Medical privacy affects us all, and Congress keeps missing the point

The New York Times reminds us that President-Elect Obama is committed to the automation of medical records. I think that's great, as there are many reasons why electronic health records a great idea. The specific focus of the NYT article is on legislative initiatives to assure privacy, of which there seem to be many. My feelings about that are more mixed -- I love the idea, but am not so wild about the implementation.

I emphatically believe it is crucial to set up a new legal structure for privacy and the government use of information. When making that case, I usually conflate the two big areas of medical records and security/anti-terrorism/law enforcement. But that's a bit sloppy. The truth is, medical privacy issues should be solved first, before we fully tackle the others. National-security privacy issues are almost certain to fall afoul of partisan politics, at least until an example is set by consensus in a less contentious area. And there are indeed several reasons it should be easier to achieve such a consensus in the medical area than it is in security or law enforcement. In the medical realm, unlike national security:

1. The interests of the information's subject are obviously paramount. There are three main reasons to manage medical information -- to treat patients, to facilitate the business side of health care, and to support general medical research. Treating patients is clearly the most important.

2. Information policies can safely be transparent. In national security matters, there's great secrecy even as to what information is or isn't being stored. The medical area is thankfully free of that complication.

3. It is obvious that everybody is equally deserving of protection, with only the most limited of exceptions. This simplifies the discussion. National security vs. privacy debates are often complicated by arguments to the effect that most people are deserving of freedom, but some need to be carefully watched. Whether or not you think that's true, you hopefully agree it doesn't apply in the medical case.

Unfortunately, much of the legislative effort in medical privacy misses the main point. With the happy exception of the Genetic Nondiscrimination Information Act, privacy initiatives are focused on controlling the accumulation and movement of data, rather than its use. I think that's quite insufficient. No matter how stringent the rules are about acquiring and sharing information, they'll never suffice. Reasons include:

  • Medical information needs to be shared in emergencies. And where legitimate emergencies are common, "social engineering" to defeat security procedures is, at least in principle, child's-play.
  • As a condition of getting medical care and getting it paid for, people are routinely coerced to sign waivers allowing information to be shared.
  • HIPAA procedures are already causing hardship to patients and families. For example, family members are routinely banished from patients' bedsides out of fear that they'll overhear some other patient's private information. (OK, maybe that's a pretext, as hospitals generally will take any excuse they can think of to get rid of visitors.) Yet they don't work. (Think of all the releases of celebrities' medical information.)
  • Over-legislating detailed rules about technology tends to backfire in general.

Here are some examples of laws-about-medical-information-use I would favor:

  • It should be illegal to discriminate in any way based on medical information, subject only to the same common-sense allowances for discrimination found in the Americans With Disabilities Act.
  • It should be illegal to use medical information for marketing purposes. Limited exceptions can be carved out for health-care providers.
  • Unauthorized use of medical information should carry substantial criminal penalties, at least in certain use-cases, such as releasing it for publication. Normally I hate anything that smacks of censorship, but it should be possible to draw bright lines that keep this rule from being overly broad.
  • Doctor/patient confidentiality should be strengthened. In particular, the use of medical data for law enforcement needs to be rolled back. For example, New York City's law -- made famous in the recent matter of Plaxico Burress -- that requires health care providers to rat out patients with bullet wounds is awful. And I say this as a former member of Handgun Control, who wishes it were realistic to repeal the Second Amendment.
  • Aggregation of personal medical information for research should be tightly regulated. Many such uses are worthy and should be permitted, but that can't be allowed to open a path around the rest of privacy protections.

This is not to say that there shouldn't also be rules about a general duty to keep information confidential. But they're a sideshow. The bottom line is this:

Medical information will be exchanged. The legal focus needs to be on ensuring that patients don't suffer as a result.

Insider Shootout: Best security tools for small business
Join the discussion
Be the first to comment on this article. Our Commenting Policies