Threat to Confidentiality of Personal Medical Records

Buried in the Kennedy-Kassebaum Health Insurance Portability and Accountability Act passed by Congress last year was a little-publicized provision exhorting health care providers to help build a national database of patients’ medical records. Americans have much to gain from such a database. With it, emergency room doctors could review the medical history of an unconscious accident victim before deciding on a method for revival. Or researchers could try to determine whether medication given to pregnant women was associated with diseases in their children years later.

There are no federal laws, however, ensuring that medical records will be limited to professional hands like these. And so unless Congress acts promptly against inappropriate access, Americans stand to lose as much as they will gain from the ongoing computerization of medical records. Now many doctors are thinking twice about what information they include in patient records, for fear it could be used against a patient’s best interest. And some people are denying themselves the benefits of genetic tests because they don’t want insurers and employers to discover they have a predisposition to a particular disease.

One would think that patients already enjoy privacy of their medical records, but as a National Research Council panel warned earlier this month, “There are no strong incentives to safeguard patient information because patients, industry groups, and government regulators aren’t demanding protection.”

California is one of a few states offering a modicum of medical confidentiality. Under section 56 of the state civil code, companies are allowed to see the medical records of their employees only if they can show that they need the information to make medical insurance contributions. But Beth Givens, project director of the nonprofit Privacy Rights Clearing House in San Diego, says section 56 has “a loophole big enough for a Mack truck to drive through.” It allows hospitals and other health care facilities to release a patient’s key medical records unless the patient has forbidden release in writing. Moreover, under ERISA, the Employee Retirement Income Security Act of 1974, companies that develop their own medical plan rather than contract with an outside health care provider are exempt from all state confidentiality laws.

Solutions must come primarily from Washington. For only Congress can eliminate blanket exemptions in ERISA (a federal law), impose confidentiality laws governing interstate computer networks and prohibit the disclosure of medical information without a patient’s consent.

Congress can take a first step toward patient privacy by passing the proposed Fair Health Information Practices Act, introduced in January by Rep. Gary A. Condit (D-Ceres). Condit’s bill doesn’t address all of the ways in which the sophisticated medical records industry has learned to procure patient data. Those loopholes--which an advisory commission to Health and Human Services Secretary Donna Shalala is now studying--will have to be closed by future legislation. But unlike two confidentiality bills that died in Congress last year, Condit’s bill more sharply limits disclosure of medical records.

The Kennedy-Kassebaum Act gave Congress until late 1999 to devise a plan for ensuring medical confidentiality. Present dangers, however, demand prompter action.