Benefits of Increased Data Collection
Borzo, "Automation trends in medicine," AMNews staff. American Medical
News, October 13, 1997
This article discusses a new project at the University of California
San Diego School of Medicine called the Patient Centered Access to Secure
Systems Online (PCASSO). PCASSO will put patients' full medical records
on the Internet, permitting physicians and health-care providers to view
them from anywhere with Internet access. Borzo reports that such a system
will help patients become "providers" of their own care, since they can
ask doctors to define and clarify things in their records. Borzo talks
briefly about the security measures the system will employ to prevent unauthorized
users from gaining the patients' medical information.
Industry Report: Document Imaging, Workflow, and Electronic Patient Records
This site provides three insightful articles relating to managing computerized
patient records. In his article, "What Healthcare REALLY Needs to Know
About Managing Electronic Documents," Bob Smallwood details the benefits
health care providers derive from using Electronic Paper Records (EPR).
He argues that they "...reduce labor, eliminate lost files and loose sheets,
improve access to authorized users, increase security (with a 100% audit
trail), and provide quicker documentation for claims." Debbie Madison argues
in her article, "Breaking Away from Paper," that "With the click of a button,
the physician can access each chart to be reviewed and completed. Physicians
can also edit transcribed documents online in real time rather than sending
them back to the transcriptionists...The hospital estimates that emergency
department physicians are completing charts in 1/15 of the time it previously
took with paper..." And, finally, in their article, "The Journey to the
Electronic Health Record," Mary Lu Lander and Angela Daniel give further
explanation of the way electronic health records work and their benefits.
This is the site for a health care environment called TeleMed, created
by the Los Alamos National Laboratory in collaboration with the National
Jewish Center for Immunology and Respiratory Medicine. TeleMed "is an intuitive
patient-record system that supports image, audio, and graphical data, ...
integrates complete patient records with detailed radiographic data, and
allows the remote sharing of patient and radiological data over networks...TeleMed
improves clinical diagnosis and reduces the cost of health care by eliminating
the time-consuming and costly activity of data gathering and by enabling
easy use of powerful analysis tools."
This site advertises a LaserCard System, which stores a patient's medical
information electronically on a card that the patient carries with him
or her. The site claims that the optical memory card can "transport secure,
partial or complete electronic patient records, helping to expedite care,
reduce costs, and perhaps save lives."
The Dystopic Alternative
The 1997 movie "Gattaca," written and directed by Andrew Niccol, was a flashy flop that nevertheless prompted viewers to consider the society we might end up with if medical databases were combined with a little biological determinism. Andrew Niccol spoke at the Computers, Freedom, and Privacy conference in Washington, D.C. this year.
Current Federal Legislation
The following two acts provide some limited protection for medical information:
Privacy Act of 1974. This act generally provides that no federal
agency may disclose information without the consent of the individual.
In 1996, the Kennedy-Kassebaum Health
Insurance Portability and Accountability Act of 1996 was enacted. Under
one of its provisions to simplify the administration of health insurance,
the Act calls for the Secretary of Health and Human Services (HHS) to develop
standards for the exchange of electronic health information and for the
creation of unique health identifiers for individuals, employers, and health
with Disabilities Act. This act provides that: employers may
not ask for medical information prior to offering employment; once hired,
the employer may not require any medical examination that is not required
of all employees holding similar positions; if a potential employee is
not hired, the employer must prove that it is physically impossible for
the individual to do the work required. This act applies to businesses
with more than 25 employees.
Within this same bill, Congress called for the development of recommendations
to protect the privacy and confidentiality of Americans' health records.
The recommendations, presented to Congress by HHS Secretary Donna Shalala,
propose to "provide important new rights for patients and define responsibilities
and limitations for those who need to have access to these medical records."
Shalala's recommendations include: a nationwide standard; leave for the
states to enact stronger standards if they wish; granting patients access
to their own medical records and the ability to make corrections; ensuring
that those who provide and pay for health care give patients clear written
explanations of how they intend to use, keep and disclose the information;
and providing punishment for those who misuse personal health information.
The recommendations provide for an exception to privacy requirements
for law enforcement officials acting in their official capacities. If Congress
does not pass legislation with regard to privacy, the Health Insurance
Portability and Accountability Act of 1996 calls for the Secretary of
Health and Human Services to impose confidentiality controls on electronic
The ACLU has voiced concerns with the HHS recommendations. The organization
claims the proposal: fails to allow individuals to insist on paper records;
fails to protect records from being up-linked to national databases; and
fails to prohibit the creation of a system of "unique health identifiers"
(a de facto national health I.D., much like one's Social Security Number)
that would be attached to every piece of medical information. The organization
also claims the law enforcement exception is too wide and could lead to
Proposed Federal Legislation
The following bills, introduced during the current session of Congress,
are attempts to provide federal protection to health and medical information
in an age of computerization.
Currently there are several proposed laws designed specifically to protect
genetic information from misuse. For the purposes of this course, we will
highlight proposed laws that seek to protect health and medical information
1921 Health Care PIN Act
Introduced by Senator Jeffords (R-VT), this bill seeks to protect against
the unauthorized and inappropriate use of health information that is created
or maintained as part of medical treatment, health care plan administration,
or medical research. If enacted, this bill would allow individuals
to inspect and copy their individual medical information upon written request.
Additionally, this bill would require health care providers, employers,
health or life insurers, and health researchers to provide notice of their
Medical Information Privacy and Security Act (MIPSA)
Introduced by Senators Leahy (D-VT) and Kennedy (D-MA), this bill would
prohibit discrimination on the basis of all protected health information
in employment and insurance. Protected health information is defined to
include any individually identifiable information that is created during,
or becomes part of the health care treatment, diagnosis, enrollment, payment,
plan administration, testing, or research processes. In addition, every
patient would have the right to challenge the accuracy and completeness
of his or her protected health information. The bill would also establish
an Office of Health Information Privacy within the Department of Health
and Human Services.
52: Fair Health Information Practices Act of 1997
This bill is an amendment to section 552a of title 5, United States
Code to protect personally identifiable health information, as improper
use "may unfairly affect the ability of the individual to obtain employment,
education, insurance, credit, and other necessities." Representative Condit
(D-CA) offers the movement of individuals and health information across
state lines, the computerization of health information, and the emergence
of multi-state health care providers as justifications for the need for
uniform Federal law.
1367. Federal Internet Privacy Protection Act of 1997
Introduced by Representative Barrett (D-WI), this bill is designed to
prohibit Federal agencies from making available through the Internet certain
confidential records with respect to individuals, including medical history
records. It also provides for remedies in cases in which such records are
made available through the Internet.
1815. Medical Privacy in the Age of New Technologies Act of 1997
This bill, introduced by Representative McDermott (D-WA), notes the
lack of protection of health information in some states and the threats
to confidentiality posed by computerization and the possibility of unauthorized
electronic access and suggests the need for minimum Federal standards of
protection. One of the stated purposes of H.R. 1815 is to restrict the
gathering of aggregate health information for financial gain or other purposes
without obtaining the consent of each subject.
2368: Data Privacy Act of 1997
Introduced by Representative Tauzin (R-LA), this proposed act includes
a provision that restricts the use, for commercial marketing purposes,
of any personal health or medical information obtained through an interactive
computer service without the consent of the individual.
Laws by State, Electronic Privacy Information Center, Current as of
This extensive database allows users to click on any state and provides
a chart for each state's privacy legislation. If a state legislates privacy
for a certain topic (medical records is an included area), an X appears
next to the topic.
Survey of State Confidentiality Laws, with Specific Emphasis on HIV and
Immunization," Final Report Presented to the U.S. Centers for Disease
Control and Prevention, Professor Lawrence O. Gostin, J.D., LL.D. (Hon.),
Georgetown University Law Center and The Johns Hopkins School of Hygiene
and Public Health; Zita Lazzarini, J.D., M.P.H., Harvard School of Public
Health; and Kathleen M. Flaherty, J.D., Georgetown/Johns Hopkins Program
on Law and Public Health, Feb. 1997.
This report provides a thorough overview of state laws for each area
of medical privacy concern. For each sub-topic, the researchers have analyzed
how states handle privacy concerns and how many states legislate privacy
in medical records. For example, the report analyzes state laws regarding
health care information, public health data, redress of medical privacy
violations, and protection for HIV and immunization information. Below,
we provide only a small sample of the information that is available in
this report regarding medical privacy and electronic media. The report
also provides an overview of gaps in federal and state laws and provides
recommendations for new legislation.
"Computers and other electronic media are fast becoming the storage
method of choice for medical and other personal information. Despite this
fact, only twenty-two states have specific provisions regarding the protection
of confidentiality of records maintained on electronic or computerized
media. These provisions offer varying degrees of protection. Several states,
such as Tennessee, use the same standards for confidentiality of computerized
or electronic records as those applied to paper records. In other states,
including Arkansas, statutes governing confidentiality of computerized
health care information apply only to public health data; private physicians,
hospitals and other health care facilities may or may not be held to the
same definition. Oklahoma's Health Care Information System Act provides
that individual forms, computer tapes or other forms of data collected
by and furnished to the Division of Health Care Information or to a data
processor shall be confidential. Statutory protection of computerized data
may also lack specificity. Florida requires only that computerized records
be kept in accordance with "sound" record-keeping practices."
Cases involving medical records privacy generally implement a balancing
test, weighing an individual's right or expectation of privacy against
the employer's or government's need to access medical records. As you read
these cases, apply your own balancing test: do you feel that individual
privacy is being sufficiently protected?
Also, bear in mind that computer networks can collect, aggregate, and
disseminate personal medical information on a vastly increased scale. What
effect, if any, will cyberspace have on future judicial determinations
similar to these cases?
v. Roe, 429 U.S. 589 (1977)
(When you reach the Supreme Court search screen, enter 429 U.S. 589
in the citation search.)
Patients and physicians brought an action challenging the constitutionality
of New York statutes that mandated that the state be provided with a copy
of every prescription for certain drugs and that also provided security
measures to protect that information. The Supreme Court reversed a lower
court decision and held that the statutes were a reasonable exercise of
the state's broad police power. Other courts interpret this decision as
recognizing that individuals do have a limited right to privacy in their
medical records. What do you think?
United States v. Westinghouse Elec. Corp., 638 F.2d 570 (3d Cir.
1980) [full text available on Lexis/Nexis or Westlaw]
The United States sought to compel an employer--by authority of the
Occupational Safety and Health Act--to produce employee medical records.
The employer objected, raising the privacy interests of its employees and
their medical records. The Court of Appeals held that strong public interest
in facilitating research and investigations of the National Institute for
Occupational Safety and Health justified minimal intrusion into privacy
surrounding employees' medical records, and that the employer was not justified
in its blanket refusal to give the Institute access to records or in seeking
to condition their disclosure on compliance with the employer's strict
v. SEPTA 72 F.3d 1133 (3d Cir. 1995)
(When you reach the 3d Circuit search screen, enter "SEPTA" in the
party name search.)
A public employee filed suit against his employer and supervisor for
violating his right to privacy after the employer discovered that the employee
had AIDS. This discovery was made by examining records of drug purchases
made through its employee health program. The Court of Appeals recognized
a limited constitutional right to privacy in one's prescription records;
however, the Court held that the employer's need for access to employee
prescription records outweighed the employee's interest in confidentiality.
v. Lawrence 1998 WL 39209 (9th Cir.(Cal.))
(When you reach the 9th Circuit search screen, enter "Bloodsaw" in
the party name search.)
The Court of Appeals held, inter alia, that the constitutionally
protected privacy interest in avoiding disclosure of personal matters clearly
encompasses medical information and its confidentiality.
Privacy Information Center, "Minnesota Takes the Lead on Agreement to Protect
41 Million Americans," Oct. 25, 1995.
This article describes a settlement with two of the largest health care
companies in the U.S. The settlement requires the companies to substantially
reform their methods of marketing prescription drugs. Under the terms of
the settlement, consumers must be advised about the extent to which confidential
information in their files will remain confidential, including the fact
that medical histories and prescription drug usage could be made available
to consumers' employers.
International Views Regarding Medical Privacy
Privacy Legislation in Australia. This site provides a list of
links and summaries for public and private sector privacy laws in Australia.
While these do not specifically address medical records, the laws give
some insight into the direction of Australian views with regard to privacy
European Commission, Press Release: Council
Definitively Adopts Directive on Protection of Personal Data, July
25, 1995. This press release summarizes the European Union's 1995
Gesundheit is German for health, daten is data, and schutz is protection.
Generally, the site notes that German-speaking countries (Austria, Germany,
Switzerland) have not yet addressed such issues in any systematic way,
but have begun to show concern for the protection of medical privacy. The
German and Swiss Data Protection Registrars (one each for the federal states
and one for Germany as a whole) have "issued several cautionary statements
about smart cards in the health care field which are being tested in Germany
with approval of the physicians' chamber."
Doctrine of Confidentiality, Irish Medical Journal, June/July 1997.
This article discusses current Irish judicial opinions with respect to
medical records confidentiality. Generally, it explains, "[t]he doctor's
duty of confidentiality as regards the patient's medical records, is also
governed, ethically by the Irish Medical Council's Guide to Ethical Conduct
and Behavior and Fitness to Practice, and legally by the Common Law Doctrine
of Confidentiality." It also explores the impact of electronic data on
individuals' privacy and the security of medical records.