331. "Locking up medical data," The National Law Journal (May 22, 2000), page A22.
There are no federal laws that protect medical privacy in the private sector. Medical records are traded over the Internet. Employers use them to refuse to hire or promote those considered a poor risk. Banks call in loans of people who have had heart attacks. And pharmaceutical companies use information corralled from drug stores to urge patients to ask their doctors for the pills they're pushing.
All this is now supposed to end. The Clinton administration has posted some 600 pages of regulations concerning medical privacy for public comment. Later in the year, these are to become the law of the land. These new regulations also amount to the first large- scale introduction of government controls into cyberspace.
The suggested regulations rely mainly on the government to protect information, rather than on contracts or on individual consent. They do so by designating three different circles: the immediate circle -- those who directly care for the patient; the intermediary circle -- those dealing with reimbursement and management of health care, especially health insurers and HMOs; and the outer circles of employers, pharmaceutical corporations, banks and the media.
The regulations require that the inner circle release to the intermediary circle only the minimum information needed, rather than an entire medical record, as well as banning many disclosures to members of the outer circle, which occur frequently now. Accordingly, personal medical information can be shared with health professionals and insurers but not employers, banks, marketers and others who have no legitimate reason to see it.
Moreover, although regulations often have rather weak teeth, the penalties contained in the new regulations are quite hefty. An unintended violation may trigger a $ 25,000 penalty. A willful violation doubles the fine and, potentially, may land one in the pokey for a year. Someone attempting to sell information for "commercial advantage, personal gain or malicious harm" may be hit with a $ 250,000 fine and serve 10 years in prison.
Fear of reprisal
Critics have been up in arms about one feature of the suggested regulations. It allows patients to see their medical records and demand that their doctors correct the records if the patients feel that their information is invalid. If the doctors refuse, they will have to go through an administrative review process. To use a parallel example: Ever since recommendation letters written by professors have become documents that students can scrutinize, most professors have become leery about saying anything unflattering, so these letters have lost much of their value. If the same happens to medical records, physicians may cease to note that someone has alcoholic tendencies and instead may note that the patient has a "fine appreciation of wine."
This issue could be minimized if patients were allowed to augment their file, adding their own views but not requiring the physicians to change theirs. The regulations should, of course, require that these comments accompany a patient's file wherever it travels.
Another feature of the regulations that needs to be recast concerns a problem that often arises when privacy is better protected: It undermines some common good. In this case medical research is seriously threatened. The regulations require removing personal identifiers (names, addresses, phone numbers, Social Security numbers) from medical data and "destroying them at the earliest opportunity." This would make it impossible to combine such data (which will no longer have personal identifiers) with most existing data that are built around such personal identifiers.
Instead it would make sense to create a small number of medical data "Fort Knoxes" in which personal identifiers are held, and in which bonded personnel would combine new data with the old. Surely some other compromises might be worked out, but medical research is too important for all of us to be severely hobbled so that medical privacy might be strengthened.
All in all, in an age when we are often critical of what the government does, and with good reason, these regulations seem a giant leap forward -- the largest since the right to privacy was created.
Prof. Etzioni is the author of, most recently, The Limits of Privacy (New York: Basic Books, 1999).