Who can see your medical records?

Congress passes a bill under the banner of protecting privacy. Critics say it does anything but that.

Published July 8, 1999 7:30PM (EDT)

Who would you entrust with the secret flaws of your mind and body? Your
doctor? Your therapist? Your HMO?

How about Citicorp? The House just did. While we were getting ready for
Independence Day, it seems, the House of Representatives voted
overwhelmingly to open our medical records to the businesses that profit
from prying into them.

On the night of July 1, in a 343-86 vote, the House of Representatives
passed the sweeping Financial Services Act of 1999, the first major
overhaul of the finance sector since the Great Depression. The bill creates
a legal framework for the coming megamergers of insurance companies, banks
and other financial firms. But it also contains an amendment, under the
innocuous heading "Confidentiality of Health and Medical Information," with
potentially disturbing implications for medical privacy.

The amendment's
sponsor, Iowa Republican Rep. Greg Ganske, described it as language to
protect the medical records of people whose health insurance policies
become accessible to banks through mergers. But a close reading suggests
that it does just the opposite. The amendment prohibits the disclosure of
patient information to anyone "without the consent of customers," then
goes on to list a series of exceptions that includes just about any
conceivable use of health records -- from insurance underwriting to research
to bill-collecting to criminal investigation. In short, the amendment was
written very loosely, enabling companies that hold medical records to
release them to virtually anyone with whom they do business.

"This could,
frighteningly enough, be the last word on medical privacy," says an aide to
Democratic Sen. Patrick Leahy, the author of a liberal medical privacy
bill that died in committee.

There are innocent readings as to how Ganske's amendment was passed, and
there are conspiratorial ones. Medical privacy has become a hot-ticket item
in Washington in recent years, as privacy advocates and ordinary citizens
alike began to realize there were no federal laws to protect their health
records. Indeed, such records have become commodities like any other in
the information age, bought and sold by a variety of interested parties.
Various research studies published in the past several years have shown
that corporations routinely peruse employee health records in making
hiring, promotion and firing decisions. Pharmacies sell patient information
to drug companies, which use it for marketing back to the patient or his
medical group. Managed care plans ogle patient files to find ways to refuse
payment or to urge doctors to stop expensive procedures. Insurers look for
ways to deny claims.

In the absence of privacy laws or universal health
care, discrimination against the ill or potentially sick will grow more
acute as genetic examinations become a more routine part of clinical
science and DNA profiles enter medical records. A 1996 study by Stanford
and Harvard researchers found 206 asymptomatic individuals who lost jobs or
insurance coverage because of their genetic profiles. Other studies have
cited cases where people, after innocently donating blood samples, were blackballed from jobs because of secret readings of their DNA sequences.

A study to be published next week in the journal Neurology indicates that many people who carry the Apo-E4 gene variant -- about a quarter of the population -- suffer progressive memory loss starting in late middle age. Imagine the discussions that could go on in boardrooms of companies that get their hands on this information: "Should we promote
Jerry to VP?" "Nah, he's an 'E4' -- he'll be a bozo in 10 years."

A national medical privacy bill was supposed to prevent this kind of
Orwellian scenario. The 1996 Health Insurance Portability and
Accountability Act ordered Congress to pass a medical privacy law by Aug.
21, 1999. Fifteen different bills have been introduced, but all have
foundered under intense industry pressure. A compromise measure introduced
by Vermont Republican Rep. Jim Jeffords stalled in the Labor Committee in June.
Four times Jeffords called a meeting to mark up the bill for a vote in the
full Senate, but had to cancel each time because of disagreements between the
health care industry and privacy advocates. Business interests, represented
by conservative Republicans on the committee, wouldn't budge in response to
privacy advocates' demands: that the bill not preempt stronger state
legislation, and that it give citizens the right to sue health care firms.

Around the time the last meeting was canceled, Ganske introduced his
amendment into the Financial Services Act without consulting any of the
pro-privacy lobbyists. Ganske, a physician himself, said the bill was
worded to make sure financial companies could get the information they
needed to pay patients' bills. "We all want privacy for patients," he
reassured colleagues during the debate, adding in a letter that the bill
"will not preempt state privacy laws. It will not create a disincentive
for comprehensive medical privacy legislation."

It is possible the amendment could be thrown out when the Senate and House
meet in conference to integrate their two versions of the finance bill.
Ganske has told Democratic colleagues he
is willing to discuss changing the language in conference committee.
However, an aide to another Republican congressman involved in the
legislation acknowledged that the amendment as it is currently written
could become law if Congress, as expected, fails to pass a more
comprehensive privacy law in its final two weeks before recess.

"I think this amendment was written very cleverly in a sneaky way. It's shameful, a
massive step backward," says Janlori Goldman, an activist whose Health
Privacy Project has spearheaded attempts to bring advocates and industry
together. Goldman and others assume that the insurance industry -- which is
big in Iowa -- wrote the amendment. "It shows how powerful these industries
are that you can get Ganske to rise on the floor of Congress and say his
amendment will protect privacy when he's heard over and over that it's a
disaster for privacy," she says. "Why call it a privacy amendment? Why not say who put
it in?" Groups opposing the amendment included not only privacy gadflies,
but many of the major physician and patient groups, among them the American
Medical Association, the American Association of Retired Persons and
the American Psychiatric Association.

Industry's interest in data sharing, of course, is not entirely malevolent
or pointless. Managed-care companies use electronic databases to make sure
kids are immunized, to make sure diabetics are filling their prescriptions,
to hold down costs -- although customers rarely seem to benefit from the
latter. The Centers for Disease Control and Prevention uses databases to track infections. The government uses
them to catch Medicare fraud; academics and pharmaceutical companies use
them for research.

But it was easy to imagine less benevolent uses when
Travelers Group and Citicorp merged two years ago -- even though the two
firms' executives promised to keep the two functions separate. With the
new banking law in place, mergers of insurers and banks are likely to be
plentiful. Wells Fargo, Fleet Financial and BBT are some of the larger
banking companies expected to get into the insurance business once the
banking reform law gets final passage; John Hancock and State Farm have
already bought thrifts. It would be naive to think that financial companies
won't use information that helps the bottom line. Under the House-passed
bill, they can.

"If someone is deciding to give you a car loan, they might
want to know if you have high blood pressure," says Jim Pyles, a lobbyist
for the American Psychoanalytic Association who alleges that Citicorp/Travelers was involved in shaping the medical privacy amendment. "If you want a home loan they
might want to know if you've been treated for depression. I'm sure they'd
be quite interested. Plus they can also sell it. They can transmit it, sell
it to anybody who wants it."

"At first glance we think of the wish for privacy as a need to be alone,"
writes psychotherapist Janna Malmud Smith in her recent book, "Privacy
Matters." "But it also makes possible a deeper, more particular
openness." For now, most Americans seem oblivious to the invasion of their
health privacy. But in the world of psychotherapy it is already keenly
felt. Managed mental health care companies have become ever more intrusive
in demanding detailed patient information before they authorize payment. In
response, many therapists simply don't tell their patients about the dozens
of health industry bureaucrats who will be examining the patients' inner lives.
Those who do inform their patients do so at their own risk: Patients
sometimes flip out and decide either to pay out of pocket, thereby keeping
their names out of the computers, or abandon therapy all together.

"I get increasing numbers of patients through the yellow pages, which never used to happen," says Paul Ling, a Massachusetts psychiatrist. "People are a lot more savvy
to the fact that they don't have confidentiality if they get me through an
HMO or health plan. The only way to get total confidentiality is to pay out
of pocket."

The sense of violation is not limited to psychotherapy. Patrick Dunn and
Jocelyn White, internists in Portland, Ore., found in a recent survey of
area physicians' practices that more than half the patients claimed to have
withheld information out of concern that it would come around to damage
them. The physicians Dunn and White talked to had, on average, one patient each who had been harmed by the release of information; most of the time, these were people who were refused coverage due to a "prior condition" clause. A larger survey in California, released in
January, found only about a third of patients trusted their health plans to
maintain patient confidentiality.

"Medical records privacy is the
absolutely fundamental core of the doctor-patient relationship," says an
American Medical Association representative. "If you believe you could lose your job or not qualify
for a mortgage or life insurance, why seek treatment? It puts a tremendous
chill on somebody's interest in seeking care."

One reason that health
insurers say they need detailed patient information is for research. But if
patients are submitting false or incomplete information, how sound will the
research be?

The odd thing about Americans is that while we are paranoid about
government intrusion in our private lives, we generally let corporations
snoop on and market to us without protest -- when they're really just after our
money. The citizenry has been generally passive in the face of the growing
transparency of its medical records -- except when it stops to think about

"When I talk to people on my book tour they're simply shocked. Most
of the public doesn't know that people are getting fired already for their
genetic profiles. Prospective employers are already checking peoples'
DNA," says philosopher Amitai Etzioni, who has been speaking to groups on
a tour for his book, "The Limits of Privacy." "It takes a Columbine or a
Kosovo for Americans to focus on a problem. And there hasn't been anything
like that yet for medical privacy."

By Arthur Allen

Arthur Allen writes on health, science and other issues for Salon. He lives in Washington.

MORE FROM Arthur Allen

Related Topics ------------------------------------------

Healthcare Reform