University of Pittsburgh

November 22, 2000

Confidentiality of medical records faces growing threat, professor warns

A janitor at a Boston hospital finds a computer terminal unattended. The janitor, a convicted sex offender, calls up medical records for names and addresses of women patients to whom he later sends harassing letters.

A Connecticut druggist tells a woman customer he's sorry, but he isn't allowed to refill her migraine prescription. He explains that the company managing her pharmacy benefits has decided she is taking too many kinds of medications — for allergies, asthma and joint pain, in addition to migraines. The woman later discovers that the company also has written letters to each of her doctors, listing the medications she's taking and, in the woman's opinion, insinuating that she is a drug abuser.

A Florida man is overheard in a bar, urging friends to check with him before launching any new sexual affairs. It turns out that the man works for the Florida Department of Public Health, and carries in his pocket a computer disk with a copy he's downloaded of his department's registry of HIV-positive state residents. He could easily have posted the registry on the World Wide Web, if he'd wanted.

Paul Appelbaum, a University of Massachusetts physician and psychiatrist, cited those incidents — as reported in the Boston Globe and the Washington Post in the last three years — in a Nov. 2 lecture at Pitt's law school, "No Place to Hide: Threats to Confidentiality of Medical Records." It was the inaugural Mark A. Nordenberg Lecture in Law and Psychiatry.

Confidentiality has long been a cornerstone of medical ethics, and is enshrined in the Hippocratic Oath. "Yet, threats to medical confidentiality, particularly of psychiatric records, seem to be coming at us today from every direction," according to Appelbaum, who is the A.F. Zeleznik Professor and psychiatry department chairperson at U-Mass. He also is a former Pitt professor, and the author of several books and numerous articles on law in clinical practice.

Appelbaum warned that patients will be reluctant to disclose vital information about themselves if they suspect that such information may be shared with insurers, employers, police, government agencies — all of which could be on the verge of gaining unprecedented access to medical records thanks to:

* The growing computerization of those records, often with inadequate security.

* Creation of regional and national databases of health care transactions.

* Proposed new privacy standards under the federal government's Health Insurance Portability and Accountability Act (HIPAA).

HIPAA was passed into law in 1996 but has not gone into effect yet, as Congress continues to debate specific regulations. While HIPAA's most controversial component was its call for mandatory medical I.D. numbers for all U.S. citizens (in effect, a birth-to-death national identification system), HIPAA's draft regulations on medical records privacy were equally disturbing, said Appelbaum.

As initially proposed by the U.S. Department of Health and Human Services (HHS) in November 1999, those privacy regulations would have radically altered doctor-patient confidentiality, according to Appelbaum.

And based on his recent discussions with HHS officials, Appelbaum predicted, HHS soon will release revised draft regulations on medical privacy that essentially will be unchanged from last year's.

"When I was a medical student, I was trained that we gave out patient-related medical information when our patients gave us permission to do so. And without that permission, the information didn't go out. Most physicians I know still abide by that practice," Appelbaum said.

"The [proposed] HHS regulations would, in fact, do away with the presumption that no medical record information would be released without patients' consent. Instead, HHS would substitute a system of regulations which would define the circumstances in which information had to be, or at least could be, released. And patient consent would become irrelevant in the vast majority of circumstances."

For example, lawyers would gain access to medical records for use in litigation, Appelbaum said. Police could use medical records in identifying suspects, fugitives, material witnesses and missing persons. Health researchers likewise would gain unprecedented access to medical records, while federal, state and possibly even municipal government agencies could obtain patient records for public policy planning.

All without patients authorizing the release of their medical records.

Also under the original HHS draft regulations, a physician treating a patient for a particular illness could have combed through national and regional databases to view records of other patients with the same illness.

"Now, I can't speak for the medical profession as a whole," said Appelbaum, "but I can tell you that that would be a very unusual way for figuring out what the best treatment is for a patient. My colleagues and I would be much more likely to, say, go to a textbook and find out what the recommended treatment for a condition might be. Or, we might consult with a respected colleague who specializes in that area.

"But I think it's the [HHS] mindset that's critical here," he emphasized. "It suggests that almost any reason at all is a good enough reason for granting access to medical record information. It's probably that mindset that troubles me the most about this proposal."

Congress passed the HIPAA legislation after shooting down President Clinton's proposed health care plan. Appelbaum noted that the Clinton plan would have created a national databank of every doctor-patient transaction within the United States, even those for which a patient paid out-of-pocket.

"I was always amazed, in all of the debate about the Clinton proposal, how little attention this [databank] provision got — essentially, next to none," Appelbaum said. "There are people in Montana who are scanning the skies for 'black helicopters,' worrying about when the U.N. is going to come in and take over the country, when the real threat to individual liberty and privacy was right in front of their eyes.

"This really is Big Brother. We're talking about pulling everyone's medical record information into one databank or linked series of regional databanks…. There will be literally no place to hide."

Although the Clinton plan was defeated, Appelbaum doesn't foresee an end to calls for huge medical databanks. The potential profits and cost savings for hospitals, insurers, managed care organizations, and especially for computer hardware and software producers, are too great for the idea to go away, he said.

Everyone in the information industry remembers how Ross Perot became a billionaire, Appelbaum pointed out: by winning the contract to provide data management services for the fledgling Medicare program. Perot's company profited by a fraction of a penny for each Medicare transaction. These numbered in the hundreds of thousands annually in the early 1960s but later soared into the billions.

For all his misgivings about medical databanks, Appelbaum allowed that computerization of medical records is inevitable and largely beneficial to patients, doctors and health insurers alike.

With a few keystrokes, an emergency room doctor can learn a patient's whole medical history, including allergies and other hidden conditions. A basement-full of paper records can fit on a single computer disk. Computerization also allows the medical community to track epidemics and outbreaks of formerly rare diseases.

But without proper security, Appelbaum said, there's a downside, as evidenced by the anecdotes cited at the beginning of this story. Appelbaum also recalled the public furor that resulted, three years ago, when the Boston Globe revealed that records of patients enrolled in the Harvard Community Health Plan HMO, including psychiatric records, could be accessed by virtually anyone at any of the HMO's sites. In response, the health plan went back to keeping pencil-and-paper records of psychiatric care while maintaining computerized records for all other care. "It's been three years, and they still haven't come up with a better plan," Appelbaum said.

Confidentiality concerns go beyond psychiatric records, he argued. "Potentially embarrassing or compromising information can also be found in many other parts of the patient's chart," Appelbaum said. "For example: histories of substance abuse, HIV status, whether or not a woman has had an abortion, whether you've had an illness such as cancer which, even if successfully treated, might have some impact on your desirability as an employee or your chances of being promoted."

How to protect medical confidentiality?

Patients themselves must always be told if their medical records are being stored on a computer, so they can choose to withhold information or seek care elsewhere, Appelbaum maintained.

It's already technically possible, he said, to better protect sensitive data. He praised the University of Michigan's new medical records system, which stores information about psychiatric care behind a computerized "firewall" that can be breached only by authorized members of the psychiatry department. Other, more general information is available to patients' physicians.

"Audit chains" noting each time a patient's records are accessed, and by whom, enable patients to monitor how their records are being used, Appelbaum said.

"Above all," he concluded, "I think we need to be vigilant about these developments. We as physicians, and all of us as patients."

— Bruce Steele

Filed under: Feature, Volume 33 Issue 7
