Health and the Right to Privacy
Justice Louis Brandeis Lecture
"Privacy & Access to Information: Striking the Right Balance in Healthcare,"
Massachusetts Health Data Consortium
Boston, MA, April 16, 1999
Copyright 1999 Paul Starr

Paul Starr
Thank you for the opportunity to present this Justice Louis Brandeis Lecture on privacy and access to health information.

When Louis Brandeis and Samuel Warren introduced the phrase "the right to privacy" as the title of an article in the Harvard Law Review in December 1890, they were primarily concerned about a right of privacy from the news media. "The press," they wrote, "is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers."

You could hardly say that Brandeis and Warren's concerns were out of date, but their article offers us a mixed precedent for any discussion of privacy and information today. To be sure, their idea of a right to privacy has proved to be enormously influential; it has even been extended to areas of law and policy, such as contraception and abortion, which they did not anticipate. In this general sense, their case for a right to privacy has been vindicated. But the specific cause that Brandeis and Warren took up must be judged largely to have failed. Do the news media today pursue gossip with industry? Gossip is an industry. Are "the details of sexual relations ... spread broadcast"? They are -- and with scant fear of legal repercussions. In the century since their 1890 article, the law has not followed the path that Brandeis and Warren proposed. Where claims of privacy have conflicted with the First Amendment, the Supreme Court has, with only rare exception, come down on the side of the First Amendment. It has given higher priority to the public's right to know than to the right of individuals to control access to information about themselves.

There is an irony about this result. For it was Justice Brandeis himself, together with Justice Holmes, who in their dissents in the 1920s paved the way for the expansive interpretation of the First Amendment decades later in Sullivan v. New York Times, Time v. Hill, and a series of subsequent cases that effectively subordinated privacy rights to the First Amendment.

This history holds a lesson for us. Privacy is not an all-purpose trump card; it is not the only value implicated in the rules governing the control of information. There are other legitimate interests as well -- different ones, to be sure, in the case of health data from that of news. Patients have a strong interest in preserving the privacy of their personal health information, but they also have an interest in medical research and other efforts by health care organizations to improve the medical care they receive. As members of the wider community, they have an interest in public health measures that require the collection of personal data.

Fortunately, these interests in medical research and public health can be pursued with far less jeopardy to privacy than upholding the First Amendment in the case of news. For unlike the news media, medical research and public health are not interested in disclosing individual identities to the public. Insofar as they need individually identifiable health information, it is as an intermediary step in the production of knowledge or protection of health. In other areas, such as the use of medical records for law enforcement, the right of privacy must be judiciously balanced against other values in finding the appropriate policy. But at least with respect to medical research and public statistical data, there ought to be not simply a balancing of interests, but a fully satisfactory way of protecting both privacy and health; and thus it would be tragic if in the effort to safeguard privacy, we were to adopt laws and regulations that jeopardized research and data by degrading their quality or raising their cost to prohibitive levels.

The goal of protecting privacy in health care underlines another limitation of the conception of privacy as Brandeis and Warren introduced it. They famously described privacy as the "right to be let alone," a phrase often attributed to them, though they were only quoting a standard work on torts. But too much of what we do today entangles us in the business of large institutions for us to expect that we can enjoy privacy merely by being let alone. We need those institutions to observe rules that preserve our privacy even as we do business with them and they accumulate information about us. We don't want to be let alone by our health care institutions; we want them to take care of us. Privacy must be the result not simply of an absence of intrusions, but of positive effort and careful planning.

The effort and planning required to protect privacy in health care defy simplistic answers. The sheer scale of our health care system and the complex flows of data among providers, networks, insurers, employers, and government agencies inevitably require a complex structure of legal rules and technical provisions to maintain the security and confidentiality of personal health information. But this complexity is itself a problem. It is impossible for individual patients or citizens to know whether these systems actually safeguard the privacy of their data. And in an age of cynicism about large institutions, many people are ready to believe the worst -- especially when they hear news reports of egregious episodes in which the privacy of medical records has been violated. The object of law and policy, therefore, is doubly difficult: it must not only protect privacy, health, and other legitimate interests. It must also produce public trust in institutions.

But trust is scarce. Americans read countless stories about the abuses of managed care. Talk radio is filled with tales of the evils of government bureaucracies. There is a particular variant of these sentiments that I call "information populism" -- a deep fear of the information-gathering role of big institutions. I have some acquaintance with this current of populist distrust from my experience on the Clinton health plan. During the spring of 1993, a story appeared in small-town papers across the country that the White House was planning to require every American to carry a smart card that would include a medical record; supposedly, any policeman could pull you to the side of the road and read your entire medical history. This was a complete fantasy -- we were not proposing a smart card -- but no matter: Our telephones were so jammed for the next few days by irate callers that the office could hardly function. Later, stories appeared that the Clinton plan would create a single national data bank with everyone's medical record -- another falsehood, but one that has appeared in reputable publications and books, down to the present (see, for example, Etzioni, 1999). There were legitimate privacy concerns in health care reform, but the atmosphere of distrust that pervaded the reform debate made rational public discussion of those problems nearly impossible. Big Brother -- or was it Big Sister because of Mrs. Clinton? -- was supposedly out to get your medical records, the better to keep you under the thumb of that oppressive government in Washington.

Information populism is, in a sense, the underside of the information society: Just when information becomes a critical economic resource and when information technology becomes cheap and widely available, many people grow more anxious and distrustful about how information about them may be used. Today the problem is scarcely an imaginary one. Personal medical data are regularly used to set rates for health insurance in the individual and small-group markets that effectively exclude some people from coverage. Personal data are used to deny some people jobs. It is hard to allay public anxieties when those anxieties have a real foundation. Unfortunately, addressing some of those concerns, particularly about health insurance coverage, requires just the kind of reform effort that now seems out of political reach.

What is in reach, indeed, scheduled for adoption within the next year even in the absence of congressional action, is a national legal framework for the privacy of health records. Under the Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, Congress gave itself a deadline, August 21, 1999 -- a little more than four months from now -- for enacting federal health privacy rules. If Congress fails to act by then, the Secretary of Health and Human Services will issue privacy regulations by February of next year.

Although Congress could postpone this date or nullify it entirely, the deadline finally promises to break the long stalemate in national policy. Public opinion polls have long shown large majorities of Americans to be concerned about privacy; to disapprove of the use and sale of health information for purposes other than that for which it was originally collected; and to favor stronger privacy protections. Despite this public sentiment, health privacy legislation has been stalled for decades. Indeed, privacy legislation generally in the United States has made little legislative headway despite broad support in public opinion polls. Political scientists identify the blockage of privacy protection as a classic case of the triumph of concentrated interests over the diffuse interests -- that is, the ability of the information industry and, in this case, much of the health insurance industry, with their ample financial resources, to prevail over the broad but weak commitment of the public (Regan, 1995).

With a deadline now in view, the political dynamics change. The deadline has led to a more substantial national policy-making effort in health privacy than ever before, and that effort has borne fruit. There is relatively broad agreement about much of what needs to be done in the establishment of fair information practices. But there are still differences on critical issues; potential eruptions of public suspicion and industry lobbying could derail needed reforms; and the public at large and even the medical community have not been much engaged in the debate. Consequently, the kind of discussion we are having here today could not come at a more opportune moment.



The Origins and Nature of the Health Privacy Problem


Almost everyone agrees that the absence of stronger protections for the privacy of health data is a national problem, and that the problem has become more urgent in recent decades. But there is disagreement about the nature of the problem and exactly what has made it more serious.

The conventional story is that the threat to the privacy of health information comes from technological change. Once your innermost medical secrets dwelled in a paper record safely locked away at your local hospital and doctor's office. Now those same records are computerized and effectively out of control as they zip across electronic networks to an expanding array of interested parties.

But computerization has only magnified and dramatized a problem that was already developing because of the larger social and economic transformation of health care; and it is a mistake to assign computers the role of villain in this story, when they may, in fact, be a large part of the solution. It is a dangerous mistake to think of trying to roll back or obstruct computerization of health data, as a few have urged -- that is a hopeless and misdirected cause. The source of change is not so much technological as it is economic. As health care has been transformed into a complex industry representing one-seventh of the economy, organizations of all kinds -- employers, insurers, plans, networks, systems, pharmaceutical makers, device makers, and many others -- have had growing interests in data to control their costs, increase their revenues, or improve their performance in some other dimension. They have been willing to invest in information, to pay for information, to sell information -- information itself has become a business. This is what we expect in an information society. In this case, unfortunately, much of the information concerns the personal health of patients and customers. Buying and selling such information -- applying such information for purposes unrelated to those for which patients originally provided it, and possibly harmful to their interests -- is not what the public expects or approves.

And thus we have a yawning gap between privacy ideals and actual information practices in health care. Somehow we have to narrow that gap by bringing practice more into line with public values. But doing that right will require some careful distinctions.

Discussions of health privacy focus on three distinct kinds of violations of health information privacy. Although the classification that follows is my own, I take the examples from congressional testimony of Janlori Goldman, the director of the Health Privacy Project at Georgetown University; but similar episodes, and often the identical ones, are recounted throughout the literature. The first category of violations, by far the most commonly cited, represents cases of individual misappropriation of medical records, indeed often of outright theft (the sources indicated are those cited by Goldman, 1998):
      • In Tampa, a public health worker walked away with a computer disk containing the names of 4,000 people who tested positive for HIV. The disks were sent to two newspapers. (USA Today, October 10, 1996).
      • New York Congresswoman Nydia Velasquez' confidential medical records -- including details of a bout with depression and a suicide attempt -- were faxed from a New York hospital to a local newspaper and television station on the eve of her 1992 primary.
      • A banker who also served on his county's health board cross referenced customer accounts with patient information. He called due the mortgages of anyone suffering from cancer. (National Law Journal, May 30, 1994).
      • The 13-year-old daughter of a hospital employee took a list of patients' names and phone numbers from the hospital when visiting her mother at work. As a joke, she contacted patients and told them that they were diagnosed with HIV. (Washington Post, March 1, 1995).
      • In Maryland, eight Medicaid clerks were prosecuted for selling computerized record printouts of recipients' and dependents' financial resources to sales representatives of managed care companies.
      • The director of a work site health clinic operated by a large manufacturing company testified that he was frequently pressured to provide personal information about his patients to his supervisors.
      • The late tennis star Arthur Ashe's positive HIV status was disclosed by a health care worker and published by a newspaper without his permission.
      • After news of actress Nicole Kidman's recent surgery was leaked to the press, photos of her leaving the UCLA Medical Center appeared in papers with commentary about her health status. (Parade Magazine, May 10, 1998). (I can't resist mentioning here the cover of Newsweek this past fall with Nicole Kidman that declared in large type, "Nicole Kidman bares all about her new play, her marriage, and her struggle for privacy." I love it when Americans bare all about their struggle for privacy!)


These examples of privacy violations all involve individuals who misused medical data, often publicly disclosing sensitive information and typically violating both the policies of the institutions that kept the records and the laws of their state. Many of these cases are egregious and shocking; still, they don't fundamentally raise new issues of policy and law. Rather, they raise questions about the adequacy of institutional policies for data security, the enforcement of existing laws, and the possible need for stronger criminal and civil penalties and more aggressive enforcement to serve as a deterrent to individual misbehavior.

Other violations of privacy involve institutional practices. My second category consists of the use of personal health data for marketing and other purposes where the harm to the individual is ambiguous or relatively small. For example, Janlori Goldman notes that "the chain drug stores CVS and Giant Food admitted to making patient prescription records available for use by a direct mail and pharmaceutical company ... to track customers who don't refill prescriptions, and send them letters encouraging them to refill, and consider alternative treatments." The problem here is not so much the harm actually caused by the practice -- many customers might have appreciated the reminders -- as the potential for harm that the practice discloses. We worry about the hands into which such lists might fall. But because many of these cases have ambiguous benefits and harms, there may be some dispute about exactly what practices ought to be legally prohibited. Is it allowable, for example, for a health plan, but not a pharmacy, to send a reminder to a patient to refill a prescription or to consider an alternative, perhaps more cost-effective treatment? It should be possible to prohibit outright merchandising of health data for purposes unrelated to those for which patients provided the original information. But I am not confident that the benefits of this policy are going to be all that substantial, and overinclusive rules could end up prohibiting some useful efforts in disease management. It would be ironic if such laws prohibited just the kind of outreach to the sick that champions of social reform and public health have long advocated.

My third category consists of institutional practices that do cause unambiguous harm to identifiable individuals. Here are two such examples from Goldman's testimony:
      • In a recent survey, 206 respondents reported discrimination as a result of access to genetic information, culminating in loss of employment and insurance coverage, or ineligibility for benefits. (Science and Engineering Ethics, 1996).
      • A recent survey found that 35% of Fortune 500 Companies look at people's medical records before making hiring and promotion decisions. (Unpublished study, University of Illinois at Urbana-Champaign, 1996)


These cases -- actually, not cases, but reports of widespread practices -- are substantially different from the first two categories and raise much more serious issues of policy. The commingling of the insurance and employment functions in the United States, particularly in self-insured firms, has led to serious abuse of confidential medical information; and the development of genetics has made possible a new and insidious form of discrimination. In the reform of health privacy, it is cases of this kind -- widespread abuses causing serious harm to identifiable individuals -- that we should be most concerned to correct, although the other issues also need to be addressed, if for no other reason than trying to improve public trust in the security and confidentiality of health data. But it is not altogether clear that this is what will happen. In particular, there is a danger that a bullet which ought to be intended for commercial and employer abuses of privacy ends up hitting medical and public health research, and damages interests that are as vital to patients as their interest in privacy.


Policies for Change


More than 30 years ago, the political scientist Alan Westin defined informational privacy as "the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others." (Westin, 1967) This conception, which seems to me to confuse privacy with one means of achieving it, has been highly influential. The core of health privacy reform is a set of fair information practices, the principal object of which is precisely to give patients greater ability "to determine for themselves when, how and to what extent information about them is communicated to others." Among the new rules institutionalized at the national level would be the principle that patients should have a right to see and copy their own medical records, as many states already provide. The new framework would also give people a right to notice about how their health information will be used, so that they can make informed choices. And it would require consent for the disclosure of personal health information, with some exceptions, such as emergencies and for some public health purposes. The stronger privacy protection measures would require consent for each distinct use of the information. One of the proposals has included a right for patients to opt out of electronic records entirely.

Is consent the solution to the problem of health information privacy? The problem with the emphasis on individual consent is that it offers both too little protection and too much. It offers too little protection because patients are typically asked for consent under circumstances that make it nearly impossible for them to refuse it, for fear of being denied insurance coverage or medical care. On the other hand, individual consent may offer too much protection when it is required for every distinct use of the information, and this requirement becomes an obstacle to the conduct of medical research initiated after the initial encounter. In this case, the requirement may raise the costs of that research, or so distort the selection of cases, as to rule out studies that serve important public purposes. This last year, the state of Minnesota imposed such a requirement on medical researchers, and it has become an additional burden, in some cases enough of an extra cost to deter an investigation. Moreover, in retrospective studies, it is often difficult to locate the patients -- some may be infirm, others may be dead -- and if those are the patients excluded because consent cannot be obtained from them, the validity of the data will be fatally impaired.

My concern about the impact on research is heightened by the distinction in much of the legislation between two levels of authorization for the use of information. At the first tier, as a precondition for serving a patient, a health care provider will most likely be able to require consent for some uses of data, primarily treatment and payment, while patients will be able to refuse second-tier authorization for other uses of data without jeopardizing their care. The first-tier authorization will effectively be mandatory -- it will be consent in name only -- and will satisfy the financial interests most immediately concerned with treatment. The second-tier authorization, however, may well not be granted, and as a result certain kinds of data may often be impossible to obtain for research and evaluation. Although the object of segregating the two kinds of authorization is to give patients more control over information, this policy could end up disempowering them in another respect. Patients have an interest in being able to make informed choices among different methods of treatment and providers of care, and these choices are best informed by comparative data on the outcomes of treatment and other dimensions of performance. But if such data depend on second-tier authorizations that even a minority of patients refuse to provide, those data may not be available or, if available, not representative.

But what a misfiring of reform that would be! After all, data on populations do not violate anyone's privacy; what purpose is achieved by requiring consent for research and other efforts that do not result in the disclosure of personal information? Is there evidence that researchers have abused their trust by disclosing the identities of individual patients? The literature on health privacy does not provide such evidence (indeed, not a single episode recounted by Goldman or others that I read involved a medical researcher). Insofar as individually identifiable data are required as an intermediary step in the production of knowledge, patients are in a poor position to know whether there are adequate protections against loss of privacy. This is a job for regulatory agencies and professional organizations, not for individuals -- it is a misplaced individualism to rest upon consent the burden of protecting privacy rights that must be secured by institutions with the resources and knowledge necessary for real accountability. What these reforms are doing, in a larger sense, is confusing the concept of a privacy right with a property right. The essential interest in privacy is not control, but dignity -- the protection of the individual from offensive and embarrassing disclosures.

To be sure, one of the objects of reform should be to induce researchers and others to rely, wherever possible, on non-individually identifiable health data. In this regard, the development of a universal health identifier could be a critical step, especially if combined with encryption that blinds researchers to the true number. Today, files on individuals contain much personal information in order to achieve reliable identification; it will be easier to anonymize data in research if there is a unique and reliable number associated with all records pertaining to a case. And yet some privacy advocates have opposed the introduction of universal health identifiers on the grounds that this is a step down the slippery slope of totalitarianism. But if there were such a genuine totalitarian threat, it would make no difference whether there is a unique health identifier; thugs bent on tyranny will scarcely be deterred by the administrative inefficiency of our health care system.

When Secretary Shalala announced the administration's approach to privacy, the single biggest source of legitimate concern was the broad exemption envisioned for law enforcement. Proposals in Congress include requirements that law enforcement agencies obtain warrants as if they were conducting a physical search, though the exact standards for access vary. In this connection, there ought to be consideration for distinguishing among different zones or layers of health records, requiring varying levels of judicial scrutiny for law enforcement access. The same record that contains information relevant for insurance fraud may also contain unrelated intimate facts that ought to be treated as belonging to a more private and protected zone.

This kind of zoning or segmentation of medical records can be built into computerized record systems. Even without legislation, health care institutions should be seeking to segment their records to improve data security. (I recognize such segmentation may be imperfect and inconvenient, but it is still worth doing.) Institutions generally need to pursue stronger measures to protect the security of data, including the use of biometric identifiers for health personnel accessing patient databases and the development of audit trails to keep track of who accessed what. If patients can see their records, they ought to be able to see the file recording who else has seen their records. Making the tracks visible would be a deterrent to both casual browsing and malicious intrusion.

These measures might help minimize the highly publicized cases of individual trespass and misuse of data that have raised public concern about the security of health information. But the more important step should be unambiguously to proscribe the wholesale violation of medical records privacy by employers, marketers, and others when those violations do actual harm to individuals.

Finally, one of the key divisions over national health privacy regulation has been whether it would preempt state laws. The industry wants preemption to simplify the legal requirements with which it has to comply, while privacy advocates want no federal preemption of stronger state laws. In the long run, a consistent national framework makes enormous sense, but the issues remain too unsettled, the picture too complex, for preemption to be a wise policy in the short run. It is not even clear what state laws would be preempted. Justice Brandeis called the states our "laboratories of democracy." At least for some time, they can be our laboratories of privacy protection, too.

Because of the deadline facing Congress in August, this round of national debate about privacy may be nearing a conclusion. But American society will most likely be debating these issues for a long time to come. The evolution of the information society -- the advent not just of new technologies, but of new uses of information and entire new industries, with biotechnology being at the cutting edge of innovation -- means that we are probably just at the beginning of a long historical effort to define health privacy law, policy, and practice. The failure of Brandeis' original privacy crusade -- privacy from the news media -- should warn us that privacy is not as simple as it may seem, and the ultimate resolution may not be what even our greatest legal and moral thinkers initially want.



Endnotes


Etzioni, Amitai. 1999. The Limits of Privacy. New York: Basic Books.

Goldman, Janlori. 1998. Testimony before the U.S. House of Representatives Subcommittee on Government Management, Information, and Technology of the Committee on Government Reform and Oversight, May 19.

Regan, Priscilla M. 1995. Legislating Privacy: Technology, Social Values and Public Policy. Chapel Hill: University of North Carolina Press.

Warren, Samuel D., and Brandeis, Louis D. 1890. The Right to Privacy. Harvard Law Review 4: 191-220.

Westin, Alan. 1967. Privacy and Freedom. New York: Atheneum.
