The Washington Post
Some privacy advocates read a quiet menace in Shalala's words. In bland official language, Shalala erased the traditional standard of a "compelling public interest" to justify a governmental invasion of privacy, and replaced it with a broader balancing act, says Beverly Woodward, a Brandeis University sociologist. It was the jurist for whom Woodward's university is named, Supreme Court Justice Louis Brandeis, who in a 1928 ruling described the "right to be let alone" as "the most comprehensive of rights and the right most valued by civilized men." Today, there are so many interested parties in the medical privacy debate -- dozens of industries that depend on access to sensitive information -- that in developing any new law, an awful lot of balancing is going to have to be done. At times it has seemed that individual privacy will get balanced right out of existence.
That's just the point, says Georgetown University law professor Lawrence Gostin. Privacy has disappeared, he says -- get used to it. After reviewing the issues on several panels over the last decade, Gostin says that what strikes him is the "mind-boggling information out there" on the expanding digital health care networks. Some people argue that computers are no more vulnerable to attack or exploitation than the old system of paper records, and in fact are more easily protected because of electronic security devices and audit trails. Gostin doesn't buy that. No amount of security can protect individuals from leaks by authorized users, he says. And a talented hacker can break into a computer system almost no matter how sophisticated it is; Pentagon computers suffered an estimated 250,000 attacks in 1995, according to a General Accounting Office report, and 65 percent of the hack attacks were described as successful to some degree.
What's needed, Gostin argues, is for someone to tell the public, plainly, clearly, that absolute privacy does not exist and certainly will not in health care's brave new world, a world so different from the one Brandeis knew. "There are trade-offs between privacy and the goods society gets from medicine. And information is the life's blood of the modern health care system," he says. "The public should get reasonable assurances that when their personal information is collected, the health care system will treat it with respect, store it securely, and disclose it only for important health purposes." And there should be laws in place to give victims of data abuse easy access to the courts, he says.
What sorts of potential abuses might people have to worry about? Some are already visible. Let's say you own a medium-size company and are concerned about rising health insurance premiums. What to do? You ask your insurer for the records of your employees to find out who's running up the bills. Under the Americans With Disabilities Act it is illegal to fire an employee because of such an audit. But discrimination may be difficult to prove, and not all illnesses qualify as disabilities under the law.
More and more employers have information about their employees' health, and more and more of them use it in personnel decisions. In part, workers are victims of their own success. Union drives during the 1960s led to the creation of employee assistance plans with on-site clinics and nurses. Around the same time, companies were given tax and regulatory incentives to run their own insurance programs, a process that accelerated during the 1980s as health insurance costs skyrocketed. Some companies have fire walls to keep employees' medical records away from their supervisors. Some don't. David F. Linowes, a University of Illinois public policy professor who has been studying workplace privacy since the early 1970s, says that in his 1996 survey of Fortune 500 companies, a third of the 84 respondents said they used medical records to make employment-related decisions.
"The thrust is that employers don't hesitate to use this information," says Linowes. "It's something that enters the equation concerning their investment in personnel."
In a complaint filed in D.C. Superior Court last fall, a cancer patient named Patricia Scott charges that her former employer, the Service Employees International Union, did just that. She says the union canceled her health insurance and eventually dismissed her because it had changed to a self-insured health plan and didn't want to cover her expenses. The union denies the charge, saying it was dissatisfied with Scott's job performance and that she refused to provide adequate medical proof of her disability. Scott's attorney, Diane Seltzer, says such cases are becoming more common.
In Philadelphia, supervisors at the Southeastern Pennsylvania Transit Authority paid Rite Aid Pharmacy to supply medications to its workers in exchange for a breakdown on who was using what drugs. When executives found that an employee was using an AIDS medicine, they informed his supervisor. The employee sued for invasion of privacy but lost; the judge said the company had a legitimate business reason to delve into his records.
Then there is the story of a 46-year-old Washington man known in D.C. court records as John Doe. During the eight years he has been HIV-positive, he has managed, with the help of the drug AZT, to remain healthy except for two brief hospitalizations; he has also confined knowledge of his illness to a few close friends and relatives. In April 1996, Doe spent several days at the Washington Hospital Center for treatment of severe fevers and headaches diagnosed as a form of meningitis. To keep his debts down, Doe had been working two jobs -- behind a desk at the Office of Personnel Management by day and behind a broom at the State Department by night. He alleges that a fellow State employee, Tijuana Goldring, who moonlighted as a receptionist at Washington Hospital Center and who knew Doe had been treated there, somehow caught a glimpse of his private medical records and passed word of his condition to co-workers. Doe says that after his condition became known, colleagues went out of their way to avoid him and some began wearing plastic gloves even on cigarette breaks. They teased him relentlessly, he says, asking, "How's your health?" or saying, "I hear you got the alphabet disease."
Doe says he must cope with both anxiety about the future and humiliation on the job. "People make snide remarks about homosexuals being the carrier of the virus and joke about me dying," Doe wrote in his complaint. "I feel violated and naked before these people."
As Congress debates how to protect people like Doe with a new federal law, it will be pushed and pulled by special interests that have a financial stake in the unfettered flow of medical information. Shalala's proposals -- which were based on months of consultation with privacy experts, industry and Congress -- aim to secure medical data with new record-keeping and computer access rules; to prohibit the disclosure of medical information outside the health care arena; to allow patients access to their own records; and to strengthen punishment for abuses. Most players in the various health care industries want some kind of confidentiality law, if only to reassure patients. But all of Shalala's specific proposals are entangled in a web of interests.
The core problem is that the very basis of managed care -- which now accounts for 80 percent of employer-based coverage -- is shared information. Whether it is to improve care, as the insurers would claim, or to cheapen it, as their critics charge, managed care companies intervene at every stage to evaluate whether patients are getting the treatment the insurers prescribe. Scores of people along the way inspect the patient's data. "Hippocrates is 2,000 years old," says Samuel W. Warburton, chief medical officer of NYLCare Health Plans Inc., a large New York managed care company. "Medicine isn't one-on-one anymore. It's a team effort." Warburton fears the chilling effects of a confidentiality law that could make doctors skittish about talking to other doctors, to case reviewers, benefits managers and others. "Communication is bad enough as it is," he says.
Health care providers are currently spending around $2 billion a year to build new information networks that support approaches such as "disease management," which consists in part of computerized programs that help prod sick people into getting particular kinds of treatment. At Harvard Pilgrim Health Care in Boston, for example, information specialists scanned the company database and located all patients who had had expensive emergency room visits more than three times. Many of them, it turned out, were alcoholics. Thereafter, when one of the patients entered an emergency room, his or her primary physician was notified and instructed to talk to the patient. Was this a valuable public health measure or a violation of confidentiality? It's a judgment call: "I don't know how the alcoholics react when their doctor calls and says, 'I hear you were in your third automobile accident,' " says John Ludden, Harvard Pilgrim's senior vice president for medical affairs. "This is an active intervention."
(continued on Page Three)
© Copyright 1998 The Washington Post Company