Continued Access to Private Medical Data Raises Concerns

WASHINGTON — Legislation that privacy advocates had hoped would give consumers ironclad assurances that their medical records would remain private has evolved into a measure that would allow insurers and employers continued access to sensitive medical information.

One key provision of the legislation, the target of intense lobbying by the insurance industry and employer groups, requires people who sign up for health insurance to grant insurers and employers access to medical records past, present and future.

The bill gives insurers a legal guarantee that they could continue using those records to determine premium prices. This would primarily affect the 13 million Americans who buy health insurance on their own. State laws generally protect those in job-based group plans from such preferential pricing.

And the provision with potentially the most far-reaching consequences would rule out future state laws that would impose stricter privacy protections than the federal law.

The bill also includes some key safeguards for consumers. It would contain the first comprehensive limits on how individual medical records could be used and would protect consumers from some of the most egregious abuses of personal privacy.

But that falls far short of some privacy advocates’ goals. “I had high hopes for this legislation when they started holding hearings on it last year,” said Denise Nagel, a physician and executive director of the National Coalition for Patient Rights, which is based in Lexington, Mass. “So I was really surprised they came out preempting state law. . . . States are just getting around to writing medical confidentiality law. . . . You could drive a Mack truck through the holes in the bill.”

The measure is sponsored by Sen. James M. Jeffords (R-Vt.) and will come before the Senate Health Education, Labor and Pension Committee this summer.

The legislation is advancing at a time when new technology, specifically the electronic manipulation of patient information, gives records value that they never had when they were just paper files in a doctor’s office.

Direct-mail companies hawk lists of individuals with such chronic diseases as diabetes and Alzheimer’s to drug companies and home health agencies. Others sell employers detailed records on workers’ compensation claims. The implications of computer access to medical information ups the stakes for the legislation.

Though under serious consideration, the bill faces many hurdles, not the least of which are competing pressures from privacy advocates, who are mainly patients and doctors, on one side and employers and the health insurance industry on the other.

Insurance companies want information that will help them determine which treatments work, reduce spending on those that do not and identify doctors with unusually high costs.

Employers generally support the same goals, with an emphasis on cost control. Research institutions have also joined the pro-disclosure forces, concerned that records must be kept open to spur medical innovation.

On the other side, patients fear that potentially damaging information about individuals would be leaked to current or potential employers. They point with alarm to cases in which workers have lost their job because employers were tipped off about health problems.

Case Highlights Privacy Pitfalls

In one recent case in Georgia, Ronnie Tompkins, a long-distance truck driver, had a flawless driving record for Old Dominion Freight Lines when he sought treatment for alcohol use and depression. He never drank on the job, according to his lawyer.

But when the treatment center checked into insurance reimbursement for the cost of his care, the claims administrator for Old Dominion told him that the service was not covered. Then the administrator told the company that Tompkins had a drinking problem, according to Tompkins’ lawyer.

Tompkins’ supervisors suspended him and instructed him to get treatment from a certified substance abuse counselor, his lawyer said. Tompkins could not afford that because his insurance would not pay for it, and he was fired for failing to follow his supervisors’ instructions, according to his attorney, Mark Kraynak.

Calls to seek comment from Old Dominion were not returned.

“My client never drank on the job, and there was no evidence he did, and the employer never insinuated it,” said Kraynak, who is representing Tompkins in a complaint filed with the Equal Employment Opportunity Commission. “But he was penalized nonetheless.”

Doctors, allied with their patients, worry that insurers would use the newly available information to challenge their treatment decisions. The risk seems particularly acute to psychiatrists, who fear being forced to reveal intimate details about their patients.

Insurance policies may cover up to 20 visits to a psychiatrist a year if the treatment is considered medically necessary. But Robert Pyles, a psychiatrist in Wellesley, Mass., and president of the American Psychoanalytic Assn., said that insurance companies often call to check long before that.

“The managed care companies call me up after three visits and ask for my treatment notes before they authorize the next three visits on the grounds that they need to know whether they are medically necessary,” he said.

To protect his patients’ privacy, Pyles said, he frequently offers only a summary. “But they won’t accept that; they want the notes, and this bill codifies the practice.”

The drive for uniform federal standards is in part an effort to undo the confusion caused by today’s crazy quilt of state laws. It is unclear, for example, which state’s laws would cover a resident of Kansas City, Kan., who worked in Kansas City, Mo., bought insurance from an Illinois firm and had insurance claims records stored in Nebraska.

California’s Legislature is considering a measure to beef up enforcement of its privacy rules, and at least 11 other states are working on comprehensive privacy protection legislation, according to analysts at the National Conference of State Legislatures.

Making the issue particularly urgent this summer is a federal law enacted four years ago and sponsored by former Sen. Nancy Kassebaum Baker (R-Kan.) and Sen. Edward M. Kennedy (D-Mass.). Its most widely known provision guaranteed that employees could not lose their health insurance if they switched jobs. The same law also decreed that if Congress did not act by August to protect the privacy of medical records, it would be up to Health and Human Services Secretary Donna Shalala to put privacy protections in place for electronic data (but not paper records).

The House passed some limited health-care confidentiality measures last year as part of another health care bill, but the Senate did not act. This year, the House is waiting for the Senate to make the first move.

Senators introduced bills favored by the two poles: the insurers and employers at one extreme and patients and doctors at the other. Jeffords, chairman of the Senate Labor and Human Resources Committee, took up the task of writing a compromise bill--and was promptly beset by lobbyists.

Leading the industry forces was the Healthcare Leadership Council, whose members include the nation’s 50 or so largest health companies: drug manufacturers, insurers, hospital chains and managed care companies. All seek federal legislation to provide a uniform national privacy standard so they can quit worrying about 50 different state laws.

“The legislation establishes a federal limit on how information can and can’t be used, but it preserves the ability to access information for legitimate health-care purposes . . . ,” said Heidi Wagner, a lobbyist for the council. “We were looking for a single, rational set of standards.”

Insurers note that under Jeffords’ version of the Senate bill, the uses of medical information are limited to treatment, payment and health care operations. The bill prohibits the sale of health care information for profit.

Insurers Say Bill Could Aid Consumers

Insurers argued that the bill preserves medical information for positive purposes, such as generating reminders that individuals with chronic conditions should get regular check-ups.

“To make that happen, you need individual health data that follows a patient,” said Karen Ignagni, president of the American Assn. of Health Plans, which represents more than 1,000 managed care organizations.

The Healthcare Leadership Council and the insurance industry recruited members of the medical research community, including such venerable institutions as the Mayo Clinic, into their lobby.

Arguing that the future of medical science hinges on keeping as much health care information as possible in the public domain was far more attractive to senators than maintaining that managed care and insurance company profits depend on access to information.

“The health plans and drug companies cloaked a lot of their arguments in terms of whether research can go forward . . . ,” said Janlori Goldman, director of the Health Privacy Project at Georgetown University Medical Center. “That was very effective.”

Goldman and other privacy advocates decided to relent on some key issues as long as the bill had some safeguards for consumers that could be strengthened in subsequent legislation. The result was a bill that would preempt future state laws but not current state laws if they are stronger than the federal law.

The bill also sharply limits an individual’s ability to bring a lawsuit if private medical data is disclosed inappropriately and limit their ability to recover damages for pain and suffering, as a result of the disclosure, to $50,000.

Although that falls far short of what privacy advocates had hoped for, Goldman said, the bill as now written is still a net plus for privacy advocates, although it would cease to be if it got much weaker.

Opposition to aspects of the legislation comes from both ends of the political spectrum.

The conservative Heritage Foundation is up in arms because of the blanket authorization form that consumers would be forced to sign as a condition of getting insurance.

The American Civil Liberties Union and a number of women’s organizations are worried that provisions in the bill would allow parents to peruse their minor children’s medical records for confidential services such as contraception and testing and treatment for drug and alcohol use and sexually transmitted diseases.