Two months ago, a 42-year-old woman named Mimi walked into her pharmacy in Fairfield, Conn., to pick up a refill of the medicine she had taken for years for her migraine headaches -- and stormed out with a headache larger than she'd ever imagined.

She could not get a refill, her druggist told her, because a company that manages pharmacy benefits had decided she was taking too many kinds of medicine. Mimi, a mother and part-time psychotherapist who asked that her full name not be used, called two of her doctors, only to discover that the company had written each a letter listing every medication she was taking for asthma, joint pain and allergies, along with the migraines. "I felt violated because the [company] did all this behind my back," she said. "It made it look like they were insinuating I was a possible drug addict."

The company is part of a relatively new breed known as pharmacy benefit managers, which take a decidedly different view of such situations. They say that maintaining computerized records about what drugs patients take allows them to recommend less expensive medications, prevent people from taking a drug longer than recommended and warn people of the dangerous effects of taking the wrong combination of medicines.

The dispute illustrates the potential benefits and dangers of trying to use medical information in new ways. It also shows why it has been so difficult for the federal government to develop national rules to safeguard the privacy of Americans' medical records.

Congress on Saturday missed its own deadline, set three years ago, for passing a medical privacy law. Now, the Republican-controlled Congress will cede the touchy issue to the Democratic administration. The Department of Health and Human Services has until February to put federal privacy rules into effect. But HHS faces the same quandary that befuddled Congress: how to protect Americans' most intimate medical secrets while harnessing new information technology to make the health care system more effective and economical.

Even though most records are still on paper, a growing volume of computerized medical information is within easy reach of employees at insurance companies, hospitals, pharmacies, drug benefit management companies and medical laboratories.

Ready access to patients' computerized records does make it easier for managed-care plans to control costs by making sure patients get only the care they need. It allows states and the federal government to ferret out waste in the country's public insurance programs, Medicaid and Medicare. And it gives new tools to researchers in private insurance companies and the nation's major medical centers to help deduce what kinds of treatment are most effective.

As a service to its members, Kaiser Permanente, a large HMO, started an experiment three years ago that allows patients to use the Internet to make a doctor's appointment, request a prescription refill or ask a nurse for advice. About 50,000 patients have used the service so far in several states, including the Washington area, and it is scheduled to become available nationwide this fall. By next year, Kaiser expects their online service to be able to relay patients' laboratory test results via special e-mail accounts.

In a different kind of effort to help patients and control medical costs, Aetna U.S. Healthcare, another of the nation's major health plans with 21 million members, sifts through patients' records to find out who might be suitable for one of its "disease management programs." The company gets in touch with such people and their doctors, asking whether patients with diabetes would like a free kit to test their blood-sugar levels at home or whether congestive heart patients would like a home visit from a nurse to help them stick to a salt-free diet and keep tabs on their weight.

"If society were to decide that we could never have access to a patient's records, that would be okay, as long as society doesn't also then hold us responsible for . . . helping people get better care," said Arthur Leibowitz, Aetna U.S. Healthcare's chief medical officer, who said 95 percent of the patients the company contacts want its help in managing their ailments.

On the other side of the debate, civil liberties advocates and specialists in privacy issues warn that the widening access to patients' records holds distinct dangers. For instance, they predict that the burgeoning ability to test people for a genetic predisposition to certain diseases opens them to possible discrimination in getting health insurance or jobs.

Already, employees occasionally run into big problems. Ronnie Tompkins, for example, had a clean record as a long-distance driver for Old Dominion Freight Line when he was suspended without pay in December 1997. Three weeks later, he was fired.

The trouble, it turned out, was that the 52-year-old Atlanta trucker had been feeling depressed and started drinking too much on his days off. So he checked in briefly at a drug treatment clinic, which contacted Old Dominion's insurance company. The company, Benefit Management Services Inc., wouldn't pay for Tompkins's treatment, but told his bosses, who decided it was too risky to have him on the road.

Employers aren't the only ones who want more information. As HMOs have gained control over how much and what kind of treatment patients get, health plan representatives have begun to drop by patients' hospital beds, poring over their medical charts to determine whether they are ready to go home. Psychiatrists complain that they sometimes are told they will not get paid unless they hand over notes they take during therapy sessions.

The use of data by pharmacy benefit managers, such as the company that stopped Mimi from getting her headache medicine, has emerged as another major frontier in the privacy battles. Jim Bigl, the president of that company, York Prescription Benefits, said his company was "ultra-conservative" in protecting patients' confidentiality. He said it intervenes only if a patient appears to be taking an unsafe mixture of drugs or when a health plan believes a patient has so many doctors that they might not know all the medicines the patient was taking.

Other similar companies have a more expansive view of their role. Merck-Medco Managed Care, a large company that dispensed 53 million prescriptions last year, reviews individual patients' drug claims and, without telling them, routinely writes doctors urging them to consider switching the patient to a similar but less expensive medication -- or to stop prescribing a drug that the patient has been taking for longer than standard medical guidelines recommend.

There is no way to assess the overall effects of such new uses of patient records -- good or bad -- but there is evidence that at least some patients are uncomfortable.

One out of six Americans have taken steps to protect the confidentiality of their medical information, according to a national survey last winter by the California HealthCare Foundation, which showed that some patients gave doctors incomplete medical information, while others paid for certain treatments or tests on their own so they would not be reported to an insurance company. Peter Basch, a Capitol Hill internist, said patients routinely ask him to use an alias when sending blood samples to a lab for an AIDS test, or not to submit claims for such tests to their health plans.

But there also is evidence that the public does not want government protections to be too tight. Last January, a new law took effect in Maine that prohibited the release of any information about patients without their written permission. Facing a fine of up to $50,000 per patient if they violated the law, hospitals across Maine clammed up, refusing to give patients' medical condition to anyone -- or even to confirm whether they had been admitted.

Florists complained they could not make deliveries. Newspaper reporters complained they no longer could write about accident victims. Catholic priests motivated parishioners to lobby their state legislators, telling them they would no longer be able to get into hospital rooms to deliver last rites. The state's legislature unanimously repealed the law within two weeks, replacing it with a far looser version that is to take effect in February -- with protests, this time, by civil liberties advocates.

"What we really did . . . [is] protect patients more than they wanted to be protected," said Gordon H. Smith, who helped to write the original law as an official of the Maine Medical Association.

With the issue stirring such commotion in a small state where the political parties often work together, Smith is pessimistic that a partisan Congress could ever find common ground.

This spring and summer, the Senate Health, Education, Labor and Pensions Committee canceled votes four times on a patient privacy bill, because members could not agree how far to go. Matters in the House have been messier. The only privacy provision to reach a vote by the full House this year was grafted onto a banking bill -- and the privacy section was quickly rescinded after civil liberties advocates convinced even its sponsor that it would leave patients more vulnerable than they are today. Lawmakers in both chambers vow to return to the issue this fall, possibly to pass a law before the Clinton administration's February deadline.

HHS Secretary Donna E. Shalala hopes Congress will act so that her department won't have to step in. A 1996 health insurance reform law -- the statute that set Congress's deadline for passing privacy legislation -- gave the department limited powers, allowing it to regulate only the use of electronic records -- not paper ones -- and permitting it little ability to set penalties if information is misused. A senior department official said the department will have a proposal ready this fall and, unless Congress steps in, a final version in place by February.

Regardless of whether Congress or the administration ultimately sets the rules, the competing interests of confidentiality versus new uses of health information mean that some constituencies inevitably will end up dissatisfied. Said Robert Gellman, a former congressional staff member who now is a consultant on confidentiality issues: "This privacy stuff is its own little monster."