Discovery Institute
disco-tech | Discovery Institute's Technology Blog: Health IT Archives

April 16, 2009
Protecting digitized health histories

Over at Discovery Blog, Bruce Chapman discusses the Obama administration's great interest in digitizing health records even though the technological and legal infrastructure isn't in place to protect patient privacy.

There appear to be new technologies to prevent such problems and at reasonable cost, but the overall problem of vulnerable computer security--on medical records or national security--is not a minor threat for the country as a whole or for our citizens as individuals. It won't solve itself. It needs high priority notice by government and businesses alike.
If people have to fear:
  • Their doctor may discover a chronic condition, some unfortunate piece of family health history or a youthful indiscretion
  • The information is added to their digitized record
  • The digitized record is stored somewhere or shared with researchers or vendors
  • The file is compromised somehow
  • The information makes its way into the public domain
  • There is ineffective privacy protection
they may be afraid to seek medical treatment, endangering their own life and possibly becomming a public health risk.

There are things network providers and data centers can do to make transmission and storage more secure. But that won't solve the problem of accidental disclosure by members of the health care profession (e.g., lost or stolen laptops) or even intentional disclosure (remember how private investigators gained access to cellphone records through impersonation or other means?).

A comprehensive approach is needed with criminal penalties for inappropriate access, disclosure or other use. Also, we need to modify the evidentiary rules followed by the courts so that sensitive health data contained in a digitized health record is inadmissible in most civil and criminal proceedings.


October 31, 2008
Computerizing health care

According to one report, networking and communications are finally coming to the health care industry.

IT security will eventually meet the expectations of the health-care industry, just as has happened in other sectors, like banking. And when it does, powerful IT networks crisscrossing the globe will change the way much of health care is delivered: Outsourcing and offshoring of medical and nonmedical services will increase, providing more efficient health care at the most cost-effective rates; systems integrations will allow more medical records to be transferred swiftly and securely; efforts to monitor the safety of medicines will gain global access to data; and professionals and patients will find authoritative and up-to-date information on every specialty online.
See: "Prescription for Change," by Amar Gupta, Wall Street Journal, Oct. 20, 2008.

My father is a retired physician and surgeon and my grandfather was a professor of medicine, so I don't want to criticize the profession or the industry too much; but the inefficiency of hospitals, doctor's offices and health insurers (in this computer age) truly staggers the imagination.

If we are to change that, the whole trick is preserving patient privacy. Some people might not even seek treatment if they fear the possibility of having a condition or even genetics which, if revealed, might affect their employment, insurability or reputation.

In the law we have an attorney-client privilege, a doctor-patient privilege and a pastor-penitent privilege. These are evidentiary rules which make certain evidence inadmissable in a court of law so that people won't hesitate to seek the advice and assistance of a doctor, lawyer or pastor.

The doctor-patient privilege prevents prosecutors or litigants from asking for certain medical information; but it needs to be expanded to cover the accidental release of electronic health records, because information which is in the pubic domain isn't covered.

An evidentiary rule does not prevent an employer, insurer or any other third party from using the information for some purpose unrelated to litigation. Congress recently passed the Genetic Information Nondiscrimination Act (GINA), but according to another report it does not go far enough:

A new federal law prohibits health insurers and employers from discriminating against individuals on the basis of their genetic profile. But [anyone who consents to the collection of their genetic profile] could be denied life insurance, long-term care insurance or disability insurance, with no legal penalty. And no law can bar colleagues from raising an annoyed eyebrow at a [participant] who, say, indulges in a brownie after disclosing on the Internet that she is genetically predisposed to diabetes.
This article points out that it is basically impossible to protect genetic information from disclosure if medical researchers are to have access to it, which would help them look for cures.

See: "Project Lets Anyone Take a Peek At the Experts' Genetic Secrets," by Amy Harmon, New York Times, Oct. 20, 2008.

Clearly, extensive regulation is needed in this regard, but not just on how online providers manage the information. Regulation is more importantly needed on how third-parties can use it.

Another article also reaches the conclusion that current law is unsatisfactory:

Safeguarding genetic privacy is more complicated than many people realize, and recently enacted laws such as the 2008 Genetic Information Nondiscrimination Act offer little protection. Better regulations must be developed soon, before testing spreads and abuses grow.

* * * *

Although the laws vary, 12 states require people to give written, informed consent for a genetic test, and 27 states require express consent to disclose test results. Nevertheless, these laws, like the federal regulations, continue to allow insurers and employers to legally require individuals to sign an authorization for the release of their medical information. As a result, 47 states have laws that prohibit insurers from denying or restricting coverage or charging different rates, based on an individual's genetic information. HIPAA already covers these cases for people in employer-sponsored group health plans, however, so the state laws in effect only extend protection to people who buy individual insurance.

Other laws in 35 states prohibit employers from requiring a genetic test as a condition of employment and from using predictive genetic information to deny an individual a job. Yet after a conditional offer of employment, the laws allow an employer to require prospective employees to authorize the release of their health records as a condition of being hired. The states differ on whether genetic information may be disclosed at this time, but that provision is largely immaterial: it is impracticable for anyone to excise genetic information from paper records and equally infeasible to exclude it from electronic records until the contextual access algorithms are devised.

Given such shortcomings, Congress has been under increasing pressure to improve privacy. In May members finally passed the Genetic Information Nondiscrimination Act (GINA), which had been pending since the mid-1990s. The act prohibits health insurance companies from discriminating in providing coverage, and in setting rates, on the basis of genetic predispositions. Unfortunately, the legislation is not much better than or even different from many state laws, and it doesn't cover life, disability or long-term care insurance.

The article concludes that
Indeed, concerns about keeping information private are best addressed by a national system of universal health care, as in Canada. In universal plans, risk is spread across the entire population, and the plan is funded by the entire population. Whether any given person has a high risk for any disease has no bearing on the equation, so there is no incentive for others to seek protected information. The situation eliminates people's two greatest worries: that they will have trouble obtaining or will be dropped from health insurance, and that they will be denied a job because their medical conditions could impose a burden on the company's health plan.
See: "Tougher Laws Needed to Protect Your Genetic Privacy," by Mark A. Rothstein, Scientific American, Sept. 2008.

A national system of health care might solve some of these problems but would clearly lead to other problems such as a huge burden on taxpayers and the rationing of health care. Doctors, not bureaucrats, need to manage treatment decisions, and there need to be incentives for healthy living. At the same time, better protection is also needed for those who, not primarily of their own fault, require expensive care they cannot afford.

Dotted Divider Line





Contact Us
Discovery Institute Logo

Click here for additional contact information