1 Introduction, Summary, and Options

Computerization of health care information, while offering new opportunities to improve and streamline the health care delivery system, also presents new challenges to individual privacy interests in personal health care data. Technical capabilities to secure and maintain confidentiality in data must work in tandem with legislation to preserve those privacy interests while making appropriate information available for approved uses.

BACKGROUND AND STUDY APPROACH

Previously, the Office of Technology Assessment has explored the need to protect the confidentiality and integrity of data and information that is processed and transmitted using communications and computer technology.[1] OTA's objectives for this study were to:

o examine the technology enabling the computerization and networking of medical information,
o identify privacy issues arising from computerization,
o examine the law dealing with privacy in medical information, and
o examine models and rules to protect privacy, and determine whether new technologies can ensure privacy in the area of medical records.

To accomplish these objectives, OTA sought the opinions, attitudes, and perceptions of the stakeholders in academia, medicine, and the legal profession; researchers in computer and information system security; government agencies; and public interest groups. This was accomplished through interviews, correspondence, and public participation in two workshops.[2]

OTA explored the issue of privacy in computerized medical information by addressing questions such as:

o What are the issues with respect to privacy in paper systems for health information? How will these issues change with computerization? What new issues will arise?
o To what extent can technology address the confidentiality and privacy of computerized health care information? What are the limitations of the technologies? Are the most serious threats to privacy internal to the computer systems designed for this information, external to them, or both?
o What is the impact of creating a large databank of easily accessible health care information? What kind of uses will there be for the information? Will additional demands for information be spurred by its ready availability? How must these demands for information be dealt with?
o How must underlying issues, such as the perceived need for a unique patient identifier, the content of the patient record, and patient consent to disclosure of information, be addressed?
o How has the law traditionally dealt with concerns about privacy in medical information? What role might new legislation play in addressing these concerns?

What Is Health Care Information?

The Institute of Medicine report, The Computer-Based Patient Record: An Essential Technology for Health Care[3] (hereinafter referred to as the "IOM report"), recommends that health care professionals and organizations should adopt the computer-based patient record for use in online systems as the standard for medical and all other records related to patient care. Computer-based patient records would replace the present system of paper records. Whether on paper or in electronic form, the information contained in patient records is the core of what is often understood to be "health care information," information about patients generated and maintained throughout the health care industry in providing health care services (see figure 1-1). But the patient record, generated and maintained by the health care provider and the patient in the course of the patient's health care, is only a part of the health information collected and maintained on individuals.[4] Parties who are not directly involved in patient care also gather and maintain health care information, and are often referred to as secondary users of the information. (For further discussion of secondary users of health care information, see box 2-F, and ch. 2.) Among these are educational institutions, the civil and criminal justice systems, pharmacies, life and health insurers,[5] rehabilitation and social welfare programs, credit agencies and banking centers, public health agencies, and medical and social researchers (see figure 1-2).

As a result, in exploring appropriate ways to protect privacy, proposed definitions of what constitutes "health information" or "health care information" vary, but tend to consider health care information to be inclusive of more than the patient record itself. The American Medical Association's (AMA's) Proposed Revisions to its Model State Bill on Confidentiality of Health Care Information defines the term "confidential health care information" as:

    . . . information relating to a person's health care history, diagnosis, condition, treatment, or evaluation, regardless of whether such information is in the form of paper, preserved on microfilm or stored in computer-retrievable form.

The American Health Information Management Association's Health Information Model Legislation Language refers to "health care information" even more broadly as:

    . . . any data or information, whether oral or recorded in any form or medium, that identifies or can readily be associated with the identity of a patient or other record subject; and 1) relates to a patient's health care; or 2) is obtained in the course of a patient's health care from a health care provider, from the patient, from a member of the patient's family or an individual with whom the patient has a close personal relationship, or from the patient's legal representative.

This report will refer to health care information as defined in this manner. This definition includes a range of medical information generated, gathered, and stored about individuals. It recognizes that the full range of health care information must be protected.
THE NEED FOR PRIVACY IN HEALTH CARE INFORMATION

Health information and the medical record include sensitive personal information that reveals some of the most intimate aspects of an individual's life. In addition to diagnostic and testing information, the medical record includes the details of a person's family history, genetic testing, history of diseases and treatments, history of drug use, sexual orientation and practices, and testing for sexually transmitted disease. Subjective remarks about a patient's demeanor, character, and mental state are sometimes a part of the record. The medical record is the primary source for much of the health care information sought by parties outside the direct health care delivery relationship, such as prescription drug use, treatment outcomes, and reason for and length of hospital stay.

These data are important because health care information can influence decisions about an individual's access to credit, admission to educational institutions, and his or her ability to secure employment and obtain insurance. Inaccuracies in the information, or its improper disclosure, can deny an individual access to these basic necessities of life, and can threaten an individual's personal and financial well-being.

Yet at the same time, accurate and comprehensive health care information is critical to the quality of health care delivery, and to the physician-patient relationship. Many believe that the efficacy of the health care relationship depends on the patient's understanding that the information recorded by a physician will not be disclosed. Many patients might refuse to provide physicians with certain types of information needed to render appropriate care if patients do not believe that information would remain confidential.[6] (For a discussion of the distinction between the terms "privacy" and "confidentiality" and for definitions of these terms for purposes of this report, see box 1-A.) In addition to serving the physician-patient relationship and the delivery of personal health care, this information is a source of important data for insurance reimbursement. When aggregated, it can assist in monitoring quality control of health care delivery by providing resources for medical research.

The lack of proper protections for privacy could lead to (and has, in some cases) the physician's withholding information from a record, maintaining a second complete record outside of the computerized system, or at the extreme, creating a market for health care delivered without computer documentation.[7] Safeguards to privacy in individual health care information are imperative to preserve the health care delivery relationship and the integrity of the patient record.

Many interests compete in the collection, use, and dissemination of medical records. In the case of United States of America v. Westinghouse Electric, the Court of Appeals for the Third Circuit set guidelines to be used by a court in weighing the individual's privacy interest in medical records against the need for public agency access to information:

    Thus, as in most other areas of the law, we must engage in the delicate task of weighing competing interests. The factors which should be considered in deciding whether an intrusion into an individual's privacy is justified are the type of record requested, the information it does or might contain, the potential for harm in any subsequent nonconsensual disclosure, the injury from disclosure to the relationship in which the record is generated, the adequacy of safeguards to prevent unauthorized disclosure, the degree of need for access, and whether there is an express statutory mandate, articulated public policy or other recognizable public interest militating toward access.[8]

Similarly, whatever the technology employed to computerize medical information, decisions about data privacy also involve striking a balance, in this case between the individual's right to privacy and the cost of security, the inherent impediment security measures present to the ready accessibility of data, and the societal benefits of access to information. On the basis of the Institute of Medicine's report and the consensus among stakeholders that computerization will go forward, OTA did not analyze the question of whether computerization of patient information is appropriate to the interests of individual privacy.

THE COMPUTERIZATION OF MEDICAL RECORDS

While some aspects of the health care industry continue to rely on a paper record system, in recent years, individual medical practices and institutions have computerized parts of their recordkeeping. Computer software vendors have developed systems to streamline record-keeping and administrative functions. Traditionally, however, computer systems for patient information have been largely associated with medical centers, hospitals, or offices. Departments within these facilities have been linked to provide for access and exchange of information among practitioners and administrators within an institution.
Currently, however, the health care industry is moving toward linking these institutions through a proposed information infrastructure (computers and information systems) and the communications networks. The IOM report advocates computerization of patient records and health care information in online systems to improve the quality of patient care, advance medical science, lower health care costs, and enhance the education of health care professionals. It envisions that the computerized patient record will "provide new dimensions of record functionality through links to other databases, decision support tools and reliable transmission of detailed information across substantial distances."[9]

Linkages would allow transfer of patient data from one care facility to another (e.g., from physician office to hospital) to coordinate services, and would allow collation of clinical records of each patient over a period of time among providers and at various health care sites.[10] This would provide a longitudinal record, one that forms a cradle-to-grave view of a patient's health care history.[11] The IOM report further envisions extraction of data by secondary users (policymakers and clinical researchers) from data in the computer-based patient record.

The Report of the Workgroup for Electronic Data Interchange[12] similarly envisions electronically connecting the health care industry by an integrated system of electronic communication networks that would allow any entity within the health care system to exchange information and process transactions with any other entity in the industry. This capability, the workgroup asserts, could lead to a reduction of administrative and health care delivery costs.

As a result of the linkage of computers, patient information will no longer be maintained, be accessed, or even necessarily originate with a single institution, but will instead travel among a myriad of facilities. As a result, the limited protection to privacy of health care information now in place will be further strained. Existing models for data protection, which place responsibility for privacy on individual institutions, will no longer be workable for new systems of computer linkage and exchange of information across high-performance, interactive networks. New approaches to data protection must track the flow of the data itself.

Smart cards have been proposed as a means to computerize and maintain health care information. A smart card is a credit card-sized device containing one or more integrated circuit chips that can store, process and exchange information with a computer (see figure 1-3). Smart card systems are used on a limited basis in some areas of the United States for medical purposes. They are used on a wide scale in France, and are being tested in other European countries to facilitate delivery of health care services. Smart cards can function in two ways: 1) to store information, which can be accessed when a patient presents the card to a health care practitioner, and/or 2) as an access control device, carrying out security functions to maintain a more secure and efficient access control system for health care information computer systems.

Some describe smart cards as the ultimate in a distributed database that can meet the needs for access control and consent to disclosure, but critics cite shortcomings of the cards with respect to patient privacy. Among these is the proposal that such a system involve a backup database of the information that is contained on each card, which would arguably present many of the same privacy problems that an online system would have.[13] (For a discussion of the privacy challenges presented by online systems and smart card systems, see box 1-B.) Some are concerned that individuals may not even know the content of the information they are carrying on the card.[14] Others worry that the card marks a step in a move toward a national identification card, and that individuals will at some point be asked to present a card for identification purposes that contains a tremendous amount of highly personal information.[15]

Computerization of Health Care Information by Private Companies

In addition to efforts by the health care industry to establish an online computer network of patient records, private companies have begun to act on the commercial incentive to collect health care data. Information is, in some cases, gathered on specific individuals to assist the insurance underwriting industry; in other cases, companies offer such computer services as health insurance claims-processing, office management, or patient billing. (See box 2-F.) These companies use the medical information made available to them by gathering and selling aggregate information, usually without patient knowledge or consent (although with the knowledge of a participating physician). These practices, for the most part, are currently legal, although the businesses in question operate under no regulatory guidelines regarding security measures, use of patient identifiers, requirements for training of personnel about privacy concerns, company confidentiality policies, or protocols for gathering, selling, or transferring data. Aware of public concerns about privacy, these companies have taken steps to address the issue of confidentiality in the data through security and confidentiality measures, employee education, and personnel and confidentiality policies.
Security and Confidentiality Measures

For online computer systems, security is generally provided by use of user identification names and passwords, and by user-specific menus to control access to functions and to limit access of the user to the information he or she legitimately needs. In addition to these measures, some systems use audit trails to record significant events on a system that may be inspected and traced when a suspicious event occurs. Supplementing these technological measures, organizational education, policies, and disciplinary actions attempt to ensure that confidentiality is maintained within the system. Smart cards can also play a role in system security, functioning as an access control device, serving the security functions that are normally carried out by the user, including entering passwords and PINs (personal identification numbers). A more extensive discussion of the use of smart cards for access control is in chapter 3, and a further discussion of computer security measures is in appendix A.

A major focus of security and confidentiality measures is preventing privacy invasion by trusted insiders. Prosecutions of U.S. Federal Government employees for unlawful disclosure of personal information indicate the risk of invasion of privacy perpetrated by trusted insiders, who, motivated by financial incentives to supplement their income, sell personal information. While resources can be directed toward minimizing the risk of abuse of information by insiders, no system can be made totally secure through technology, and the greatest perceived threat to privacy in medical information exists in the potential for abuse of authorized internal access to information by persons within the system, whether paper or computer based.
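As an added illustration (not code from the OTA report), the following Python sketch models the two measures just described for online systems: role-specific function menus that limit a user to what he or she legitimately needs, and an audit trail that records every attempt so that a reviewer can later pick out a trusted insider who is harvesting records rather than consulting the few needed for a given task. The roles, user names, patient identifiers, record fields and the review threshold are all constructed for the example.

```python
"""Access control with an audit trail over a toy patient-record store.

Added example, not from the OTA report. It models two of the measures the
report describes for online systems: user-specific function menus that limit
each user to what he or she legitimately needs, and an audit trail of
significant events that can be inspected when abuse of authorized access is
suspected. Roles, users, patient ids, fields and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Role -> functions offered on that role's menu (least privilege). Constructed.
MENUS = {
    "attending": {"view_record"},
    "billing": {"view_billing"},
    "researcher": {"view_aggregate"},
}


@dataclass
class AuditEvent:
    time: int                 # seconds since an arbitrary epoch (constructed)
    user: str
    role: str
    function: str
    patient: Optional[str]
    allowed: bool


@dataclass
class RecordSystem:
    records: dict             # patient id -> {"diagnosis": ..., "charges": ...}
    audit: list = field(default_factory=list)

    def call(self, time, user, role, function, patient=None):
        """Invoke a menu function on behalf of `user`.

        Every attempt, whether allowed or refused, is written to the audit
        trail before any data is touched, so the trail stays complete even
        when the request is denied."""
        allowed = function in MENUS.get(role, set())
        self.audit.append(AuditEvent(time, user, role, function, patient, allowed))
        if not allowed:
            return None
        if function == "view_record":
            return self.records.get(patient)
        if function == "view_billing":
            rec = self.records.get(patient)
            return {"patient": patient, "charges": rec["charges"]} if rec else None
        if function == "view_aggregate":
            # Researchers get counts per diagnosis, never an identified record.
            counts = defaultdict(int)
            for rec in self.records.values():
                counts[rec["diagnosis"]] += 1
            return dict(counts)
        return None


def flag_bulk_access(audit, window, max_patients):
    """Return {user: distinct patients} for users whose allowed views touched
    more than `max_patients` distinct patients inside any `window` seconds.

    This is the insider pattern the report warns about: a legitimately
    authorized user using that access to pull far more records than a
    single episode of care or claim could need."""
    by_user = defaultdict(list)
    for ev in audit:
        if ev.allowed and ev.patient is not None and ev.function.startswith("view"):
            by_user[ev.user].append((ev.time, ev.patient))
    flagged = {}
    for user, views in by_user.items():
        views.sort()
        for i, (start, _) in enumerate(views):
            seen = {p for t, p in views[i:] if t - start <= window}
            if len(seen) > max_patients:
                flagged[user] = len(seen)
                break
    return flagged


def denied_attempts(audit):
    """(user, function) pairs that were refused; repeated refusals by one user
    are an early signal worth a reviewer's attention."""
    return [(ev.user, ev.function) for ev in audit if not ev.allowed]


def build_sample():
    """Constructed scenario: a clinician reviewing her own patients at a normal
    pace, a billing clerk pulling every patient in the system within a minute,
    and a researcher who first tries an identified view before using the
    aggregate function the menu actually offers."""
    records = {f"P{i:03d}": {"diagnosis": "dx-A" if i % 2 else "dx-B",
                             "charges": 100 * i} for i in range(1, 13)}
    system = RecordSystem(records)
    for n, pid in enumerate(("P001", "P002", "P003")):
        system.call(200 * n, "dr_ames", "attending", "view_record", pid)
    for i in range(1, 13):
        system.call(1000 + 5 * i, "clerk_bo", "billing", "view_billing", f"P{i:03d}")
    system.call(2000, "res_cy", "researcher", "view_record", "P001")    # refused
    system.call(2001, "res_cy", "researcher", "view_aggregate")          # allowed
    return system


if __name__ == "__main__":
    s = build_sample()
    print("bulk access:", flag_bulk_access(s.audit, window=300, max_patients=5))
    print("denied:", denied_attempts(s.audit))
```

The review threshold is deliberately a policy knob: what counts as an abnormal number of records per window depends on the role and the institution, which is why the report pairs technical measures with organizational policy.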
PROTECTION FOR PRIVACY IN HEALTH CARE INFORMATION

Privacy in health care information has been protected through primarily two sources: 1) in the historical ethical obligations of the health care provider to maintain the confidentiality of medical information; and 2) in a legal right to privacy, both generally and specifically, in health care information. The present system of protection for health care information offers a patchwork of codes; State laws of varying scope; and Federal laws applicable to only limited kinds of information, or information maintained specifically by the Federal Government. The present legal scheme does not provide consistent, comprehensive protection for privacy in health care information, whether it exists in a paper or computerized environment.

Ethical Sources

The physician's[16] confidentiality obligation can be found in the Oath of Hippocrates, written between the Sixth Century B.C.E. and the First Century B.C.E. The Hippocratic Oath provided that what the physician saw or heard in the course of treatment "which should not be published abroad" would be kept in confidence. Later codes of medical ethics included language addressing the issue of confidentiality of information. The American Medical Association's Code of Ethics has evolved since its adoption; the obligation to preserve patient confidentiality remained in the 1980 code, but without guidelines about how to respond to requests for information from secondary users of medical information, such as researchers, police, and Federal agencies. Recent AMA policy statements set forth in more detail the responsibilities of physicians with regard to confidentiality of patient information and issues surrounding the medical record. In its Code of Medical Ethics, Current Opinion, 1992, the AMA states its belief that the information disclosed to a physician during the course of the relationship between the doctor and patient is confidential to the greatest possible degree, and outlines particular instances when the obligation to safeguard patient confidences is subject to exceptions for legal and ethical reasons. Professional ethical codes do not possess the force of law, but may be enforced through bodies such as the disciplinary board of the professional organization, or may serve as evidence of a provider's breach of his or her legal duty to maintain confidentiality.

Legal Origins

Although the Bill of Rights does not specifically set forth a right to privacy, a right to privacy in information has been upheld by the Supreme Court in a series of cases beginning in the 1950s. The Court looked to the first amendment and due process clause, the fourth amendment protection against unreasonable searches and seizures, and the fifth amendment protection against self-incrimination as sources of the right. A later case, Griswold v. Connecticut,[17] talked of the zone of privacy created by the first, third, fourth, fifth and ninth amendments. However, in two cases decided in 1976, the Court did not recognize a constitutional right to privacy that protected erroneous information in a flyer listing active shoplifters, or one that protected the individual's interest with respect to bank records. (For further discussion of the Supreme Court's analysis of a right to privacy, see box 2-B.)

FEDERAL LAW

While some Federal laws address the question of privacy in certain information collected and maintained by the Federal Government, no Federal statute defines an individual's specific right to privacy in his or her personal health care information held in the private sector and by State or local governments. At the Federal Government level, the Privacy Act of 1974[18] specifically endorses the finding that privacy is a fundamental constitutional right. Designed to protect individuals from Federal Government disclosure of confidential information, the Privacy Act prohibits Federal agencies (including Federal hospitals) from disclosing information contained in a system of records to any person or agency without the written consent of the individual to whom the information pertains, and stipulates that Federal agencies meet certain requirements for the handling of confidential information.

In addition to the requirements of the Privacy Act, Federal law, by statute and implementing regulations, prescribes confidentiality requirements for records of patients who seek drug or alcohol treatment at federally funded facilities. As these regulations have the full force and effect of Federal law, they supersede State laws on confidentiality in the area of drug or alcohol treatment. Provisions of the Social Security Act also prohibit disclosure of information obtained by officers or employees of the Department of Health and Human Services, except as prescribed by regulation.

STATE LAWS AND REGULATIONS

At common law, States have recognized an action for invasion of privacy in the tort law. Individuals may bring an action for defamation when medical records containing inaccurate information are disclosed to an unauthorized person, when that information would tend to affect a person's reputation in the community adversely. Courts have also demonstrated a willingness to apply the ethical standards of the medical profession to compel physicians to maintain the confidentiality of information they obtain in the course of treating their patients, by enforcing those standards as part of the contractual relationship between physicians and their patients.

There is significant variation in the nature and quality of State laws regarding privacy in health care information.
Even among the States that have regulations, statutes, or case law recognizing medical records as confidential and limiting access to them, those laws are not consistent in recognizing computerized medical records as legitimate documents under the law, and generally do not address the questions raised by such computerization. The range of medical privacy laws does not address the practice of compiling medical information about patients (with or without their consent or the identification of personal information) for sale to businesses with a financial interest in the data.

This patchwork of State and Federal laws addressing the question of privacy in personal medical data is inadequate to guide the health care industry with respect to obligations to protect the privacy of medical information in a computerized environment. It fails to confront the reality that, in a computerized system, information will regularly cross State lines, and will therefore be subject to inconsistent legal standards with respect to privacy. The law allows development of private sector businesses dealing in computer databases and data exchanges of patient information without regulation, statutory guidance, or recourse for persons who believe they have been wronged by abuse of data. These laws do not address the questions presented by new demands for data prompted by computerization, and the obligations of secondary users in accessing and maintaining data. Lack of legislation in this area will leave the health care industry with an uneven sense of its responsibilities for maintaining privacy.

The Effect of Computers on the Question of Privacy

All health care information systems, whether paper or computer, present confidentiality and privacy problems. Among these problems are administrative errors that release, misclassify, or lose information; compromised accuracy of information; misuse of data by legitimate users; malicious use of medical information; unauthorized break-ins to medical information systems; and uncontrolled access to patient data. Computerization can reduce some concerns about privacy in patient data and worsen others; but it also raises new problems. While computers offer security measures that are not available to paper systems, computerization also presents concerns about privacy and confidentiality that fall into the following categories:

o Computerization enables the storage of a very large amount of data in a small physical space, so that an intruder can systematically obtain large amounts of data (more than could likely be stolen on paper records) once access to the electronic records is gained.
o Networking of computer information systems makes information accessible anywhere at any time to anyone who has access. Computers and computer networks enable a large number of people to handle or have access to information and allow for surreptitious modification, deletion, copying, or addition of data.
o New databases can be created, maintained, and expanded with ease, and computers make it possible to link data sets in ways that produce new information that was not originally intended.[19]
o The computer's ability to transmit large volumes of data instantaneously makes the potential dissemination of medical information limitless, so that the distribution of private information will be easy and inexpensive.

The increased quantity and availability of data and the enhanced ability that computerization provides to link these data raise privacy concerns about new demands for information for purposes beyond providing health care, paying for it, or assuring its proper delivery. Among these concerns is that information more easily gathered, exchanged, and transmitted will be sought and acquired by more parties for uses not connected to health care delivery--parties that may have little concern about the confidentiality of the data in their possession and individual privacy.

SPECIAL POLICY PROBLEMS RAISED BY COMPUTERIZATION

A computer-based patient record of the type recommended by the Institute of Medicine study--in which the record is linked among records or record systems of different provider institutions and to other databases and sources of information, including medical practice guidelines, insurance claims, disease registries, and databases that contain scientific literature, bibliographic and administrative information[20]--requires resolution of policy issues, such as the use of a unique patient identifier, informed patient consent to information disclosure, standardization, and new demands for access by secondary users. It is important to resolve these issues at the outset of the computerization process, so that system designers can build into software the appropriate mechanisms to implement privacy policy.

The Unique Patient Identifier

Proponents of computerized medical information recommend the use of a unique patient identifier to be assigned to a patient at birth and remain permanently throughout the patient's lifetime. A unique patient identifier, it is believed, would assure appropriate, accurate information exchange among approved parties, prevent fraud and forgery in reimbursement, and ensure accurate linkage of information. While a variety of approaches to establishing such an identifier have been proposed, the one most often mentioned is the use of the Social Security number as the most efficient and cost-effective way of identifying patients. Privacy advocates strongly object to this proposal.
They cite the increasing use of the number in the private sector, and the power of the number to act as a key to a variety of information in both the public and private sector and to facilitate linkage of information.21 Proponents of its use believe that, with appropriate precautions, the integrity of the Social Security number can be maintained. Although there is a belief that the Social Security number is now a de facto national identifier (even though this is prohibited by law), use of the number as a unique patient identifier still requires close examination. The use of the Social Security number as a unique patient identifier has far-reaching ramifications for indi- vidual health care information privacy that should be carefully considered before it is used for that purpose. Informed Patient Consent to Information Disclosure Because computerization of medical informa- tion creates the potential for increased demands for data for purposes beyond providing health care, paying for it, or assuring its proper delivery, computerized medical information challenges present practices for providing informed consent to disclosure. Informed consent to disclosure of information generally involves four main elements: 1. information about what data is to be dis- closed must be given to the patient, 2. the patient must understand what is being disclosed, 3. the patient must be competent to provide consent, and 4. the patient's consent must be voluntary. The present approach to providing "informed consent" challenges the concept with respect to disclosure to the patient, patient competence, and patient comprehension about what is being dis- closed. In spite of the requests made of them to authorize disclosure of medical information for medical and nonmedical purposes, patients tradi- tionally have difficulty gaining access to inspect their own medical records, and laws governing patient access to records are neither universal nor uniform. 
It is argued by some that without knowledge of what is contained in the record, patients' consent to disclosure cannot be said to be informed per se. In taking responsibility for the care of a patient, physicians have been granted broad discretion to withhold information from the patient that he or she deems to be potentially harmful. Recent articles indicate a change in thinking about this approach, and the position of the American Health Information Management Asso- ciation (AHIMA) reflects the balance of opinion as reflected by the literature. AHIMA's position is that the computerized health care record, and its potential for increased use both within and beyond the health care relationship, requires that patients have greater access to their medical record, coupled with a general atmosphere of increased patient education and involvement in his or her own health care. Resolution of the question of patient access to one's record so that consent to disclosure is, in fact, informed, is critical to confronting privacy concerns about the computerized health record. The element of voluntariness is also challenged by the present scheme of providing informed consent. Medical information is usually required to provide health care reimbursers with sufficient information to process claims. Since individuals are, for the most part, not able to forego health care reimbursement benefits, they really cannot make a meaningful choice whether or not to consent to disclosure of their health care informa- tion. Some commentators suggest that alternative schemes to deal with the need to disclose patient information might be adopted. Standards Industry organizations are developing stand- ards for patient-record content, data exchange formats, vocabulary, patient-data confidentiality, and data systems security. Standardization of medical information in both content and format is believed to be important to the computerization effort. 
Content uniformity would assure data completeness for medical practitioners. In addition, third-party payers could process claims readily on the basis of the medical, financial, and administrative information at their disposal; and secondary users of the information, such as researchers, utilization review committees, and public health workers, could anticipate the nature of the information available to them. Format standards would assure uniform and predictable electronic transmission of data. Standards for patient-data confidentiality and data systems security would ensure that patient data are protected from unauthorized or inadvertent disclosure, modification, or destruction. Primary and secondary users of health care data are working to agree on common levels of data protection so they can benefit from use of automated patient information.

Outbound Linkages to Secondary Users and the Problem of Increased Demand

The Institute of Medicine report foresees broad connectivity in a computerized records system, meaning that the record or record system will establish links or interact effectively with providers' systems and databases. In addition to linkages that will connect clinical records of a single patient to create a longitudinal patient record, the report foresees external linkages to other databases and other sources of information. These linkages might include databases that contain scientific literature and bibliographic information, administrative information, medical practice guidelines, insurance claims, and disease registries. The IOM report acknowledges that outbound linkages create additional concerns about maintaining privacy and require tight security measures. In addition to the question of security and privacy in the linked information, the larger question arises as to the appropriateness of access to information by certain parties.
Policy decisions at the Federal and State levels have, over time, made medical records and health care information, as it exists in paper record form, available to utilization review agencies, medical researchers, judicial proceedings, public health agencies, licensing agencies and, in some cases, employers. The power of computers to allow gathering, storage, exchange, and transmission of data could prompt increased demands for use of medical information beyond the traditional uses.

MODELS FOR PROTECTION OF COMPUTERIZED MEDICAL INFORMATION

Health professional organizations, privacy advocates, and academics specializing in health information privacy have proposed legislative schemes and practice guidelines to protect privacy in medical information. These initiatives are generally based on fundamental principles of fair information practices. These principles, which have been implemented in the Privacy Act for the protection of federally maintained information, are as follows:

1. No personal data recordkeeping system may be maintained in secret.
2. Individuals must have a means of determining what information about them is in a record and how it is used.
3. Individuals must have a means of preventing information about them obtained for one purpose from being used or made available for other purposes without their consent.
4. Individuals must have a means to correct or amend a record of identifiable information about themselves.
5. Organizations creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuses of the data.

Health care information protection schemes usually provide individuals with certain rights:

1. The proposals address concerns about privacy in personal medical information on individuals.
2. Individuals are given the right to access much of the personal information kept on them.
3. Limits are placed on the disclosure of certain personal information to third parties.
4. Health care personnel are required to request information directly from the individual to whom it pertains, whenever possible.
5. When health care personnel request personal information from an individual, the individual must be given notice as to the authority for the collection of data and whether the disclosure is mandatory or voluntary.
6. The individual may contest the accuracy, completeness, and timeliness of his or her personal information and request an amendment.
7. The health care personnel must decide whether to amend the information within a fixed time, usually 30 days after receiving a request.
8. The individual whose request for change is denied may file a statement of disagreement, which must be included in the record and disclosed along with it thereafter.
9. The individual is given a means of seeking review of a denied request.

Chapter 4 discusses the provisions of the Massachusetts State Code on Insurance Information and Privacy Protection, Ethical Tenets for Protection of Confidential Clinical Data, the Uniform Health Care Information Act (implemented in Montana and Washington), and the Model Legislation Language of the American Health Information Management Association, and their applicability to new health care information privacy legislation. While these principles form the foundation for information privacy protection, any new legislation must also reflect the development of distributed processing, sophisticated database management systems, and computer networks, and the wholesale use of microcomputers, that characterize the kind of system envisioned for health care information. New legislation must also take into account access to records and security of information flows.
Current legislation at the State and Federal level for protection of privacy in medical information is limited in its application to individual institutions; the ease with which information will be transmitted between institutions requires that the law track the information, wherever it may reside. Technology may facilitate the policy goals of such a protection system: a system of audit trails and user identification codes can assist in identifying points of unauthorized access.

CONGRESSIONAL OPTIONS

As computerization of patient records goes forward, Federal legislation is necessary to address issues of patient confidentiality and privacy.22 The present system of protection is a patchwork of State laws, which do not take into account a computerized system in which information will be frequently and easily transferred across State borders.

Option 1a. Congress may wish to allow computerization to go forward under the present State and Federal systems of protection.

No computer system can be made entirely secure. Privacy in health care information, whether electronic or paper, is protected by a range of Federal23 and State laws. These laws are often inadequate, and in some States do not exist. The introduction of computerized medical records entails transfer of that information among participants in the health care delivery system located in different States and operating under different State laws. If not modified, the present patchwork of laws regarding patient health care information will likely require that resolution of issues of individual privacy and improper use of medical information be left to State legislatures and State courts. It would also require that the health care industry educate itself, on a State-by-State basis, about its obligations to secure and keep confidential medical records.
After a period of allowing the system to work in this way, Congress may find itself re-evaluating the question of State versus Federal legislation.

Option 1b. Enact a comprehensive health care information privacy law.

As the greatest concerns about privacy lie in the potential for abuse of information by authorized parties with appropriate access to a computer system, legislation providing criminal and civil recourse for illegally obtaining or disclosing records containing individually identifiable information to persons not entitled to receive it could address the problem of information brokering and illegal trafficking of health care information. The law would provide appropriate sanctions to deter such activities. Such legislation would:

1. Define the subject matter of the legislation, "health care information," broadly, including the range of information generated, collected and maintained about individual patients;
2. Provide criminal and civil sanctions for improper possession, brokering, disclosure, or sale of health care information, with penalties sufficient to deter perpetrators;
3. Establish rules for patient education about information practices as applied to health care information, including access to information, amendment, correction and deletion of information, and creation of databases;
4. Establish requirements for informed consent by patients to disclosure of health care information;
5. Structure the law to track the flow of health care information, incorporating the ability of computer security systems to alert supervisors to leaks and improper access to information, so that the law can be applied to the information at the point of abuse, not simply to one "home" institution; and
6. Establish protocols for access to health care information by secondary users, and determine their rights and responsibilities in the information they access.
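The report twice relies on a technical mechanism without showing it: audit trails and user identification codes that "assist in the identification of points of unauthorized access," and (item 5 above) security systems that "alert supervisors to leaks and improper access." The greatest risk it names is abuse by authorized insiders, so the useful check is not "did this user log in" but "did this user have a treatment relationship with, or a role-limited reason to touch, this patient's record," plus a watch for one user browsing many unrelated records, which is the pattern information brokering leaves behind. The following Python is an added example written for this edition; it is not code from the OTA report or from any of the systems it describes. The audit log format, field names, role policy, care-team table, user list and thresholds are all assumptions made for the illustration, and the log lines are constructed.

```python
"""
Added example (not from the OTA report): an audit-trail check that flags
patient-record accesses falling outside a user's treatment relationship
or role, and flags bulk browsing of unrelated records.  Log format, field
names, roles, users and thresholds are assumptions; log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: who touched which patient's record, and when.
SAMPLE_LOG = """\
1993-07-31T09:14:02 user=rlee role=physician patient=P1001 action=READ section=notes
1993-07-31T09:15:40 user=mhall role=nurse patient=P1001 action=READ section=orders
1993-07-31T09:20:11 user=tkim role=billing patient=P1001 action=READ section=claims
1993-07-31T09:21:05 user=tkim role=billing patient=P1001 action=READ section=notes
1993-07-31T10:02:33 user=rlee role=physician patient=P2002 action=READ section=notes
1993-07-31T11:45:00 user=gwest role=clerk patient=P3003 action=READ section=notes
1993-07-31T11:45:20 user=gwest role=clerk patient=P3004 action=READ section=notes
1993-07-31T11:45:41 user=gwest role=clerk patient=P3005 action=READ section=notes
1993-07-31T11:46:02 user=gwest role=clerk patient=P3006 action=READ section=notes
1993-07-31T12:00:00 user=xyz99 role=nurse patient=P1001 action=READ section=notes
"""

# Assumed treatment relationships: staff on each patient's care team.
CARE_TEAM = {
    "P1001": {"rlee", "mhall"},
    "P2002": {"rlee"},
    "P3003": {"mhall"},
}

# Assumed role policy: record sections a role may read without being on the
# care team (e.g. billing staff see claims data, not clinical notes).
ROLE_SECTIONS = {
    "billing": {"claims"},
    "clerk": {"demographics"},
}

# Assumed registry of issued user identification codes.
KNOWN_USERS = {"rlee", "mhall", "tkim", "gwest"}

# Assumed bulk-browsing threshold: more than BULK_LIMIT distinct patients,
# none of whom the user treats, within BULK_WINDOW.
BULK_WINDOW = timedelta(minutes=5)
BULK_LIMIT = 3


def parse_record(line):
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def access_reason(rec):
    """Return None if the access is authorised, else a short reason string."""
    user, role = rec["user"], rec["role"]
    patient, section = rec["patient"], rec["section"]
    if user not in KNOWN_USERS:
        return "unknown user identifier"
    if user in CARE_TEAM.get(patient, set()):
        return None  # treatment relationship covers any section
    if section in ROLE_SECTIONS.get(role, set()):
        return None  # role-limited access to a permitted section
    return (f"no treatment relationship with {patient}; "
            f"role {role} not permitted for {section}")


def flag_accesses(log_text):
    """Return (line, reason) pairs for every access that fails a check,
    including bulk browsing by one user across unrelated patients."""
    flagged = []
    recent = defaultdict(list)  # user -> [(ts, patient)] of unrelated accesses
    for line in log_text.splitlines():
        rec = parse_record(line)
        reason = access_reason(rec)
        if reason:
            flagged.append((line, reason))
        if rec["user"] not in CARE_TEAM.get(rec["patient"], set()):
            hist = recent[rec["user"]]
            hist.append((rec["ts"], rec["patient"]))
            # keep only accesses inside the sliding window
            hist[:] = [(t, p) for t, p in hist if rec["ts"] - t <= BULK_WINDOW]
            distinct = {p for _, p in hist}
            if len(distinct) > BULK_LIMIT:
                flagged.append((line, f"bulk browsing: {len(distinct)} "
                                      f"unrelated patients in {BULK_WINDOW}"))
    return flagged


if __name__ == "__main__":
    for line, reason in flag_accesses(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Two design points matter for the report's purpose. The check keys on a treatment relationship, not on job title alone, because the insiders the report worries about hold valid credentials; role-only access control would pass the billing clerk reading clinical notes. And the bulk-browsing rule fires on the count of distinct unrelated patients inside a window, so a clerk paging through a ward's records trips it even though each individual read looks routine.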
As part of this legislative effort, Congress may want to commission an investigation of abuses of medical information to pinpoint the nature and scope of abuses in this area, and to provide empirical evidence of the problem in the United States.

Option 2. Monitor standard setting.

Congress may wish to monitor and/or participate in efforts to set standards for the content of the medical record and the minimum level of security and confidentiality in computerized medical record systems, to assure that technological standards will facilitate privacy policy goals. This task could be delegated to a special task force made up of technology, privacy, and health information experts, or to a committee charged with ongoing review of medical information privacy issues.

Option 3. Establish a special committee or commission to oversee the protection of health care data; to provide ongoing review of privacy issues arising in the area of health care information; to keep abreast of developments in technology, security measures, and information flow; and to advise the Congress about privacy matters in the area of health care information.

Computer systems for medical information and the security measures available for those systems are in constant development, and legislation is challenged by a technology that changes quickly. Demands for data change with "need" and tend to increase over time; relying solely on each individual's efforts to monitor and protect his or her privacy is of little use because, in most cases, individuals can act only after damage has occurred. A committee or commission to oversee data protection in medical data could be modeled on proposals for a broader Data Protection Board,24 but with a focus on health care information.
A committee or commission could monitor and evaluate implementation of statutes and regulations enacted to protect privacy in health care information; it could continue research into areas of concern about privacy in health care information to supplement mechanisms by which citizens could question the propriety of information collected and used by the health care industry. In this way, it would provide a measure of protection prior to the establishment and development of new databases and new uses for medical data. Such an entity would add a layer of protection to a legislative scheme by serving as a watchdog for potential encroachment on individual privacy in medical information, and serve as an early warning system to ensure that the legislative process is dynamic enough to deal with emerging problems.25

One function of such a committee or commission might be to formulate guidelines for parties involved in computerization of medical information, whether for purposes of health care delivery or for commercial use of data, including an outline of the responsibilities of secondary users of information in maintaining security and confidentiality of the data. Computer security measures can only provide a certain level of protection for data in a computer system. Technology alone cannot completely secure a system, but appropriate operational standards and data security policies can further improve the protection of data. A regulatory scheme mandating such measures could establish a threshold of protection for computerized medical data. Such a scheme could include procedures for informing the patient about record keeping practices, disclosure of patient information, release of data to secondary users, examination, correction and amendment of the patient record by the patient, as well as provisions for internal and external review.
Secondary users of information, such as medical researchers and public health agencies, would be required to meet certain criteria in handling the information they receive. Criminal sanctions could exist for failing to maintain the system in compliance with those regulations.

Various efforts have been made in the private sector to gather and aggregate medical data. As such compilation of data is largely invisible and done without the knowledge or permission of the patient, a committee or commission could examine the propriety of the activity in terms of individual privacy. If the activity is considered appropriate, a regulatory scheme would be necessary to protect individual privacy.

1. In 1986, the Senate Committee on Governmental Affairs and the House Committee on the Judiciary, Subcommittee on Courts, Civil Liberties and the Administration of Justice, requested that OTA examine the impact of new technological applications, such as the computerized matching of two or more sets of records, networking of computerized record systems, and computer-based profiles on individuals, for balancing the privacy of citizens with management efficiency and law enforcement. In response to that request, OTA prepared the report Electronic Record Systems and Individual Privacy, OTA-CIT-296 (Washington, DC: U.S. Government Printing Office, June 1986). That report found that privacy is a significant and enduring value held by Americans, and that the courts have not determined adequate constitutional principles of information privacy. It concluded that the advances in information technology enable Federal agencies to process and manipulate information with great speed. A 1987 Office of Technology Assessment report, Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information, OTA-CIT-310 (Washington, DC: U.S. Government Printing Office, October 1987), examined the vulnerability of communications and computer systems, and technology for safeguarding information. The report recognized that government agencies, the private sector, and individuals are using sophisticated communications and computer technology to store, process, and transmit information that needs to be protected.
2. OTA workshops, "Emerging Privacy Issues in the Computerization of Medical Information," July 31, 1992; and "Designing Privacy in Computerized Health Care Information," Dec. 7, 1992.
3. Institute of Medicine, The Computer-Based Patient Record: An Essential Technology for Health Care, Richard S. Dick and Elaine B. Steen, eds. (Washington, DC: National Academy Press, 1991), p. 51. This is a publication of the Committee on Improving the Patient Record, Division of Health Care Services.
4. Joan Turek-Brezina, Chair, Department of Health & Human Services Task Force on the Privacy of Private Sector Health Records, personal communication, April 1993.
5. Some commentators contend that health care claim reimbursement processing has become such a major and integral part of the delivery of health care that health care insurers are among the primary users of patient information. In figure 1-1, the American Health Information Management Association shows billing and reimbursement as a primary use of patient records.
6. U.S. Privacy Protection Study Commission, Personal Privacy in an Information Society (Washington, DC: U.S. Government Printing Office, 1977), p. 28.
7. OTA Workshop, July 31, 1992, op. cit., footnote 2.
8. 638 F.2d 570 (3rd Cir. 1980).
9. Institute of Medicine, op. cit., footnote 3, p. 51.
10. Ibid.
11. Ibid., p. 45.
12. U.S. Department of Health and Human Services, Workgroup for Electronic Data Interchange, Report to the Secretary, July 1992.
13. Criticism of the smart card approach stems largely from the proposal that such a system involve a backup database of information that is already contained on the card. In and of themselves, smart cards may well offer some solutions to protecting privacy if information contained on them is properly segmented. Sheri Alpert, "Medical Records, Privacy and Health Care Reform," prepublication draft, June 29, 1993. A version of this paper will appear in the November/December issue of The Hastings Center Report. For further discussion of smart cards, see ch. 3.
14. Marc Rotenberg, Director, Washington Office, Computer Professionals for Social Responsibility, personal communication, December 1992.
15. David Flaherty, "Privacy, Confidentiality and the Use of Canadian Health Information for Research and Statistics," Canadian Public Health Administration, vol. 35, No. 1, p. 80, 1992.
16. The Oath of Hippocrates applies to physicians. Psychologists, nurses, and others referred to as "health care providers" operate under different, perhaps less comprehensive, strictures. Steven Brooks, Manager, Medical Information Management, Aetna Health Plans, personal communication, April 1993.
17. 381 U.S. 479, 85 S. Ct. 1678 (1965).
18. The Federal Privacy Act of 1974, 5 U.S.C. Sec. 552a (1988).
19. Ontario Commission of Inquiry into the Confidentiality of Health Information, Report of the Commission, Ontario, Canada, September 1980, vol. 2, pp. 160-166.
20. Institute of Medicine, op. cit., footnote 3, p. 44.
21. William M. Bulkeley, "Get Ready for Smart Cards in Health Care," The Wall Street Journal, May 3, 1993, p. B11.
22. OTA Workshop, Dec. 7, 1992, op. cit., footnote 2.
23. Federal law protects privacy in only those medical records maintained by the Federal Government, e.g., records maintained on Medicare and Medicaid patients. Those Federal laws do not protect the records of the same patients maintained by their private physician or held by their hospital.
24. Hearing before the Subcommittee on Social Security and Family Policy of the Committee on Finance, U.S. Senate, on Privacy of Social Security Records, Feb. 28, 1992 (Washington, DC: U.S. Government Printing Office, 1992), testimony of Marc Rotenberg, Director, Washington Office, Computer Professionals for Social Responsibility. See also David H. Flaherty, "Ensuring Privacy and Data Protection in Health and Medical Care," prepublication draft, Apr. 5, 1993. Such a board has been established in several foreign countries, including Sweden, Germany, Luxembourg, France, Norway, Israel, Austria, Ireland, the United Kingdom, Finland, the Netherlands, Canada, and Australia. For an analysis of data protection in certain of these countries, see David H. Flaherty, Protecting Privacy in Surveillance Societies (Chapel Hill, NC: The University of North Carolina Press, 1989).
25. Discussion of a larger scale Data Protection Board reviewing data privacy issues generally is beyond the scope of this inquiry. However, literature discussing proposals for a Data Protection Board is illustrative of the nature and function of oversight bodies for privacy in personal data.

-----------------------------------------------

The Right to Privacy in Health Care Information 2

The report of the Institute of Medicine (hereafter referred to as "the IOM report") claims that computers, high-performance networks, and technologies that allow electronic storage, transmission, and display of medical images will improve the quality of patient care, advance the science of medicine, lower health care costs, and enhance the education of health care professionals. The IOM study cites ways in which computerization of patient records could improve the quality of patient care by improving the ease of access to patient care data. Computerized patient records could facilitate integration of patient information over time and from one care provider to another.
They could make medical knowledge more accessible to practitioners, and they could support decision making by practitioners.1 With respect to medical research, the IOM report states that computerization could improve data and access to data by researchers, and research findings could be provided to practitioners over medical information computer systems.2 Computerization is seen also as a way to assist in lowering health care costs. The IOM report argues that improved information could reduce redundant tests and services carried out when test results are not available to the practitioner. Administrative costs could be reduced by electronic submission of claims and the ability to generate reports automatically. Practitioner productivity could be improved in three ways:

o reduce the time required to find missing records or to wait for records already in use,
o reduce the need for redundant data entry, and
o reduce the time needed to enter or review data in records.3

The Computer-based Patient Record Institute (CPRI), an organization of public and private sector entities concerned with the computerization of patient records, was established in response to a recommendation of the IOM report.4 Its purpose is to facilitate development, implementation, and dissemination of the computer-based patient record, and its vision is the use of a comprehensive, longitudinal patient record to provide all clinical, financial, and research data. The computer-based patient record would contribute to more effective and efficient care through:

o access to lifetime health data collected and contained across the continuum of care;
o support for quality of health care delivery;
o ready access to knowledge bases to support clinical practice, administration, education, and research;
o patient participation in health status determination; and
o wellness and disease prevention.
The Workgroup for Electronic Data Interchange (hereafter referred to as "WEDI") envisions electronically connecting the health care industry by an integrated system of electronic communication networks that would allow any entity within the health care system to exchange information and process transactions with any other entity in the industry. According to its report, such a system could reduce administrative and health care delivery costs. Electronic processing of insurance and managed-care administrative transactions, such as claims, eligibility checks, and coordinating benefits, could streamline payers' operations and reduce the administrative tasks of providers. Clinical applications, such as computerized patient records, test results, and outcome studies, might assist providers in ensuring high-quality care without unnecessary or duplicate procedures.5

While endorsing the adoption of the computer-based patient record and electronic data interchange for health care, these reports acknowledge the concerns about privacy that such systems raise. The IOM study notes that "the computerization of most types of record keeping, as well as the recent well-publicized cases of inappropriate access by computer hackers, has increased concerns about the misuse of personal information."6 Among the concerns cited by the IOM study are security features of computer-based patient record systems, the lack of generally accepted standards for protection of computer-based medical data across States, and the potential for invasion of patient privacy presented by a personal identification number for all patient records. The Report of the Work Group on Computerization of Patient Records to the Secretary of the U.S. Department of Health & Human Services7 echoes the concerns of the IOM study.
The Work Group on Computerization Report asserts that linkages between systems will significantly enhance access to patient information, thereby offering tremendous potential for improving the quality and efficiency of health care delivery. With enhanced access, however, come concerns about confidentiality and the protection of patient privacy. While patient data is already shared among those who deliver and pay for care, the health information infrastructure envisioned by the Work Group on Computerization Report would make patient information accessible to care givers, payers, and others, and would create new opportunities for abuse unless protection for patient privacy is built into its design and use.

The WEDI Report discusses in depth the serious implications for privacy raised by the use of computer databases linked electronically for information exchange. The report clearly states that:

[t]he electronic technology itself holds intrinsic threats to maintenance of personal privacy. The same technology that made it possible to transmit data from one computer to another, whether those computers are in the same room or on opposite sides of the globe, also permits violations of data integrity and data security.

It goes on to assert that:

[t]he establishment of the types of data repositories envisioned for health care claims processing to effect administrative savings should be accompanied by promulgation of significant patient rights regarding the accuracy of personal information maintained and the extent to which it is shared with others. The need for security and confidentiality of patient information should not be subject to individual organizational determination of need. Security and confidentiality must be preserved and protected. They must not be compromised for expedience or the "bottom line."
The WEDI Report examines the complex state of the law regarding privacy and confidentiality in such information, and cites the need to streamline the protection of patient information as one of the key steps the industry must take to implement electronic data interchange efficiently.

Recent surveys demonstrate that the concerns voiced in these reports reflect a broad concern among the American public about privacy in their personal information. A joint Lou Harris/Equifax survey indicated that 79 percent of Americans feel their personal privacy is threatened, and some segments of the population fear that consumer information will be more vulnerable by the year 2000. Most Americans also specifically acknowledge the dangers to privacy of present computer uses. According to the survey, two-thirds of the public believes that personal information in computers is not adequately safeguarded, and a significant portion of the American public no longer has confidence in the way industry treats personal information. Almost 9 of 10 Americans surveyed believe that computers have made it much easier for someone to improperly obtain confidential personal information about individuals.8 In an earlier poll, conducted by Time and CNN in 1991, 93 percent of respondents asserted that companies that sell personal data should be required to ask permission from individuals in advance. California's Privacy Rights Clearinghouse, the first privacy hotline in the Nation, logged more than 5,400 calls within 3 months of its inception in November 1992.9

These concerns are well founded. A market exists for the sale of personal information from both public and private sources, encouraged by financial incentives for staff to supplement their income through unauthorized disclosures of personal information. Prosecutions of U.S. Federal Government employees for unlawful disclosure of personal information indicate the risk of invasion of privacy perpetrated by trusted insiders.
Those indicted include current or former employees of the Social Security Administration, the Internal Revenue Service, local police officers accessing the FBI's National Crime Information Center, and a number of information brokers. In most of these instances, employees were bribed by information brokers and private investigators representing private clients.10 Anecdotal evidence in this country, and formal investigative work overseas, indicates that abuse of information, and specifically medical information, is widespread. (See boxes 2-A, 2-B, and 2-C.)

In addition, increasingly interconnected, affordable, fast, online systems enable the building of electronic dossiers. Macworld magazine reported that it investigated 18 business leaders, politicians, Hollywood celebrities, and sports figures, primarily in the State of California where most public records are online. The investigation sought all legally accessible data available from four commercial and two governmental data suppliers. Investigators were able to obtain the following kinds of information: birth dates, home addresses, home phone numbers, social security numbers, neighbors' addresses and phone numbers, driving records, marriage records, voter registration, biography, records of tax liens, campaign contributions, vehicles owned, real estate owned, commercial loans and debts, civil court filings, corporate affiliations, public records for criminal court filings, fictitious business names, records of bankruptcies, insider trading transactions, trusts, deeds, and powers of attorney. To obtain this information, investigators spent an average of only $112 and 75 minutes per subject.11

WHY IS PRIVACY IN HEALTH CARE INFORMATION IMPORTANT?

Health care information relates to profoundly personal aspects of an individual's life.
The medical records kept by physicians and hospitals about patients may include identifying information, x-ray films, EKG and lab test results, daily observations by nurses, physical examination results, diagnoses, drug and treatment orders, progress notes and post-operative reports from physicians, medical history secured from the patient, consent forms authorizing treatment or the release of information, summaries from the medical records of other institutions, and copies of forms shared with outside institutions for insurance purposes. But in addition to objective observations, diagnoses, and test results, medical records may also contain subjective information based on impressions and assessments by the health care worker. Medical records may also include impressions of mental abilities and psychological stability and status; lifestyle information or suppositions (including sexual practices and functioning); dietary habits, exercise and recreational activities (including dangerous ones life insurers would want to know about); religious observances and their impact on treatment decisions; alcohol and drug use; and comments on attitudes toward illness, physicians, treatments, compliance with therapy and advice, etc.12 Staff comments about the patient's character or demeanor are sometimes included in the record. Increasingly sophisticated diagnostic tools yield more and more detailed, and potentially sensitive, information about a person's body: genetic research and testing results in information that not only indicates a patient's present condition but also enables prediction of his or her future medical condition and the prospect of developing specific medical problems.
Medical information can affect such basic life activities as getting married, securing employment, obtaining insurance, or driving a car.13 Medical conditions have served as the basis for discriminatory practices, making it difficult to participate in these activities.14 Because of its highly sensitive nature, improper disclosure of medical information can result in loss of business opportunities, compromise of financial status, damage to reputation, harassment, and personal humiliation. However, defining what is "sensitive" in a record may be difficult, since the definition may depend on the intended use of a record.15

At the same time, the integrity of the patient record and the disclosure by the patient to the physician of information necessary to establish an accurate diagnosis are desirable to attain the best clinical outcome. Simply stated, disclosure of medical information by the patient, free of the fear of improper disclosure, is necessary to obtaining good quality medical care. An environment must be maintained in which this kind of disclosure is possible. In its testimony to the U.S. Privacy Commission, the American Medical Association stated, "Patients would be reluctant to tell their physicians certain types of information, which they need to know in order to render appropriate care, if patients did not feel that such information would remain confidential."16 More recently, the AMA Code of Medical Ethics stated:

The confidentiality of physician-patient communications is desirable to assure free and open disclosure by the patient to the physician of all information needed to establish a proper diagnosis and attain the most desirable clinical outcome possible. Protecting the confidentiality of the personal and medical information in such medical records is also necessary to prevent humiliation, embarrassment, or discomfort of patients.
At the same time, patients may have legitimate desires to have medical information concerning their care and treatment forwarded to others.17

UNREGULATED COMPUTERIZATION AND MARKETING OF HEALTH CARE INFORMATION

In addition to the widespread problem of information brokering and abuse of authorized access to computerized information within a large public sector database of sensitive information, the private sector has now begun to respond to a strong commercial incentive to aggregate medical information. In some instances, such as that of the Medical Information Bureau,18 information is gathered and banked solely for the purpose of assisting the insurance industry in making coverage exclusions in their policies. In other cases, companies offering such computer services as health insurance claims processing, office management, or patient billing take advantage of their access to medical information (see box 2-D). In these instances, aggregate information is gathered and sold, usually without patient knowledge or consent. At this time, there is no law prohibiting these practices.19 The businesses involved in these ventures operate under no regulatory guidelines regarding security measures, employee practices, or licensing requirements.

POTENTIAL FOR INCREASED DEMANDS FOR COMPUTERIZED INFORMATION

The IOM study discusses in some detail the increasing demand by multiple users for access to patient care data.20 According to the report, information must be shared among many professionals who are involved in delivery of health care. In addition to these persons, administrators and managers of health care institutions require information to monitor quality of care and allocate resources. To develop budgets, measure productivity and costs, and assess market position, managers of institutions seek to link financial and patient care information. Quality assurance activities also involve access to information.
Among the organizations involved in such activities is the Joint Commission on Accreditation of Healthcare Organizations (JCAHO). Third party payers carry out quality monitoring and evaluations. The best known is perhaps the Medicare peer review organization program administered by the Health Care Financing Administration. Increased Federal involvement in health care has resulted in greater need by the government for medical information. Programs that pay for health services legitimately require review of individual medical information as part of the payment process. In 1992, Medicare alone paid over $126 billion for health services.21 Related programs for quality control and to limit fraud, abuse, and waste have needs for medical records. In addition, records are maintained by agencies that operate health programs such as the Department of Veterans Affairs, the Department of Defense, Indian Health Service, and the Public Health Service.22

Demands for information come not only from review bodies, third-party payers, outside billing and computer services, and government, but also from employers, insurers, and others who use health care information for nonhealth purposes. Some suggest that, as the supply of computerized personal medical information increases, there may be a demand for access to information that is not currently authorized. Will investors seek "medical reports" on the chief executive officers of companies in which they are considering investing? Will the media seek to determine what prescription drugs celebrities are taking? Will direct marketers, or market researchers, have access to information about patients' prescription and nonprescription drug use, either from medical records or from pharmacies?
To what extent might employers demand medical information?23

The Report of the Work Group on Computerization of Patient Records recognizes that:

    as capability for storage and analysis of personal records increases and the cost of collection decreases, the demand for such information by providers, payers, policymakers, and researchers will likely multiply. There may be pressure to collect more data than is strictly necessary for a given purpose--collected data may then be maintained in a large database where it may be vulnerable to misuse.24

Others are concerned that extensive access to medical records and health care information may pose a threat to privacy, and that safeguards against unauthorized access are meaningless if authorized access is so broad.25 Still others point out that, once any kind of information is compiled for whatever legitimate goal, the impulse to access that information for another well-meaning purpose is strong.26 The technology of computerization and security makes it possible to monitor information flow in computer systems, and enables society to enforce clear value choices as to whom information should properly be made available.27 Some suggest that this presents an opportunity for a reassessment of the question of authorized access, who should have it, and under what circumstances.28 Resolution of these issues would allow software developers to design systems in which access and security provisions for appropriate secondary users become a part of the computer system.29

ISSUES RAISED BY COMPUTERIZATION

In view of the report by the Krever Commission, discussed in box 2-B, and from anecdotes of the kind presented in box 2-A, it is clear that it is easy to gain access to, copy, remove, and destroy paper patient records. However, computers create new and more clearly defined problems about confidentiality and privacy than exist in paper record systems, and also bring longstanding confidentiality and privacy issues into sharper focus.
Computerization of data with appropriate security measures can address the problem of confidentiality in sensitive medical information. Security alone, however, cannot solve the problem of patient privacy. The maintenance of medical information on computers also worsens some problems and raises new and complex issues not confronted in a paper environment. Legislation to address concerns about privacy in this information must apply to paper records, to computerized ones, and to the period of transition between paper and computers.

As discussed earlier, electronic storage and management of medical information is believed to provide certain advantages in the delivery of health care:

o It could allow for greater mobility of patient treatment within the health care system, which could foster competition for patients among health care providers.

o Use of an electronic system could potentially increase the speed with which patient medical histories could be accessed, thereby speeding treatment, particularly in medical emergencies.

o It has been suggested that computer records are better protected through computer security measures, thus eliminating the potential for abuse presented by paper records.

o Some suggest that the computer record allows greater control on the part of record-keepers over patient information, so that information based on need-to-know can be released to third-party payers, utilization review boards and other appropriate parties, replacing the current practice of releasing the entire patient record to process one insurance claim.30

However, computerization of health care information raises other concerns:

o Computer technology makes the creation of new databases and data entry easy, so that databases can be created and maintained readily. This could result in a proliferation of data and information that is easily searchable.

o Computerization allows for storage of large amounts of data in a very small physical medium.
  An intruder into a database can retrieve large amounts of data (most likely far more than could be stolen on voluminous paper records) once access is gained.

o Computers provide for the possibility of "invisible theft"--stealing data without taking anything physical--so that patients and providers remain unaware that the data has been stolen, altered, or abused.

o Computers allow for the possibility of "invisible" modification, deletion, or addition of data.31

o Computers create the potential for the easy linking of data that were not intended to be collated.32

o Computers allow a large number of people to handle or access data; the potential vulnerability of the data to large-scale intrusion is significantly increased in a computerized environment.33

In sum, computer systems create easy opportunities to compile and maintain large amounts of information and to use it in ways that were never intended by the person who provided it.34 The compilation of data and the ease with which the information contained in the databank can be transferred by computer make access to that information easier and more attractive to a wider group of people.35

RIGHT TO PRIVACY IN HEALTH CARE INFORMATION

Privacy in health care information has traditionally been protected through ethical codes and through State and Federal laws. In addition, the Supreme Court has found sources for a right to privacy in health care information in the Constitution (see box 2-E).

Ethical Origins

The historical origin of the health care provider's obligation to protect the confidentiality of patient information is traced to the Oath of Hippocrates, written between the Sixth Century B.C.E. and the First Century A.C.E., which states:

    What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself. . .
Confidentiality requirements for physicians were formulated differently in later ethical codes. Thomas Percival's code of medical ethics, published in 1803, included the language:

    Secrecy and delicacy, when required by peculiar circumstances, should be strictly observed. And the familiar and confidential intercourse, to which the faculty are admitted in their professional visits, should be used with discretion and with the most scrupulous regard to fidelity and honor.

The first Code of Ethics of the American Medical Association, adopted in 1847, was based on Percival's Code. The Code's provisions on confidentiality repeated the language of Percival's Code without substantive change, and continued:

    The obligation of secrecy extends beyond the period of professional services--none of the privacies of personal and domestic life, not infirmity of disposition or flaw of character observed during professional attendance, should ever be divulged by [the physician] except when he is imperatively required to do so. The force and necessity of this obligation are indeed so great, that professional men have, under certain circumstances, been protected in their observance of secrecy by courts of justice.

The American Medical Association's ("AMA") Principles of Medical Ethics expand on the ethical confidentiality obligation, requiring physicians to "safeguard patient confidences within the constraints of the law."36 In addition, the AMA's Council on Ethical and Judicial Affairs issued guidelines for maintaining confidentiality of health information in the Electronic Data Interchange environment. These guidelines require that the physician and patient consent to release of patient-identifiable clinical and administrative data to any entity outside the medical care environment.
The guidelines also state that the release of confidential health information should be confined to the specific purpose for the release, and the recipient of the information should be advised that further disclosure is not authorized.

The AMA's Code of Ethics evolved from 1847 until the version drafted in 1980, in which confidentiality is covered in the fourth of eight principles:

    A physician shall respect the rights of patients, colleagues, and of other health professionals, and shall safeguard patient confidences within the constraints of the law.

The obligation to preserve patient confidentiality remained in the 1980 code, without any specific guidelines about how to respond to requests for information from researchers, police, Federal agencies, or other potential users of information. Nor is the term "patient confidence" defined.

Recent policy statements of the AMA more clearly detail the responsibilities of physicians to protect patient rights to confidentiality and the medical records. In the Code of Medical Ethics (Current Opinions, 1992), the AMA expresses its belief that the information disclosed to a physician during the course of the relationship between physician and patient is confidential to the greatest possible degree. The patient should feel free to make a full disclosure of information to the physician in order that the physician may most effectively provide needed services. The patient should be able to make this disclosure with the knowledge that the physician will respect the confidential nature of the communication. The physician should not reveal confidential communications or information without the express consent of the patient, unless required to do so by law.
The document sets forth particular instances when the obligation to safeguard patient confidences is subject to exceptions for legal and ethical reasons:

    Where a patient threatens to inflict serious bodily harm to another person and there is a reasonable probability that the patient may carry out the threat, the physician should take reasonable precautions for the protection of the intended victim, including notification of law enforcement authorities. Also, communicable diseases, gun shot and knife wounds, should be reported as required by applicable statutes or ordinances.37

Other providers and organizations maintaining records have established standards to protect the confidentiality of health information. The American Hospital Association's Patient's Bill of Rights states that the patient has the right:

    . . . to expect that all communications and records pertaining to his/her care will be treated as confidential by the hospital and any other parties entitled to review certain information in these records.

FEDERAL LAW PROTECTING PRIVACY IN MEDICAL RECORDS

The Federal Privacy Act: The Federal Privacy Act of 1974, 5 U.S.C. Section 552a (1988), protects individuals from nonconsensual government disclosure of confidential information. The Act prohibits Federal agencies, including Federal hospitals, from disclosing information contained in a system of records38 to any person or agency "without prior written consent of the individual to whom the record pertains" unless the disclosure or further use is "consistent with" the purpose for which the information was collected.39 The purpose of the Privacy Act is "to provide certain safeguards for an individual against an invasion of privacy."40 The Act contains major requirements concerning collection, maintenance and dissemination of personal information. Agencies must:

1. Permit an individual the right to determine what records pertaining to him are collected, maintained, used, or disseminated by such agencies.

2. Permit an individual to prevent records pertaining to him obtained by such agencies for a particular purpose from being used or made available for another purpose without his consent.

3. Provide a procedure by which an individual may request the correction or amendment of information pertaining to them.

4. Be subject to civil suit for damages that occur as a result of willful or intentional action that violates any individual rights under the Act.

The Privacy Act permits exemptions from the requirements for records provided in the Act only in those cases where there is an important public policy need for such exemption as determined by statutory authority (e.g., law enforcement).

Thus, the Privacy Act requires Federal agencies to collect, maintain, use, or disseminate any record of identifiable personal information in a manner that ensures that such actions are for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent its misuse. Hospitals operated by the Federal Government are bound by the Privacy Act's requirements with respect to the disclosure of the medical records of their patients. Also, medical records maintained in a records system operated pursuant to a contract with a Federal agency are subject to the provisions of the Privacy Act.
For example, hospitals that maintain registers of cancer patients pursuant to a Federal contract or to federally funded health maintenance organizations are subject to the Privacy Act.41

Alcohol and Drug Abuse Laws: Two Federal statutes prescribe special confidentiality rules for the records of patients who seek drug or alcohol treatment at federally funded facilities.42 These statutes and their implementing regulations apply strict confidentiality rules to oral and written communications of "records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any" educational, rehabilitative, research, training, or treatment program relating to drug or alcohol abuse.43 The regulations define a patient's record as "any information, whether or not relating to a patient, received or acquired by a federally assisted alcohol or drug program."44 In essence, these restrictions provide for a higher level of confidentiality and allow limited exceptions for release of patient information. These exceptions, however, allow disclosure with the prior written consent of the patient (if the consent meets certain requirements prescribed by regulation).45 These regulations have the full force and effect of Federal law, so that they supersede State laws on confidentiality.

Section 1106 of the Social Security Act: This statute prohibits disclosure of any file, record, or other information obtained by the officers or employees of the Department of Health and Human Services except as prescribed by regulation. This prohibition also applies to officers and employees of any agency, organization, or institution that contracts with the Secretary (intermediaries and carriers) during the course of carrying out the contract. The regulations that implement section 1106, 42 C.F.R. secs. 401.101-401.152, supplement and are consistent with the regulations that implement the Federal Freedom of Information Act.46

SOURCES OF THE CONFIDENTIALITY OBLIGATION--STATE COMMON LAW

Defamation. Defamation is the false written or oral communication to someone other than the defamed of matters that concern a living person and tend to injure that person's reputation.47 Medical records may contain information that is inaccurate and that, if published, would tend to affect a person's reputation in the community adversely. Thus, conceivably, disclosure by a hospital to an unauthorized person could result in an action for defamation. A qualified privilege may exist where information is transmitted to a third party with a proper motive or purpose and with the exercise of reasonable care that the information was true.48

Breach of Contract. Courts have, of late, demonstrated a willingness to apply the ethical standards of the medical profession to compel physicians to maintain the confidentiality of information they obtain in the course of treating their patients. As discussed above, the ethical standards of the AMA prohibit physicians in most situations from revealing a confidence entrusted to them by a patient during treatment. Further, the Medical Practice Acts of many States require physicians to maintain the confidentiality of their patients' medical information, and the AMA has published standards of hospital conduct that require hospitals to protect their patients' privacy.49 Some courts now appear willing to enforce these standards as part of the contractual relationship between physicians and their patients. In Hammonds v. Aetna Casualty and Surety Co.,50 the court held that a physician breached an implied condition of his physician-patient contract when he disclosed medical information to a hospital's insurer without the patient's consent.
The court emphasized the rights of patients to rely on the ethical standards of confidentiality as on an express warranty. Similarly, in Doe v. Roe,51 the court found both a breach of the contractual covenant to keep statements in confidence and a tortious invasion of privacy when the defendant published a book including an extensive transcript of statements made by the plaintiff patient during treatment.

SOURCES OF CONFIDENTIALITY OBLIGATION--STATE STATUTES

There is tremendous variation in the number and quality of State laws on medical confidentiality. While it may be difficult to generalize about the adequacy of State medical confidentiality laws, a report of the Committee on Government Operations of the House of Representatives concluded in 1980 that "most States do not have well defined, modern laws on the confidentiality of medical records."52 A survey of State statutes governing privacy in medical records published by Robert Ellis Smith emphasizes this point.53

These statutes, however, do not address the flow of medical information to secondary users outside the treatment process, who are deemed to legitimately have access to the information. They do not address the responsibilities of third-party payers in handling this information, nor do they impose rules about the use of medical information by secondary users of that data: parties that use medical records for nonmedical purposes. This patchwork of law addressing the question of privacy in personal medical data is inadequate to guide the health care industry in carrying out its obligations in a computerized environment. Furthermore, States are not consistent in their acknowledgment of the computerized medical record, and do not confront the problems presented by computerization. Some States continue to require that patient records be maintained in writing.
Moreover, State law does not address the growing segment of the information industry that seeks to compile (whether with or without patient names or identifiers) medical information about patients for sale to interested corporations.54 As the WEDI Report to the U.S. Department of Health and Human Services states:

    Myriad laws and regulations require providers to maintain health information in a confidential manner. . . [C]onfidentiality has historically been addressed at the state level, with each state crafting its own unique approach. The state rules are superimposed on a federal regulatory framework. The result: a morass of erratic law, both statutory and judicial, defining the confidentiality of health information.55

INADEQUACY OF EXISTING PROTECTION SCHEME AND THE NEED FOR FEDERAL LEGISLATION

Legal and ethical principles currently available to guide the health care industry with respect to obligations to protect the confidentiality of patient information are inadequate to address privacy issues in a computerized environment that allows for intra- and interstate exchange of information for research, insurance and patient care purposes. Lack of legislation in this area will leave the health care industry with little sense as to its responsibilities for maintaining confidentiality. It also allows for a proliferation of private sector computer databases and data exchanges without regulation, statutory guidance, or recourse for persons wronged by abuse of data.

The scheme, as it exists, does not adequately take into account the tremendous outward flow of information generated in the health care relationship today (see box 2-F and figure 2-1). This problem has always existed, but was not as serious because medical records were only occasionally used outside the medical treatment process. The expanded use of medical records for nontreatment purposes exacerbates the shortcomings of existing legal schemes to protect privacy in patient information.
The law must address the increase in the flow of data outward from the medical care relationship, both by addressing the question of appropriate access to data and by providing redress to those who have been wronged by privacy violations. Lack of such guidelines, and failure to make them enforceable, could affect the quality and integrity of the medical record itself. Further, the reservation of regulation of these matters to the States does not address the growing reality that this information will increasingly be transferred or accessed across State lines. As a result, health care providers, third-party payers, and secondary users of medical information will remain uncertain as to the law under which they are operating. The WEDI Report echoes this concern:

    The regulatory framework governing providers' disclosure of patient-identifiable health information is flawed. It dictates different disclosure rules for different types of providers. These rules may conflict within a given state and among different states. The great variance in disclosure rules creates inconsistent standards for providers and offers inconsistent protection to patients. Some states offer little protection for health information, while others offer protection for the initial disclosure of information but ignore the problem of subsequent disclosures.56

This lack of clarity could lead to increased litigation over medical confidentiality issues and the obligations of parties with access to the information.
Patient awareness that records are maintained on computers, absent the assurance of a clear law protecting the confidentiality of those records, could lead to deterioration of the traditionally confidential "physician-patient" relationship.57 Some contend that this breakdown could well lead to patients' withholding information critical to their care, thus jeopardizing their own health as well as denying the health care system (including physicians, nurses, hospitals, third-party payers, and researchers) information they may legitimately want and need, and that society has already deemed appropriate to give them. It could also place physicians in the difficult ethical position of deciding whether or not to enter sensitive information into the record at the patient's request (or maintaining a separate, noncomputer-based record), or the extreme of this situation, the development of a "black market" health care system that does not participate in the computerized exchange of patient information.58 Yet others argue that while patients do express concern about the privacy of their records in general, there is a body of medical literature that has found no significant patient concerns with the privacy of computerized medical records within private medical settings.59 While patient concerns may be lessened when their medical records are stored in the computers of their personal physicians, patients may be more concerned with records stored in the large, national databases that are proposed as a part of recent health care initiatives.60

1. Institute of Medicine, The Computer-Based Patient Record: An Essential Technology for Health Care, Richard S. Dick and Elaine B. Steen, eds. (Washington, DC: National Academy Press, 1991), p. 24. This is a publication of the Committee on Improving the Patient Record, Division of Health Care Services Institute.

2. Ibid.

3. The Institute of Medicine study cites a 1991 report of the U.S. General Accounting Office (GAO) on automated medical records. That report identified three ways that such records could benefit health care. GAO stated that automated records could improve delivery of health care by providing medical personnel with better data access, faster data retrieval, higher quality data, and more versatility in data display. Automated records could also support decision making and quality assurance activities and provide clinical reminders to assist in patient care. According to GAO, automated records could enhance outcomes research by electronically capturing clinical information for evaluation and could increase hospital efficiency by reducing costs and improving productivity.

4. Membership of CPRI includes representatives of health profession organizations such as the American Medical Association, the American Hospital Association, the American Medical Informatics Association, American Nurses Association, the American Health Information Management Association, the American Association for Medical Transcription, computer and telecommunications companies, and health maintenance organizations.

5. U.S. Department of Health and Human Services, Workgroup for Electronic Data Interchange, Report to the Secretary, July 1992, Executive Summary, p. iii.

6. Institute of Medicine, op. cit., footnote 1, p. 103.

7. U.S. Department of Health and Human Services, Work Group on Computerization of Patient Records, Report to the Secretary, "Toward a National Health Information Infrastructure," April 1993.

8. Harris-Equifax Consumer Privacy Survey 1992, conducted for Equifax by Louis Harris and Associates in association with Alan F. Westin, Columbia University.
   See also Joel Reidenberg, Associate Professor of Law, Fordham University School of Law, testimony before the House Committee on Energy and Commerce, Subcommittee on Telecommunications and Finance, Oversight Hearings on Issues Related to the Integrity of Telecommunications Networks and Transmissions, Apr. 29, 1993.

9. Charles Piller, "Privacy in Peril," Macworld Special Report on Electronic Privacy: Workplace and Consumer Privacy Under Siege, July 1993, p. 8.

10. David Flaherty, "Ensuring Privacy and Data Protection in Health and Medical Care," prepublication draft, Apr. 5, 1993, p. 8 (citing Michael Isikoff, "Theft of U.S. Data Seen as Growing Threat to Privacy," The Washington Post, Dec. 28, 1991, and "Dealing Federal Information to Private Resellers," Privacy Journal, vol. 17, No. 3, January 1992, pp. 1, 4).

11. Charles Piller, op. cit., footnote 9, pp. 11-12.

12. Madison Powers, Joseph and Rose Kennedy Institute of Ethics, Georgetown University, personal communication, May 1993.

13. Alan Westin, Computers, Health Records, and Citizen Rights (Washington, DC: U.S. Government Printing Office, 1976), p. 9.

14. S. Rept. 101-116, on The Americans With Disabilities Act of 1989, 42 U.S.C. Sec. 12101, P.L. 101-336, sets forth in detail the kinds and extent of discrimination that can result on the basis of a medical condition. The report cites specifically the testimony of a woman who was fired from the job she held for a number of years because the employer found out that her son, who had become ill with AIDS, had moved into her house so she could care for him. It also cited testimony of former cancer patients and persons with epilepsy, among others, who had been subjected to similar types of discrimination. Among the report's conclusions is that "[h]istorically, individuals with disabilities have been isolated and subjected to discrimination and such isolation and discrimination is still pervasive in our society."
   While the Americans With Disabilities Act can address the problem legally, it does not solve the problem of social stigma and social ostracism that can result when a person's medical condition becomes known.

15. For example, is information on chronic health conditions, when used to determine whether or not to employ specific individuals, sensitive? Different persons will also vary in their perceptions of what is sensitive, and thus what constitutes an invasion of privacy may vary from person to person. Joan Turek-Brezina, Chair, Department of Health and Human Services Task Force on the Privacy of Private Sector Health Records, personal communication, April 1993. Some commentators suggest that medical information is so sensitive that it deserves a special standard for protection under the law, one higher than that provided for, say, financial or consumer information. Jeff Neuberger, Brown, Raysman and Millstein, New York, NY, personal communication, April 1993.

16. U.S. Privacy Protection Study Commission, Personal Privacy in an Information Society (Washington, DC: U.S. Government Printing Office, 1977), p. 28.

17. American Medical Association, Code of Medical Ethics, Current Opinions, prepared by the Council on Ethical and Judicial Affairs, 1992, sec. 5.07.

18. For further discussion of the Medical Information Bureau, its purpose and activities, see box 2-E.

19. Commentators note that this practice contributes to inadequate healthcare coverage for many Americans. Margaret Amatayakul, Associate Executive Director, Computer-based Patient Record Institute, Inc., personal communication, April 1993.

20. Institute of Medicine, op. cit., footnote 1, p. 21.

21. HCFA Data Compendium, Health Care Financing Administration, Fiscal Year 1992, U.S. Department of Health and Human Services, Bureau of Data Management and Strategy, Office of Statistics and Data Management, p. 28.

22. Federal Privacy of Medical Information Act, Report 96-832 Part 1, Mar. 19, 1980, p. 30.

23. Gerry D. Lore, Associate Vice President and Director, Government Affairs, Hoffmann-LaRoche Inc., personal communication, April 1993.

24. Report of the Work Group on Computerization of Patient Records, op. cit., footnote 7, p. 14.

25. If individuals perceive that personal medical information is at risk of broad authorized access, individuals may forego medical treatment. Gerry D. Lore, op. cit., footnote 23.

26. OTA workshop, July 1992. One example of this phenomenon is the use of taxpayer information to track parents whose child support payments are delinquent.

27. Alan Westin, Professor of Public Law and Government, Columbia University, personal communication, February 1993.

28. Gerry D. Lore, op. cit., footnote 23.

29. It is well established that computer security systems are best integrated into systems as the software is developed. Kevin McCurley, Senior Member of Technical Staff, Algorithms and Discrete Mathematics Department, Sandia National Laboratories, personal communication, November 1992.

30. OTA Workshop, July 31, 1992. Insurers' requests may be specific while the response to the request may be much broader than the request would require. Steven Brooks, Manager, Medical Information Management, Aetna Health Plans, personal communication, April 1993.

31. Ontario Commission of Inquiry Into the Confidentiality of Health Information, "Report of the Commission," 1980, vol. II, pp. 160-166.

32. This linkage of data is further facilitated by identification of data by Social Security Number, if it is used.

33. Steven Brooks, op. cit., footnote 30.

34. Ontario Commission of Inquiry Into the Confidentiality of Health Information, op. cit., footnote 31.

35. OTA Workshop, July 31, 1992. Some argue that once data is compiled for a particular purpose, the desire to use it for some other "laudable goal" becomes irresistible. Janlori Goldman, Director, Privacy and Technology Project, American Civil Liberties Union, personal communication, July 1992.
36. AMA Principles of Medical Ethics, Principle IV. 37. Code of Medical Ethics, Current Opinions, The American Medical Association, 1992. The AMA addresses these concerns again in its Policy Compendium: Current Policies of the American Medical Association, House of Delegates through the 1991 Interim Meeting. In its Policy Compendium of 1991 the AMA Council on Long Range Planning and Development discusses "Fundamental Elements of the Patient-Physician Relationship." Among these are the patient's right to confidentiality ("The physician should not reveal confidential communications or information without the consent of the patient, unless provided for by law or by the need to protect the welfare of the individual or the public interest."), and the patient's right to obtain copies or summaries of their medical records. (Section 140.975,Fundamental Elements of the Patient-Physician Relationship, subsections [4] and [1], respectively.) Special sections of the document state specifically the AMA's support for continued efforts to ensure the confidentiality of information on medical records, and encourages consideration of AMA drafted model state legislation, as well as its support for appropriate efforts to protect the confidentiality and privacy of information contained in electronic medical records.(Section 315.993, 998). It also addresses concerns about confidentiality of information requested by third party payors and utilization review groups. (Section 320.979 and 320.986). 38. Section 552a(a)(4) of the Privacy Act defines, for purposes of the Act, the term "record" as "any item, collection or grouping of information about an individual that is maintained by an agency, including but not limited to his education, financial transactions, medical history and criminal or employment history and that contains his name, or the identifying number, symbol or other identifying particular assigned to the individual such as a finger or voice print or a photograph." 
The Act defines the term "system of records" as "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." 39. Ibid. Section 552a(b). Agencies have expanded upon the notion of "consistent with" to justify further uses of personally identifiable information. 40. Public Law 93-579, sec. 2(b). 41. Medical Records and the Law, William H. Roach, Jr., Susan N. Chernoff, Carole Lange Esley, eds., (Rockville, MD: Aspen Systems Corp., 1985) p. 78. 42. 42 U.S.C. secs. 290dd-3, 290ee-3 (1988). 43. 42 C.F.R. secs. 2.1 et seq., (1990). 44. 42 C.F.R. sec. 2.12(e)(4), (1990). 45. See 42 C.F.R. sec. 2.31 (1990). 46. 5 U.S.C. sec. 5552 (1988). 47. W. Prosser, Law of Torts secs. 111, 116 (1984). 48. In Gilson v. Knickerbocker Hospital 280 App. Div. 690, 116 N.Y.S. 2d 745 (1952), plaintiff sued the hospital for libel, claiming that, by complying with a subpoena, the hospital had maliciously allowed the publication of false and defamatory matter contained in the medical record. The record contained an observation that the plaintiff was under the influence of alcohol. The court granted the hospital's motion for summary judgment, stating that the defendant's act was absolutely privileged in that it was acting pursuant to lawful judicial process. 49. American Medical Association, A Patient's Bill of Rights (1972). 50. 237 F.Supp. 96 (N.D. Ohio 1965) and 243 F. Supp. 793 (N.D. Ohio 1965). Applying Ohio law, the court held that a physician breached an implied condition of his physician-patient contract when he disclosed medical information to a hospital's insurer without patient's consent. 51. 193 Misc. 2d 201, 400 N.Y.S. 2d 68 (Sup. Ct. 1977). 52. H.R. Rep. No. 832 pt. I, 96th Cong., 2d Sess. 30-31 (1980). 53. Compilation of State and Federal Privacy Laws, published by the Privacy Journal, Providence Rhode Island, 1992. 
For another review of the State law governing this issue see Medical Records and the Law, op. cit., footnote 4 app. B, State-by-State Analysis of Medical Records Statutes and Regulations. 54. Two such enterprises, PCN Inc. and PCS Health Services, Inc., are discussed in box 2-E. 55. Workgroup for Electronic Data Interchange, op. cit., footnote 5, app. 4, p. 5. 56. Ibid., p. 17. 57. OTA Workshop, July 31, 1992. 58. Ibid., Robert M. Gellman, "Prescribing Privacy: The Uncertain Role of the Physician in the Protection of Patient Privacy," North Carolina Law Review, vol. 62, 1984. 59. See, A. Potter, "Computers in General Practice: The Patient's Voice," Journal of the Royal College of General Practice, vol. 31, 1981, pp. 83 to 85; M. Pringle, S. Robins, and G. Brown, "Computers in the Surgery: The Patient's View." British Medical Journal, 1984, vol. 288, pp. 289-291. G. Brownbridge, G. Hermark, and T. Wall, "Patient reactions to doctors' computer use in general practice consultations." Social Science Medicine, 1985, vol. 20, pp. 47-52. J. Rethans, P. Hoppener, G. Wolfs, J. Diederiks, "Do personal computers make doctors less personal?" British Medical Journal, 1988, vol. 296, pp. 1446- 1448. Because medical computerization is further advanced in England than in the United States, these studies are predominantly surveys of patient opinion within the British working class. Similar findings have been reported in American work. See, J. Legler, R. Oates. "Patient Reactions to Physician Use of Computers During Clinical Encounters." Prepublication draft. 60. James D. Legler, M.D. Assistant Professor, Department of Family Practice, University of Texas, Health Science Center at San Antonio, personal communication, April 1993. -----------------------------------------Systems for Computerized Health Care Information 3 Implementation of a system for computerized medical information involves technological and nontechnological elements. 
Among the technological aspects of such a system are the online or off-line approaches to maintaining and processing information, computer security systems, and standards for computerization of medical information and the content of the medical record. From an administrative and policy standpoint, computerization of health care information requires foolproof identification of patients and patient information, policies to clarify questions of ownership and access to patient records, and practices for obtaining informed consent from patients for release and use of their personal data.

TECHNOLOGY OF COMPUTERIZED HEALTH CARE INFORMATION

Early research into computerization of medical information focused on administrative record keeping, laboratory management, and electrocardiographic analysis. In addition to these uses, one of the goals of this research has been the creation of an electronic, computer-based patient record. Computer systems for health care information records consist of four essential elements:

o Hardware, including a central processing unit, mass storage devices, communication channels and lines, and remotely located devices (e.g., terminals or microcomputers with or without local area networks) serving as human/computer interfaces;
o Software, including operating systems, database management systems, communication and application programs;
o Data, including databases containing patient information; and
o Personnel, to act as originators and/or users of the data: health care professionals, paramedical personnel, clerical staff, administrative personnel, and computer staff.1

These elements have traditionally been contained within each medical institution, and each department within the medical facility has been linked to provide access to information by health care practitioners and administrators working at the facility. Privacy and security concerns have been addressed by the individual institution.
Recently, however, faced with rising costs and increasing demands for more cost-effective delivery of services, the medical community is considering a system that links computers among institutions. Such an approach, an online system, would tie together computer systems in hospitals, private practitioners' offices, health maintenance organizations, health libraries and research resources, and third-party payers. Information about the individual patient could be transferred among these facilities, with the intent of eliminating paperwork and lowering administrative costs, while raising the level of patient care.2 Linkage of these computer systems would expand access and broaden security and privacy concerns.

A smart card system has also been considered as the primary means of storing and maintaining the patient record, or for use as an access control device to assure confidentiality in an online system, or some combination of the two.3 Smart card systems for health care have been implemented extensively in France. Other European countries have pilot projects to test this technology for maintenance of health care data. Smart cards can be used in two ways: for storage of medical information, and for enhancing security of online computer systems. Smart cards are considered by some as a way of giving the patient maximum control over the confidentiality of his or her health care information. However, depending on how smart cards are used, they too raise concerns about privacy.

Whatever the technology employed to maintain medical information, decisions about privacy in data involve balancing the individual's right to privacy against the cost of security, and the impediment that security measures impose on the accessibility of data.
Individual rights must also be balanced against public interests in information such as those for medical research.4 Technology controls improper access from outside the system, but the greater concern for abuse is improper actions by persons authorized to access the computer system from within an institution.5 No system can be made totally secure through technology.

Online Systems

The Institute of Medicine (IOM) report discusses the potential for linking data in terms of "connectivity"--a term denoting the potential to establish links or to interact with any source or database that may improve the care of the patient. The report identifies three interfaces important for such interactions: 1) the interface between the record and other repositories or potential repositories of information that may be useful in providing patient care, 2) the interface between the record systems of different provider institutions, and 3) the interface between the record and a practitioner.

The ability to link these kinds of data depends on new network technologies that are built on communications, computing, information and human resource capabilities, and integration of computing and communications technologies to enable transmission of text, images, audio and video. The information infrastructure enabling these developments includes communications networks, computers, information and the people who use these resources and create information.

Communications networks are interconnected and interoperable public and private communications networks providing services ranging from high to low speed, allowing a range of uses anytime, anywhere. ("Public" networks refer to those networks, such as the public switched telephone network, that are open to use by anyone (common carriers); "private" networks refer to those that are limited to use by a specific group of people meeting certain criteria, such as corporate networks or "value added networks.")
They also involve agreed-upon technical standards for piecing together the network and having all the elements work together; the capacity to transmit information at both low and high speeds, in a variety of data formats, including image, voice, and video; and multiple mechanisms to support the electronic transfer of funds in exchange for services received.

Computers include specialized computers resident on the communications networks to provide intelligent switching and enhanced network services, personal computers and workstations, including machines that respond to handwritten or spoken commands and portable wireless devices that are easy to use and that can be easily accessed by users, and distributed computer applications that are widely accessible over the network.

Information includes public and private databases and digital libraries that store material in video, image, and audio formats, and information services and network directories that assist users in locating, synthesizing and updating information.

From a health care perspective, a high-performance computing network is believed to allow linkage of hospitals, doctors' offices, and community clinics through high-speed networks. Patient records, including medical and biological data, would be available to authorized health care professionals anytime, anywhere over these networks, allowing health care providers to access immediately, from any location, the most up-to-date patient data. This data would in the future include not only textual records but would also incorporate medical images (e.g., x-ray and magnetic resonance imaging) from clinical or laboratory tests. From an administrative standpoint, such a system could enable efficiency gains and cost savings. Most often cited is the projected savings in administrative costs involved in processing an estimated five million health care claims per day. It is believed that a network would allow improved management of and access to health care-related information and reduce costs for processing insurance claims through electronic payment and reimbursement. High-speed networks would also enable medical collaboration through use of interactive, multimedia telemedicine technologies over distances.6

The extensive linking of computers through high performance, interactive networks that enable instantaneous exchange of information challenges existing schemes for data protection, which place responsibility for confidentiality on each institution. Information will no longer be maintained, accessed, or even necessarily originate from a single institution, but will instead travel among a myriad of institutions, so that new systems for data protection must track the flow of the data itself.

SECURITY IN ONLINE SYSTEMS

In online systems, security is generally provided through the use of user identification names and passwords. User identification names can be defined in a variety of ways, including different combinations of segments of the patient's name and number sequences. Passwords are, theoretically, known only to the user and are periodically changed. More advanced technological solutions to the problem of access control include use of smart cards, or biometric control devices such as scanners that read fingerprints, retinas, or speech patterns. These devices provide heightened security, but at higher cost.7

In addition to user identification names and passwords, systems may also be equipped with user-specific menus to control access to functions and thereby limit user access only to particular parts of the patient record that the user legitimately needs to carry out his or her job. Thus, an administrator may have the ability to view only accounting and demographic data and have no access to medical data.
Indicators, or flags, can be used to define the level of interaction in a particular functional or domain area. For example, flags can control whether data can be accessed to be read or updated only; whether data can be corrected only on the same date of entry; whether data can be updated at a later date; and whether data can be validated or a process activated. Policy decisions may be made that certain kinds of information need not be accessible to all health care personnel. Thus, software can be implemented that suppresses and restricts access to certain categories of data.8

Because a networked system allows access to data from a number of terminals, terminals may be left by the operator during a data entry session after the password has been entered and at a sensitive point in a query or in the data entry process. This problem may be addressed by a mechanism for quick storage of information, and time-out features so that any idle terminal unused for input for a fixed period of time will automatically revert to the password entry screen.9

Some systems make use of audit trails, records of significant events (login, user authentication and authorization, activities of specific users) that may be checked when something of a suspicious nature occurs. Audit trails can reveal irregular patterns of access and allow detection of improper behavior by legitimate or nonlegitimate users.10

Equally as important in supplementing the technological measures taken to address the problem of maintaining a secure networked system are organizational education efforts, policies, and disciplinary "actions" to ensure the ethical behavior of persons inside the computer system who have authorized access to the information. In addition, organizational committees are often established to oversee and make decisions about compliance with regulations about data, legal concerns, and ethical considerations regarding the transfer and release of information.
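The controls this section lists (role-specific menus, read/update flags, same-day-only corrections, idle-terminal time-outs, and an audit trail reviewed for irregular access) can be seen working together in the following model. It is an added example, not code from the OTA report or from any system it describes; the roles, record sections, five-minute idle limit, refusal threshold and events are constructed for the illustration.

```python
"""Access control and audit for a networked patient record, modelled on the
mechanisms described above: user-specific menus, read/update flags, same-day
corrections, idle-terminal time-outs, and an audit trail. Added example, not
code from the OTA report or any real system; all roles, data and events are
constructed."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Flags a record section can carry for a role.
READ, SAME_DAY, UPDATE = "read", "same_day_correct", "update"

# Constructed policy: the sections on each role's menu and the flag for each.
# An administrator sees only accounting and demographic data.
POLICY = {
    "administrator": {"accounting": UPDATE, "demographics": UPDATE},
    "lab_technician": {"medical": SAME_DAY},
    "physician": {"demographics": READ, "medical": UPDATE},
}
# Constructed policy decision: a category suppressed for every role but these.
SUPPRESSED = {"medical/psychiatric": {"physician"}}
IDLE_LIMIT = timedelta(minutes=5)


@dataclass
class Session:
    """One password entry at a terminal; a new Session is a new login."""
    user: str
    role: str
    last_activity: datetime


@dataclass
class RecordSystem:
    entries: dict = field(default_factory=dict)  # (section, item) -> (value, entered_on)
    audit: list = field(default_factory=list)    # (time, user, action, target, result)

    def _authorize(self, session, section, item, action, now):
        """Return "ok" or the reason the action is refused."""
        if now - session.last_activity > IDLE_LIMIT:
            return "timed_out"      # idle terminal reverts to the password screen
        session.last_activity = now
        category = f"{section}/{item}"
        if category in SUPPRESSED and session.role not in SUPPRESSED[category]:
            return "suppressed"
        flag = POLICY[session.role].get(section)
        if flag is None:
            return "not_on_menu"    # section absent from this user's menu
        if action == "write":
            if flag == READ:
                return "read_only"
            existing = self.entries.get((section, item))
            if flag == SAME_DAY and existing and existing[1].date() != now.date():
                return "not_same_day"
        return "ok"

    def _attempt(self, session, section, item, action, now):
        result = self._authorize(session, section, item, action, now)
        self.audit.append((now, session.user, action, f"{section}/{item}", result))
        return result

    def read(self, session, section, item, now):
        ok = self._attempt(session, section, item, "read", now) == "ok"
        return self.entries[(section, item)][0] if ok and (section, item) in self.entries else None

    def write(self, session, section, item, value, now):
        result = self._attempt(session, section, item, "write", now)
        if result == "ok":
            # A correction keeps the original date of entry; a new item gets today's.
            entered_on = self.entries.get((section, item), (None, now))[1]
            self.entries[(section, item)] = (value, entered_on)
        return result

    def irregular_users(self, max_refusals=3):
        """Users whose refused actions in the audit trail reach a threshold."""
        refused = Counter(u for _, u, _, _, r in self.audit if r not in ("ok", "timed_out"))
        return {u for u, n in refused.items() if n >= max_refusals}


def demo():
    """Constructed events over two days; returns each outcome for inspection."""
    day1, day2 = datetime(1993, 4, 1, 9, 0), datetime(1993, 4, 2, 9, 0)
    records = RecordSystem()
    tech = Session("tech1", "lab_technician", day1)
    out = {}
    out["lab_entry"] = records.write(tech, "medical", "hematocrit", "41", day1)
    out["lab_fix_same_day"] = records.write(tech, "medical", "hematocrit", "42", day1 + timedelta(minutes=3))
    tech = Session("tech1", "lab_technician", day2)            # logs in again next day
    out["lab_fix_next_day"] = records.write(tech, "medical", "hematocrit", "43", day2)
    doc = Session("drlee", "physician", day2)
    out["doc_reads_lab"] = records.read(doc, "medical", "hematocrit", day2)
    out["doc_edits_demographics"] = records.write(doc, "demographics", "address", "new", day2)
    out["doc_idle"] = records.read(doc, "medical", "hematocrit", day2 + timedelta(hours=1))
    admin = Session("adm", "administrator", day1)
    for minute in range(3):  # the administrator keeps trying to open medical data
        records.read(admin, "medical", "hematocrit", day1 + timedelta(minutes=minute))
    out["admin_psychiatric"] = records.read(admin, "medical", "psychiatric", day1 + timedelta(minutes=3))
    out["irregular"] = records.irregular_users()
    return out
```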
Smart Cards

A smart card is a credit card-sized device containing one or more integrated circuit chips, which perform the functions of a microprocessor,11 memory, and an input/output interface. Smart cards can perform two major roles:

1. they can provide a medium for storing and carrying personal information; and
2. they can process information that enhances the security of many online computer systems, thus acting as a means for accessing information in a network of computers.12

Definitions of what constitutes a smart card differ. Generally, a smart card encompasses off-line technology that is able to activate devices at the point of use. The traditional smart card, invented in 1974, is embedded with a microchip, which allows it to exchange information with a computer. The super smart card is battery-powered, contains a keyboard and display, and has a 64K EEPROM (Electrically Erasable Programmable Read Only Memory)13 reprogrammable memory chip and microprocessor for internal power.14

The smart card reader/writer device is also a major component of the smart card system. The main purpose of the reader/writer device is to provide a means for passing information from the smart card to a larger computer and for writing information from the larger computer into the smart card. The reader/writer device provides power to the smart card and physically links the card's hardware interface to the larger computer. Since the smart card's microprocessor can control the actual flow of information into and out of the card's memories, the reader/writer device's role may be minimal. Some smart card systems incorporate reader/writer devices that perform calculations and other functions. It is generally the smart card itself that determines if and when data will be transferred into and out of the smart card's memories.

SMART CARDS AS A MEANS OF INFORMATION STORAGE15

The capacity of smart cards to store information has increased to 800 printed pages.
In addition to this expansive memory, the smart card can ensure that the information stored in its memory is secure. The memory of a smart card can be divided into several zones, each with different levels of security and requirements for access, as required for a specific application. The smart card microprocessor and its associated operating system can keep track of which memory addresses belong to which zones and the conditions under which each zone can be accessed (see figures 3-1 and 3-2).

A confidential zone could be used to store an audit trail listing all transactions, or attempted transactions, made with the card. The confidential zone could have a password known only to the card issuer, who could examine the history of the card for evidence of misuses of the system. To prevent any attempts to modify the card's audit trail, the confidential zone could have a read-only access restriction, so that the system could write to the zone, but information could not be changed from the outside.

A usage zone could be used for storage of information that is specific to the smart card application and that requires periodic updates and modification. For example, the date of the card bearer's last access to the host computer or the amount of computer time used could be stored in the usage zone. Depending on the sensitivity of the data, a password could be required for this zone. The usage zone could have both read and write access protected by a password.

A public zone could hold nonsensitive information, such as the card issuer's name and address. The public zone could have read-only access, without a password.

Crucial secret information can be maintained in separate protected memory locations through the use of the smart card's memory zones.
It may also be possible to produce a smart card that would ensure that the entire secret zone will be destroyed if any attempt is made to access the data in that zone; information located in that zone could be used only by the microprocessor itself. Information such as passwords, cryptographic keys, and other information which should never be readable outside of the smart card could be located here. The smart card's capacity for distinct memory zones also allows for the allocation of separate memory zones for individuals so that, for example, only the card bearer could access the usage zone, and only the card issuer could access the confidential zone.

Care providers would be equipped with a reader, microcomputer, and necessary software. Each provider would be given an accreditation card to gain access to the smart card of patients. This card defines the zones to which access is allowed. A Personal Identification Number (PIN) would also have to be entered before the smart card could be accessed (like those used by bank automatic teller machines and credit cards).

SMART CARDS AS A MEANS OF ACCESS CONTROL

A smart card can be used as part of an access control system to protect sensitive data. Appendix A discusses generally the basic access control concepts of cryptography, user authentication, and device authentication. A smart card can be used to perform the encryption operations needed for authentication rather than a cryptographic device attached to (or inside of) a terminal (see figure 3-3). A smart card is intended to remain in the possession of its sole user, who is responsible for its protection, as opposed to a cryptographic device kept at the site of the terminal, which may be vulnerable to tampering. The cryptographic operations performed by a smart card are believed to possess the potential to improve security. In addition, the smart card is capable of encrypting short strings of data used in authentication procedures.
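The memory-zone design and the card-based authentication just described can be modelled together. The following is an added example, not code from the OTA report or from any card system it describes: the public, usage, confidential and secret zones, the issuer password, bearer PIN and provider accreditation card follow the text, the self-destructing secret zone is the "may also be possible" design above, and HMAC-SHA256 stands in for the DES-based card operations the text mentions, with every name and value constructed.

```python
"""Smart card memory zones (public, usage, confidential, secret) and card-based
challenge-response authentication, as described above. Added example, not code
from the OTA report or any real card: the accreditation card, bearer PIN and
self-destructing secret zone follow the text; HMAC-SHA256 stands in for the
DES-based operations the text mentions; all names and values are constructed."""
import hashlib
import hmac
import os
from collections import namedtuple

# A provider's accreditation card: who holds it and which zones it opens.
Accreditation = namedtuple("Accreditation", "holder zones")


class SmartCard:
    def __init__(self, bearer_pin, issuer_password, auth_key):
        self._zones = {
            "public": {"issuer": "Constructed Card Issuer, 1 Example Street"},
            "usage": {},                       # application data, updated in use
            "confidential": [],                # audit trail, appended only by the card
            "secret": {"auth_key": auth_key},  # used by the microprocessor only
        }
        self._bearer_pin = bearer_pin
        self._issuer_password = issuer_password

    def _audit(self, who, action, zone, key, result):
        self._zones["confidential"].append((who, action, zone, key, result))
        return result

    def _permit(self, acc, zone, pin, issuer_password):
        """Return "ok" or the reason access to the zone is refused."""
        if zone == "secret":
            # Any outside attempt on the secret zone destroys its contents.
            self._zones["secret"].clear()
            return "secret_zone_destroyed"
        if zone not in acc.zones:
            return "not_accredited"
        if zone == "usage" and pin != self._bearer_pin:
            return "bad_pin"
        if zone == "confidential" and issuer_password != self._issuer_password:
            return "issuer_password_required"
        return "ok"

    def read(self, acc, zone, key=None, pin=None, issuer_password=None):
        result = self._audit(acc.holder, "read", zone, key,
                             self._permit(acc, zone, pin, issuer_password))
        if result != "ok":
            return None
        store = self._zones[zone]
        return list(store) if zone == "confidential" else store.get(key)

    def write(self, acc, zone, key, value, pin=None):
        # Only the usage zone accepts writes from outside the card.
        if zone != "usage":
            return self._audit(acc.holder, "write", zone, key, "read_only")
        result = self._audit(acc.holder, "write", zone, key,
                             self._permit(acc, zone, pin, None))
        if result == "ok":
            self._zones["usage"][key] = value
        return result

    def respond(self, challenge):
        """Keyed response computed inside the card; the key itself never leaves."""
        key = self._zones["secret"].get("auth_key")
        return None if key is None else hmac.new(key, challenge, hashlib.sha256).digest()


class Host:
    """Terminal-side verifier holding a copy of the card's authentication key."""
    def __init__(self, auth_key):
        self._auth_key = auth_key

    def authenticate(self, card):
        challenge = os.urandom(16)
        response = card.respond(challenge)
        expected = hmac.new(self._auth_key, challenge, hashlib.sha256).digest()
        return response is not None and hmac.compare_digest(response, expected)


def demo():
    """Constructed sequence of card uses; returns each outcome for inspection."""
    key = b"constructed-example-key"
    card = SmartCard(bearer_pin="4321", issuer_password="issuer-secret", auth_key=key)
    host = Host(key)
    clinic = Accreditation("Dr. Example", frozenset({"public", "usage"}))
    issuer = Accreditation("Card Issuer", frozenset({"public", "confidential"}))
    out = {}
    out["public"] = card.read(clinic, "public", "issuer")
    out["usage_no_pin"] = card.read(clinic, "usage", "last_visit")
    out["usage_write"] = card.write(clinic, "usage", "last_visit", "1993-04-01", pin="4321")
    out["usage_read"] = card.read(clinic, "usage", "last_visit", pin="4321")
    out["clinic_reads_audit"] = card.read(clinic, "confidential")
    out["issuer_writes_audit"] = card.write(issuer, "confidential", "x", "forged")
    out["auth_before"] = host.authenticate(card)
    out["secret_probe"] = card.read(clinic, "secret", "auth_key")
    out["auth_after"] = host.authenticate(card)
    trail = card.read(issuer, "confidential", issuer_password="issuer-secret")
    out["refusals"] = [r for *_, r in trail if r != "ok"]
    return out
```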
Several encryption algorithms are currently available in smart cards, and implementations of the Data Encryption Standard have been developed for smart cards.

SMART CARD AS A CARRIER OF MEDICAL DATA

The concept of a patient card and the portable medical record was originally born in the 1970s, but it took several years, until the mid 1980s, to implement the operation.16 The frequently used definition of a patient card is:

. . . a plastic card of credit-card size upon which is printed legible information; it may also carry part or all of the patient's medical record in micro or digital form. A card that carries only medical information is referred to as a "dedicated" patient card. Non-dedicated cards may carry insurance information, financial or credit data, educational data, etc., in combination with medical information.17

Several countries are currently attempting to implement such a health care card (see box 3-A on the French Smart Card System for Health Care). In Australia, proposals for implementation of such a system provide that:

Patients will be able to elect to have a life-long health care record in electronic form, which will contain a summary of all relevant health care information from the date of birth until death. Included will be entries from general practitioners, specialists and consultants, radiologists, laboratories, nursing care, hospitals, physiotherapists, psychologists, occupational therapists, dental care etc. The total record will be carried by the patient on a "Health Card" the size of a plastic credit card. Copies will also be kept by the last doctor seen and by a "national back-up service" (a non government organization) which will maintain a network of back-up centers throughout the country.
This electronic record will have several levels of security restriction which will control who will have access to what part of each encounter.18

In the Australian approach, the smart card will collate all patient information--administrative, hospital, and doctor related records. Pilot projects have been implemented in France, Great Britain,19 Sweden, and Italy, which use the smart card in a different manner, storing limited kinds and amounts of information (see box 3-B). In the United States, card systems are proposed as one solution to the need to contain costs, streamline paperwork, and increase availability of health care services.20

Smart card technology is often cited as a possible solution to the problem of privacy in computerized medical data. In lieu of a computerized, central database, or a linked network of information, smart cards would allow individual patients to maintain their own medical records, and would empower the patient with the ability to consent to any access to the data by authorization of access to the card. The smart card, as a patient-borne record, would represent a distributed database with the advantage that real-time access to information is available only with the informed consent of the patient (with the exception, probably, of emergency information).21 This is contrasted with the acknowledged risk of computer network penetration by the determined "hacker" who, if successful, could have access to thousands, even millions, of clinical records. The restriction of access to different kinds of data of different levels of sensitivity enabled through use of security codes arguably heightens the patient's personal control over the data.22

However, critics of such a system cite shortcomings of the card's ability to protect patient privacy in medical information.
Concerns have been raised about patient compliance with carrying the card.23 The proposed solution to such compliance problems is the creation of a back-up database containing the patient information, such as that proposed in the Australian plan (see discussion on pages 58-61).24 Such a database would, arguably, present many of the same problems as an online computerized system. Others have noted that while the smart card allows for control over the information while it is in the patient's possession, it is entirely possible that the patient will not know the nature of the information he or she is carrying.25 In addition, without further laws to the contrary, the carrier of the patient card could be completely dependent on the judgment of health care administrators to determine what information should be accessed by which health care provider, insurer or other third party.26 Concerns remain, also, about security of information at the host.27

Yet another concern is that patients will not want information about psychic and mental diseases, AIDS tests, abortions, venereal diseases, or genetic anomalies recorded on the card. As a result, there is concern about whether a smart card will contain a comprehensive medical record, or an abbreviated version of the record with its attendant limitations. Some also contend that, while the patient data serves to document the process of patient care, it would be inappropriate to eliminate the hospital or office-based record of care because that record is also part of the process information of the health care provider. The proposed 1994 Accreditation Manual for Hospitals released by the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) emphasizes the eve