Computerized or not, your medical records and intimate health data are supposed to be accessible only to those with a legitimate need to see them, such as the physicians involved in your care and the insurers who pay the bills. Physicians take a professional oath not to disclose information about their patients. Health insurers have rules in place that are supposed to protect the privacy of your records. And yet, in recent years, pranksters, busybodies, and computer sleuths have demonstrated just how easy it is to subvert security measures.
A teenage girl made prank calls informing people who had visited a hospital emergency room that they were pregnant or had AIDS. Those called took the news seriously; one victim attempted suicide. The girl had retrieved their names and phone numbers from the hospital computer while visiting her mother, who worked at the hospital.
In 1994, administrators of the new computerized medical-record system at Kaiser Permanente Northwest in Oregon were shocked to find that 141 employees--most of them not involved in the case--had peeped at the records of figure-skater Tonya Harding after she visited one of the health plan's facilities to be treated for a sprained wrist. (The incident prompted system administrators to strengthen staff confidentiality training programs.)
Just by knowing the birth date and ZIP code of the governor of Massachusetts, Latanya Sweeney, a computer-privacy researcher at Carnegie Mellon University, was able to retrieve his health records from a supposedly anonymous database of state employee health-insurance claims. Sweeney also demonstrated that she could do the same for 69 percent of the 54,805 people on the voting list of Cambridge, Mass. (italics ours)
The electronic storage of individuals' intimate medical data has offered new ease and convenience for snoops. The problem is expected to grow much worse over the next few years as information convergence unfurls its potential for linking medical records to vast amounts of personal, shopping, and credit information kept on individuals. There's relatively little hard data on the risk this poses to privacy; we're still on the cusp of this mega-change. This means there is still time for judicious regulations to limit the ability of the authorized and unauthorized alike to find out about your every pimple, health habit, risk factor, and medication purchase.
We know your health affairs
Does it matter? Should you be concerned? Consider the hypothetical case of Nora T. Hyde, 42, a Maryland corporate middle manager. As far as Nora knows, her colleagues at work and the bank where she's applied for a home-improvement loan have no idea she recently had a bout of early-stage breast cancer. And even her husband doesn't know that Nora has been taking antidepressant medication to help her recover her spirits after her surgery.
What Nora doesn't realize is that without her knowledge or consent, various computer databases have efficiently swept up virtually every detail of her medical history. A record of her lumpectomy went into Maryland's computerized cancer registry and also its hospital discharge dataset--along with her birth date, race, and gender.
Into the state's new outpatient Encounter Dataset went the details of her visit to the doctor for depression treatment--complete with an encrypted "unique patient identifier." Two databases, one at her neighborhood pharmacy and one at the giant pharmaceutical-benefit clearinghouse that handles drug claims for her company's health plan, also recorded her prescription for an antidepressant.
Nora's health-insurance plan received notice of all these things, too, because to have her medical costs reimbursed, Nora gave blanket permission to disclose the information. Recently, the health plan signed a contract with an Internet company to put all its claims processing online and plans to protect patients' privacy with passwords and "secure sockets layer" technology.
Meanwhile, Nora spent some time visiting health web sites. At a drug-company site, she filled out an online form to order a discount coupon for a medicine. The instant she typed in her name and address, automated software plugged her name and address into a big direct-mail database from which the drug company learned her age, her household income, her hobbies, and her catalog purchase history.
Nora is a fiction. But every one of the electronic databases and Internet ventures mentioned in this vignette is up and running. For the moment, most of them operate in relative isolation. The drug-company web site, for instance, doesn't link up with the state hospital-discharge database. But before long it will be technically possible for all of these records to be cross-referenced and merged to create a cradle-to-grave picture of your health history.
"Technology now has the ability to collect a vast amount of information, and to mix and match and merge and commingle it at a level undreamed of a generation ago," says Carole Doeppers, a privacy advocate for the Wisconsin chapter of the American Civil Liberties Union. "It's out there, and everybody wants it, and it's very profitable."
This new world of digitized medical information promises some real benefits. Electronic medical records have already been shown to vastly reduce the likelihood of medical error caused by ignorance of some critical fact about a patient's health history, such as a drug allergy. Electronically transmitted prescriptions drastically reduce medication errors. In one study reported in 1999, medication errors for hospitalized patients dropped 81 percent after doctors started entering drug orders on a computer instead of by hand. Using databases to track medical outcomes yields valuable information about which treatments work best.
But, say privacy experts, the very architecture of the Internet makes it difficult--perhaps even impossible--to guarantee the confidentiality of personal health information stored or transmitted online. And for the moment, at least, the laws requiring companies even to make the attempt are few, weak, or--at the federal level--nonexistent. Until laws change, it is up to you to protect the privacy of your health information.
"If you put your medical information online," says Robert Gellman, a Washington, D.C., privacy consultant, "you're turning your private information over to the world."
Where the information is
For the time being, personal health information is held in three distinct and separate oceans of electronic data. The technical problems of bridging those oceans are, ironically, today's strongest form of privacy protection.
Government and institution databases. The federal government maintains electronic files of hundreds of millions of Medicare claims. And every state aggregates medical data on its inhabitants, including registries of births, deaths, immunizations, and communicable diseases. But most states go much further. Thirty-seven mandate collection of electronic records of every hospital discharge. Thirty-nine maintain registries of every newly diagnosed case of cancer. Seventeen collect records of ambulatory care. Most of these databases are available to any member of the public who asks for them and can operate the database software required to read and manipulate them.
Most of these databases are "de-identified." That is, the records are stripped of names and Social Security numbers, which could be used to identify individuals.
However, it is technically possible to link these records to the literally thousands of private-sector electronic medical records, which come with names and addresses attached: prescription records in pharmacies, claims records in health-care plans, and billing records in hospitals and doctors' offices. That's because the U.S. health-care system uses standardized codes for diagnoses and procedures. Disease code 410.90, for example, means the patient has had a heart attack. Procedure code 92982 says he got an angioplasty for it. The codes show up on insurance claims and hospital discharge records.
Some medical databases are sequestered in computers with no connection to the outside world. Others--perhaps the majority--are accessible via modem through private data exchanges, though not yet on the Internet itself.
Ironically, the one thing that rarely exists in electronic form is what we think of as our medical record--the detailed written notes of doctor visits and hospital stays kept by doctors and nurses. More than 90 percent of such records are still kept in paper form only, though large health-care systems are working to put these into computers, too. And once they do, your complete individual health history will be accessible at the click of a mouse.
"The better the electronic record, the more linked together it is," explains Gwen Hughes, professional practice manager for the American Health Information Association. "We're trying to get sophisticated enough so anyone who needs your information can get it quickly. With paper records, it's hard to get them to travel as fast as the patient does."
The laws covering medical databases are spotty and inconsistent. The federal Privacy Act of 1974 outlaws disclosure of the personally identifiable health information the U.S. government collects, such as Medicare treatment records. But the laws say nothing about private medical records. Only 35 states protect the government records that they keep, according to a 1999 survey by Georgetown University's Health Privacy Project. The survey found that fewer than half of states give complete legal confidentiality protection to personal records maintained by doctors, hospitals, pharmacies, and health insurance plans.
"It's not established who owns your medical record," says Zoe Hudson, a policy analyst for the Health Privacy Project at Georgetown University. "When it's sitting in the hospital, the hospital thinks it's theirs. When a bit of information goes to a pharmaceutical company, they think they own it."
Commercial databases. For many years, direct-mail companies have been amassing detailed household-level information on consumers. Some of it comes from public sources such as census, mortgage, and motor-vehicle records. But an amazing amount comes from your voluntary disclosures. Every time you send away for a rebate, buy something from a catalog, fill out a consumer questionnaire, or register a warranty, you're adding to that base of knowledge. (CU doesn't share subscribers' annual questionnaire responses with anyone.)
A surprising amount of that information has to do with health. This information ends up in places like the BehaviorBank product offered by Experian, one of the world's largest direct-mail database companies. Clients can buy mailing lists of, for example, 990,070 Americans with bladder-control problems, or 2,492,820 with high cholesterol.
These databases are obviously useful to drug manufacturers, who are increasingly selling their products directly to consumers. In fact, marketing consultants are advising drug makers to set up 800 numbers and coupon offers to capture still more names and addresses.
There are no laws governing the use of information in these commercial databases.
The Internet. Health care has been slower than other forms of commerce to embrace the Internet. So far, most of the action has been in information web sites. But consultants at an Internet health commerce meeting we attended earlier this year repeatedly exhorted their pharmaceutical company clients to step up their efforts to collect personal information from web surfers. Health-care companies such as Healtheon/WebMD are hotly competing to get doctors to write prescriptions over the Internet and to persuade consumers to place personal health records there.
Confidentiality protection
The guardians of all these data are hardly cavalier about it in view of the many polls that show how protective people feel about their personal health information. About seventy percent of respondents to a national poll by the California Health Care Foundation didn't want drug companies to use their personal data to try to sell them drugs or other health-care products. (In 1998 Consumers Union received a six-month grant from the California Health Care Foundation to raise public awareness about medical privacy.)
But working against privacy is the ability of new electronic technologies, which could eventually create a vast, universally accessible ocean of personal health data. Some major trends in this direction include:
Personal identifiers. Stripping hospital discharge records and other public medical datasets of "personal identifiers" hasn't been the panacea it was once assumed to be. State agencies doing public-health research, for example, have found they're routinely able to locate the same person in disparate databases by matching up data elements such as age, gender, race, ZIP code, and diagnosis.
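The matching that Sweeney used against the governor's record, and that the state agencies above report finding routinely, works because a handful of innocuous fields (age, gender, ZIP code) single out one person. The check a data custodian runs before releasing a "de-identified" dataset is to count how many records share each combination of those fields; this is the measure behind Sweeney's "69 percent" figure. The following is an added example, not code from the article or from any agency it names: it audits a small set of constructed, fictitious discharge records, reports the fraction that are unique on age, gender and ZIP, then applies the usual mitigation of coarsening those fields (ten-year age bands, three-digit ZIP prefixes) and shows the smallest group size rising. The record layout, field names and diagnosis codes are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed, fictitious de-identified discharge records (not real data).
# 'dx' is the sensitive attribute; age, gender and ZIP are the quasi-identifiers
# that public lists such as voter rolls also carry.
RECORDS = [
    {"age": 42, "gender": "F", "zip": "21201", "dx": "174.9"},
    {"age": 42, "gender": "F", "zip": "21201", "dx": "311"},
    {"age": 42, "gender": "F", "zip": "21202", "dx": "311"},
    {"age": 58, "gender": "M", "zip": "21201", "dx": "410.90"},
    {"age": 58, "gender": "M", "zip": "21201", "dx": "410.90"},
    {"age": 31, "gender": "M", "zip": "21230", "dx": "311"},
    {"age": 35, "gender": "M", "zip": "21231", "dx": "250.00"},
    {"age": 63, "gender": "F", "zip": "21230", "dx": "410.90"},
    {"age": 67, "gender": "F", "zip": "21232", "dx": "401.9"},
]

QUASI_IDS = ("age", "gender", "zip")  # assumed quasi-identifier columns


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def min_k(records, quasi_ids=QUASI_IDS):
    """The k of k-anonymity: the size of the smallest group in the release."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids=QUASI_IDS):
    """Fraction of records whose quasi-identifier combination is unique (k == 1).

    A record in a group of size 1 corresponds to exactly one person for anyone
    holding an outside list with the same age, gender and ZIP, so this is the
    share of the release that is exposed to linkage.
    """
    classes = equivalence_classes(records, quasi_ids)
    singletons = sum(
        1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1
    )
    return singletons / len(records)


def generalize(record):
    """Coarsen the quasi-identifiers: ten-year age band, three-digit ZIP prefix."""
    low = record["age"] // 10 * 10
    return {**record, "age": f"{low}-{low + 9}", "zip": record["zip"][:3]}


def release_report(records):
    """Risk figures for the raw release and for the generalized release."""
    raw = {"k": min_k(records), "unique_fraction": unique_fraction(records)}
    coarse = [generalize(r) for r in records]
    gen = {"k": min_k(coarse), "unique_fraction": unique_fraction(coarse)}
    return {"raw": raw, "generalized": gen}


if __name__ == "__main__":
    for stage, stats in release_report(RECORDS).items():
        print(f"{stage:11s} k={stats['k']}  unique={stats['unique_fraction']:.0%}")
```

On the constructed data, five of nine raw records are unique on the three fields, so the release offers no anonymity at all (k = 1); after generalization every record sits in a group of at least two. A real release would set a larger target k and would also have to consider the diagnosis column itself, since a group whose members all share one diagnosis still reveals that diagnosis to anyone who can place a person in the group.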
So far, the possibility of just this sort of cross-referencing has made the guardians of government health data cautious about putting it on the Internet. But in the course of processing a private health-insurance claim, your personal records may be seen by many pairs of eyes. "Health plans, pharmacies, and pharmacy benefit managers all have access to them," says Gellman, the Washington, D.C., consultant. "And the more people that have the information, the greater the likelihood that someone will use it improperly."
Two years ago several drug companies paid to have the CVS and Giant pharmacy chains use their prescription databases to generate promotional letters to customers taking certain medications. One such letter went to customers who'd previously filled prescriptions for nicotine-replacement products. "We hope you successfully quit smoking but if you, like many others who have tried to quit, are still smoking, we have good news for you," the letter read, then went on to pitch a new stop-smoking medication called Zyban.
The promotions stopped after the public complained but not before highlighting the fact that the database of prescriptions was not, as most customers probably assumed, confidential.
Many employers also have legal access to staffers' medical records. A University of Illinois Study of 84 Fortune 500 companies found that 35 percent inspected medical records before making job-related decisions. And a national survey of employers by the Kaiser Family Foundation found that 30 percent had access to the records.
Warehousing data. The latest trend in business, a data warehouse, is essentially a huge conglomeration of formerly disparate databases. By working out ways to access and recombine previously scattered data, the thinking goes, companies can do more-sophisticated analysis of their operations.
A report from Acxiom, a large business data-consulting company, explains how it might work: The moment a caller responds to an advertisement by dialing an 800 number, the system recognizes the incoming phone number, matching it in real time against a national database of phone numbers, names, and addresses. If demographic data such as age, income, or lifestyle is appended in that instant, the caller could be handled using different scripts that pop up on the screen of the tele-operator.
The next level of data integration would be to eliminate the need for a consumer to actually place a phone call in order to be subjected to demographic profiling. A company called Cogit.com offers a service called RealTarget that does precisely that. All that's needed to trigger the process is for you to give your name and address to a web site maintained by any Cogit.com client.
The last privacy frontier would be for web sites not to bother to strip out names and addresses before linking visitors to their offline demographic profiles. DoubleClick, a big company that places banner ads on web sites, was planning to do so, using a commercial database that it recently purchased. But a storm of public criticism forced it to suspend its plan.
The wide-open Internet. Both deliberate and accidental privacy breaches can happen here, even when web sites try to protect users' privacy. "As you put more and more sensitive information on sites that have a public presence on the Internet, any error can expose them to espionage, abuse, or hacking," says Lauren Weinstein, cofounder of a California-based watchdog group, People for Internet Responsibility.
For example, earlier this year, according to The Wall Street Journal, Drug Emporium shut down its pharmacy web site after it somehow displayed one customer's credit-card number to the next online purchaser.
But a bigger problem may turn out to be the invisible, subtle, deliberate violations of privacy on health-related web sites. In our May 2000 report Big Browser is watching you! we explained how the online world can create a profile of your interests and behavior by following your "clickstream"--a record of the pages or links you click on at a web site. This is as true of Internet health sites as of any others. The California HealthCare Foundation recently examined the privacy practices of 21 of the most popular health-care sites and found, in some cases, that they were violating their own written privacy guidelines--usually by sending personal information to third parties without the knowledge or consent of site visitors.
The unanswered question is how far Internet health companies will go in exploiting this rapidly growing trove of information on consumer-health conditions and behavior. So far the position of most Internet enterprises seems to be that no amount of personal profiling is too much as long as the technology avoids knowing your name.
Some privacy advocates disagree. "You'd never put up with this sort of thing in the non-computer world," argues Weinstein. "If a creepy little guy with a notebook was following you around the mall, writing down every place you went, and then followed you home and watched when you opened your mailbox, you'd be pretty peeved. That's what's going on, on the web."
Recommendations
Some uses of health information are legitimate. Patients are well served if doctors and hospitals have fast access to accurate records. With proper safeguards against reidentification, analysis of government, hospital, and health-care databases yields a gold mine of information on public-health trends and the effectiveness of various types of care. We encourage the efforts that some states are making to make it more difficult to identify individuals from these databases while still allowing data to be used for legitimate research and oversight purposes. On the other hand, we agree with the majority of consumers that health-care marketers have no business mining this data to sell us things.
Last fall the Clinton administration proposed the first national regulations on the privacy of health information in electronic form. The regulations would forbid the disclosure of personally identifiable medical information without the consent of the individual, except for such purposes as providing or paying for treatment. The rule would also end the common practice of making people sign over all their medical information in order to receive health benefits; now the plan would only be entitled to the information needed to process a particular claim. The rule would also give people the right to their own doctor and hospital records--a right currently guaranteed by only about 26 states.
We support the prompt enactment of these regulations. And we think consumers should be able to amend and correct their health-information records, too. If patients are not given complete access to their medical records, employment and other decisions that will directly affect them may be based on inaccurate information.
On the Internet, consumers should be informed in advance about how their personal information is being collected and given, at minimum, an opportunity to "opt out."
At the personal level, you can limit disclosure of your personal information to your insurance company. If presented a blanket release, revise it to limit your permission to the treatment at hand. Don't forget to sign and date your changes.
Finally, if you don't want details about your bladder control or laxative habits to make it into commercial databases, you can simply decline to provide that information when marketers ask for it. Don't fill out questionnaires or product-registration cards. Check the privacy policies at online web sites before you register, and consider avoiding those that are in the business of selling their customers' names and personal information.
Copyright© Consumers Union of U.S., Inc., 2000