Contrary to the assertions of some advocates of the right to privacy, powerful reasons exist for the broad collection and use of health care data. High-quality data are needed so that consumers can make informed choices about health care plans and providers; more effective clinical care can be provided; the quality and cost-effectiveness of health care services can be assessed; fraud and abuse of the health care system can be monitored; the health care services provided to underserved populations and the patterns of morbidity and mortality among those populations can be tracked and evaluated; and the causes, prevention, and treatment of injury and disease can be effectively researched. Systematic collection of a broad range of personal data can, however, present a substantial tradeoff in loss of personal privacy [4]. In the United States, society places great value on individual rights, autonomous decision making, and protection of the private sphere from governmental or other intrusion. Perhaps the most intimate and sensitive form of personal information is an individual's health care records.

Practitioners and scholars sometimes suggest that adequate legal protection of private information on health care will eliminate the need to limit the collection of health care data. However, resolution of the conflict between the need for information and the need for personal privacy is not as easy. Because adequate privacy cannot realistically be achieved in the infrastructure of health care information, we are faced with a dilemma: Should we sharply limit the systematic collection of identifiable health care data to maintain reasonable levels of personal privacy? This article examines the conflicts between establishing health care databases and protecting a person's right to privacy, explores ethical values that may help to resolve those conflict, reviews applicable federal and state laws to determine whether they facilitate efficient collection of health care data while adequately protecting personal privacy, and proposes national legislation to safeguard the privacy of personal information on health care.

Conflicts between Collecting Health Care Information and Protecting Personal Privacy

The Institute of Medicine observed that "no one engaged in any part of health care delivery or planning today can fail to sense the immense changes on the horizon, even if the silhouettes of those changes, let alone the details, are in dispute" [5]. The Institute was referring to the development of a national infrastructure of health care information. I define this infrastructure as a basic, underlying framework that consists of the collection, storage, use, and transmission of electronic data and that supports all essential functions of the health care system.

The rapidly emerging infrastructure of health care information and its relation to patient privacy have been described in the literature [1, 6, 7]. Many articles in this supplement address the purposes, forms, and uses of electronic databases on health care. The health care industry spends approximately $10 billion to $15 billion each year on information technology, and expenditures are expected to grow by 15% to 20% a year [8].

The future infrastructure of health care information will probably have several features that facilitate efficient collection and use of data. Features may include 1) electronic patient records that contain longitudinal birth-to-death accounts of a person's health care status, financing costs of medical care, diagnoses, and treatments; 2) databases that enable more comprehensive and systematic collection, use, and reconfiguration of health care information; 3) electronic card technology that enables patient data to be recorded on and accessed from a card issued to the patient; 4) unique personal identifiers that establish eligibility for health care benefits from private and government providers and cross-match patient records in various health care databases (for example, databases for health maintenance organizations, Medicaid, and Medicare) with records in databases unrelated to health care [for example, databases on taxes, credit, banking, and military records]; 5) internal networks designed to share information among affiliated organizations that provide medical services, reimbursement services, pharmaceutical agents, and quality review; and 6) public on-line networks, such as the Internet, that access health care and financial information (both text and image) from off-site locations and allow clinicians, researcher agents, and health care managers to share the information.

The emerging infrastructure will provide data needed for quality assurance, analysis of practice patterns and patient outcomes, and scientific research, all of which contribute to higher-quality care [9]. Electronic databases can reduce health care costs (for example, by eliminating the need for duplicate tests); facilitate the detection of fraud by examining practice patterns in greater detail; and eliminate the burdens imposed on patients, health care professionals, and health care plans by the enormous amount of required paperwork. The establishment of electronic databases also supports the goal for portable health care coverage as consumers move from provider to provider or from plan to plan. Finally, an infrastructure of health care information can improve public health surveillance and facilitate scientific research.

The vision of a comprehensive system of health care information is technologically feasible. A well-functioning system might also achieve substantial health care benefits for society. The effects of that system on personal and group rights to privacy would, however, need to be measured.

The Proliferation of Users of Health Care Data

Advocates of the right to privacy have long recognized that the most serious threats to privacy stem from "systemic flows of information throughout the health care industry" [8]. Most transfers of health care information occur among authorized users. According to the Institute of Medicine, the names of authorized users of computer-based patient records are too exhaustive to list-this list would be similar in length to a complete list of individuals and organizations directly or indirectly associated with health care. Access to patient records is not, however, limited to persons with a primary need for information, such as those involved in health care delivery, patient management, and financial reimbursement. Authorized secondary uses of patient records include education (medical conferences and medical programs at teaching hospitals), regulation (litigation, postmarketing surveillance, and accreditation), commercial enterprises (development of biotechnologies and marketing strategies), social services and child protection (tracking medical records of spouse or child abuse), and public health services (reports on disease mortality and morbidity, partner notification, and surveillance) [10].

Unauthorized persons and organizations might also have access to the information. Powerful commercial reasons exist for obtaining health care information, including the sale of data to information brokers or marketing firms. The Office of Technology Assessment suggests that lawful and unlawful sale of personal information from databases (particularly databases containing medical information) operated by the government or private sector is widespread [11]. Establishment of an extensive infrastructure of health care information would create countless opportunities for invasion of privacy by the many authorized users, users who have lawful access without explicit authority, and users who obtain fraudulent access.

The Sensitive Nature of Health Care Information and the Dangers of Disclosure

Health care records contain a vast amount of personal information: 1) demographic information, such as age, sex, race, and occupation; 2) financial information, such as employment status and income; 3) information about disabilities, special medical needs, and other criteria required to determine eligibility for federal or state subsidies; 4) medical information about diagnoses, treatments, and disease histories [including mental illness, drug or alcohol dependency, AIDS, and sexually transmitted diseases]; 5) genomic information, including diagnostic tests for carrier traits (for example, sickle cell anemia or cystic fibrosis) and genetically related diseases (for example, Huntington's chorea or certain types of breast cancer) [12]; 6) personal and social information, such as sexual orientation, family status, sexual relationships, and environmental choices; and 7) information about being the victim or perpetrator of violent behavior, such as rape, spouse or child abuse, or firearm injury. The information is frequently sufficient to provide a detailed profile of a person. Moreover, traditional medical records are only a subset of records that contain substantial health care and personal information in the files of, for example, universities, employers, social services agencies, immigration services, law enforcement, and credit and banking institutions.

The Enhancing Power of Electronic Databases

Computerization of health care data is frequently presented as an opportunity to improve personal privacy. Security measures designed to protect electronic data include personal identifiers that restrict entry into the database, information organized by security levels that prevent users from accessing unauthorized data, limitations on disclosure of information by health care providers (that is, disclosing only the information needed for specific purposes rather than disclosing a patient's entire medical record), and audits of everyone who uses the database that are performed to identify inappropriate or fraudulent access [13].

In contrast, advocates of the right to privacy view computerization as a substantial threat. As vastly greater amounts of information are collected and transmitted to an ever-increasing number of users in remote locations, the ability of consumers to control the dissemination of personal information is sharply reduced [14]. Although electronic records are not qualitatively different from manual records, a detailed personal dossier can be created more quickly by accessing on-line networks and retrieval services.

Computerization facilitates entering, transmitting, copying, and deleting vast amounts of data. The acquisition and dissemination of information are efficient, rapid, and silent. If a user accesses an online system, the data (that is, one record or numerous records) can be viewed, studied, and downloaded from any location. Because physical evidence of the user accessing the electronic data does not exist, unauthorized entry to medical and personal data and theft of that data are virtually undetectable, thereby endangering a patient's right to privacy.

Risk-Retention Plans, Integrated and Managed Health Care Systems, and Personal Privacy

Information systems on health care are developing in the context of fundamental changes in the organization, delivery, and financing of health care. Changes in the health care system include rapid development of employer risk-retention plans, integrated delivery systems, and managed care organizations. These complex, multifaceted arrangements require sophisticated information systems that can facilitate extensive sharing of information to different locations and for various purposes [8]. Because the functions of employer, insurer, and health care provider frequently overlap, these new health care arrangements create substantial opportunities for invasion of privacy and social discrimination.

Most employers who directly provide health care benefits to their employees establish risk-retention plans, which are commonly called self-insurance arrangements. Under these plans, employers directly cover the costs of services used by employees and their dependents [15]. Industry therefore becomes both the employer and the insurer.

Mergers among hospitals, clinics, health care provider groups (for example, physicians, psychotherapists, physiotherapists, and nurses) [16], suppliers of pharmaceutical agents and medical devices, and insurers are creating integrated delivery systems that consolidate several functions under one corporate umbrella [8]. These integrated systems may also provide managed care so that a single entity is responsible for treatment, costs, and risk management. Characteristically, managed care organizations are paid on a capitated basis.

Risk-retention plans, integrated delivery systems, and managed care organizations have substantial financial incentives to control health care costs and thus have an interest in the health status of employees, consumers, and patients. In an effort to control costs, a health care provider might choose to obtain sensitive information that is not directly related to traditional clinical care, such as the physical or mental ability of an employee to perform a job or the projected costs of health care required by an employee.

An example is the potential uses of mental health records. Detailed notes taken by a psychotherapist in a managed care network may contain explicit information about a person's sexual experiences, anxiety, or depression. This information may be sought by the network's administrators to determine whether a person is eligible for continuing mental health services, by the pharmaceutical group of an integrated delivery system to determine appropriate medication, by an employer and managed care organization to establish preexisting conditions or evaluate future benefit levels, or by an employer to assess an employee's ability to do a job.

Theoretically, a fire wall is erected between the various functions performed by employers, integrated delivery systems, and managed care organizations. Such functions include employment (hiring, promotions, and firing), insurance (underwriting, benefit determinations, and coverage exclusions), and health care (diagnosis, care, and treatment). However, the absence of adequate legal standards that can be applied to employers, insurers, and providers (including health care plans) precludes establishment and enforcement of rules to protect privacy and security of information on health care [1].

Ethical Values: Personal Privacy and Societal Benefits

The literature on privacy offers several moral justifications for the rules of privacy. One standard account holds that the primary justification for respecting privacy resides in the principle of respect for autonomy. To respect the privacy of others is to respect their autonomous wishes not to be observed or have information about themselves released [17]. Respecting privacy also enhances the development and maintenance of trusting relationships. An expectation of privacy allows patients to confide freely with their physicians and other confidants about the most sensitive medical or personal issues.

The ethical justifications for protecting patient information also address the economic damage (for example, loss of employment, health care insurance, or housing) and the social or psychological damage that may result from unwanted disclosures of personal information on health care. To the extent that ethical justifications for privacy rely on the damage that might occur if the rules are not observed, privacy has instrumental value. In terms of health care, privacy is important primarily because of its utilitarian features-it promotes more effective communication between physician and patient; enhances autonomy; and prevents economic harm, personal embarrassment, and social discrimination.

Equally compelling ethical claims can be made to support a more efficient system of maintaining information on health care. Although justifications for privacy are primarily based on protecting the rights of the individual, justifications for more efficient use of health care information are primarily based on its collective benefit to society. More efficient use of health care information would promote higher-quality health care, more cost-effective services, better scientific research, and more effective public health interventions. One purpose of government is to attain, through collective action, goals that individuals who are acting alone could not achieve. Chief among those goals is the assurance of healthy living conditions. Although government cannot guarantee a person's health, it can use its resources to prevent disease and disability and to promote health care among its population.

My intention is not to argue whether a system of health care information that benefits society as a whole is more important than a person's right to privacy or vice versa. A moral theory that demonstrates the primacy of one over the other does not exist. I do, however, propose a social contract that reasonably balances the value of both without declaring either a winner.

In many instances, individuals have been willing to sacrifice privacy to obtain services that benefit society collectively. Law enforcement, public safety, tax collection, and national security are partially achieved because of a willingness to allow substantial collection of personal information. Although all citizens might not agree with this social contract, they all benefit from a communal right to franchise. A complex modern society must consider both societal interests and each person's interest in maintaining privacy.

As the values and effectiveness of health care in the United States are being considered, citizens must acknowledge that one of the burdens of achieving cost-effective, accessible health care might be some loss of personal privacy. In exchange, the government is obliged to create reasonably strong assurances of fair practices in the collection and use of information.

Disclosure of Data to Evaluate Health Care Providers: Privacy or Proprietary Interests at Stake?

Databases on health care information, particularly those in the managed care environment, affect both patients and health care providers because they contain information that can be used to assess the efficacy of health care plans, hospitals, and physicians. The general public deserves access to information about the performance of a health care facility and the quality and cost-effectiveness of its services [18, 19]. For example, a health care plan may provide consumers with report cards that rate clinical prevention services (for example, mammograms, cervical smears, and vaccinations), clinical outcomes at various health care facilities, and consumer satisfaction with those facilities.

Some physicians have claimed the right to safeguard data on performance evaluations by preventing disclosure to patients and consumers in general. Such a claim to physician privacy may, however, be misplaced because of fundamental differences between patient information and provider information. Data designed to evaluate a physician's performance have few, if any, of the personal or sensitive characteristics of patient data. The privacy of patient data is protected because of the intimate nature of clinical information. In contrast, provider data do not contain personal information about a physician's mental or physical health or social behavior but are designed to objectively assess the quality of professional services.

In addition, the privacy of patient data is protected because of the need to preserve the therapeutic relationship between patient and physician. Patients have little choice but to disclose personal information to physicians to assure accurate diagnosis and treatment, and the rules of confidentiality safeguard the physician-patient relationship that develops. On the other hand, disclosure of data on a physician's performance is unlikely to harm the physician-patient relationship. To the contrary, if the data can be used to fairly evaluate medical performance, they provide the foundation for a therapeutic relationship based on an accurate assessment of the efficacy and quality of health care services.

To better understand the moral rules that govern disclosure of physician data, health care can be viewed as a service industry; physicians offer services to patients and are reimbursed for those services. Consumers have a valid claim to receive the information necessary to objectively assess the quality and effectiveness of health care services [20]. If the health care industry is analogous to a service industry, then disclosure of information that evaluates the services cannot be viewed as a privacy issue.

Physicians, however, do have a proprietary interest in ensuring that the data accurately reflect their performance. For example, data that suggest poor patient outcomes for a given physician may be misunderstood if the physician's practice includes a disproportionate number of geriatric patients or patients with terminal illnesses. Disclosure of provider data that are inaccurate, misleading, or deceptive can harm a physician's livelihood and undermine his or her professional reputation.

In terms of moral rights, however, the relationship between physician and patient cannot be considered reciprocal because it is between one person who is disclosing intimate information and another who is providing services, not between two confidants. Although physicians have a duty to safeguard patient data, they should not expect information about the performance of their services to be confidential. As mentioned, physicians do have proprietary interests in preventing disclosure of misleading information and therefore have a legitimate claim to oversee the collection, use, and dissemination of data that might affect their reputation.

Legal Protection of Health Care Privacy

If society truly believes that the value of health care information warrants developing on-line data networks, it must reckon with the potential effects on personal privacy. One method of protecting privacy would be to establish rigorous legal safeguards. Such safeguards are inadequate, fragmented, and inconsistent, however, and they have major gaps and substantial theoretical problems [1, 8].

Federal Protection of Health Care Information

Minimum levels of protecting the privacy of information are afforded by the U.S. Constitution and federal legislation; however, both suffer from serious limitations [21, 22]. Under the U.S. Constitution, the right to privacy is restricted to state action. Any constitutional protection of privacy afforded to individuals does not pertain to private industry, where considerable information is collected and stored [23]. Even when the government is the collector of data, constitutional safeguards may be nominal. Courts allow the states wide latitude in protecting the public health of their residents and are certain to view the issues of quality assurance, cost containment, and scientific research as important, if not compelling. When government officials address such policy issues as privacy and security of health care information, the deferential approach adopted by the judicial system may prevail.

The Privacy Act and the Freedom of Information Act also provide some protection for health care records maintained by the federal government. Although these laws can be useful in safeguarding personal data, they have the following limitations: The laws only protect federal records and do not extend to records kept by state governments or the private sector, federal agencies retain discretion to disclose data without the consent of individual citizens, and the judiciary is empowered to require agencies to disclose health care records if they are required for the administration of justice.

Several federal statutes and regulations provide additional protection of privacy but only in limited contexts. The Americans with Disabilities Act requires employers to maintain separate files on medical questionnaires and examination records of applicants and employees [24], regulations of the Department of Health and Human Services stipulate that federally funded facilities strictly protect patient records on drug and alcohol treatment [25], and "Medicare Conditions of Participation for Hospitals" regulations require hospitals to implement procedures that ensure confidentiality of patient records [26].

State Protection of Health Care Information

Although most states have nominal safeguards that address the privacy of health care information, they are often incomplete or inadequate [6]. Like federal legislation, most state statutes restrict their scope to government-held data. Even these statutes may be silent about the degree of protection afforded, may confer less protection to certain kinds of information, or may grant state officials broad discretion to disseminate personal information.

State statutes seldom specify whether a narrow group of individuals may have access to specific information but often provide a wide definition of who may have access. On the other hand, legislation may authorize access to so many groups that it undermines the right to privacy. In addition, state statutes usually do not address secondary use of information (for example, disclosure of data for purposes beyond those used to justify the original collection). Accordingly, users of the data are uncertain about whether or to what extent data collected for one purpose can be accessed for an unrelated purpose. For example, a state statute might not include guidelines on whether data collected for quality assurance can be used by clinicians who are compiling data on diagnoses and treatments; by scientific researchers; or by welfare, immigration, and judiciary officials. State statutes often do not explicitly protect health care data from disclosure through subpoena or court order, which may render sensitive data vulnerable to disclosure in civil or criminal proceedings. Furthermore, if data are disclosed without legal authorization, penalties for such disclosure may be weak or nonexistent. In addition, public health officials may be exempt from liability for negligent handling of information.

In contrast, some states have erected superconfidentiality statutes for certain diseases (such as HIV infection, AIDS, or mental illness) or certain kinds of health care data (such as genetic records) [27, 28]. Such strict protection of records on specific diseases or information has inherent problems. First, the assumption is that patients who have AIDS or a mental illness need confidentiality more than do other patients (for example, those with breast cancer, sexually transmitted diseases, or alcoholism). Second, superconfidentiality laws may require health care providers to segregate certain health care information, such as information pertaining to HIV and AIDS or genetics, from other kinds of health care information. This may result in severe administrative problems or may, for example, prevent differentiation between genetic and nongenetic data. Finally, privacy laws that are highly restrictive may impede the transfer of data across state lines, particularly to providers headquartered in other states.

Theoretical Problems with the Law and Ethics

The foregoing discussion of ethics and law suggests the existence of substantial limitations in our understanding of the concept of personal privacy. The ethical analysis of privacy is frequently based on the Hippocratic Oath, which requires physicians to maintain the secrets of information divulged by patients. Thus, prevailing ethics rely extensively on the trusting relationship between physician and patient. Legal protection, particularly under the common law, is also frequently based on the existence of a special relationship between a physician and a patient. Tort law recognizes a breach of privacy if a physician discloses information divulged during a therapeutic session [29]. Furthermore, the law places duties on the "holder" of the record, thereby presuming that one party collects, stores, and owns the record. Penalties for breach of privacy are typically levied against the information holder, and no other party is deemed to be legally responsible for safeguarding the privacy of health care information.

This view of the law and ethics is flawed. Most information on health care is not generated solely from the physician-patient relationship but from diverse sources. Many therapeutic sessions do not involve a primary care physician. Patients may visit numerous physicians, nonphysician specialists, nurse practitioners, and other ancillary health care professionals. Under the traditional rules of privacy, information obtained during these visits may not be protected. Patient records contain considerable information that is gathered from numerous primary and secondary sources, including laboratories, pharmacies, schools, public health officials, researchers, and insurers.

Furthermore, because no one actually "holds" electronic data, penalizing the administrators of a database that controls medical records is ineffectual. Health care records are generated and maintained by the office staff of private physicians or health care providers in addition to government agencies, regional public health organizations, universities, and information brokers. Databases maintained by the staffs of such organizations can be collected and electronically transmitted, reconfigured, and linked. The rationale that placed responsibility on the holder of information assumed that paper records were being created and maintained by a single provider. Today we must envision electronic patient records that can be viewed by anyone with access to the database or on-line network. Because geographic location has less meaning in an electronic world, protecting privacy requires safeguarding the health care data themselves rather than the sanctity of a given therapeutic relationship.

National Legislation To Promote Efficient Information Systems and Protection of Privacy

Continued reliance on current legal safeguards is incompatible with the policy objectives of an integrated system of health care information for the following reasons. A state-by-state approach to regulation of medical information does not reflect the realities of modern health care financing and delivery. The flow of medical information is rarely restricted to one state but may be routinely transmitted to other states for various purposes, ranging from medical consultation to collaboration on scientific research to monitoring by government officials for quality. As information is transmitted, however, it may be subject to the different legal requirements stipulated by each state.

The lack of a uniform policy on interstate dissemination of health care information imposes hardships on almost everyone. When health care facilities, insurance companies, and self-insured employers practice interstate transmission of data, they often do so without clear guidance on which state's laws govern the transmission or which state's courts have proper jurisdiction to resolve disputes. Furthermore, without the ability to rely on uniform regulation of information, patients lack the basis for meaningful consent to disclosure. Lack of uniformity adversely affects the integrity of health care data (and possibly the quality of health care itself) and undermines efforts to computerize medical records. State-by-state regulation of information would be detrimental to implementation of a regional or national system for monitoring quality and cost-effectiveness. Consequently, many persuasive reasons exist to adopt a uniform federal policy on health care information that transcends state borders.

The Health Insurance Portability and Accountability (HIPA) Act of 1996 [30] requires the U.S. Secretary of Health and Human Services to adopt standards that provide a unique identifier for users of the health care system. The Secretary is also required to adopt security standards. According to the HIPA Act, each person who maintains or transmits health care information is required to implement reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of information. This act calls on Congress to enact new privacy laws; if legislation is not enacted by August 1997, the Secretary is required to promulgate final privacy and security standards no later than 6 months after that date [31].

The following proposals for a federal privacy statute are based on consultations with the Centers for Disease Control and Prevention [6] and recommendations from the National Research Council [8].

1) National safeguards that protect the privacy of health care information should be based on fair information practices. Federal legislation should establish uniform and comprehensive privacy protection of health care information. Privacy protection should cover all health care information regardless of its form (paper, microfilm, or electronic), location (in storage, transit, or archives), or user or holder (government, provider, or private organization). Effective penalties for breach of privacy should be established.

A national privacy framework should be founded on the following code of fair information practices: Individuals would have the right to control the use of personal data, secret data systems would not be permitted to exist, individuals would have the right to review and correct personal data, and data would be collected and used only for important health care purposes.

2) Patients should be able to consent to the collection and use of personal information. Patients are entitled to know and consent to the collection and use of identifiable information, the length of time that information can be stored and the circumstances under which it can be expunged, and the degree to which third parties (for example, regulators, researchers, and government officials) can obtain access. The acquisition, storage, use, and transmission of data should be done with the consent of patients.

3) Health care providers should adhere to the principle of least-intrusive disclosure. Disclosure of information by health care providers must be restricted to data that are least likely to identify the patient and reveal sensitive personal facts and to the fewest number of persons necessary to achieve the stated purpose.

4) An industry-wide security infrastructure should be established. The National Research Council [8] made the following recommendations to ensure enhanced security: Develop technical and organizational policies, practices, and procedures (for example, authentication of users, access controls, audit trails, disaster recovery, protection of remote access points, and encryption of all patient-identifiable data before transmission on public networks); promote the sharing of information on security throughout the industry; and improve security technologies for health care applications.

5) A data protection and security board should be established. A data protection and security board would help to protect each citizen's right to privacy within a secure framework. The proposal for creation of a data protection panel has been recommended by Congress [32], experts on the right to privacy [33], and the National Research Council [8]. This board or panel would set privacy and security standards; monitor and evaluate the implementation of standards set by statute, regulations, and guidelines; sponsor or conduct research, studies, and investigations; and work with providers to foster development of privacy and security practices that would be responsive to their goals of providing effective health care.

Conclusion

Top Conclusion Author & Article Info References

A federal statute that addresses the privacy of health care information should offer a balance between the societal benefit of collecting health care data (recognizing the value of public health to the community) and the individual right to protection of privacy (recognizing the value of respecting individual citizens). As a society, we confront some difficult decisions regarding the acquisition, storage, and use of health care information in general and the protection of personal information and privacy. What do we value more, and how can we best execute our answers?

Perhaps what the public desires is not absolute privacy but reasonable assurances that when personal information is collected, health care providers, managed care organizations, and insurers will treat the information with respect, store it in an orderly and secure manner, and disclose it only for important public health purposes and in accordance with publicly accountable principles of fairness.