Privacy, Health Care Data and Information Technology
25-26 July 1996
University of Virginia (Charlottesville, US)
Date of publication: 30 September 1996
Citation: Van den Hoven, J and Cushman, R. (1996), 'Privacy, Health Care Data and Information Technology', Conference Report, 1996 (3) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/elj/jilt/confs/3privacy/>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1996_3/hoven/>
1. Conference Summary
On 25-26 July 1996, the Virginia Health Policy Center at the University of Virginia organized the conference on Privacy, Information Technology and Health Care. The conference brought together philosophers, ethicists, computer engineers, physicians and public policy specialists to discuss the value issues associated with privacy and health care information. These issues have resisted easy policy solutions in the last few decades, particularly in the US. Expanding technological capabilities thus enter a legal and social arena in the main unable to articulate the parameters of appropriate personal data use.
2. Issue Background
The health care sector arguably represents the US's most pressing data-protection problem area (see, for example, Cushman, 1996). The US's predominantly private system of health care finance provides strong incentives to use health-related data to structure decisions about insurance and employment. (The majority of private health insurance is provided through employer-sponsored plans.) Weak anti-discrimination and privacy protections provide little limit to rapidly expanding commercial traffic in health data. Expanded information technology capabilities provide the potential for low-cost duplication and dissemination of information, which the new health care organizing principle of 'managed care' has been quick to embrace.
The Clinton-Gore administration has cited the positive effect on health care cost containment as one argument for the development of a National Information Infrastructure. Clearly, responsible health care policies must deal with concerns over the fate of citizens' sensitive medical information, as an integral part of the attempt to bring U.S. health care institutions online. Although this seems to be the broad consensus, political action lags behind.
Current health care data protection is unreliable. The Privacy Act of 1974, and the 1988 Computer Matching and Privacy Protection Act amending it, provide only weak protection. These statutes reach only Federal (national) government agencies. Most health institutions in the U.S. are private. Even Federal activities are only weakly circumscribed. Broad data traffic is permitted under the rubric of 'routine use,' 'secondary use,' and disclosures 'consistent' with the purpose for which data were collected. Needless to say, these under-qualified expressions allow for a considerable amount of database sharing, matching and linking of patient information, which many people no doubt would feel uncomfortable with if they only knew about it.
Legislation and regulations on the state (sub-national) level provide an even more unreliable regime of protection. State statutes, like their Federal counterparts, apply predominantly to public agencies; private data traffic is largely beyond their reach. Moreover, state health privacy protections are typically embedded in a broad range of institutional and professional licensure statutes, public health laws, and insurance regulations, rather than in a coherent 'data protection' measure. Dictates commonly conflict even within the same jurisdiction. Moreover, much data exchange takes place electronically across the boundaries of states and even across the boundaries of countries.
As the Office of Technology Assessment (1993) concluded, '[t]he present legal scheme does not provide consistent, comprehensive protection for privacy in health care information.... [T]his patchwork of State and Federal laws addressing the question of privacy in personal data is inadequate to guide the health care industry with respect to the obligations to protect the privacy of medical information in a computerized environment.' (Office of Technology Assessment, 1993, p. 15)
There is little evidence that the situation is improving, as the U.S. health sector embraces networked information applications at an ever faster rate. Yet a 1996 survey revealed '... significant problems that affect both the development of fair and effective public health information systems and the protection of privacy. While most states have nominal safeguards of public health privacy, they are often incomplete or inadequate. Statutes may be silent about the degree of privacy protection afforded, confer weaker privacy protection to certain kinds of information, or grant health officials broad and unreviewable discretion to disseminate personal information.' (Gostin & Lazzarini, 1996)
Despite these manifest deficits, none of the four health privacy bills introduced in the current Congress was able to gain sufficient support.
3. Primary and Secondary Data Uses
Especially worthy of scrutiny are the close links between the health care system and spheres other than the medical sphere in the strict sense. There are a number of 'secondary users' of personal medical data -- i.e., parties who use the information for purposes other than those for which it was created. These secondary users also have different interests and different relations to the data-subject than the health care professionals who created the data in the first place.
The most important group of secondary users are third party payers, comprising private insurance companies and government agencies which run programs such as Medicaid and Medicare. They need information to deal with the administrative logistics of bills, claims for benefits, and reimbursements; they also need it to deal effectively with deception and fraud. The aggressive cost containment policies exemplified in the idea of managed care and health maintenance organizations (MCOs and HMOs) establish direct relations and close ties between health care providers and third party payers. The demand for information on the part of these financially interested parties is driven by the regulative ideal of what economists refer to as 'perfect information.' The Medical Information Bureau (MIB) does not come anywhere near to providing private insurance companies with perfect information, but it is an interesting beginning. Seven hundred private insurance companies have established a data clearinghouse at MIB, which holds records of some 15 million persons and now enters 3 million new records per year.
Other examples of secondary users of medical information for non-medical purposes include life and auto insurers, employers, licensing agencies, public health agencies, the media, educational institutions, rehabilitation and social welfare programs, and disability and probation hearings in the judicial sphere (OTA, 1993).
The Office of Technology Assessment has noted the 'tremendous outward flow of information generated in health care relationship today,' and the 'proliferation of private sector computer databases.' In the three years since that report, information traffic has increased at an ever more rapid pace. This expanded use of medical records for nontreatment purposes exacerbates the shortcomings of existing legal schemes and new proposals 'must address the increase in the flow of data outward from the medical care relationship' (OTA, 1993). As long-time privacy scholar Alan Westin has noted, information technology forces society to make clear value choices about to whom personal medical information is made available. In the current US political environment, it appears we are not ready to make such decisions. In the policy vacuum, private health data exchange is conducted with minimal social oversight.
4. Conference Discussion
Philosophers Jim Childress (University of Virginia), Judith DeCew (Clark University), Joseph Kupfer (Iowa State University of Science and Technology), and Jeffery Johnson (Eastern Oregon State College) agreed on the importance of privacy as a central moral value. They articulated the need, however, to find an equilibrium between salvaging patient autonomy by means of informed consent to data-use, and the benefits to the community of the availability of medical records for the purpose of research in health care. Experiences with medical experimentation and clinical trials still give us good reasons to keep to a system where informed consent is required.
Representatives of the medical profession Don Detmer and Don Lindberg argued that overly strong data-protection regimes would drastically reduce the pace of scientific progress and quality research in health care and would raise the cost of service provision substantially. They criticized the McDermott Bill (104th Congress, H.R.3482) for virtually ruling out that patient records be used, even in cases where there are immediate threats to the health of the data-subject. Both were in favor of what they considered a more realistic privacy protection regime, as exemplified in the Bennett-Leahy Bill (104 S.1360).
Detmer (chairman of the Institute of Medicine study on the Computerized Patient Record) stressed the need for a communitarian perspective on data-protection in order to accommodate public health objectives as a supra-individual concern. He emphasized the interdependencies between individuals, as in preventing infectious diseases, and the impossibility in many cases of thinking of individuals as being separate in the context of research, care and cure.
Lindberg (Director of the National Library of Medicine) thought that in the preparation of the Bennett-Leahy Bill the importance and political charge of the privacy issue were underestimated. He thought that in forthcoming attempts to tackle the issue in the context of health care policy, serious attention should be given to the moral issues, perhaps also more serious attention than the staunchest privacy advocates have given them.
Tom Rindfleisch (Director of the Center for Advanced Medical Informatics at Stanford) gave an overview of the state of the art of implementing data security policies, by means of technical and administrative deterrents and obstacles. He emphasized that in any system design, the human factor was still very important and a constant security consideration. One of the possible developments sketched by Rindfleisch -- imported from the area of intellectual property rights protection -- was the development of so-called 'rights management' software, which is still in a development phase. In this type of software regime, constraints on access and use are integral to the system and are designed in right from the start. Today's health care information systems rarely attend to data security in a satisfactory manner, he noted.
Jean Camp of Carnegie-Mellon presented an overview of security technologies, including encryption and access control technologies. In particular, detailed access matrices for data elements can provide a fine-grained redescription of privacy questions as they play out in practice, allowing for more structure in the inherently moral debate as to who should be allowed to know what. Like Rindfleisch, Camp noted that security technologies have been under-utilized, particularly in health care environments, given the limited legal and other incentives for strong data protection.
Ida Schick (Associate professor in the Graduate Program in Health Services Administration of Xavier University) reported on experiences with privacy protection in Community Health Information Networks (CHINs). Her description of the work on CHINs clearly indicated that a deliberative process for data protection can be institutionalized, and involve all stakeholders, from the beginning of the network design process. In contrast to the usual view of employers as opposed to strict data protection, Schick found corporate participants attuned to the benefits of privacy for employee recruiting and retention.
M.J. van den Hoven (Philosophy and Informatics, Erasmus University Rotterdam, Netherlands) emphasized the importance of articulating different forms of wronging persons in an information society. He argued that privacy violations should be distinguished from information-based harm and informational injustices. The latter occur when information associated with one sphere or sector such as the clinical-medical sphere is transferred to another sphere, such as the commercial.
Reid Cushman analyzed the political context of the most recent legal initiatives to regulate privacy in health care on a federal level and stressed the importance of incorporating moral value concerns in the medical technology assessment of health care information systems.
5. General Conclusions
The general conclusions of the meeting can be summed up as follows: the philosophers argued that privacy protection was essential, appropriately balanced against other social values; the computer scientists thought it was feasible, within limits, given appropriate incentives for system purchasers to include it in design requirements; and the medical specialists thought there should be no further delays in regulating this at the Federal level (which would provide such incentives). All agreed that in the current political environment, it would be difficult to generate legislation which articulated a well-thought-out balance between privacy and socially-valuable data traffic.
(It appears, as of late August, that the 104th Congress will adjourn without a single piece of privacy legislation having been put to a vote by either chamber. A mandate for an executive branch "health data standards" study committee did pass, however, buried in the Kennedy-Kassebaum health insurance 'portability' bill. The committee's mandate includes consideration of privacy issues.)
Bibliography
Cushman, R (1996) 'Privacy, Confidentiality, and Security issues for electronic Health Care Information', BioLaw, vol. II, nos. 2 and 3, Feb/March 1996.
Gostin, Lawrence O., Lazzarini, Zita, et al. (1996) 'The Public Health Information Infrastructure. A National review of the Law on Health Information Privacy', Journal of the American Medical Association, vol. 275, no. 24, pp. 1921-27.