265. "Medical Records: Enhancing Privacy, Preserving the Common Good," The Hastings Center Report, March-April 1999, pp. 14-23.

The privacy of medical records, which contain highly intimate information that people legitimately are keen to keep from others, often is violated. Some of these violations are random, while others are systematic and are said to serve the common good, including quality control, cost reduction, medical research, public health, and public safety. Yet these goods can be served to a considerable extent even if medical privacy is enhanced in ways discussed below. And, to the extent that common goods must be sacrificed to better respect medical privacy, these intrusions can be minimized. This, I shall show, requires a shift from relying largely on individualistic doctrines reflected in the notions of informed consent to relying much more on communitarian institutions. These institutions provide a special bonus: because they primarily are proactive and preventive, they mainly rely not upon new legislation, prohibitions, and penalties for violators, but upon arrangements that render violations of privacy less likely.

I. Are Violations of Medical Privacy Macroscopic and Significant?

a. Unauthorized Use

The notion that one's personal medical information could be obtained by others, not involved in the person's care and not authorized to receive it, and used to harm the person, is frightening. A few examples of the many that could be given: a database created by the state of Maryland in 1993 to keep the medical records of all its residents for cost containment purposes was used by state employees to sell confidential information on Medicaid recipients to health maintenance organizations (HMOs), and was accessed by a banker who employed the information to call in the loans of customers who he discovered had cancer.1 A medical student in Colorado sold the medical records of patients to malpractice lawyers.2 In Newton, Massachusetts, a convicted child rapist working at a local hospital used a former employee's computer password to access nearly 1,000 patient files to make obscene phone calls to young girls.3 In Florida, a state health department worker used state computers to compile a list of 4,000 people who tested positive for HIV and forwarded it to two newspapers, The St. Petersburg Times and The Tampa Tribune.4

All such incidents have several attributes in common: they typically are isolated acts, often committed by a single person; they are as a rule in violation of the policies and ethical codes of the institutions in which they take place; and on some occasions they violate federal or state laws. Hence I refer to them as "unauthorized abuses." As troubling as some of these incidents are, the scope of their ill consequences pales in comparison to what might be called "authorized abuses." However, before I can turn to this massive form of abuse, I must digress briefly to discuss recent developments that make these abuses possible.

b. Privacy-Diminishing Developments

There has been a trend in recent years to gather and record greater and more detailed information in medical records, including genetic information and lifestyle details.5 And the health insurance industry now collects much larger amounts of information from physicians than it gathered in the past, amassing large databases of personal information.

Also, until recently insurance companies usually received only an abstract of a patient's record, containing information on diagnoses, tests performed, and treatment provided. Nowadays, it is not uncommon for insurers to gain a patient's entire record.6 In particular, the shift to managed care programs has generated considerable additional demand for detailed patient information by groups other than the treating personnel.7 For instance, representatives of managed care companies have required psychiatrists, as a condition for payment, to reveal considerable details about their patients to verify that treatment was necessary.8

Equally important are technological developments, especially a switch by health care organizations from traditional paper-based files to computerized records that are stored in online databases.9 Electronic medical records make retrieval and access much easier than with paper records.

Increasing linkages are formed among various health care databases. These, in effect, turn numerous databases into one. A report issued by the Congressional Office of Technology Assessment (OTA) states that "as a result of the linkage of computers, patient information will no longer be maintained, be accessed, or even necessarily originate with a single institution, but will instead travel among a myriad of facilities. As a result, the limited protection to privacy of health care information now in place will be further strained."10 Additional concerns are raised by the fact that once online, health information can be linked with non-health data sets, such as an individual's credit report, to create still more encompassing personal dossiers.11 In 1995, Equifax, the giant consumer credit reporting agency, announced it would supply computerized medical records systems in addition to consumer credit reports.12 Information brokers obtain and sell individual, personal data: $400 will buy 10 years' medical history, $40 to $80 will uncover stock, bond, and mutual fund holdings, $450 will glean a credit card number, $80-$200 will bring telephone records, and between $10 and $20 will buy a divorce search, death claim search, fictitious name search, or bankruptcy search.13

The Institute of Medicine concluded that these developments

raised numerous issues, including (1) worries on the part of health care providers and clinicians about use or misuse of the information health database organizations will compile and release, and (2) alarm on the part of consumers, patients, and their physicians about how well the privacy and confidentiality of personal health information will be

The main issue that these developments raise, though, is not an explosion of unauthorized use, but a much more widespread and systematic violation of privacy via what might be called "authorized abuse."

c. Authorized Abuse

Most violations of medical privacy seem due to the legally sanctioned, or at least tolerated, unconcealed, systematic flow of medical information from the orbit of the physician, the patient, health insurers, and health management corporations to other, non-health care parties, including employers, marketers, and the media. Reference is not to the occasional slip-up or the work of a rogue employee, but to daily, continuous, and numerous disclosures and usages that are quite legal but of questionable value and intent.

One major problem area is the disclosure of information by some health insurance companies to employers,15 which employers then use to the detriment of prospective or current employees. In 1996, 35 percent of the Fortune 500 companies acknowledged that they draw on personal health information in making employment decisions.16

Also, corporations that self-insure draw on their personnel departments or medical claims divisions for privacy violating data. A 1991 survey by the OTA found that one-third of employers used their personnel departments to examine the medical records of their employees, without notifying them.17

In addition, there is, as Kathleen A. Frawley, vice president of the American Health Information Management Association, puts it, "... a whole market of people buying and selling medical information."18 Indeed there are firms that specialize in collecting and selling medical information about many millions of people, including IMS America, the Medical Information Bureau, and MetroMail.19

The medical information obtained in this way is used in hiring and firing and other employment decisions, including information about the person's genetic attributes, mental illness, drug abuse and other conditions,20 even if these conditions have not affected their work performance.

Medical information is also sought by marketers to hawk their wares. Pharmaceutical companies have obtained medical records to discover which prescription drugs individuals use and which physicians prescribe them, allowing these companies to solicit physicians to prescribe different drugs sold by the company.21 For about $.30 per name, large drug companies pitch their products directly to angina sufferers, diabetics, or arthritics.22

Given such facts, the National Committee on Vital and Health Statistics, a committee of health-care experts, not given to hyperbole, concluded that the "United States is in the midst of a health privacy crisis" and urged the Administration to "assign the highest priority" to dealing with the matter.23

Large proportions of patients are troubled by the matter as well. For instance, a 1993 Harris/Equifax survey on the privacy of medical records found that half of respondents were concerned about the effects of computers used by health care providers; 60 percent were worried that the use of computerized medical records would result in mistaken information regarding medical conditions being placed in patient records; and 75 percent said they were concerned that a computerized health information system will be used for many non-health care purposes.24 Eighty-five percent of those surveyed said that protecting the confidentiality of medical records was "absolutely essential" or "very important."25

d. Big Brother or Big Bucks?

While the concern for privacy is widespread, the same cannot be said about people's understanding of the source of the new threats. The evidence about the nature of privacy violations suggests that Americans now need protection against the abuses and intrusions of private enterprises as much or more so than from government agencies. Still, leading libertarians persist in their focus on the government as the greatest enemy to individual privacy. Writing about this issue (although without specific reference to medical records) in the libertarian publication Reason, Brian Taylor states, "While private-sector surveillance is commonplace and widely accepted . . . the trends of placing cameras in public areas for use by law enforcement is a new and disconcerting variation on the established practice."26 Solveig Singleton stakes out this anachronistic position more starkly in a Cato Institute report:

We have no good reason to create new privacy rights. Most private-sector firms that collect information about consumers do so only in order to sell more merchandise. That hardly constitutes a sinister motive. There is little reason to fear the growth of private-sector databases. What we should fear is the growth of government databases.27

Fortunately, we shall see that the tension between the competing concerns of privacy and the common good in this area can be sharply curtailed, allowing us to avoid the full brunt of the political opposition that so far has sidetracked several efforts to protect privacy in this area. To put it in the terms followed here: privacy violations of medical records constitute a significant problem. The next question is, are these violations justified by some major service to the common good, and can this service be rendered even if these abuses are greatly curtailed? These questions are examined next with regard to four particular common goods.

II. The Common Goods Served By Electronic Medical Records

a. Public Safety

In 1997, the Clinton Administration suggested legislation that would allow law enforcement authorities "quick, confidential, unhindered"28 access to medical records; that is, access without prior consent of the patient whose records are being combed and without notifying the patient that his or her records are being examined. Two main reasons are given to support this stance: first, it would facilitate time-sensitive cases in which law enforcement officers may need to search emergency room records to look for someone who has just fled a crime scene.29 Second, such examination would allow the government to scan records to curb medical and financial fraud.30 Hence, Health and Human Services Secretary Donna Shalala recommends that actions taken to better protect the privacy of medical records impose no new hindrances on law enforcement access to medical records.

Two different relevant situations need to be considered. One occurs when there is a specific indication that a crime has been committed. Here the American legal tradition already allows the search of records if a reasonable case can be made. Currently, if the FBI or a local police force seeks to examine any private records, say a person's or a corporation's financial files, they must provide evidence to a magistrate that there is reasonable suspicion that a crime has been or is being committed. There seems to be no reason that medical records, correctly considered more intimate and hence having a higher claim for privacy, should be accessed more easily. Here too, if there is a legitimate need, a warrant can be obtained.

The second situation arises under some special conditions where there is no time to gain a warrant. For instance, the police may be looking for a killer on the loose who is believed to have been stabbed and treated in an emergency room and the police are anxious to comb records before he disappears. The law, however, already provides for such instances and allows such "hot pursuit" searches that can be justified after the fact.

A rather different situation arises when law enforcers need to comb a large number of records to determine whether or not fraud has been committed. Because the "suspects" in these cases typically are not the patients but the health care providers, law enforcement authorities can be limited in the scope of their search so that they can obtain the facts they need without violating the privacy of patients, as I will show below.31 If patients are suspected of having committed or participated in committing the crime, say by having conspired with a physician to defraud an insurance company, the rules of specific suspicion would apply. In short, there seems to be no reason to conclude that better protection of the privacy of medical records would significantly undercut public safety. The mechanisms for setting it aside--when justified--are already in place.

b. Quality Control, Cost Control, and Research

Three related, but far from identical, health care goods are served by accessing medical records. Quality control seeks to ensure that care is given in line with established practices. Hospitals typically maintain internal mechanisms to ensure quality of care. For instance, committees routinely review charts of patients to determine whether the performed surgery was required, if the correct procedure was performed, and if the proper aftercare was provided. Some outside agencies, such as accreditation organizations and some HMOs, review data for the same purpose.

Cost control seeks to curb waste and fraudulent use and to promote the utilization of effective and efficient products and procedures. Such "utilization reviews" are conducted routinely by HMOs, health insurance companies, federal and state government agencies, and encompass numerous items of information from the costs and nature of drugs prescribed to the number of days a patient stayed in a hospital, from the specialists the patients were assigned to the number of X-rays conducted.

Medical records research also enables researchers to monitor a population's health, identify populations at high risk for disease, determine the effectiveness of treatments, assess the usefulness of diagnostic tests and screening programs, conduct cost-effectiveness analysis, support administrative functions, and monitor the general adequacy of care.32

The fact that these three health care goals benefit greatly from access to medical records of individual patients is self-evident. One point, though, should be emphasized: all three goals stand to gain a great deal from precisely the same technological and organizational developments that constitute a major source of the new threats to privacy. Instead of laboriously piecing together information from thousands of paper records maintained in physicians' private offices or in numerous hospitals and clinics, new electronic databases in principle provide a much more expeditious and efficient resource to those who seek to evaluate care, control cost, and advance knowledge. One area of benefit will stand for all the others.

The quality of medical care has long suffered from grossly deficient evaluations of the efforts of its practitioners.33 Medical treatments often still rely on notions transmitted from masters to apprentices (during medical training), notions whose effectiveness has been poorly evaluated, if at all. Medical history, including within the most recent decades, is rich with accounts of interventions used on a mass scale and for long periods that later have been discovered to be useless, if not harmful, while other procedures, tools, or medications are more effective. The Rand Corporation estimated in 1991 that as much as one-third of the financial resources devoted to health care is being spent on providing ineffective or unproductive care.34 Many of the interventions take place in physicians' offices in which small numbers of people are treated, and hence it is often impossible statistically to assess the outcomes of the interventions.

Medical evaluators long have sought to collect information from numerous private practices and hospitals to determine which interventions are effective, in order to foster improvements in the quality of care. This often has proved rather difficult because of access and other problems. In the new electronic world, such "outcome" studies are becoming much easier, promising great advances in the quality of care.35 All this seems to suggest that ready access to medical records, while not essential for public safety and economic considerations, is essential for the advancement of major health care goals, and that privacy may have to yield if these important common goods are to be better served. However, now that the specific common goods at issue have been identified, I leave it to the following sections to show the specific ways in which, to a large extent, these health care goals can be achieved and privacy can be better protected.

III. Non-Intrusive Changes

a. The Underlying Principles: Informed Consent or Institutionalized Reforms?

Oddly, both the prevailing suggestions for dealing with the tension between privacy and health care goals, and a major source of the tension itself, are based on the same legal-ethical doctrine, that of informed consent. While it is rarely explicitly stated as such, the prevailing doctrine implies that if a person is informed and then voluntarily consents to release information from his or her medical records, privacy is not violated and the tension between privacy and the common good has been resolved.

I am hardly the first one to observe that the agreements patients routinely endorse are neither voluntary nor informed. Very often, for an individual to receive health insurance or join an HMO plan, the person is required to sign a form that authorizes the provider of health care36 to disclose any medical information that is requested for the payment of the individual's claims.37

As the OTA report notes, "usually no restriction is placed on the amount of information that may be released, the use to which these parties may put the information, or the length of time for which the consent form is valid."38 Once an individual has signed a payment provider's blanket consent/authorization form, the floodgates have been opened. From this point on, the individual exercises no control over how much health information may be disclosed from his or her records to other parties, parties that do not come to mind when consent forms are endorsed, and loses control over what these parties do with that information once they receive it.39 This may take the form of sharing an individual's medical records with different departments of a single organization (e.g., the health and life insurance divisions of a single company) or between different organizations (e.g., between the insurance company and an employer that provides the insurance). Moreover, once in the hands of external parties, the information may be redisclosed again (e.g., from an individual's current employer to a potential new one).40 Given such blanket and open-ended consent forms, as the Institute of Medicine correctly points out, "consent cannot be truly voluntary or informed . . . because the patient cannot know in advance what information will be in the record, who will subsequently have access to it, or how it will be used."41

Furthermore, redisclosures to external parties "are [also] rationalized as being conducted by consent of the patient or a patient representative."42 Because "many patients are neither granted access to their medical records, nor apprised of which portions of the record are accessible to others, most patients are ill equipped to make intelligent choices about authorizing disclosures."43

Theoretically, one can refuse to endorse a consent form, and, as the libertarians say, live with the consequence, which is to forego health care insurance. However, as an OTA report confirms, "Individuals for the most part are not in a position to forego such benefits, so that they really have no choice whether or not to consent to disclose their medical information."44 The Institute of Medicine similarly notes that in the final analysis, "consent [to disclosure of medical information] is so often not informed or is given under economic compulsion that it does not provide sufficient protection to patients."45 As the OTA report put it, the idea of informed consent is "largely a myth and the mechanism of informed consent has no force."46

As a solution, civil libertarians have suggested a remedy, which is also based on the consent theory, that would require patients to grant a specific consent for each use of information about themselves. The Academy advocates the development of authorization forms that make it clear to patients the organizations to which their medical information will be released and that limit the time period for which the authorization is valid. The 1973 Code of Fair Information Practices, and legislation based on it, already require that when the federal government collects information of any kind in a database, specific consent must be given for every usage of information (not for every item of information, but for every purpose for which information is used). The privacy act proposed by the Clinton Administration in 1997 seeks to apply the same notion to collection of information by private agencies. The American people strongly support this version of consent. Most Americans (87 percent) believe patients should be asked for permission every time any information about them is used.47

The difficulties in relying on this approach are rather evident. When medical researchers are expected to gain consent for each specific use of medical records, they have found that a significant segment of the population does not return the needed forms. The researchers, such as those at the Mayo Clinic who have undertaken such an effort, then need to spend considerable resources contacting those who did not respond. Some remain hidden or refuse to participate, which distorts the database. The difficulties multiply when one needs to deal with old data (to find people who have moved, for example) and with data about deceased patients. Obtaining needed consent "would be impossible to accomplish in the retrospective studies that are so vital for assessing trends in disease over time and the long-term outcomes of treatment; such studies often involve thousands of subjects who may have last been seen many years ago."48 In addition, studies conducted using only live patients (because the deceased cannot consent, or their living kin may not consent or may be unreachable) may produce distorted results, reflecting outcomes primarily among the younger and living population.49

Alarmed by the damages specific consent imposes upon health care goals, medical authorities have advanced a third notion of consent, that of implied, presumed, or constructed consent. According to this doctrine, anyone who comes to a physician's office or health care facility is treated as if he or she gave consent for the data that is generated to be used and released, without a need for explicit consent. Some versions of this concept at least sound rather non-threatening to privacy and autonomy. For instance, Arnold J. Rosoff defines the concept of implied consent as ". . . that which arises by reasonable inference from the conduct of the patient."50 A physician at the health sciences research department of the Mayo Clinic suggests that "since the vast majority of patients agree to the broad use of their medical-records data for research . ... the overwhelming preponderance of agreement is consistent with the notion of 'constructed consent' from the whole patient population."51

While a widespread introduction of concepts such as constructed or implied consent would serve various health care goals, they may not so much diminish or redefine privacy as abolish it. While some may not abuse the privilege these concepts grant, others may convince themselves all too readily that whatever they seek to do with the data is something the patients would have consented to. Still others would simply build on such concepts to conduct experiments and introduce interventions to which they know patients would be unlikely to consent if they were asked.

None of these forms of consent--old-fashioned, specific, and presumed--is likely to provide the desired balance between health care goals and privacy. Before I turn to what might be done, I should stress that I am not calling for an end to consent forms; they can serve as a limited, secondary source for protection of privacy. I merely argue that the mainstay of medical privacy is to be found elsewhere.

b. Institutional Reforms

The communitarian approach I favor here is based on the concept that people, far from being free-standing agents able to form and follow their own preferences at will, are profoundly affected by social institutions that prevail in the societies in which they are situated.52 As Robert Bellah and his colleagues note,

Institutions form individuals by making possible or impossible certain ways of behaving and relating to others. They shape character by assigning responsibility, demanding accountability, and providing the standards in terms of which each person recognizes the excellence of his or her achievements. Each individual's possibilities depend on the opportunities opened up within the institutional contexts to which that person has access.53

When these institutions affect people in ways that offend our values or raise considerable resentment or opposition, often the most effective way to treat such an ethical or socio-political problem is to modify or recast these institutions rather than to rely solely or even chiefly upon the aggregation of millions of actions by newly informed individuals. To provide but one example of this general principle from a non-health related area, if the savings rate of a nation must be raised, and this has been agreed upon following a proper societal dialogue54 and by the proper elective institutions, it is much more effective to reduce the public deficits (or to run a budgetary surplus) than to convince or create an incentive for millions of individuals to change their behavior, to save more.

Another of the grand advantages of drawing on institutional changes is that they tend to be preventive. American individualism favors a cop-and-robber approach to social issues, in which the culture prescribes waiting for individuals to transgress and then trying to catch them and penalize them. In contrast, institutional changes seek to encourage people to do what is right in the first place.

I provide next an elementary outline of institutional reforms that could produce more effective protection of medical privacy without significantly setting back desired health care goals. This is a highly complex matter, one that is affected by numerous technical, economic, and political considerations I cannot examine here. Moreover, all such suggestions should be subject to experimentation and further development before they can be adopted, which cannot be undertaken here. I should, though, note that the suggested arrangements are based on at least some current practice.

Throughout the ensuing discussion, I refer to the inner circle as all those who are directly involved in the treatment of the patient. These people obviously require ready access to medical records, although some layering of access is called for even in this circle. (Already, this often is done regarding HIV tests, which are treated as more confidential than other information even in the inner circle.55) While these inner circle personnel are far from immune to financial considerations, they share a culture that respects confidentiality and is sensitive to privacy issues.

The intermediary circle includes health insurance and managed care corporations. They are much more driven by profit considerations and much less imbued with the said medical culture. However, unless the current reimbursement system is changed radically, those in the intermediary circle need detailed and specific information about individual patients.

The outer circle includes parties not directly involved in health care, such as life insurers, employers, marketers, and the media, whose access to medical records may be legal but raises grave concerns because such access, as a rule, does not advance the health care goals either of the patients or society.

Drawing on these distinctions among the three circles, the following remedies are suggested:

(i) Institutional Remedy A: Layered Records and Graduated Release. In the past, a typical paper record, or "chart," included medical history, records of treatment, and lab results. Similar records are kept in hospitals, where they are typically centrally filed. When a patient is moved from department to department, the whole chart typically accompanies the patient.

The implicit assumption, reflected in this highly institutionalized arrangement, is that this inner circle is an extension of the personal physician, and is bound by the same legal, ethical, and socially-enforced mores of confidentiality. Violations of privacy by the inner circle seem to be few and largely of the unauthorized kind. However, the setup, which has not changed for generations, does little to prevent curious members of the medical staff from rummaging through patient charts.

The introduction of electronic medical records into the inner circle makes it possible to enhance the privacy within this circle by layering the records. Various segments of the records could be assigned different passwords with the understanding that certain segments would be open only to the treating physician(s), while others might be more accessible to people such as rehabilitation workers or dietitians.

(ii) Institutional Remedy B: Audit Trails. Audit trails are computer technologies that record all accesses of a record, including information identifying the person gaining access. For instance, to access information, the user would have to enter his or her unique password.56 Some suggest that patients will be able to review these audit trails, in addition to the privacy committees of the medical facilities involved. This would provide a built-in, privacy-protecting enforcement mechanism.

In general, passwords and audit trails constitute a fine example of how privacy can be protected, especially from unauthorized use, with minimal losses to the common good--and without waiting for each patient to act, consent, or even be involved personally.
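The two remedies just described, layered records with graduated release (Remedy A) and an audit trail that records every access (Remedy B), as an added illustration that is not part of the article or of any real system; the roles, segment names, access policy, and sample chart are constructed:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which inner-circle roles may read which segment of the chart (constructed policy).
# The treating physician sees every segment; other staff see only what their task
# needs, and HIV status is held back even within the inner circle, as the article notes.
SEGMENT_ACCESS = {
    "demographics": {"physician", "nurse", "dietitian", "rehab"},
    "diet_plan": {"physician", "nurse", "dietitian"},
    "rehab_notes": {"physician", "nurse", "rehab"},
    "lab_results": {"physician", "nurse"},
    "psych_notes": {"physician"},
    "hiv_status": {"physician"},
}


@dataclass(frozen=True)
class AuditEntry:
    when: str       # UTC timestamp of the attempt
    user: str       # unique identity of the person (the article's "unique password")
    role: str
    segment: str
    granted: bool   # refused attempts are logged too; they are what reviewers look for


@dataclass
class LayeredRecord:
    patient_id: str
    segments: dict[str, str]
    audit: list[AuditEntry] = field(default_factory=list)

    def read(self, user: str, role: str, segment: str) -> str:
        """Release one segment if the role is permitted; every attempt lands in the trail."""
        granted = role in SEGMENT_ACCESS.get(segment, set())
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     user, role, segment, granted))
        if not granted:
            raise PermissionError(f"role {role!r} may not read segment {segment!r}")
        return self.segments[segment]

    def patient_view(self) -> list[tuple[str, str, str]]:
        """What the patient or a privacy committee sees when reviewing the trail:
        who looked at which segment, and whether the look succeeded."""
        return [(e.user, e.segment, "granted" if e.granted else "DENIED") for e in self.audit]

    def users_with_denials(self) -> set[str]:
        """Staff who tried to open segments outside their layer: the 'rummaging' a paper
        chart cannot detect, made visible by the trail."""
        return {e.user for e in self.audit if not e.granted}


def build_sample_record() -> LayeredRecord:
    # Constructed sample chart; no real patient data.
    return LayeredRecord(
        patient_id="PT-0001",
        segments={
            "demographics": "name, date of birth, next of kin",
            "diet_plan": "low-sodium diet",
            "rehab_notes": "physio twice weekly",
            "lab_results": "HbA1c 7.1%",
            "psych_notes": "follow-up in 4 weeks",
            "hiv_status": "negative",
        },
    )


def run_scenario() -> LayeredRecord:
    """Three inner-circle users (hypothetical names) work the chart; one overreaches."""
    rec = build_sample_record()
    rec.read("dr_lee", "physician", "hiv_status")        # treating physician: allowed
    rec.read("dietitian_ng", "dietitian", "diet_plan")   # dietitian: allowed
    try:
        rec.read("dietitian_ng", "dietitian", "psych_notes")  # outside the dietitian's layer
    except PermissionError:
        pass                                              # refused, but still recorded
    rec.read("rehab_ali", "rehab", "rehab_notes")
    return rec


if __name__ == "__main__":
    record = run_scenario()
    for line in record.patient_view():
        print(*line)
    print("denied attempts by:", record.users_with_denials())
```

The point of logging refusals as well as grants is that a patient or committee reviewing the trail can spot staff who repeatedly probe segments outside their layer, which a password alone would never surface.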

(iii) Institutional Remedy C: Smart cards. Smart cards are credit card-sized devices that can store health information and/or serve as the key to accessing personal health information stored in a computer network. Thus, if a patient visits a physician, clinic, or emergency room, the patient would hand the card to the treating personnel, who would display the information on their computer screens and encode in the card additional information, say, new test results. As the technologies improve, visuals such as X-rays, EKGs, and sonograms also could be included and encoded. If such a card remains in the possession of the person whose medical record is encoded in or accessed by the card, smart cards have the potential to greatly enhance privacy by affording patients effective control over who has access to their medical information.57 Access by those other than the patient can be made only with the active collaboration of the individual to whom the information pertains. Further enhancing privacy, the card itself can be layered so that the patient can determine which segments to open to whom.

In emergency situations, of course, difficulties might arise if the patient is not carrying the card or is unable to provide the needed accessing passwords for some of the segments. (One would expect patients not to password-protect elementary information.) This should not prove to be too detrimental, however; after all, patients today typically do not carry with them their charts when they are rolled into the ER. And a person may share key passwords with a next of kin or a friend, whose names and phone numbers would be noted on the card's open segment.

A serious consideration is the very likely need for a backup database, which would be accessible without the card and thus subject to many of the privacy considerations raised for linked online databases.58 Such backup databases could be well sequestered, however. Another significant consideration is that smart cards may severely curtail researchers' and health care professionals' ability to serve the common goods of quality and cost control as well as medical research, because of limitations on access to the data. They are hence less desirable than audit trails.

(iv) Institutional Remedy D: Interface and U.P.I.s. Probably the most encompassing measure would be the introduction of an interface that turns most of the information in medical records into "unidentifiable" information at the point it is transmitted beyond the inner circle. This would greatly enhance privacy but would not curtail most services to several, albeit not all, common goods at issue.

An "interface" refers to processes and individuals that transmit information contained in medical records to users other than members of the inner circle by conducting various coding procedures, and in the process removing patients' names, addresses, phone and Social Security numbers, and a few other such items that could enable outsiders to identify the individuals. The information that is transmitted is coded instead by unique patient identifiers (U.P.I.s).

Unidentifiable information may at first seem useless, but for many purposes this type of information is all that is needed. For instance, for many medical research purposes it is sufficient to know from a patient's record that the individual scored X on variable Y, what the same person scored on a certain number of other variables, and so on. True, many of the personal attributes may need to be known, such as race, gender, age, but not the individual's identity--the name, address, and other such details that identify a specific person.

In the rare cases that information contained in the address of the patient or some other such highly personal details are critical to the research, those who provide the interface could "code" these details as well. Thus, instead of including the person's address as, say, 240 Central Park West, New York City, the person could be coded as living in a highly affluent, urban neighborhood in the northeastern United States. Instead of providing birthdays, the month and year of birth would suffice. It should be noted, though, that if the interface leaves out personal numbers such as the Social Security number and of course names, it will be difficult, although far from impossible, to correlate these databases with data from non-health care databases.

To the extent that such correlations are legitimately called for, special provisions would need to be made to allow interdatabase analyses by computers, releasing only the correlations and not individuals' identities. Special bonded inter-databank agents could be employed to carry out such correlations.

The information needs of quality control often are similar. A typical question is: If the patient's condition was X, Y, and Z, were proper procedures A, B, and C undertaken and in the correct sequence, given the patient's age, gender, and so on? To address these questions, still no personal identification is needed. The same can be said about several cost control procedures. For a patient with condition X, and other attributes including Y and Z, was a less costly or more costly procedure used? Most often, one would seek to establish a rate or identify a pattern of diagnoses, procedures, and referrals (how often does the particular physician or hospital err in the direction of expensive and unneeded procedures, for example), rather than try to second-guess every case.

A major concern might be that if a patient is treated at different medical facilities, data could not be collated if personal identifiers are removed. However, this issue largely can be resolved by giving each patient a unique identifying number he or she would provide in all encounters with medical care personnel. When the same patient is seen by different professionals or hospitals, and the data are aggregated by researchers or quality assurance programs, it will be known that the information is about one and the same person--but not who he or she is.

One may suggest that it will be all too easy for those who command considerable financial and technical resources, and who have access to the data that contain only information without individual identifiers, to correlate the U.P.I.s with data from other databases that contain individual identifiers, and thus establish who the persons are whose medical privacy is being protected. This may well be true. Still, U.P.I.s will limit many kinds of unauthorized use because they will prevent casual perusal of records.

Moreover, the introduction of an interface of the kind suggested establishes a new, clear line between legal and (what from then on will be) illegal uses of the data. Members of the intermediary and especially outer circles can no longer simply use (commit authorized abuse of) data that is legally generated by tapping into existing databases. If they persist, under the new arrangements they will have to engage in an activity whose one and only purpose will be to violate the confidentiality built into the data; in effect, to engage in code-breaking. Granted, even after such activities are defined as a violation of the law, abuse will not cease; completely airtight databases cannot be created. But the introduction of the interface will largely halt such illicit penetrations.
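The interface described above (removing names, addresses, phone and Social Security numbers; coding addresses to a region and birth dates to month and year; substituting a U.P.I. that stays constant for the same patient across facilities) and the bonded inter-databank agent that releases only correlations can be prototyped together. The block below is an added example and not the article's own design. Its assumptions: the interface holds a secret key that never leaves it, a U.P.I. is a keyed HMAC-SHA256 tag of a stable identifier (the SSN here) under that key, ZIP prefixes map to coarse regions through a constructed table, and all patient records and variables are constructed. Keying the U.P.I. is what gives the cross-facility linkage of the text while leaving an outsider holding only the released data unable to recompute identifiers.

```python
"""De-identifying interface with unique patient identifiers (U.P.I.s).

Added example, not code from the article. The interface key, ZIP-to-region
table, records and variables below are all constructed assumptions.
"""
import hashlib
import hmac
import math
from typing import Dict, List, Tuple

# Fields the interface strips before anything leaves the inner circle.
DIRECT_IDENTIFIERS = frozenset({"name", "address", "phone", "ssn", "birth_date"})

# Constructed ZIP-prefix to region coding (a real scheme would be richer).
ZIP_PREFIX_TO_REGION: Dict[str, str] = {
    "10": "northeast-urban", "33": "southeast-urban", "94": "west-urban",
}


class Interface:
    """The 'processes and individuals' that code records before release."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # held only by the interface; never released

    def upi(self, stable_id: str) -> str:
        """Keyed tag: same patient -> same U.P.I.; no key -> no recomputation.
        Truncated to 16 hex chars for readability (an assumption of the demo)."""
        tag = hmac.new(self._key, stable_id.encode("utf-8"), hashlib.sha256)
        return "UPI-" + tag.hexdigest()[:16]

    def release(self, record: dict) -> dict:
        """Copy of the record with direct identifiers removed and coded stand-ins."""
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["upi"] = self.upi(record["ssn"])
        out["region"] = ZIP_PREFIX_TO_REGION.get(record["address"]["zip"][:2], "other")
        out["birth_month"] = record["birth_date"][:7]  # "YYYY-MM", day dropped
        return out


def leaks_identifiers(released: dict) -> bool:
    """Check to run on every outgoing batch before it crosses the interface."""
    return any(k in released for k in DIRECT_IDENTIFIERS)


def bonded_agent_correlation(
    health: List[dict], external: List[dict], health_var: str, external_var: str
) -> Tuple[int, float]:
    """Join two U.P.I.-coded databases and release only (n, Pearson r).

    The joined rows never leave this function: this is the simplest form of
    the 'bonded inter-databank agent' role proposed in the text.
    """
    ext_by_upi = {row["upi"]: row for row in external}
    pairs = [
        (float(h[health_var]), float(ext_by_upi[h["upi"]][external_var]))
        for h in health if h["upi"] in ext_by_upi
    ]
    n = len(pairs)
    if n < 2:
        return n, float("nan")
    mx = sum(x for x, _ in pairs) / n
    my = sum(y for _, y in pairs) / n
    cov = sum((x - mx) * (y - my) for x, y in pairs)
    vx = sum((x - mx) ** 2 for x, _ in pairs)
    vy = sum((y - my) ** 2 for _, y in pairs)
    if vx == 0 or vy == 0:
        return n, float("nan")
    return n, cov / math.sqrt(vx * vy)


def demo() -> dict:
    """Four constructed patients at facility A, one of them seen again at
    facility B; an external, U.P.I.-coded list supplies ages for correlation."""
    iface = Interface(b"constructed-demo-key-do-not-reuse")

    def patient(i: int, zip_code: str, los: int) -> dict:
        return {"name": f"Patient {i}", "ssn": f"000-00-000{i}", "phone": f"555-010{i}",
                "address": {"street": f"{i} Example St", "zip": zip_code},
                "birth_date": f"195{i}-03-14", "condition": "X", "los_days": los}

    facility_a = [patient(1, "10001", 1), patient(2, "10002", 2),
                  patient(3, "33101", 3), patient(4, "94110", 4)]
    facility_b = [patient(1, "10001", 5)]  # patient 1 seen elsewhere
    released_a = [iface.release(r) for r in facility_a]
    released_b = [iface.release(r) for r in facility_b]
    # External database coded by the same interface, so it carries U.P.I.s
    # rather than names; the 'age' values are constructed.
    external = [{"upi": iface.upi(r["ssn"]), "age": 40 + 2 * r["los_days"]} for r in facility_a]
    n, r = bonded_agent_correlation(released_a, external, "los_days", "age")
    return {
        "linked_across_facilities": released_a[0]["upi"] == released_b[0]["upi"],
        "any_leak": any(leaks_identifiers(x) for x in released_a + released_b),
        "regions": [x["region"] for x in released_a],
        "n": n, "r": r,
    }
```

Two design notes. First, the linkage property the text wants (data from different hospitals are known to concern one and the same person, but not who) comes entirely from the key: anyone who obtains the key can regenerate U.P.I.s from SSNs, which is exactly the re-identification risk the paragraph above concedes, so the key belongs with the bonded agent and nowhere downstream. Second, the correlation function returns a statistic rather than the joined rows, which is the concrete meaning of "releasing only the correlations and not individuals' identities."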

(v) Institutional Remedy E: Capping as an Option. U.P.I.s will not work for those reimbursement programs that pay providers on the basis of procedures performed, time spent with the patient, and drugs or equipment handed out to the patient. The simple reason is that these programs work by linking the identity of the person who purchased the insurance policy, is enrolled in the particular HMO, or is entitled to Medicare or Medicaid, and the one for whom the said measures were taken. As a result, in the currently prevailing system, payment to providers is often conditioned on delivering highly detailed, specific, and individually identified medical information to members of the intermediary circle. Indeed, precisely because reimbursement differs according to the nature of the intervention, payers engage in the cumbersome and costly procedure of either seeking to approve before the fact the right of specific patients to gain specific interventions, or to haggle with the provider over how much of the intervention they may provide.

However, the particularly costly reimbursement arrangements of the American medical care system are not one of the common goods that have been identified. Indeed, they are a major reason the United States spends a much greater proportion of its health care dollars on administration than most other developed nations. Many would regard a simplification and streamlining of these arrangements a service to the common good. It should be noted, though, that within the existing medical care system there is a way to protect privacy much more effectively while still relying on the existing reimbursement system.

U.P.I.s can be employed in those reimbursement schemes that use "capitation," that is, that provide a fixed payment per member, per month to a health provider or plan for each member, regardless of the amount or type of care that person receives. In capitated systems there is no need to report the specifics of care given.

Whatever its other advantages or disadvantages, in principle, capping is much more compatible with privacy than other prevailing medical care payment systems. Hence, a privacy-minded polity could enact a law requiring that whenever people are provided by an employer or government program (such as Medicare) with a menu of alternative forms of health care insurance, the capped option must be included. It then would be up to the patients, who could draw on advice from different sources, such as consumer unions, health care newsletters, or their labor union, to decide if they prefer a program that provides more privacy but is capped or one that is leakier but not capped. One might suggest that here we are falling back on the individualistic model of choice. In effect, though, what is proposed is a change in the institutionalized options the public is offered, which will significantly restructure the choices available to it.

For those reimbursement schemes that are uncapped, one can imagine an approach that would minimize the potential for authorized abuse, but one must acknowledge that it flies in the face of the currently dominant approach of setting up leaky systems and then trying to ferret out abuses after the fact. In the envisioned system, whenever a group is insured and all its members pay the same premium for the same kind of insurance (or are given the same benefit by their employers), the reimbursable services provided to them would not be traced to a person but to a U.P.I. The insurance company would still be able to check whether service was excessive or inappropriate, given the attributes of the case on file. True, under the envisioned system insurance companies would not be able to draw on data from other sources about the same person (unless coded by the U.P.I.) to get information given to the companies by the treating professions that often take the side of the patient. This might be handled by indicating conditions under which the veil of U.P.I.s might be partially lifted, or better yet, a third, neutral body could investigate such matters. In any case, insurance companies' cost controls would be set back only to a limited extent, if at all, under the said system. However, they would no longer be able to sell these data to members of the outer circle, who would find it useless without personal identifiers.

All this is not to suggest that changes in the laws governing medical privacy should not be considered. Some such changes are needed to back up the suggested institutional reforms. And new legal limitations might be set on commercial trafficking in personal medical information. However, reliance on law is best activated when social arrangements do not suffice, and the needed legislation faces great political difficulties. This further points to the merits of building primarily on technological changes and institutional reforms.59


1. Booth Gunter, "Its No Secret: What You Tell Your Doctor - and What Medical Documents Reveal About You - May Be Open to the Scrutiny of Insurers, Employers, Lenders, Credit Bureaus, and Others," The Tampa Tribune, 6 October 1996, 1.

2. Donna E. Shalala, U.S. Secretary of Health and Human Services, speech delivered at National Press Club, Washington, D.C., 31 July 1997.

3. Matthew Brelis, "Patients' Files Allegedly Used for Obscene Calls," The Boston Globe, 11 April 1995, 1.

4. Bill Siwicki, "Health Data Security: A New Priority," Health Data Management, September 1997; Doug Stanley and Craig S. Palosky, "HIV Tracked on Unauthorized Lists," The Tampa Tribune, 35 October 1996, 1.

5. Institute of Medicine, Health Data in the Information Age: Use, Disclosure, and Privacy, (Washington, D.C.: National Academy Press, 1994), 140.

6. Prepared Statement of A.G. Breitstein, J.D., Director, JRI Health Law Institute, Before the Senate Committee on Labor and Human Resources, 28 October 1997; Sen. Patrick J. Leahy, Testimony Before Hearing of the Senate Labor and Human Resources Committee on Confidential Medical Information.

7. National Academy of Sciences, op. cit., 22-3.

8. Carol Hymowitz, "Psychotherapy Patients Pay a Price for Privacy," Wall Street Journal, 22 January 1998, B1; John Riley,"When You Can't Keep a Secret/Insurers' Cost-Cutters Demand Your Medical Details," Newsday, 1 April 1996, 7A.

9. See National Academy of Sciences, op. cit., which is devoted to the subject.

10. Office of Technology Assessment, op. cit., 6.

11. Office of Technology Assessment, op. cit., 11.

12. John Riley, "Know and Tell: Sharing Medical Data Becomes Prescription for Profit," Newsday, 2 April 1996, A06.

13. International Research Bureau, Inc., available: http://www.irb-online.com/services.html; Nina Bernstein, "On Line, High-Tech Sleuths Find Private Facts," The New York Times, 15 September 1997, A1.

14. Institute of Medicine, op. cit., 3.

15. Workgroup for Electronic Data Interchange, "Appendix 4: Confidentiality and Antitrust Issues," in Report to Secretary of U.S. Department of Health and Human Services, July 1992, 19.

16. David F. Linowes, "A Research Survey of Privacy in the workplace," unpublished white paper available from University of Illinois at Urbana-Champaign.

17. U.S. Congress, Office of Technology Assessment, Medical Monitoring and Screening in the Workplace: Results of a Survey (Washington, D.C.: U.S. Government Printing Office, October 1991).

18. "New Medical Privacy Law to be Proposed," Medical Industry Today, 12 August 1997. Also cited in Robert Pear, "Clinton to Back a Law on Patient Privacy," The New York Times, 10 August 1997, 22.

19. Gina Kolata, "When Patients' Records Are Commodities for Sale," The New York Times, 15 November 1995, A1. National Academy of Sciences, op. cit., 32.

20. See, for example, L.N. Geller et al., "Individual, Family, and Societal Dimensions of Genetic Discrimination: A Case Study Analysis," Science and Engineering Ethics 2 (1996): 71-88, cited in National Academy of Sciences, For the Record: Processing Electronic Health Information (Washington, D.C.: National Academy Press, 1997), 77; Samuel Greengard, "Genetic Testing; Should You Be Afraid?" Workforce, July 1997; Suzanne E. Stipe, "Genetic Testing Battle Pits Insurers Against Consumers," Best's Review--Life/Health Insurance Edition, August 1996; Testimony of Sen. Olympia Snowe on Genetic Information Technology Before the Hearing of the Senate Labor and Human Resources Committee, 21 May 1998.

21. National Academy of Sciences, op. cit., 77. "Who's Reading Your Medical Records?" op. cit.

22. "Who's Reading Your Medical Records?" op. cit., 31.

23. National Committee on Vital and Health Statistics, "Health Privacy and Confidentiality Recommendations," 25 June 1997. Available: http://aspe.os.hhs.gov/nchvs/privrecs.htm.

24. Health Care Information Privacy, Louis Harris and Associates poll conducted for Equifax, 1993.

25. "Who's Reading Your Medical Records?" Consumer Reports, October 94, 628-32. Reprinted in Robert Emmet Long, Rights to Privacy (New York: H.W. Wilson Company, 1997), 71-80 at 72.

26. Brian J. Taylor, "The Screening of America: Crime, Cops, and Cameras," Reason, May 1997, 44.

27. Solveig Singleton, "Privacy as Censorship: A Skeptical View of Proposals to Regulate Privacy in the Private Sector," Cato Policy Analysis No. 295 (Washington, D.C.: Cato Institute), 22 January 1998, 1.

28. Robert Pear, "Plan Would Broaden Access of Police to Medical Records," The New York Times, 10 September 1997, A15.

29. Both recommendations are outlined in "Confidentiality of Individually-Identifiable Health Information," Recommendations of the Secretary of Health and Human Services to the Committee on Labor and Human Resources and the Committee on Finance of the Senate and the Committee on Commerce and the Committee on Ways and Means of the House of Representatives, 11 September 1997. Available: http://aspe.os.dhhs.gov/admnsimp/pvcrecO.htm.

30. Ibid.

31. See discussion of interface/inter-databank agents, below.

32. L. Joseph Melton III, "The Threat to Medical-Records Research," New England Journal of Medicine 337 (1997): 1468.

33. Robert H. Brook and Kathleen N. Lohr, "Will We Need to Ration Effective Health Care?" Issues in Science and Technology 3 (1986): 68-77, Barry Meier, "Rx for a System in Crisis," The New York Times, 6 October 1991, 18; Stephen C. Schoenbaum, "Toward Fewer Procedures and Better Outcomes," JAMA-The Journal of the American Medical Association 269 (1993): 794-796. Schoenbaum states: "It should be disturbing to us as a profession that we have so few outcomes data and use so few in our practices. Most of us do not learn enough in our training to collect or analyze our own data or to interpret consistently the work of others."

34. Robert H. Brook and Kathleen N. Lohr, "Will We Need to Ration Effective Health Care?" Issues in Science and Technology 3 (1986): 68-77. Reprinted as RAND Report N-3375-HHS.

35. See, for example, Richard S. Dick and Elaine B. Steen, eds., The Computer-Based Patient Record: Essential Technology for Health Care (Washington, D.C.: National Academy Press, 1991): 13-19, 24; S.L. Yenney, "Solving the Health Data Management Puzzle," Business Health, September 1990, 41-49, cited in Lawrence O. Gostin, et al., "Privacy and Security of Personal Information in a New Health Care System," JAMA--The Journal of the American Medical Association 270 (1993): 2488, 2493.

36. Office of Technology Assessment, op. cit., 59.

37. Workgroup for Electronic Data Interchange, "Appendix 4," op. cit., 1.

38. Office of Technology Assessment, op. cit., 59.

39. Janlori Goldman and Deirdre Mulligan, Privacy and Health Information Systems: A Guide to Protecting Patient Confidentiality (Washington, DC: Center for Democracy and Technology, 19.06), 5-6.

40. Institute of Medicine, op. cit., 158.

41. Institute of Medicine, op. cit., 150. See also Glenn McGee, "Subject to Payment? Cash and Informed Consent," Penn Bioethics 3 (1997): 3, 5.

42. Institute of Medicine, op. cit., 150. Emphasis added.

43. Office of Technology Assessment, op. cit., 56.

44. Office of Technology Assessment, op. cit., 60.

45. Ibid.

46. Office of Technology Assessment, op. cit., 60.

47. Christine Gorman, "Who's Looking at Your Files?" Time, 6 May 1996. Reprinted in Robert Emmet Long, ed., Rights to Privacy (New York: H.W. Wilson Company, 1997), 81-94 at 62-3.

48. L.J. Melton III, "The Threat to Medical-Records Research," New England Journal of Medicine 337 (1997): 1467.

49. Ibid., 1467-8.

50. Arnold J. Rosoff, Informed Consent: A Guide for Health Care Providers (Rockville, Md.: Aspen Systems Corporation, 1991), 5.

51. Melton, op. cit., 1467.

52. Robert Bellah, et al., The Good Society (New York: Alfred A. Knopf, 1991); Michael J. Sandel, Liberalism and the Limits of Justice (Cambridge: Cambridge University Press, 1982); Etzioni, The New Golden Rule, op. cit.

53. Bellah, et al., op. cit., 40.

54. Etzioni, The New Golden Rule, op. cit., 93ff.

55. Prepared Statement of Yank D. Coble, Jr., M.D. for the American Medical Association before the House Committee on Commerce Task Force on Health Records and Genetic Privacy, Subject: Privacy, Confidentiality and Discrimination in Genetics. Dr. Coble states: "(P)hysicians and other entities regularly deal with categories of extra-sensitive information which have been afforded specific legislative projections above and beyond that applicable to more generalized records (e.g., HIV/AIDS information...)."

56. National Academy of Sciences, op. cit., 8, 93-7.

57. Office of Technology Assessment, op. cit., 48-9.

58. Office of Technology Assessment, op. cit., 6.

59. For documentation see Amitai Etzioni, The Limits of Privacy, forthcoming (New York: Basic Books, 1999).

© 1999 The Hastings Center. Reprinted by permission. This article originally appeared in the Hastings Center Report vol. 29, no.2, March-April 1999. The Hastings Center Report is sent six times a year to members of The Hastings Center. For information regarding membership, please be in touch with Membership Department, The Hastings Center, Route 9D, Garrison, NY 10524; phone (914)424-4040; fax (914) 424-4931.

This essay draws on my book The Limits of Privacy to be published by Basic Books in 1999.


The Communitarian Network
2130 H Street, NW, Suite 703
Washington, DC 20052