Tracking Entitlements to Medical Records: A Trusted System
Rebecca Del Carmen
I. Introduction
The notion of privacy in the healthcare profession is beginning to mutate, as are the physical forms in which medical information is stored and distributed. Industry emphasis on managerial concepts such as shared-information and digitization 1 , and on methods such as telemedicine and preventative medicine, has forced the medical profession to reevaluate the benefits of privacy in light of its costs. 2 As Samuel W. Warburton, chief medical officer of NYLCare Health Plans Inc., a large New York managed-care company, says: "Hippocrates is 2,000 years old. Medicine isn’t one-on-one anymore. It’s a team effort." If the protection of medical information is no longer governed by a pared down one-to-one rule between doctor and patient, the question then remains: who has what entitlements to medical records, and how should we monitor their enforcement?
The supposed privacy of medical records and its recent downfall has received a great deal of attention in both legal and medical literature. Many commentators concede that the traditional one-to-one privacy of an individual’s medical information is beyond our reach – and, in some cases, detrimental to the public’s health and welfare. 3 Not surprisingly, the movement to "go online" has generated much of this recent concern. 4 Digitizing information is a presumed threat to its own security, and medical information is no exception. For that reason, the software company Healtheon (the touted gatekeepers to the paperless revolution in healthcare) faced numerous setbacks in trying to make their product both guarantee the level of security expected of medical records and still be user-friendly. 5 In fact, the digitization of the healthcare industry has been relatively slow because of security and privacy concerns. 6
Ultimately, however, the debate surrounding a paperless revolution extended beyond the threat of unauthorized hacking and into the staggering numbers of authorized users that digitization helps to facilitate. 7 Starting with the traditional notion that a patient shares her medical information with her doctor and none other, how did the current system develop whereby "[t]here are thousands of people who consider patient data their business."? 8
The arguments in support of a modified level of privacy protection for medical records generally justify two categories of authorized use. The first is authorized use of medical information within a managed-care organization. Large healthcare institutions like Health-Maintenance Organizations (HMOs) now share a patient’s medical information with a large "inner circle" of providers. Putting aside the mining of data to protect an organization’s bottom line, an HMO’s primary purpose is still to provide quality healthcare to its consumers; toward this goal, the sharing of information has become a valuable tool for preventative and disease management. 9 Health-care providers now spend around $ 2 billion a year on information networks that support approaches like disease management. These networks consist of computerized programs that, inter alia, help prod sick people into getting particular kinds of treatment. 10 For example:
At Harvard Pilgrim Health Care in Boston . . . information specialists scanned the company database and located all patients who had had expensive emergency room visits more than three times. Many of them, it turned out, were alcoholics. Thereafter, when one of the patients entered an emergency room, his or her primary physician was notified and instructed to talk to the patient. Was this a valuable public health measure or a violation of confidentiality? It's a judgment call. 11
Pharmaceutical companies data mine as well --- to protect their bottom-line, to target new customers and to develop new products. 12 However offensive one may find these uses of personal data, many argue that they are, for the most part, here to stay. "[I]nformation is the life's blood of the modern healthcare system . . . . The public should get reasonable assurances that when their personal information is collected, the health-care system will treat it with respect, store it securely, and disclose it only for important health purposes." 13
Second, the need to police fraud and to manage costs has justified the use of medical records between entities, such as between an employer and a pharmaceutical company. A recent Third Circuit decision 14 supported this expansion of the "inner circle." SEPTA, a stateagency, decided to offer drug benefits to its employees, and chose to self-insure. Because of this choice, SEPTA had a hefty incentive to limit its employees’ use of medications. Therefore, SEPTA’s Chief Administrative Officer (CAO) requested and received reports from Rite-Aid (their sole provider) with the names of individuals filing prescriptions for more than one hundred dollars a month and the specific drugs that these employees received. Somewhere down the line, the CAO learned that one of his employees, John Doe, was receiving AIDS medication. John Doe subsequently learned of the leak, and felt that his CO-workers were treating him differently because of this information. A jury agreed with Doe and awarded him $125,000 for invasion of privacy and emotional distress. 15
The Third Circuit reversed the ruling. The court noted that SEPTA had a strong interest "in containing its costs and expenses by permitting this sort of research by authorized personnel." In addition, the court concluded that SEPTA’s financial interest outweighed "the minimal intrusion" upon Doe’s privacy. 16 Two points are significant here. First, an employer seems to have a valid interest in an employee’s medical information if the employer’s financial interest is at stake. Second, the Court instructs us that disclosure of Doe’s status as an AIDS patient is minimally intrusive. Absent Congressional action to change the fact that video rental records are currently afforded more federal protection than are medical ones 17 , patients such as Doe seem to have lost the battle.
To restate, the court asserted that SEPTA had a strong interest "in containing its costs and expenses by permitting this sort of research by authorized personnel." 18 John Doe did not authorize these personnel to examine his prescription records. SEPTA did. This line of reasoning suggests that John Doe’s interests are immaterial to authorization; SEPTA’s authorization is sufficient. Medical records, therefore, are no longer the patient’s property once in the hands of a Rite-Aid, or by extension, an HMO? Or were the records ever the property of the patient in the first place?
This Article attempts to disentangle the current system of data-use in the healthcare industry and to provide a more predictable and workable framework for tracking property entitlements to medical records. First, I will argue that the patient has the strongest proprietary interest in, and indeed, ownership claim to, her medical records; therefore, an entitlement to medical records should be given to the patient, protected by a property rule. Second, I will argue for carved-out exceptions to the property rule in situations where the public interest is significant enough that the patient should (and has had) no single entitlement to the information. Third, putting this construct into practice, I will explore how the application of a "trusted system" to data management in healthcare could both enforce property protection of a patient’s data and "fair use" of the data by authorized users in the industry.
II. Protecting a patient’s entitlement to medical records by a property rule
The first choice that society must make when it faces conflicting interests --- an HMO’s desire to scan medical information versus a patient’s to protect her records from strangers’ eyes --- is who should receive the entitlement. 19 It is clear that society, and particularly state legislators, have chosen to afford the entitlement to the patient. 20 Beyond that initial entitlement, however, the rules governing protection become somewhat murky. Guido Calabresi and A. Douglas Melamed define such second order decisions as "the manner in which entitlements are protected and . . . whether an individual is allowed to sell or trade the entitlement." 21 They go on to consider three types of protection: a property rule, a liability rule, and an inalienable entitlement. Before considering why a property rule is best suited to the protection of medical records, I will first discuss why a liability rule or inalienability are improper.
Liability rules permit non-voluntary transactions between the entitlement holder and the party seeking to infringe upon the entitlement. "Whenever someone may destroy the initial entitlement if he is willing to pay an objectively determined value for it, an entitlement is protected by a liability rule." 22 Therefore, whenever an insurance company or an employer is willing to pay a collectively-determined reasonable price for transcripts of an individual’s psychiatric sessions, or proof of his HIV status, a liability rule would enforce the transaction. This window of opportunity for non-voluntary transactions would seriously undermine popular expectations of privacy relating to medical information, as well as the Supreme Court’s notion of the right to privacy as the right to "control of information concerning an individual’s person." 23
Another option to protect medical records would be to make the individual’s entitlement inalienable, so that "its transfer is not permitted between a willing buyer and a willing seller." 24 Calabresi and Melamed identify two situations which lend themselves to inalienability: when a transaction would create significant externalities, and when "external costs do not lend themselves to collective measurement which is acceptably objective and nonarbitrary .", i.e. moralisms. 25 One could argue that the commodification of medical records could lead to moralisms, for a society which creates a monetary incentive to sell off one’s medical information is a step away from a society which permits the sale of organs. With medical information, however, the inability to transact would create significant externalities. Obviously, a sick individual cannot receive due care if he cannot transact with his doctor to receive such care in exchange for money and access to his medical information. Another example would be a pharmaceutical company that depends on data from heart patients ages fifty-five to seventy to help develop a new anti-clotting medication. Inalienability of such data would inflict severe externality costs on society.
The only option left in Calabresi and Melamed’s framework is the protection of the individual’s entitlement by a property rule. "Much of what is generally called private property . . . is protected by a property rule. No one can take the entitlement to private property from the holder unless the holder sells it willingly and at the price at which he subjectively values the property." 26 Therefore, protection by a property rule would allow the patient to control any dissemination of his personal medical information. 27 Though I will assert that there are limited situations where a patient should not have such control, a patient’s entitlement is generally best protected by a property rule.
One rejoinder to property protection of medical records is that such privacy allows individuals to manipulate access to personal information and therefore the world around them, thereby increasing transaction costs between bargaining parties and creating harmful information asymmetries. 28 First, this Posnerian argument relies on a notion of privacy as motivated solely by reputational interests. "To the extent that the privacy preference is in fact derivative of a reputational interest, it often can be characterized as the utility derived from deception. In such a case, the cost of restricting disclosure will likely outweigh the gain." 29 However, critics of Posner such as Richard S. Murphy argue that the motivation to keep one’s personal information private may extend well beyond reputational interest:
Avoidance of embarrassment, a seemingly central role of "shame" in our psychology, and a desire to avoid future disturbance all can be reasons for a privacy preference . . . . A rich woman may want her banker not to disclose her income because she wants to deceive the IRS, but it is just as likely she wants to avoid solicitations from charities . . . . she may simply derive utility from modesty or reticence, and dislike exhibiting to others what she deems private conduct. The point is, in the utility calculus, these psychic values count. 30
Murphy calls these psychic values "pure privacy" preferences. 31 He proposes an informational privacy model that would permit disclosure if and only if "the value of the information when disclosed exceeds the value of the pure privacy preference of the individual; and permitting disclosure will not distort or eliminate the information in future transactions." 32
As for the first prong of the test, the psychic motivations that justify protection of one’s medical information by a property rule could certainly classify as "pure privacy preferences." Most simply, the right to "control of information concerning an individual’s person" could stem from a belief that information concerning your person is yours --- not from a desire to deceive society into believing that you are someone other than who you are. Likewise, John Doe’s desire to keep his HIV status private while working at SEPTA may have stemmed from a desire to avoid future disturbances, such as the disturbance which ultimately forced him to go to court.
Another justification for protecting medical records with a property rule whereby the patient controls dissemination is the second prong of Murphy’s test: whether permitting disclosure will or will not distort or eliminate the information in future transactions. Transactions between patient and doctor/HMO work best if a patient has confidence in the confidentiality of her visit. Wide disclosure rules for medical records could distort patient behavior in an extremely inefficient manner. "Fearing loss of employment and social discrimination, people will either lie to their physicians or avoid seeking care . . . . These same fears will also harm job market efficiency by causing individuals to remain in current positions rather than risk unemployment or a lack of medical coverage in a new job." 34 Most of us do not have a clear sense of where our medical data is going and who is mining it. 35 I imagine that if more Americans knew that their medical information was zipping through research, pharmaceutical and managed-care networks, then patient behavior in confidential settings would change --- just as John Doe’s behavior toward pharmaceutical treatment of his HIV may have changed if he had known that SETPA was monitoring his purchases.
A property rule would thus best protect a patient’s strong proprietary interest in her medical records, as well as protect her pure privacy preferences. There are obstacles, however, to implementing a strict property rule for this entitlement. First, as stated before, many commentators argue convincingly that such strict protection in today’s wired industry is no longer possible or preferable. 36 If all individuals or certain classes of individuals are unwilling to sell medical data to industry researchers, then pharmaceutical firms, for example, which use huge amounts of patient data in research, will face the possibility of skewed study results. There may be then certain circumstances where society will not benefit from a property rule that restricts transactions to instances where the entitlement holder is willing to sell and the interested party is willing to buy at the holder’s price. The next section will explore the arguments for fair use of medical data by certain players in the industry, and how to reconcile a property rule with such exceptions.
FOOTNOTES
1. See Paul M. Schwartz, Privacy and the Economics of Personal Health Care Information, Texas Law Review, 76 Tex. L. Rev. 1, 14 (1997) (noting that “the sharing of personal medical data plays a fundamental role in the shift to large, integrated systems for providing health care in the United States….The computer is essential to this transformation because it permits both the collection of extensive personal health data and the rapid sharing of such information.”).
2. I use the word costs to refer not only to transactional costs, but to the detrimental effects of privacy on the medical-research industry, and to preventative treatment of patients.
3. See generally Wendy Parmet, Public Health Protection and the Privacy of Medical Records, Harvard Civil Rights-Civil Liberties Law Review, 16 Harv. C.R.-C.L. L. Rev 265 (1981); Arthur Allen, Medical Privacy? Forget It!, Medical Economics May 11, 1998 (pg. Unavailable online); Paul M. Schwartz, “Privacy and the Economics of Personal Health Care Information.” 76 Tex. L. Rev. 1, 23 (1997).
4. See Medical Privacy in the Age of New Technologies Act of 1997, H.R. 1815. “New technologies increase the importance of addressing new threats to the confidentiality of health information. For example, technologies that permit an individual’s health information to be computerized increase the possibility of unauthorized electronic access to the information.”
5. Resistant Strain: Healtheon Struggles In Efforts to Remedy Doctors' Paper Plague, Wall Street Journal, Oct. 2, 1998 (pg. Unavailable online) (noting that among Healtheon’s problems was a program that was awkward for first time users because of the necessary levels of security protection).
6. Techtravails…
7. See Allen, supra note 2 (“Along the way, thousands of eyes scan the data. Those eyes may belong to health researchers seeking improved treatments, or to corporate managers bent on slashing costs, or to drug-company marketers looking for new customers.”).
8. Allen, supra note 2. See Randolph C. Barrows, Jr. and Paul D. Clayton, Privacy, Confidentiality, and Electronic Medical Records, 3 J. Am. Med. Informatics Ass’n 139, 141 (“The notion of confidentiality in ehalth care has a strong professional tradition that has suffered progressive erosion due to third-party reimbursement schemes, managed care and other health care organization structures, and the perceptions and culture of professionals within modern health care systems.” (citation omitted).
9. See Wendy E. Parmet, supra note 2 at 265; Arthur Allen, supra note 2.
10. Arthur Allen, supra note 2.
11. Id.
12. Id.
13. Id., quoting Georgetown University law professor Lawrence Gostin.
14. 72 F.3d. 1133 (3 Cir. 1995), cert. Denied, 117 S. Ct. 51 (1996).
15. Id.
16. Id. at 1140.
17. Sheri Alpert, Smart Cards, Smarter Policy: Medical Records, Privacy, and Health Care Reform, Hasting Center Rep., Nov. - Dec. 1993, at 13, 13-23.
18. Footnote, emphasis mine
19. Guido Calabresi and A. Douglas Melamed, Property Rules, Liability Rules and Inalienability: One View of the Cathedral, 1090 Harvard Law Review, April 1972.
20. See Robert E. Smith, A Compilation of State and Federal Privacy Laws 21-24 (1988) (collecting statutes prohibiting disclosure of health information without consent). There are, however, critics of the privacy system who maintain that full and unfettered disclosure of personal information would better enhance social welfare. See generally See Richard A. Posner, The Right of Privacy, 12 Ga. L. Rev. 393; Richard A. Epstein, The Legal Regulation of Genetic Discrimination: Old Responses to New Technology, 74 B.U. L.Rev. 1, 21-22 (1994). Because both traditional doctrine and popular expectations have stood the test of time in upholding some level of privacy protection for medical records, I will limit my analysis by assuming a general right to privacy in this sphere.
21. Calabresi and Melamed, One View of the Cathedral at 1092.
22. Id. at 1092.
23. United States Dep’t of Justice v. Reporters’ Comm., 489 U.S. 749, 763 (1989).
24. Calabresi and Melamed, supra note 18 at 1092.
25. Id., at 1111-1112.
26. Id. at 1105.
27. See Richard S. Murphy, Property Rights in Personal Information: An Economic Defense of Privacy, Georgetown Law Journal, 84 Geo. L.J. 2381, 2384 (1996) (discussing that an individual can control dissemination of certain information deemed objectively “private.”).
28. See Richard A. Posner, The Right of Privacy, 12 Ga. L. Rev. 393.
29. Murphy, supra note 26 at 2386.
30. Id.
31. Id.
32. Id. at 2387.
33. United States Dep’t of Justice v. Reporters’ Comm., 489 U.S. 749, 763 (1989).
34. Paul M. Schwartz, Privacy and the Economics of Personal Health Care Information, Texas Law Review, 76 Tex. L. Rev. 1, 22-23 (1997).
35. See Allen, supra note 2 (“Many people would be surprised at just how exposed they are. Millions of individual medical records float around these days in a vast electronic network that serves both commerce and scientific research. The information zips around the country, speeded by computers at every stage. Computers help diagnose disease, monitor patients, organize the data about their conditions, and transmit the information to managed-care networks, medical research networks, pharmaceutical benefits managers, and other outposts of America's increasingly wired health-care system.”)
36. See Allen, supra note 2 (“Perhaps the best that privacy advocates can hope for is a set of laws to punish those who abuse data egregiously. Bill Hogan, a privacy advocate at the Center for Public Integrity, puts it bluntly: "There is no real money constituency in favor of privacy, and there is a lot of money in favor of invading it."); Schwartz, supra note 1 at 17 (“Society will not be served well if the law maximizes the boundaries of an individual right of control over personal data. Indeed, enormous and shared benefits result from some level of public and private sector scrutiny of personal information….”).