s job requirements, and if the information reveals that the employee would endanger the health of others, you can probably terminate that person or change that person’s job function so that it doesn’t endanger the health of others.
Schwartz: I think that this discussion raises another point that you have made. We have an unusual system for financing and paying for health care in this country–namely, we have third-party payments. Employers typically pay for their employees’ health insurance, so they have a great incentive to seek out people whom they think will have less expensive health care needs.
Audience: Professor Goldman, under what circumstances should researchers have access to identifiable records that are not going to be used for individual treatment decisions? You said that organizations should use an objective and balanced process in making this decision, but I don’t know what that means.
Goldman: One critical requirement is that the individual be notified that this information has been requested and that the individual give informed consent. Another important step is to provide data with a person’s name only when that is absolutely necessary.
Tang: In the paper world, it is logistically almost impossible to remove identifiers when information is shared. With electronic records, it is easy to remove identifiers or to encrypt the identifiers, which makes it possible to track an individual over time without revealing the identity of the person.
Audience: How does this relate to medical liability?
Goldman: Using Paul’s example, what if the person decides not to give the physician some information, and then something goes wrong because the physician acted without the benefit of that information? Some members of Congress have introduced legislation that would shield from liability a physician who had to treat a person without having access to full information.
Tang: I need to clear my name a little bit about this topic. I took a definitive position earlier in order to foster discussion, but I think that it is actually possible to create an electronic record of an encounter that is viewable only by me. Thus it can satisfy the patient’s request to shield certain information from access by others as well as satisfying my responsibility to document information used in making medical decisions. This method may not be solve all the problems, but it could help.
Audience: What are the laws on what the health care plan can do with medical information? If they find that you have a particularly expensive disease, can they just drop you? Are there any protections against that?
Schwartz: Federal law prevents employer-provided insurers or health plans from discriminating against individuals because of a medical condition. But if the health care insurer decides not to provide health care for a specific ailment such as breast cancer or Alzheimer’s disease, that is allowed because it applies to everyone in the plan. What they are not allowed to do is to single out an individual and say that we are not going to cover you for this condition.