American Journal of Law & Medicine

If I am only for myself, what am I? A communitarian look at the privacy stalemate.

I. INTRODUCTION

There is little quarrel that access by medical and health policy researchers to medical records and claims data has spurred advances in quality and access to medical treatment. Nevertheless, dissatisfaction lingers with the regime used to regulate access to that information. The American regulatory regime on medical record access has politely been characterized as "fragmented"(1) and less politely as a "black hole."(2) U.S. Senator Edward M. Kennedy asserts, "[t]oday, video rental records have greater protection than sensitive medical information."(3) At the center of this dissatisfaction is the question of how much say an individual should have in letting others--even those with legitimate need--look at and use an individual's records.

The issues surrounding the use of medical records and claims data by third parties, such as medical and health policy researchers, employers, marketers, public health officials and the law enforcement community, have created a cacophony of sound and fury. This has led to numerous hearings and several abortive legislative attempts addressing the privacy rights of individuals as well as those who want access to the data, including medical and health policy researchers, whose work may benefit the public at large.

Members of Congress have introduced bills to limit the access and use of medical information since the mid 1990s.(4) The legislative proposals have taken several different forms.(5) Committees in both congressional houses have held hearings, yet neither has ever reported comprehensive legislation.(6)

Congress will try again this year under the pressure of a deadline created by the Health Insurance Portability and Accountability Act of 1996 (HIPPA).(7) HIPPA provides Congress with the first opportunity to enact legislation that regulates the use and disclosure of individually identifiable health information.(8) The legislation must also address the rights individuals should have regarding such information and procedures for exercising of those rights.(9) If Congress fails to pass legislation by August 1999, the Secretary of the Department of Health and Human Services (HHS) must impose regulations on these matters by February 21, 2000.(10)

With only a few months until the congressional deadline, battle lines are being drawn. On one side are the privacy advocates: civil libertarians, disability advocates, some consumer groups and health care provider groups.(11) These groups demand stringent regulation of medical record privacy to protect personal autonomy values and to prevent patients from being stigmatized. The privacy advocates are armed with both polling data suggesting that Americans want heightened privacy protection(12) and with anecdotal evidence detailing inappropriate, even illegal disclosures of personal medical data.(13)

On the other side are the data users: managed care organizations (MCOs), health insurers, medical and health policy researchers and pharmaceutical companies. Beyond them are employers, law enforcement agencies and a new breed of entrepreneurs who seek to package and sell data to research and marketing interests for a profit. Data users are generally content with preserving the status quo on medical record access, although they generally support strong sanctions against those who misuse data.(14)

If Congress intends to retain its prerogative to legislate in this area, it will need to find common ground among divergent interests in a very short period of time. While there is reason for skepticism that Congress will be more successful than in years past, there is also reason for optimism. Interests that support even the most stringent restrictions on the availability of medical information still acknowledge that advances in medical treatment and access to care cannot occur if researchers are denied access to medical information.(15) Likewise, scientific and policy researchers subscribe to a professional ethic that opposes personal harm to research subjects as a result of their participation. These researchers also believe that a balance must be struck between access and privacy interests.(16) However, as with most controversial legislation, the devil is in the details. Despite agreement on fundamental principles, the flexibility required by one can be viewed as an unacceptable loophole by the other.

Given that a new regulatory regime will be promulgated, either by Congress or by the Secretary, this Article proposes a framework for evaluating the normative basis on which competing claims should be analyzed. It suggests that Congress should look to communitarian principles in its effort to resolve the stalemate between privacy advocates and data users. The communitarian framework is uniquely well positioned to mediate the interests in this debate. This framework recognizes "both individual human dignity and the social dimension of human existence ... [which includes] the responsibilities that must be borne by citizens, individually and collectively, in a regime of rights."(17) A communitarian analysis begins by appreciating the conflict and the positions of the antagonists because "[o]ut of a genuine dialogue, clear voices can arise, and shared aspirations can be identified and advanced."(18) The search for a communitarian consensus begins in Part II, which explores the historical context in which the dispute has arisen. In Part III, the Article examines the cultural forces that have converged to bring this issue to the forefront. Part IV examines the efforts of Donna Shalala, HHS Secretary, to bridge the gap between the data users and privacy advocates through her recommendations to Congress, and the reactions of those parties to her efforts. It also examines the first of several bills addressing the issue that could be introduced in Congress in these last few months before the deadline. Part V critiques the approach taken to this issue by the privacy advocates, an approach that is reflected to varying extents in the proposed legislation. A review of the arguments advanced by the privacy advocates suggests the issue is not so much about privacy as it is autonomy and control. The restrictions suggested by privacy advocates could impede vital clinical and health policy research that is both popular with and vital to the community as a whole. Part V goes on to suggest that Congress adopt a communitarian perspective, particularly when considering further restrictions on the access of medical, pharmaceutical and health policy researchers to data, rather than the atomistic(19) perspective in which the debate is currently framed. By using the communitarian framework, Congress is more likely to produce a solution that Americans will view as legitimate.

II. FOUNDATIONS OF THE PRIVACY DEBATE

Although privacy has been largely a nonlegal concept throughout American history,(20) American law began to address it in the nineteenth century, at the point where the forces of industrialization and urbanization began to challenge it as never before.(21) In a seminal article, Samuel D. Warren and Louis D. Brandeis, defining privacy as "the right of the individual to be let alone,"(22) argued that the individual should enjoy, cognizable in the law, freedom from unwanted publicity.(23) As the twentieth century progressed, the privacy right of the individual was championed in such areas as reproductive law(24) and criminal law.(25) In the realm of health law, one can argue that privacy has always been valued, because the Hippocratic oath required physicians to keep private what they learned through their physician-patient relationship.(26)

However, while the privacy of medical relationships is deeply rooted in tradition, philosophy and ethics, the law is inconsistent in respecting this relationship. For example, although many regard the privacy of medical records as a "right," it is one that the U.S. Supreme Court has been reluctant to recognize. In Whalen v Roe,(27) the Supreme Court overrode privacy objections to uphold a New York statute requiring pharmacists to transmit a copy of prescriptions for certain dangerous drugs to a state registry. The state offered law enforcement and public health justifications for the statute.(28) Patients contended that the statute violated their right to privacy by creating a risk that information about their use of medications might be known publicly and might therefore adversely affect their reputations.(29) Patients also alleged that the statute had a chilling effect on their freedom to choose appropriate medications.(30)

The court was particularly unsympathetic to the patients' privacy arguments noting:

 
   [These disclosures are not] meaningfully distinguishable from a host of 
   other unpleasant invasions of privacy that are associated with many facets 
   of health care. Unquestionably, some individuals' concern for their own 
   privacy may lead them to avoid or to postpone needed medical attention. 
   Nevertheless, disclosures of private medical information to doctors, to 
   hospital personnel, to insurance companies and to public health agencies 
   are often an essential part of modern medical practice even when the 
   disclosure may reflect unfavorably on the character of the patient. 
   Requiring such disclosures to representatives of the State having 
   responsibility for the health of the community does not automatically 
   amount to an impermissible invasion of privacy.(31) 

Notwithstanding the Supreme Court's failure to recognize a right to privacy in medical information, restrictions on the disclosure and use of identifiable medical data are firmly rooted in a patchwork of federal and state laws.(32) Although state laws historically stipulated that medical records were the sole property of the health care provider,(33) most state laws also required health care professionals to maintain the confidentiality of a patient's personal information.(34) Thus, if a patient discloses personal information to a health care professional believing it is private, the professional may be liable in tort for disclosure without the patient's consent.(35)

More significant to the current debate is that state laws do not protect confidential medical information that is disclosed with the consent of the patient.(36) A substantial quantity of medical record and claims data enter the public domain through the use of blanket consent forms.(37) As a condition to apply for insurance or assert claims, patients must routinely sign blanket consent forms authorizing discretionary disclosure by the recipient for any lawful purpose.(38) "These contractual arrangements [typically] permit disclosure between and within healthcare systems and payer organizations."(39) Additionally, the forms often permit release of information to others not directly involved in the provider-patient relationship.(40)

Although courts have upheld the validity of general releases,(41) it is arguable whether the consent documented by these forms is either voluntary or informed.(42) It is undisputed that the widespread use of the general release form has partially fueled the huge growth in the collection and sale of health data.(43) This in turn has fueled calls for the systemic reform of health care information access.

III. THE CALL FOR PRIVACY LEGISLATION

It would be wrong to characterize the call for comprehensive federal regulation of medical information access merely as a consumer reaction to the inequality of bargaining power inherent in the general release. The privacy of medical records is an enormously emotional issue. This is tree partly because we are an autonomy-besotted culture and privacy "is related to the very notion of the self."(44)

The privacy of medical records is particularly high on Congress's agenda now largely because of the convergence of several factors: the public's lack of trust in institutions; advances in genetic mapping; fear of employment and insurance discrimination; discomfort with managed care; and the computerization of medical records in the advent of the information age. Public trust in government institutions and leaders, as well as public health leaders, is at an all-time low(45) Americans are also losing trust in each other. A survey conducted by The Washington Post, the Henry J. Kaiser Family Foundation and Harvard University showed that only 35% of respondents agreed that most people could be trusted, down from 76% in 1964.(46) Harvard political scientist Robert Putnam views the generation that came of age after World War II as the "last great civic generation," after which, each succeeding generation "has been more mistrustful of human nature than the last."(47) Focus groups conducted by the Mayo Clinic to gauge patient reaction to proposed changes in Minnesota's medical records access laws confirm the public's fear about government record collection.(48)

The Human Genome Project, which aims to map and sequence the 100,000 genes that code for human life, has increased the pressure to address the issue of privacy of medical records. This is because "the DNA molecule . . . contains an individual's probabilistic `future diary.'"(49) As such, DNA analysis results may tell individuals more than they want to know.(50) Further, it may provide information to those who are well positioned to discriminate against the individual, such as employers and insurers.

Since the beginning of the century, employers have been collecting medical information about their employees.(51) If in the beginning the purpose was to screen individuals with tuberculosis, later it became a method for determining those "who not only were in good health at the time they were hired but were also likely to remain in good health."(52) Still later, when insurance and health care costs became prohibitive, employers collected medical records to avoid potentially costly employees and dependents.(53) In 1996, concerns about insurance costs and absenteeism reportedly motivated thirty-five percent of Fortune 500 companies to use personal health information in making employment decisions.(54)

Today, employers have or may obtain a great deal of medical information pertaining to an employee. Many employers choose to self-insure under the Employee Retirement Income Security Act of 1974.(55) Through such mechanisms as claims processing, claims auditing and utilization review, employers come into greater contact with employees' private medical information.(56) A self-insuring employer armed with information about high-cost employees can rewrite the company health plan to exclude high-cost illnesses.(57) The Americans with Disabilities Act (ADA) offers no relief in this circumstance because "[d]iscrimination in health benefits is permissible under the ADA so long as it is based on valid actuarial principles and is not a subterfuge for disability discrimination."(58)

Further exacerbating the problem is the rise of managed care and the paradigm shift in medicine from physician autonomy to oversight, and from personal judgment and anecdotal information to evidence-based medicine, utilization review and clinical practice guidelines. Managed care derives its life blood from data; data is to managed care as air is to human beings(59) Conclusions are likely to be more valid and generalizeable when based on a broader number of individual experiences. But in an era in which "[m]edical treatments often still rely on notions transmitted from masters to apprentices (during medical training)," efforts to evaluate and improve treatments appear to the public like interference in the physician-patient relationship, leaving both parties unnerved and distrustful.(60) Although medical and health policy research are performed to improve the efficacy and efficiency of"cost[-]containment efforts, outcomes studies, disease management projects, and many other functions that characterize today's delivery system,"(61) research indicates a growing concern that outcomes will be used to examine utilization and eliminate benefits, as many perceive managed care has already done.(62) The irony of this concern is that data can demonstrate whether MCOs are providing quality care.(63)

Finally, the computerization of medical records is seen as a great threat to privacy, although it also has the capacity to provide protections for the data.

 
   Computers are a mixed blessing, because the ease with which they can make 
   data widely available poses new risks to individual privacy. Compared to 
   paper-based records, electronic information is more easily manipulated and 
   linked ... [and] also raises the specter of a huge national database of 
   identifiable, comprehensive health information.(64) 

The possibility of an individual or entity linking health data with another nonhealth database creates concern, because "[t]hese consolidated personal data may be used by employers, private investigators, or others who may have a nonbeneficent interest in an individual's personal health or lifestyle."(65) In a study conducted by the California Health Care Foundation, fifty-four percent of all adults interviewed opined that "the shift from paper recordkeeping systems to electronic or computer-based systems makes it more difficult to keep personal medical information private and confidential. …

Log in to your account to read this article – and millions more.