Technology Outpaces Privacy Protection

CURE, Summer 2008, Volume 7, Issue 2

The debate about electronic health care tools and patient privacy shows no sign of ending soon.

A long-simmering debate about the extent to which patient privacy should be shielded from the perils posed by electronic health care tools shows no sign of ending soon, despite efforts in Congress and calls from critics to shore up protections.

Few people dispute the tremendous promise of such tools. The big question is whether disagreement about the appropriate scope of privacy protection will cripple efforts to fulfill that promise.

A rising tide of electronic health records, doctor-patient e-mail, e-prescribing, and online chats with health professionals is greatly expanding information access even though many important privacy issues remain unresolved.

Proponents of the digital wave say compromising on privacy is a reasonable price to pay for safer, more efficient, and less costly health care at a time when such care is fragmented.

“Today, health data are so important—for public health, for biomedical research, and for patient care, payment, quality, and safety—that to say, ‘Well, we can get along without data’ or ‘We can let every person decide whether or not they want to share data’ isn’t in our common interest,” says Don Detmer, MD, president and CEO of the American Medical Informatics Association in Maryland.

In 2002, Congress amended the Privacy Rule in the Health Insurance Portability and Accountability Act of 1996, the federal law that regulates the privacy, security, and confidentiality of patient information. Under the Privacy Rule, personal information cannot be used for purposes unrelated to health care or administrative/financial purposes, and only the minimum amount of information may be released when necessary. The rule still requires patients’ consent before their information can be shared with marketing firms, life insurers, banks, and other businesses for non-health care purposes. Anyone who disobeys the rule could face a fine of up to $250,000 and up to 10 years in prison.

Still, privacy watchdogs—and many Americans—are skeptical that current safeguards are adequate. According to a survey released last November by Harris Interactive of nearly 2,400 consumers, 58 percent believe laws and health organizations do not sufficiently protect the privacy of medical records.

Deborah Peel, MD, a physician who founded Patient Privacy Rights, a consumer advocacy group in Austin, Texas, says the uncertain outlook for privacy may be particularly troubling for people with cancer because employers could be reluctant to hire or retain them. Furthermore, she says, insurers might balk at the potential cost of cancer treatment or, in the case of healthy insurance applicants and their children, at the results of genetic tests suggesting a greater cancer risk.

Genetic discrimination is rare, but some people are concerned genetic profiling might increase as genetic tests become more common. The Genetic Information Nondiscrimination Act, signed into law by President Bush in May, outlaws such discrimination.

“We think the need for privacy is paramount for cancer survivors,” Dr. Peel says.

More stringent state privacy laws trump, and are different from, the Privacy Rule, enforcement of which has been nearly nonexistent, according to Peter Swire, JD, an Ohio State University law professor. State laws vary and are scattered among thousands of statutes, regulations, common law principles, and advisories, making it difficult to determine which standards apply in any individual case.

Legislation recently introduced in the House and Senate would beef up federal safeguards. However, it is unclear if lawmakers will take much action before the end of this election year.

The privacy debate could heat up in coming months as Google and Microsoft market new forms of the personal health record—an online, unregulated software application that gives consumers control of their health information. Up to 10,000 patients at the Cleveland Clinic have been invited to participate in tests of Google’s MyChart. Last October, Microsoft unveiled a test version of HealthVault, along with a lengthy privacy protection statement.

Exactly how the privacy debate will ultimately play out is anyone’s guess. One thing, however, is certain: Both sides will monitor the situation closely in hopes of striking a balance between privacy protections and leveraging the potential of electronic tools for better health care.