322. "Our medical records are about to get more privacy," USA Today, (January 25, 2000), page 15A.
I was at a Johns Hopkins Hospital outpatient clinic talking to a genetic counselor because, as an Ashkenazi Jew, I belong to one of those groups whose members tend to carry a gene predisposing them to a specific genetic illness. In my case, it was colon cancer, which had killed my father. What the counselor told me was stunning -- even though it had to do with my privacy, not my health.
"If you do not pay cash, the results of the tests will be all over the place," the counselor warned. "Future employers may well find out about them."
The counselor, I found out, was correct: No federal law protects our medical privacy, and state privacy laws are a haphazard patchwork of statutes often ignored with impunity by Internet sleuths.
This now is supposed to end. The Clinton administration has proposed regulations concerning medical privacy that are open for public comment until Feb. 17. Congress limited the reach of these proposed regulations to electronically stored records, but those are a rapidly growing proportion of all records.
These new regulations would be the first large-scale introduction of government controls into cyberspace, laying to rest the fantasy that cyberspace could be a new world in which people would govern themselves without state intervention, a utopia nourished by libertarians and cyber-idealists.
Surprisingly, the public has had little to say about the suggested regulations. The Department of Health and Human Services reported that about 200 comments were made by the end of last year; 6,000 had been expected.
One of the greatest virtues of the suggested regulations is that they eschew the libertarian philosophy that information about us is our property and so we must consent for each specific use, secondary use and sale to a third party. Given that each of the hundreds of pieces of information about us is used numerous times, we would be spending half of our days clicking "yes," "no" and "first pay me" if we took that approach.
We also would need lawyers to understand the privacy "contracts" offered us. (Did you notice that the consent form you regularly sign in doctors' offices and hospitals to release your medical information to your HMO or health insurance company does not limit what they can do with the data?)
Instead, the suggested regulations rely on the government to protect us. Personal medical information, officials say, can be shared with health care professionals and health insurers, but not with employers, banks, marketers and others who have no legitimate business seeing it.
Regulations often have weak teeth, but the penalties for violating the suggested new regulations are quite hefty.
An unintended violation may lead to a $ 25,000 penalty. A willful violation doubles the fine and can land one in the pokey for a year. Someone attempting to sell information for "commercial advantage, personal gain or malicious harm" may be hit with a $ 250,000 fine and have to serve 10 years in prison. These teeth are likely to leave their marks on potential violators of medical privacy.
Another attractive feature of the new regulations is that they call for releasing only the minimally needed information rather than the whole record. Thus, an employer processing an insurance claim for a work-related injury would not receive the employee's entire medical history. The employer, for example, has no need -- or right -- to know whether the person has herpes or had an abortion.
Critics have been up in arms about one feature of the suggested regulations: They will allow patients to see their medical records and demand that their doctors correct the records if the patients feel that the information is invalid. Doctors who refuse must go through an administrative review process. Critics claim that this feature alone will cost health care providers $ 4 billion over five years. The government, which assumes that only 1% of patients will want to see their records, says the cost, at most, will be $ 2 billion for the same period.
My concern is different. Ever since recommendation letters written by professors became documents their students could scrutinize, many professors have become rather leery about saying anything unflattering. Consequently, these letters have lost much of their value. If the same happens to medical records, physicians soon will cease to note that someone has alcoholic tendencies and instead may note that the patient has a "fine appreciation of wine." The notation "obese" will be replaced with "well nourished," and so on.
Doctors already feel beleaguered and flooded by paperwork. The last thing they want to do is quarrel with their patients over file notations. "I'll put in anything they want," said my wife, Dr. Patricia D. Kellogg, who practices in Rockville, Md.
This issue could be minimized if patients were allowed to augment their files, adding their own views but not requiring the physicians to change theirs. Regulations also should require that these comments accompany the patient's file wherever it travels. Readers who favor the administration's approach on this point better let their views be known, because, so far, this aspect of the regulations has received largely critical comments. (To read the regulations on the Internet, go to www.hhs.gov/hottopics/healthinfo/index.html.)
Another feature of the proposed regulations that needs to be recast concerns a problem that often arises when privacy is better protected: It undermines some common good. In this case, medical research is seriously threatened.
The regulations require personal identifiers (names, addresses, phone numbers, Social Security numbers) to be removed from medical data and destroyed "at the earliest opportunity . . . unless there is a health or research justification for retaining the identifiers." If this loophole were to be used frequently, it would subvert the intent of the regulation. If the loophole is ignored and most personal identifiers are destroyed as the regulation requires, it will be impossible to combine new data with most existing data, which are built around such personal identifiers.
Instead, it would make sense to create a small number of medical data "Fort Knoxes" in which personal identifiers are held and in which bonded personnel would combine new data with old ones. Medical research is too important for all of us to be severely hobbled in order to strengthen medical privacy.
All in all, in an age when we are often critical of what the government does -- and for good reason -- these regulations seem a giant leap forward, the largest since the right for privacy was created.
Oh, do you want to know the results of my genetic test? Boot up your PC; at the moment, it is still legal for you to pull them up.