Story by Arthur Allen
One afternoon last November, a managed care supervisor telephoned a psychiatrist in a close-in suburb of Washington and told him to expect a visit from a "utilization reviewer." These days, managed health care companies routinely demand a great deal of information before agreeing to pay for a course of psychiatric care. Therapists are asked questions such as: Is the patient dangerous? Depressed? Guilty? Anxious? A victim of incest? A perpetrator of sexual assault? A utilization review goes even further. In this case, the company had ordered an examination of the records of several of the psychiatrist's patients whose therapy had lasted longer than the insurer felt was normal. The utilization reviewer would enter the therapist's office and pick over charts and notes -- notes that might include details like the name of a patient's sexual tormentor, or the specific nature of his violent fantasies.
As it happened, the patients that the utilization reviewer was concerned about included a wife-beater, a closet homosexual, and two women who were carrying on long-term extramarital affairs, one of them with a prominent Washington personage. And although the patients had all signed blanket consent forms at the beginning of therapy, the psychiatrist says he was quite certain they wouldn't want to let a stranger rummage through their files and their lives with a fine-toothed comb.
"I was in a terrible bind," says the psychiatrist, who discussed the case on condition that he not be identified. If he told his patients about what the insurer intended to do, the patients might become angry or depressed. They might withdraw from therapy -- as a few had in the past when told about the audits -- or threaten to sue him, or badger the managed care company, although any such attempt at recourse would probably only expose their private lives further. On the other hand, if the psychiatrist concealed the audit from his patients, he would maintain tranquillity on the couch and protect his relationship with the managed care company, which might otherwise drop him from the list of physicians it permits its members to consult.
It was an awful decision. "Our whole relationship with the patients is supposed to be based on trust," the psychiatrist says. He agonized -- and in the end chose the path of least resistance, with a guilty conscience. "I have children to put through college," he says. "When I retire, maybe I'll be more brave."
Americans have long assumed that their medical records are their own business. After all, doctors still take the Oath of Hippocrates, which states in part that "whatsoever I shall see or hear in the course of my profession . . . I will never divulge, holding such things to be holy secrets." A solid body of court cases and state laws underlines the tradition of doctor-patient confidentiality and the principle that patients' medical records cannot be disclosed publicly without their permission. But as in so many other areas of American life in the digital age, medical privacy is a tradition under assault. It's not that the laws or ethical codes are being repealed -- it's that broad technological, scientific and economic forces are overpowering the old rules.
Many people would be surprised at just how exposed they are. Millions of individual medical records float around these days in a vast electronic network that serves both commerce and scientific research. The information zips around the country, speeded by computers at every stage. Computers help diagnose disease, monitor patients, organize the data about their conditions, and transmit the information to managed care networks, medical research networks, pharmaceutical benefits managers and other outposts of America's increasingly wired health care system. Along the way, thousands of eyes scan this data. The eyes may belong to health researchers seeking improved treatments, or to corporate managers bent on slashing costs, or to drug company marketers looking for new customers. Some of the records are even available through the Internet, part of a $40 billion medical information industry. In the Information Age, as confidences are entrusted to anonymous datamongers, we are all becoming a little like Blanche DuBois: We rely on the kindness of strangers.
But there are drawbacks, too. The more information available, the greater the opportunity for it to be abused. For one thing, embarrassing records can be leaked. Florida Gov. Lawton Chiles and New York Rep. Nydia Velazquez are two of the more prominent politicians whose psychiatric records circulated without their permission during election campaigns in the last decade. They were victims of a black market in which almost any patient's records can be bought for about $250, according to private investigators. That is how Arthur Ashe's AIDS diagnosis got out, and those of other celebrities as well. High-tech or low-tech, leaks are endemic. A recent informal study in the Annals of Internal Medicine found that in 1 out of 14 elevator rides in Philadelphia hospitals, doctors, nurses or other staff made a major breach of confidentiality in casual conversation. There are employees in the emergency rooms of big-city hospitals who earn more from passing patient information to ambulance-chasing attorneys than they do from their paychecks, says Columbia University professor Paul D. Clayton, who also runs the information systems at Columbia-Presbyterian Medical Center in New York.
Public figures are not the only victims, and the disclosures are not always clearly illegal. Consider Bill Warner, 75, a Baltimore World War II veteran who took a phone call one day in 1995 from his urologist, Horst Schirmer. The agitated doctor reported that Warner's recent prostate surgery, of all things, had just been the topic of discussion at an open court hearing. It turned out that another urologist, Brad Lerner, who was being sued for malpractice, had dug up Warner's records as part of his defense. Schirmer, who was testifying as an expert witness, had been so stunned when a lawyer dangled Warner's confidential pathology report in front of him that he simply refused to discuss it. Ultimately, Warner sued Lerner for invasion of privacy -- his case is pending before Maryland's highest court, the Court of Appeals -- but so far, lower courts have ruled that Lerner had the right to make use of the private records under a loophole in a 1990 state confidentiality law that allows sued doctors to look into any patient's records -- even patients they have never met.
Warner sued because he was teed off, because of the principle of the thing. "It's just a question of, 'Why me?' " he says. "My medical history is no one else's business in this wide world."
But that's not necessarily true any longer. There are thousands of people who consider patient data their business these days. Drug manufacturers such as Merck & Co. have bought pharmaceutical benefits management companies in recent years and have used the patient and prescription lists to tout their products. Companies selling baby products use hospital birth records to market their goods to parents just as they arrive home with their newborns. There have been reports that Internet sites offering information about certain diseases have solicited data from cyber-visitors and then sold that information to companies marketing drugs or therapies.
Finally, of course, there is the routine exploitation of medical records to weed out expensive patients -- the refusal of insurance to the sick or, increasingly, to those whose genes predispose them to illness. American health insurance is based on risk underwriting, which essentially means that the people who pay for health care try, to the extent possible, to avoid taking on the sick. In this often pitiless health care economy, many people -- even those with stable jobs and benefits -- feel vulnerable about the potential loss of their insurance, should some corporate-defined "preexisting condition" be disclosed to the wrong party at the wrong time. Indeed, a central predicament of the country's emerging digital medical information network is that, at the very moment when more and more information is becoming available to more and more eyes, the consequences of the data's misuse are potentially more severe than ever before.
New privacy laws have been enacted in response to public outcry over the perceived injustices of for-profit health care, and more laws are on the way. But can any law really protect people from invasions of doctor-patient confidentiality, given the technological, scientific and economic changes underway?
Sometime in the next 18 months, Congress will probably pass a federal privacy law aimed at limiting the authorized uses of medical information and providing for legal redress in the event of abuse. Such a privacy bill -- or, failing congressional action, creation of federal regulations -- is mandated by August 1999 under the Kennedy-Kassebaum health care reform law of 1996. One goal of that legislation was to speed the computerization of health care records, and privacy advocates inserted language to ensure that computerization was accompanied by better protection.
The Clinton administration's aim is to help create a seamless nationwide records system that eventually may involve a "universal patient identifier," the equivalent of a Social Security number for each patient. The goal of the identifier system would be to improve communication among the many agencies and companies involved in health care. It could help control health care costs, help combat fraud, help check the spread of disease, and support authorized medical research into new cures and treatments for dire conditions, its proponents believe.
Last September, Health and Human Services Secretary Donna Shalala took a stab at formulating the privacy protection people should expect in this coming world of fully automated records. "Twenty-five years ago, our health care privacy was protected by our family doctor, whom we trusted not only because of the Hippocratic Oath and the fundamental ethics of medicine -- but because we knew them," Shalala said in testimony before the Senate Labor and Human Resources Committee. "Today, the revolution in our health care delivery system means that instead of Marcus Welby, we have to place our trust in entire networks of insurers and health care professionals." The challenge, she said, is to "balance protection of privacy with our public responsibility to support national priorities -- public health, research, quality care, and our fight against health care fraud and abuse."
(continued on Page Two)
© Copyright 1998 The Washington Post Company