Database nation : the death of privacy in the 21st century

As the 21st century dawns, advances in technology endanger our privacy in ways never before imagined. Direct marketers and retailers track our every purchase; surveillance cameras observe our movements; mobile phones will soon report our location to those who want to track us; government eavesdroppers listen in on private communications; misused medical records turn our bodies and our histories against us; and linked databases assemble detailed consumer profiles used to predict and influence our behavior. Privacy -- the most basic of our civil rights -- is in grave peril.Simson Garfinkel -- journalist, entrepreneur, and international authority on computer security -- has spent his career testing new technologies and warning about their implications. Database Nation is his compelling account of how invasive technologies will affect our lives in the coming years. It's a timely, far-reaching, entertaining, and thought-provoking look at the serious threats to privacy facing us today. The book poses a disturbing question: how can we protect our basic rights to privacy, identity, and autonomy when technology is making invasion and control easier than ever before?Garfinkel's captivating blend of journalism, storytelling, and futurism is a call to arms. It will frighten, entertain, and ultimately convince us that we must take action now to protect our privacy and identity before it's too late.Background: Fifty years ago, in "1984, " George Orwell imagined a future in which privacy was demolished by a totalitarian state that used spies, video surveillance, historical revisionism, and control over the media to maintain its power. Those who worry about personal privacy and identity--especially in this day of technologies that encroach upon these rights-- still use Orwell's "Big Brother" language to discuss privacy issues. But the reality is that the age of a monolithic Big Brother is over. And yet the threats are perhaps even more likely to destroy the rights we've assumed were ours.Today's threats to privacy are more widely distributed than they were in Orwell's state, and they represent both public and private interests. Over the next fifty years, we'll see new kinds of threats to privacy that don't find their roots in totalitarianism but in capitalism, the free market, advances in technology, and the unbridled exchange of electronic information.Today's Threats to PrivacyThe End of Due Process. Governments and businesses went on a computer-buying spree in the second half of the 20th century, replacing billions of paper files with electronic data-processing systems. But the new computers lacked some very important qualities of the manual systems that they replaced: flexibility, compassion, and understanding. Today, humans often are completely absent from digital decision-making. As a result, we've created a world in which the smallest clerical errors can have devastating effects on a person's life. It's a world where comput- ers are assumed to be correct, and people wrong. The Fallibility of Biometrics. Fingerprints, iris scans, and genetic sequences are widely regarded as infallible techniques for identifying human beings. They are so good, in fact, that fifty years from now identification cards and passports will probably not exist. Instead, a global data network will allow anyone on the planet to be instantly identified from the unique markings of their own body. Will it be impossible for people to conceal their identity from the federal government, and if so, is that a good thing? What about concealing your identity from the local drug store? And who controls the databank, anyway? Would they ever need to create "false" identities?The Systematic Capture of Everyday Events. We are entering a new world in which every purchase we make, every place we travel, every word we say, and everything we read is routinely recorded and made available for later analysis. But while the technology exists to capture this data, we lack the wisdom to

Chapter Six To Know Your Future Did you have an abortion when you were fifteen? A few years ago, when your marriage was going through an especially rough spot, our records indicate that you were treated for a sexually transmitted disease that your wife didn't have. Does she know? Is that lonely child with Down Syndrome in the state hospital yours? Why don't you visit her more often? I told Janice about the headaches you've been having at work. She said that when you guys were kids, your father used to smash your head against the wall. Do you think you might have brain damage? Did you know that you are adopted? Most Americans consider their medical records to be the most sensitive pieces of personal information that they have. Medical records are beacons into our past. They reveal secrets about families. They strip us naked, as if we had been prepped for surgery. They remind us about things we would rather forget--and things that we don't want others ever to discover. Medical records are also windows into our future. They are imperfect oracles, to be sure--a healthy person walking across the street can be hit by a truck--but many illnesses and medical conditions follow a predictable path. People with untreated blockage of their coronary arteries tend to have heart attacks; diabetics who can't control their blood sugar are apt to go blind; people with untreated chronic depression are inclined to attempt suicide. Genetic records can be even more revealing. But medical records tell as much about the temporarily healthy as they do about the chronically ill. In a world of uncertainties, the precision that comes from knowing a healthy person's weight, blood pressure, and cholesterol level conveys a feeling of predictability. A doctor can't say for sure that you'll live to be 92, but a statistician can tell you that your odds of doing so are 35%. Insurance companies use this information to set rates. Businesses can use this information to help decide who they should train and promote for positions of responsibility. No Bigger Gap Medical records are also among the most difficult kinds of personal information to protect. While the actual paper or electronic files can be protected with locks or passwords, individual facts from those records are easily revealed out of malice, for profit, or even by accident. Consider the case of a young woman in Poughkeepsie, New York, who was in an automobile accident with her fiancé in 1982. The pair was taken to the Vassar Brothers Hospital--where the woman had secretly given birth the year before. When the woman checked in, an attendant pulled up her records from the hospital's computer. "Oh, you had a baby a year ago," the attendant said, in the presence of both the woman and her fiancé. It was an understandable slip, but it revealed a world of personal information. A far more malicious privacy invasion befell U.S. Representative Nydia Velázquez that same year. Three weeks after Velázquez won New York's Democratic primary, she received a telephone call from Pete Hamill, a reporter at the New York Post . Velázquez testified before the Senate Judiciary Committee in 1994: He told me that the night before, the Post had received an anonymous fax of my records from St. Claire Hospital. The records showed that I had been admitted to the hospital a year ago, seeking medical assistance for a suicide attempt. He told me that other newspapers across the city had received the same information and the New York Post was going to run a front-page story the next day. My records were leaked for one purpose only, to destroy my candidacy for the U.S. House of Representatives by discrediting me in the eyes of my constituents. Very few people knew about my situation, and I made a decision of not sharing it with my family. I wanted them to always remember me as a fighter, happy and strong. My father and mother, 80 years old, they did not understand. They still do not understand. When I found out this information was being published in the newspaper and that I had no power to stop it, I felt violated. I trusted the system, and it failed me. What's even more disturbing is that, in all likelihood, no laws were violated when Velázquez's records were faxed. A doctor can be disciplined or lose his or her license for violating patient confidentiality. Hospitals are required under the state's hospital regulations to have a medical records department that "ensure[s] the confidentiality of patient records"--and a hospital can lose its accreditation if there is a pattern of confidentiality violations, says Donald Moy, General Council of the New York State Medical Society. But few state or local laws criminalize the unauthorized release of medical records themselves. A secretary or a janitor who walks into the hospital's records room and faxes out the records might be violating the hospital's rules, but they are rarely committing a criminal act. Three weeks after Nydia Velázquez won the New York Democratic Party's nomination to serve in the U.S. House of Representatives, somebody at St. Claire Hospital in New York faxed Velázquez's medical records to the New York Post. The records detailed the care that Velázquez had received at the hospital after a suicide attempt--an attempt that had happened several years before the election. [Photo courtesy Nydia Velázquez] Most people think it's illegal to release medical records. They are unaware that no law exists," says Robert Ellis Smith, publisher of The Privacy Journal. quot;What they might mean is that release would subject a physician to ethical sanctions or that the victim could sue for an invasion of privacy. You should ask folks who make that assertion [that medical records are protected] to cite the law. In my experience, in no other area of privacy is there a bigger gap between what people's expectation of protection is and what the reality is than in medical records." As of 1995, 43 U.S. states lacked laws criminalizing the release of medical records. Likewise, there is no federal law criminalizing the improper release of medical records. Such laws are clearly needed, because unauthorized releases are very widespread. According to the 1993 Health Information Privacy Survey by Louis Harris and Associates and Alan Westin, "27% of respondents (representing 50 million adults) report their belief that an organization or person having their personal medical information has disclosed it improperly." Thirty-one percent of these respondents (representing 8% of the total population and 14 million Americans) go on to report that they were harmed or embarrassed by that disclosure." The study also found that the people most likely to believe that there is a serious problem with medical privacy today are the people on the front lines--doctors and nurses. "Most patients would be surprised at the number of organizations that receive information about their health record: their provider, insurer, pharmacist, state public health organizations--perhaps even their employer, life insurance company, or marketing firms," says Paul D. Clayton, who chaired the National Research Council's Committee on Healthcare Privacy and Security. "Sharing of information within the healthcare industry is largely unregulated and represents a significant concern to privacy advocates and patients alike because it often occurs without a patient's consent or knowledge." Despite the revelation of her suicide attempt, Velázquez managed to win her election. But Tommy Robinson wasn't so lucky. In 1990, Congressman Robinson was the Republican candidate for Governor of Arkansas, running against Bill Clinton. An insurer leaked to the press that Robinson had problems with alcohol. As it turned out, the diagnosis was in error. Nevertheless, Robinson's loss was attributed in part to the revelation. It's a revelation that might have had profound national consequences, since Bill Clinton was able to use the governorship that he won in that election to launch a successful campaign for the U.S. Presidency. As hard as it is to protect medical records in doctors' offices and in hospitals, the task pales when viewed in the broader context. There is an ever-increasing proliferation of other kinds of personalized medical information in our society--information that, if revealed, can be just as damaging as a doctor's diagnosis. Billing records are mailed to insurance companies and other third-party payers. Test results and detailed paper bills are sent to patients. Pharmacies know patients' prescription drugs. When a person buys an over-the-counter drug, the supermarket tape register becomes a kind of medical record. Likewise, there is an increasing assortment of home test kits for blood sugar, ovulation, pregnancy, and drug use. And a new generation of genetic tests is swiftly gaining in popularity--tests that in many cases can be performed without a person's knowledge or permission. This information is being used, among other things, for marketing. Metromail reportedly has a medical database, called Patient Select, with 15 million names. "For about thirty cents per name, large drug companies can pitch their products directly to angina sufferers, diabetics, or arthritics," reports Amitai Etzioni, citing an article that appeared in Consumer Reports . The Medical Records Fairy Tale From the outside, Daniel looked as if he was certainly vice president material. In his seven years with the company, he had relocated twice, revamped a division, and become a senior director. But then, one evening, Daniel's boss discovered a prescription bottle inside Daniel's medicine cabinet when she was over for dinner (she had been looking for an aspirin). A few telephone calls revealed that the drug was used for controlling hypertension--and that Daniel had a 15-year history of high blood pressure. The company's doctor said that people with Daniel's condition usually die within 5 to 30 years--but every case is different. So when Daniel's annual review came up, he got a hefty raise but not a promotion. After all, why give the guy more stress? And why groom a person to be one of the company's top executives when he might not be around in 10 years? Once upon a time, medical records had a very specific purpose: they provided a detailed record of a person's encounters with the medical establishment so that future encounters might have a higher chance of having a positive outcome. People had a vested interest in making sure that their medical records were correct. Today, medical records have an expanded role--a role that doesn't involve primary healthcare. They are used by employers and insurance companies to decide who should be hired and insured. They are used by hospitals and religious organizations to solicit donations. Even marketers are buying up medical records in search of sales leads. Whereas people once had an incentive to make sure that their medical records were complete, accurate, and up to date, nowadays many people feel pressured to compartmentalize their medical records so that, when they are inevitably disclosed, the damage will be minimized. Medical records were once seen as sacrosanct. Today, medical records are routinely sought and used in lawsuits to discredit witnesses, especially in cases of rape. Politicians and criminals alike have their medical records reported in the media without their permission. Ironically, the rapid proliferation of medical knowledge to the lay public is making the release of personal medical information all the more damaging. Medicine is a complex, largely ad hoc science, with many rules but many more individual exceptions. In untrained hands, a person's medical history or profile frequently becomes a tool to justify prejudice or an already decided outcome. The confidentiality of psychological records is particularly under attack, says Dr. Denise Nagel, executive director of the National Coalition for Patient Rights. Lawyers, HMOs, life insurance companies, and others are routinely demanding access to psychological records--and in so doing, are jeopardizing the nation's entire mental health system. "A person's willingness to share sensitive, often embarrassing information is dependent on being assured confidentiality. It is the basis of trust in the relationship," says Nagel. Recovery from many kinds of mental trauma and diseases requires that the issues discussed during therapy remain secret. The U.S. Supreme Court reached the same conclusion in the 1995 case Jaffe v. Redmond . Nagel notes, when the Court ruled that conversations between a patient and a licensed social worker or therapist, even one who does not have a medical license, are nevertheless protected conversations about which testimony cannot be compelled unless the judicial need for disclosure clearly outweighs the patient's privacy interests. "Quality healthcare is rooted in the imperative need for confidence and trust," and that trust must not be lightly breached, the Court concluded. Nevertheless, these same records are often sought by lawyers of alleged rapists. The attorneys then typically threaten to take the records into open court, in an attempt to disprove the credibility of their client's accusers, unless the victim drops the charges. Such behavior by a defense attorney might itself seem criminal, or at least unethical, but it is standard practice in many rape trials. For example, a rape victim might have frequently fantasized about being raped when she was young; she now finds herself profoundly disturbed and unable to come to terms with the fact that the crime has finally happened to her for real. The victim might go through months of therapy to come to terms with this realization, only to be forced to listen in court to a defense attorney's theory that the woman might somehow have encouraged her attacker and been a willing participant. Parents, meanwhile, are increasingly demanding to have access to the psychological records of people who come into contact with their children. In West Virginia, parents demanded to see the medical records of a school bus driver who had made strange remarks while driving children. The school superintendent investigated and said the man was on medication and his condition posed no harm to the children. But the parents sued, and in 1986, the state's Supreme Court sided with the parents, saying that they were entitled to see the driver's complete medical file--including his psychological records. Privacy Is Your Doctor's Responsibility A placard on the wall of my local hospital says "Please Respect Patient Confidentiality." And in a very important way, this sign says it all. Hospitals and other medical facilities need to rely on the ability of their employees to hold patient secrets. Doctors, nurses, clerks, and even janitors all see highly charged information. A hospital that tried to shield its employees from all sensitive patient information would quickly cease to function. Fortunately, in most cases, this trust seems well placed. I have never met a doctor or a healthcare professional who did not seriously undertake their responsibility for patient confidentiality. Patient privacy is at the very core of the healthcare profession. It goes all the way back to Ancient Greece and the Hippocratic Oath, which says, in part: "All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal." What complicates the confidentiality process is the fact that between 50 and 75 people need access to a patient's chart during a typical hospital visit. Keeping a secret requires everybody's cooperation: revealing it requires just one bad apple. Many hospitals hire temporary administrative workers who have little or no training in medical ethics. Other healthcare facilities are actively downsizing, creating employees who have a grudge against their employer. As the cases of Nydia Velázquez and Tommy Robinson demonstrate, it is all too easy for a careless and motivated insider to shatter the wall of medical privacy. Over the past 50 years, military intelligence agencies and major corporations have developed techniques for preventing the theft of confidential information and for tracing the sources of leaks. People are given personalized copies of records. Photocopies are logged. People have their bags searched upon entering or leaving a secure facility. These techniques are simply impossible to implement in the healthcare workplace. And for the most part, they are unnecessary. But leaks do happen--and not just to people running for elected office. Since the outbreak of the AIDS epidemic, there has been case after case of people who have lost insurance or their jobs when it was revealed that they were infected with the HIV virus. In 1989, the FBI canceled the contract of a physician who had performed preemployment and annual physical exams for the Bureau in San Francisco when it learned that the physician had AIDS. In Salt Lake City in the early 1990s, a vitamin manufacturer fired Kim Allred when he tested positive for a marijuana derivative found in the prescription drug Marinol; when the company learned that he was taking the drug for AIDS, it refused to rehire him. At the Princeton Medical Center in 1987, a practicing surgeon named Dr. William Behringer was treated at his own facility and was diagnosed as suffering from AIDS. "Within hours of his discharge, he received many calls from well-wishers who evidently had learned of his condition. Most of the callers were his colleagues at the Medical Center. After that, patients called. Soon his surgical privileges were suspended by the hospital. A court found the breach of confidentiality the fault of the hospital," read an account in War Stories II , published by the Privacy Journal. These stories show another side of the medical information privacy dilemma as well. You don't need to photocopy somebody's medical chart in order to destroy their medical privacy--all you need is to leak a single declarative sentence like "Nydia Velázquez attempted suicide" or "Dr. William Behringer has AIDS." Indeed, as demonstrated by the Tommy Robinson case, the statement doesn't even have to be true--just believable. When I started dating my wife in 1993, we went together to get tested for AIDS at Boston City Hospital. The clinic was one of several in the city specifically set up to allow for anonymous testing. The nurse who took my blood had no idea who I was and never asked for any identification. She gave me a control number when I left so I could learn the results. But when my wife and I returned a week later, a woman who was volunteering at the clinic recognized me from a class we had taken together at MIT. Should that volunteer have been legally prohibited from telling people that she had seen me at the clinic? What about other people who happened to be in the waiting room who might have recognized me? The problem here is one of segregation. The goal of anonymous AIDS testing is to allow individuals to be tested without the creation of a record. But by creating a special place for the anonymous delivery of a particular medical service, the privacy of the individuals becomes dependent on their continued anonymity. If there were multiple medical services delivered anonymously at the clinic, then merely recognizing a person at the clinic's doors would not compromise that person's ultimate medical privacy. Rape crisis centers and abortion clinics ("women's clinics") present similar problems. One solution would be the reintegration of these services into mainstream medical practices. Some people take the reverse point of view. They think that the best way to handle the morass of medical privacy is simply to eradicate it: unlock the files and the databanks, and make everybody's medical records freely available. David Brin, author of the Transparent Society , is a big proponent of this viewpoint. I actually believed it once myself; transparency has a simple elegance. I figured that everybody has some sort of medical condition or problem: the best way to destigmatize our diseases is to air them in public. The problem with opening everybody's medical records is that everybody has a different body. Some of those bodies are diabetic. Some have asthma. Some have inherited genetic diseases. Some have brains that are mildly schizophrenic, but controllable with medication. And some bodies are genuinely healthy. Opening up everybody's medical history to public scrutiny opens up people to all manner of discrimination and personal attack, for which there are seldom workable remedies. One of the purposes of privacy in society is to protect us from other social problems that we have not yet eradicated. Even if some futuristic and enlightened society manages to respect and value the sick in ways that we can't today, there is yet another overriding reason to abide by patient privacy. People who have managed to master their own physical or mental ailments deserve to go about their day-to-day lives without being constantly reminded of those problems by well-wishers. And as I mentioned earlier, the promise of confidentiality for psychological records is a fundamental need in order to have effective treatment for psychological diseases. People deserve and require control over their own medical matters and privacy for their medical records. Doctors and nurses understand this. But the healthcare establishment increasingly doesn't care. Privacy Is Not Your Insurance Company's Responsibility While my local hospital is busy reminding its employees to respect patient confidentiality, my health insurance company is busy reminding me that privacy is not compatible with its way of doing business. Like nearly all Americans, in order to have my insurance pay for a doctor's visit, I have to fill out a claim form. And at the bottom of the form is a little contract that washes away any quaint preconceptions of privacy that I might have. The contract is called a consent form. It says: I authorize any physician, hospital, or other medically related facility, insurance company, or other organization, institution or person, that has any records or knowledge of me, my dependents, or our health, to disclose, whenever requested to do so by CNA or its representatives, any and all such information. A photostatic copy of this authorization shall be considered as effective and valid as the original. I'm not a lawyer, but it doesn't take a lawyer to understand what this consent form means. As a precondition to having my insurance company reimburse me the $50 for the doctor's visit and the $14 for my antibiotics, I authorize everybody to divulge all of my records to anybody. This blanket authorization covers all records: school records, tax records, and bank records. It even covers those embarrassing love letters I wrote to my ninth-grade girlfriend. And it is an indefinite authorization, with no expiration date or time period. Some people think that consent forms such as this one are not enforceable. These people have a reasonable expectation that my insurance company might call up my doctor to get a diagnosis or additional proof that a particular service was rendered, but they doubt that an insurance company would go after all of those other files. After all, there is no legitimate business reason for them to do so. That's just plain common sense, isn't it? The problem with this common-sense approach to legal contracts is that it is often wrong. The authorization form means what it says it does. "Any records" means any records. "All information" really does leave nothing out. The blanket authorization allows the insurance company to go fishing after any personal record it wants. "The reason that [the claim form] is worded that way is so that we can get the information that we would need" to detect fraud, says Roger Morris, a spokesperson for CNA insurance. "It's not our goal to accumulate information on individuals, but it is our goal to try to protect the interests of our policy holders." The overly broad release allows the insurance company to investigate cases of suspected fraud without fear of being sued for invasion of privacy. These corporate savings eventually translate to lower insurance premiums for everybody, says Morris. Of course, the savings also translate to higher corporate profits. Health insurers say further that there is no reason for us to worry about providing them with sensitive information. "The insurance industry has a pretty good record helping to maintain privacy. We are required and committed to following laws on the books," says Richard Coorsh, the spokesperson for the Health Insurance Association of America. The American public may feel otherwise. According to the 1993 Harris-Equifax survey on healthcare privacy issues, 15% of those who had their medical confidentiality violated--representing 7.5 million people--said that it had been violated by insurance companies. Another person who feels otherwise is George Washington University professor Amitai Etzioni, author of The Limits of Privacy . In his book, which is generally critical of privacy, Etzioni nevertheless affirms the importance of privacy for medical records. And the real threat to medical records privacy, writes Etzioni, isn't government: it's business. To try to understand the motivation behind the authorization form, I called up Albert H. Wohlers & Co., the Illinois-based company that administered my insurance policy for CNA. I spent an hour working my way up through a chain of claims processors and supervisors, until I was finally transferred to the office of James Malik, whom I was assured would be happy to answer my questions. But when I got to Mr. Malik's office, I was informed by his assistant that I couldn't talk to him. I asked for his title; she wouldn't tell me. I asked for her name, and she wouldn't tell me that either. She said that if I had a question, I should submit it in writing. Then she hung up on me. The treatment that I got at the hands of Albert H. Wohlers & Co. is symptomatic of a deep-rooted problem with the U.S. healthcare industry. Healthcare is a weird confluence of money and medicine, and it's played by the rules of billion-dollar companies. No matter how strange or arbitrary those rules may seem, they are the rules. If you wish to get insurance, see your doctor, or have your hospital visits paid for, you will play by them. And since insurance companies save money when they lose customer claims, they actually have a financial incentive to offer poor customer service. All of this is true because the people paying the insurance company's bills are not those who are utilizing its services. We should also be fearful of the nonmedical uses that businesses make of medical records, warns Etzioni, who cites an unpublished 1996 study which found that "35 percent of the Fortune 500 companies acknowledged that they drew on personal health information in making employment decisions." One of the most common ways that employers get this information is from insurance companies or from self-insured health plans--that is, plans that are administered by professional health insurance companies but paid for by the businesses themselves. (Such self-insurance plans are exceedingly popular because they give big businesses more flexibility under the law to violate their employees' rights.) One of the cases that Etzioni cites is that of a Southeastern Pennsylvania Transit Authority (SEPTA) employee who was taking AIDS medications. SEPTA learned of the medications when it was asked to reimburse their purchases, and the information was provided to the man's supervisor. By reading the authorization paragraph at the bottom of my health insurance claim form, I was doing something subversive. Many don't read the forms they sign during their day-to-day lives--the forms are too depressing. These forms and the policies behind them create and reinforce feelings of powerlessness. They are the trappings of a system that's been gimmicked against the consumer. We do not have the choice either to negotiate or to strike our own deal. Our only choice is to submit. Nobody Knows the MIB As part of his Ph.D. thesis at the Harvard Business School on privacy policies in corporate America, Jeff Smith surveyed more than a thousand people on a variety of privacy issues, and conducted in-depth interviews with several dozen. One of the key questions he asked was whether people had ever heard of a company called the Medical Information Bureau (MIB). What he found wasn't terribly surprising: they hadn't: Only one consumer in the sample was aware of the existence of MIB, even though all but two of the consumers had applied for life insurance and had gone through an underwriting process. One can only conclude that the consumers had not read the insurance application forms very carefully, since the MIB notification was surely included. However, this lack of awareness may also point to some inadequacies in the notification procedure. I asked my wife if she knew what the Medical Information Bureau was. She said that she didn't. I then showed her a medical insurance application that she had filled out nearly two years before. It included these two paragraphs: I AUTHORIZE any physician, medical practitioner, hospital, clinic, other medical or medically-related facility, the Medical Information Bureau, Inc., (MIB, Inc.), consumer reporting agency, insurance or reinsuring company, or employer having certain information about me or my dependents to give John Alden Life Insurance Company or its legal representative any and all such information. The nature of the information authorized to be disclosed includes information about: (1) physical condition(s), (2) health history(ies), (3) avocation(s), (4) age(s), (5) occupation(s), and (6) personal characteristics. This authorization includes information about: (1) drugs, (2) alcoholism, (3) mental illness, or (4) communicable diseases. I UNDERSTAND the information obtained by use of the Authorization will be used by JOHN ALDEN LIFE INSURANCE COMPANY to determine eligibility for benefits. I ALSO AUTHORIZE JOHN ALDEN LIFE INSURANCE COMPANY to release any information obtained to reinsuring companies, Medical Information Bureau, Inc., or other persons or organizations performing business or legal services in connection with my application, claim, or as may be otherwise lawfully required, or as I may further authorize. "Is that your signature at the bottom of this form?" I asked her. Yes, it was. She then read the form again. Still, she had no real clue what MIB was, other than that it was probably some kind of clearinghouse for medical information. In fact, what the Medical Information Bureau keeps in its computers is information about people. Specifically, every time you report a significant medical condition on an insurance application--anything from heart problems to skin cancer--the insurance company can report that condition to MIB. The next time you apply for insurance, your "new" insurance company will pull your MIB file and find out what you previously reported. In theory, MIB is supposed to prevent people who have significant medical conditions (and have been repeatedly rejected when they apply for insurance) from suddenly omitting their conditions from their applications and then getting health and life insurance with low-cost premiums that are reserved for healthy people. MIB helps "keep the cost of insurance down for insurance companies and for consumers by preventing losses that would occur due to fraud or omissions," says Neil Day, MIB's president. MIB isn't supposed to be a medical blacklist. Member insurers are officially forbidden from using the information contained in MIB's files as the basis for denying insurance. Instead, they are only allowed to use the information as the basis for further investigation. At least, those are the rules. MIB was organized in 1902 as a nonprofit trade organization; today, roughly 750 insurance companies belong. MIB's files don't contain medical records, test results, or X-rays. Instead, each person's file contains one or more codes that stand for a particular medical condition that has been reported for that person. There are codes that signify diabetes, heart problems, and drug abuse. Some codes are very detailed. For example, Jeff Smith found that MIB had five codes for AIDS: * AIDS-related complex or condition (ARC) or acquired immune deficiency syndrome (AIDS). * Unexplained history of thrush, other opportunistic infections, weight loss, generalized chronic swelling of lymph nodes, persistent fever, or diarrhea. * Abnormal T-cell study. * Abnormal blood test for which there is no specific code. * Two or more different types of antibody tests indicating exposure to the HTLV-III (AIDS) virus; this code is no longer used. Not all of the codes at the Medical Information Bureau are medical, Smith noted. For example, MIB has five codes that indicate a dangerous lifestyle, including "adverse driving records, hazardous sports, or aviation activity." "Superscript" These codes map to similar questions on most life insurance firms. MIB is thus the official insurance agency gossip columnist. MIB helps make sure that if one life insurance company rejects a person on medical grounds, then other life insurance companies will be made aware of the ailment and reject that person as well. MIB has been the subject of ongoing controversy since the 1970s, when its existence first became generally known. At the root of the controversy is the organization's penchant for secrecy. For many years, insurance agencies consulted MIB without telling applicants about the files. MIB was not mentioned in the few books on consumer issues and consumer privacy. MIB even had an unlisted phone number. Today, the secrecy continues, if to a lesser extent: MIB won't release the list of codes that it uses. Day explains: The whole point of a code list is to protect confidentiality. The MIB report is very brief. It is about a 2 "FM-Symbol"× 2 piece of paper that has, on average, between two and three codes. The codes are generally three digits--"321"--sometimes there are additional letters--it might be "321XYZ". A major point in protecting confidentiality is to have a code list which is used by authorized persons at insurance companies, but not to have that code list available to anyone else. Keeping secret the mapping between the actual code and the conditions that the codes stand for does protect privacy, to a certain extent. But no privacy is gained by keeping secret the list of coded conditions. Put it another way: is any patient confidentiality lost by my reporting that MIB has in its files the five AIDS-related codes printed above? By keeping secret not just the codes but also the English descriptions of what each code means, MIB has left itself open to the attack that its files contain more than just medical information. In the past, says Privacy Journal publisher Robert Smith, MIB had codes that stood for "sexual deviance" and "sloppy appearance." Day disagrees, but since MIB won't release the list of conditions for which it has created codes, there is really no way to know for sure. There have also been disagreements over the accuracy of MIB's files. The Fair Credit Reporting Act specifically exempts medical records, but MIB agreed to be voluntarily bound by the rules after a 1983 examination by the Federal Trade Commission. Since then, MIB has received roughly 15,000 requests by individuals each year, says Day. Between 250 and 300 patients per year argue with the contents of their report, he says. Overall, "97% of all consumers who received their MIB report [in 1996] found that their MIB record was accurate," reads a company pamphlet. But if you happen to be one of those 300 patients, you might find yourself without medical or life insurance. In 1990, the Massachusetts Public Interest Research Group (MASSPIRG) did a study on MIB and found numerous cases in which erroneous records in the company's files had prevented people from getting insurance. In one case, says Josh Kratka, a MASSPIRG attorney, a Massachusetts man told his insurance company that he had been an alcoholic but had managed to remain sober for several years and that he regularly attended Alcoholics Anonymous. The insurance company denied him coverage and forwarded a code to MIB: "alcohol abuse; dangerous to health." The next company the man applied to for insurance learned of the "alcohol abuse" through the information bureau and charged the man a 25% higher rate. In another case, a clerical error caused a woman's records at MIB to say that she carried the AIDS virus. "It was only after unusual intervention by the state regulatory board,'' because the woman worked for a physician, that the records were corrected, MASSPIRG discovered. MIB claims that if these people were rejected from getting insurance as a result of the MIB report, then the report was being used incorrectly. And the company stresses that MIB reports are based on insurance applications--never on claims. But this protest rings hollow in light of insurance claim forms, which specifically give the insurance company the right to report claim information to MIB. "The MIB guidelines are clear, but only a series of independent audits of life/health insurance companies would yield a definitive answer regarding actual practices," says Jeff Smith. "To the best of my knowledge, no researcher outside the industry has conducted such a series of audits." Forcing Physicians to Lie Indeed, insurance companies obtain information from a variety of sources, including the Disability Insurance Record System (DIRS) and the Health Claims Index. And the fact that insurance companies are lawfully allowed to deny consumers health or life insurance because of preexisting conditions has put doctors under a tremendous amount of pressure. On the one hand, doctors clearly have a professional and legal requirement to keep accurate records on their patients and submit truthful billing statements. On the other hand, doctors know that if they are truthful in their diagnoses, they might be creating notations in their patients' healthcare records that will prevent the patient from getting insurance in the future. Even without a written diagnosis, much of what insurance companies want to learn can be gleaned automatically from billing codes. "Insurance companies collect tremendous amounts of information," says Dr. Peter Tarczy-Hornoch, who directs numerous telemedicine projects at the University of Washington Medical Center. The information is "not the really cool sexy information." Instead, it's things like "What medical diseases did your grandmother have? Have you ever been hospitalized with a drug or alcohol problem? Do you have a problem that is expensive to take care of that you have previously taken care of? They are not particularly concerned with accuracy. It's a screening process. Ninety percent is good enough for a lot of this stuff." Ninety percent is good enough for a medical insurance company to figure out if it should try to sell you life insurance, or if it should turn down your application. Ninety percent is good enough to decide how far to hike your or your company's insurance rates when it's time to renew. Ninety percent is good enough to systematically exclude the people most likely to need health insurance in the first place. And what if you happen to be one of the unlucky 10% who are denied insurance or face higher premiums even though there is really nothing wrong with you? Your best bet is to try another insurance company and hope that your erroneous information hasn't been forwarded to MIB. ced with this dilemma, some doctors have chosen to lie. Instead of putting down a particular diagnosis or billing code, they use a code that has a similar reimbursement rate but lacks the social stigma and long-term insurance implications. For example, says Tarczy-Hornoch, a doctor might use the billing code for "adjustment disorder" instead of "depression." Medical professionals call these alternate diagnoses surrogates . The practice has questionable legality--it is a kind of fraud, after all--and there are no good statistics regarding its prevalence. But it is clear that surrogates create a kind of cat-and-mouse game between doctors and insurers, with insurance companies constantly trying to figure out what surrogates are currently in vogue, and with doctors trying to figure out new ones. What complicates the game is the fact that different doctors in different parts of the country use different surrogates, and that some people actually have the surrogate conditions, rather than the nastier conditions for which the surrogates stand. My wife and I discovered this particular side effect of surrogates in 1994, when Beth applied for health insurance. The insurance company gave Beth a form to have her therapist fill out. When the form was returned, the insurance application was denied. The reason Beth was denied, we later learned, was that Beth's therapist had told the insurance company that Beth had been seen and diagnosed with a case of "generalized anxiety." There was good reason for Beth's anxiety--she had been seen just three weeks before we were getting married! But the problem was that other therapists in our area had taken to using "generalized anxiety" as a surrogate for a patient who has depression and is being treated with antidepressants. Understandably, the insurance company didn't want to take on a potentially expensive customer like my wife. After all, insurance companies only make money when they insure the healthy. In August 1996, President Clinton signed the Health Insurance Portability and Accountability Act. Under this law, U.S. health insurance companies are forbidden from excluding new employees from their employer's group health insurance packages because of preexisting conditions. But that is as far as the act goes. Insurance companies must offer coverage for preexisting conditions, but they can do it at astronomical rates. They can also choose not to renew an entire company's health insurance package because one person joined the company who had an expensive preexisting condition. This might not impact a company like IBM or Exxon, but it can be a major factor for small businesses. The act covers only employees who are changing from one employer's health insurance program to another--it doesn't cover people who are self-employed, or those who have to buy their own health insurance because they work at companies that don't provide health insurance to their employees. Finally, the act says nothing about life insurance, which has a long history of using medical records in a discriminatory manner. After all, it's life insurance companies that created MIB in the first place. A Right to Your Self As we move into the twenty-first century, it is unthinkable that people would be denied access to their own medical records. Indeed, 96% of Americans believe that the right to be able to obtain a copy of their own medical record is important, and 84% believe it is "very important." Yet for many Americans, no such right exists. According to the Privacy Journal compilation of state and federal privacy laws, only 23 states give patients the right to view their own medical histories (see the boxed list). Despite the laws, however, even residents of these states sometimes find that their doctors deny them access to copies of their records. States That Grant Patients the Right To View Their Own Medical Records Arizona California Colorado Connecticut Florida Georgia Hawaii Illinois Indiana Kansas (mental records only) Louisiana (partial access) Maryland (partial access) Massachusetts Nevada New York Ohio (law applies only to hospitals) Oregon (law only encourages open access) Rhode Island Tennessee (law applies only to hospitals) Utah (records provided to patient's attorney, not to patient) Virginia Wisconsin According to the 1993 Harris-Equifax survey, most Americans (87%) believe that they "know everything" or "have a general idea, but don't know in detail" what's in their medical records. And approximately one in four Americans have asked to see the contents of their medical records. When they've asked to see it, 92% were able to get a copy. Of those who were denied this fundamental right, 31% were told that the medical record couldn't be located; 25%, representing four million Americans, were simply denied the request, with no reason given. How can you get around this conundrum? Lie. Advise your doctor that you're moving, and that your medical records should be copied and sent to a doctor in another state. Of course, instead of giving the name of just any doctor, give the name of an old college friend whom you've notified and who knows what to expect. In my experience, this piece of subterfuge has never failed to work. Such problems are considerably worse overseas. In Germany, for example, individuals not only do not have a right to see their medical records, but there is also a tradition of hiding diagnoses of cancer and other stigmatized diseases from the sick and, in some cases, from family members. Germany is now creating a national cancer registry, and it is taking considerable pains to use sophisticated cryptographic algorithms to scramble the names of people who are entered into the system. But the purpose of the cryptography is not to protect people's identity or privacy. In fact, it's just the opposite: the cryptographic controls are designed to prevent a person diagnosed with cancer from accidentally discovering his own diagnosis. Denying people access to their own medical records is fundamentally wrong. Twenty-five years ago, the drafters of the Code of Fair Information Practices realized that there must be no records kept on a person that the person cannot inspect and correct. It is astonishing that, even in countries with progressive privacy protection, this practice continues. Ironically, increased access to a patient's own records is one of the benefits of the lack of medical records privacy today. With physicians so willing to send medical records to insurance companies and to other doctors, it's all but impossible to keep these records out of the hands of a determined patient. In fact, the combination of patient rights movements, increased health insurance portability, and the trend toward self-employment will all likely result in giving people increased access to their own medical records in the coming years. But exploiting the lack of confidentiality in medical records is a lousy way to assure patient rights. A Right to Your Past One particular group of Americans has been systematically denied access to medical records, medical histories, and family records for more than 60 years. These Americans have their identities seized by the state, sealed, and replaced with new records that are fraudulent. These Americans look like anyone else; many don't even know their own secret. These hidden victims are those Americans who have undergone closed adoptions. Adoption records have been sealed in the United States since the 1930s. By sealing the records, social reformers hoped that they could simultaneously eliminate the birth mother's stigma of having an illegitimate child and the adopting couple's stigma of infertility. The push for sealed adoption records took on a greater sense of urgency during World War II, when many illegitimate children were born to the wives of soldiers who were fighting in Europe and Asia. As adoption became institutionalized, those providing services discovered that the secrecy increased their control over both the birth parents and those adopting. Finally, the secrecy "made for nice marketing to adopting parents--that this child would be yours, and the birth family was completely out," says Abigail Lovett, vice president of the American Adoption Congress, an organization that is fighting to reform adoption laws nationwide. "Everybody thought this was going to be the best way to do things." The sealing and unsealing of adoption records is an extremely complicated issue--one that invariably involves issues of abortion, parental rights, and the rights of the child. The nonprofit National Council for Adoption (NCFA) argues that closed records are in the best interest of all parties' privacy. By sealing the name of the adopted child's original mother, the mother is protected from that child's ever returning into her life. The child is also protected, NCFA maintains, from a mother who changes her mind and tries to get her child back. NCFA says that if records are not legally sealed, many women will opt to abort illegitimate children rather than bring them to term and give them up for adoption. But a growing number of adult adoptees say that sealed adoption records violate their inalienable right to know their identity, their past, their medical records, and their heritage. They argue that birth parents should not have the right to turn their backs on their children, just as they do not have the right to abuse or murder their children. For years, Shea Grimm had pains in her back. Doctors ran tests, but nobody could figure out what the problem was. "They blamed it on my scoliosis," she recalls. Grimm had other worries as well. She worried that she might die an early death from breast cancer. She worried about heart disease. And she wondered what her heritage was--who were her people? Unlike many adoptees, she knew that she was adopted. But after that, it was a brick wall. From a medical point of view, the fundamental problem with closed adoptions is that even after all of the paperwork is done and the records are sealed, there is still an essential genetic bond between the birth parents and the adopted child. No matter what the forged birth certificate says, an adopted child does not take on the genes of its adoptive parents. And as medical science has increasingly come to recognize, appreciate, and use the role that genetics and heredity play in diagnosing and curing disease, it's clear that the fundamental fiction of closed adoptions is more than just untrue--it's dangerous. "I always sort of wondered if, because I was adopted, physicians and doctors had to run more tests on me. I didn't have a lot of information," said Grimm. Those were some of the reasons that Grimm decided to search for her birth mother--a search that was eventually successful. And then the answers to her questions started pouring in. She learned that she was half Native American. "About two weeks after I found my birth mother, I found out that she had a degenerative disk. I was able to go back to my doctor and say, `I have a degenerative disk.'" Even better, Grimm knew the cure. "My birth mother had gone into weight training to strengthen her muscles, on advice of her doctor, to compensate for the weakness of her disk. That's what I did. It became a big hobby of mine. And it made all the difference in the world." Six years later, Grimm says that she has back pain "very seldom." And as an added bonus, she's no longer worried about breast cancer. "I have no history of breast cancer in my family whatsoever." Grimm is Legislative Chair of Bastard Nation, an in-your-face adoptees advocate group that is fighting for open records nationwide. The fight, she says, is a simple matter of equity, identity, and self-determination. "I was denied the information that has allowed me to have my tribal membership. All of the things that people take for granted, that assist you in raising your family, I was denied." Patrick Purtill, a spokesperson for the National Council for Adoption, agrees that medical records are one of the most difficult issues facing adoptees. Purtill says that courts will tell adopting parents about known problems affecting the health of their new child. The problem, though, is that most women placing their children up for adoption are in their teens or early 20s, while most life-threatening medical problems--those the child should be made aware of--won't happen to the mother until she is at least in her late 30s or 40s. Nevertheless, the NCFA remains opposed to opening adoption records. Purtill argues that the small benefit in medical knowledge for the adoptees would be far outweighed by the drop in adoptions that would be sure to follow. It is a question of the greater good, he argues. The best way to deal with the issue of medical records, says Purtill, is so-called mutual consent registries , in which birth parents and adopted children register with the state that they wish to meet. If both parties register, the records are unsealed. "They try to say that mutual consent registries are the answer for us, but dead people don't sign on to mutual consent registries," says Abigail Lovett. "And [the registries] are often under-funded and under-publicized." Mutual consent registries are like a game of craps with fixed dice. In order for them to work, adoptees need to register which means they need to know that they are adopted! Many adopted children do not know this basic fact about their own lives. "I've been facilitating a support group for about seven years," says Lovett. "I have had 50-year-old men who walked into my support group because they discovered at their mother's funeral that they were adopted." Why did the news suddenly come out? "A greedy relative who wanted to cut them out of a will." In another case, says Lovett, she met a woman who had given birth to a child, a child who ended up being tremendously physically challenged. Eventually, the woman had no choice but to put her baby into an institution. It was at that point that she started looking for a child that she had given birth to earlier in life. "She actually found the first child institutionalized [with similar problems], with no one to come and visit and be its mother," Lovett says. Apparently, the adoptive family had given up the child when the problems had first arisen. "She never would have had the second child if she had known." A mutual consent registry never would have helped this woman because her institutionalized child could not register. Adoption is one of our society's cruelest open secrets. While Lovett was denied basic information about her adoption for years, many members of her community knew much more. "Just after my adoptive mother died, the doctor who delivered me came into my store [and] asked for me by name," says Lovett. But the doctor refused to tell Lovett her true identity: I grew up knowing that I was adopted. I knew the doctor who delivered me. Everybody in his office knew my story. The hospital and that staff knew my story. The attorney and his staff knew my story. And the court and their staff knew my story. All of these people within my community knew my story. They knew more about me than I knew. I was not allowed to know my story. I am not allowed to look at my birth records; I am not allowed to look at my court records. Briseis Gatto, who was adopted in New York City in the early 1960s, puts it this way: All the relatives know about the adoption but not the child himself. You literally grow up in a society where everyone is continually lying to you. You don't dare talk about it for fear your parents will kick you out, so you become a liar yourself, hoping that by not showing who you are, you will not be rejected, not only by your parents but by your relatives. When I spoke to my brother who was adopted in roughly the same period I was, he confirmed that he also had somehow absorbed the impression that adoption was something that was absolutely unthinkable to talk to his parents about, although they had never told him anything of the sort. One way that organizations such as NCFA have fought the issue of open records is by claiming that what adoptees are really after is reunion with their birth parents. This technique pits the rights of the adoptees against the alleged privacy rights of the birth parents--the majority of whom, NCFA alleges, see the original pregnancy as an unfortunate accident they want to put behind them. But adoptees and their birth parents are perfectly capable of protecting themselves from relationships they don't want. After all, there are laws against harassment. Organizations like Bastard Nation say that reunions aren't the issue. "A lot of people aren't looking for family, they are simply looking for information. There are rights that are afforded every other adult citizen of this nation which you, as an adult adoptee, are denied, simply by virtue of your adopted status," says Damsel Plum, the Publications Chair for Bastard Nation. "As we go into the next century, we are realizing how utterly important genetic information is," says Abigail Lovett. "We are realizing that breast cancer has genetic predispositions. If you grow up knowing that breast cancer is in your family, you will eat and treat yourself completely different." Ultimately, the growing availability of online information may render the controversy moot. At the Bastard Nation web site, there are detailed instructions on how to go about searching for birth parents. And there are links to other online information sources--sources like the Social Security Death Indices, genealogical databases, and traditional Internet search engines. "The Internet is going to make confidentiality a joke, in terms of the ability of people to find each other," agrees Dawn Smith-Pliner, who runs a Vermont adoption agency. "In fact, we already use [the Net] for that purpose here at the agency. If somebody wants to find someone definitely enough, they are going to be able to do it online." But alas, to use these advanced search techniques, an adoptee still needs to have a name, a date, or a place. And they still need to know that they are adopted. Smith-Pliner sees an end to closed adoptions and an opening of all adoption records within the next 20 years. "Adults are going to have to recognize the importance of an adoptee's connection to their birth families. I think that is beginning to happen on a national basis." We can only hope. Computerized Patient Records: The Promise For more than 20 years, the healthcare industry has been adopting computers, but it's been a slow and sometimes painful process. Today we are only halfway there. Medicine has been largely successful in computerizing billing codes, lab test results, and physician schedules. X-rays are being digitized now. And over the coming years, handwritten and transcribed physician notes will follow. The ultimate goal of the computerization process is medicine's equivalent of the paperless office--the computerized patient record . This record will contain the patient's full medical history, from conception, including immunizations, meetings with doctors, childhood diseases, and results from annual physicals. The record will include payment information, reminders for future checkups, and notes. X-rays will be digitized and stored in the record, as will laboratory test results. Part of the push for computerized patient records comes from the need to handle increasing amounts of information more efficiently. Many hospitals are legally forbidden to throw out patient records. As a result, they spend millions storing paper records in warehouses. This same information can be digitized and stored in just a few cubic feet using modern data storage techniques. The savings of storage space, combined with decreased costs for film and processing, is one of the primary reasons why hospitals are turning to digital X-ray systems. Moving to a computerized patient record poses tremendous technical challenges. When you first walk into a doctor's examination room, a nurse or medical assistant writes down your blood pressure and pulse. How does this information get into the computer? Likewise, how do the doctor's notes get digitized? When the doctor wants to order medical tests or X-rays, they're usually written down on a piece of paper--it's faster than typing them into a computer. When you go down to the lab, there's more paper still. Advancing technology, combined with new business practices, is overcoming many of these problems. For example, at one hospital I visited in Seattle, doctors are now dictating their notes into tape recorders. The doctor's voice is then transmitted electronically to India, where labor is cheap and English is widely spoken. There, skilled transcribers listen to the doctor's voice and type the notes into computers. The text is then sent back over a computer network. The Japanese film company Fuji, meanwhile, has developed an electronic plate that is sensitive to X-rays. This plate can be used with conventional X-ray equipment to directly digitize an X-ray and send it into a computer. Although the plate costs nearly a thousand dollars, it is reusable--saving substantial money in film. And once the X-rays are digitized, they can be stored on magnetic tape for a fraction of the cost of a climate-controlled warehouse. One of the factors contributing to the rise in the cost of medical care is the large number of repeated medical tests. Tests are repeated because the results get lost, or because a patient transfers to another institution without all of his or her records. The 1997 Kennedy-Kassebaum healthcare portability legislation tried to solve the problem of repeated tests by forcing healthcare providers to adopt a universal healthcare identification number. The idea of the legislation was simple: if all hospitals and doctors offices used the same identification number, then test results would be less likely to get lost. The legislation justified the adoption on the grounds of "administrative simplification." However, implementation has temporarily been halted by Congress, largely as the result of objections by privacy groups. Once the medical record is computerized, the information can be put to many new uses. One simple technique is to have the computer scan its records each time a patient shows up, and print a little reminder if there is some routine test that's overdue. The reminders can make sure that women get Pap smears and mammograms; they can encourage parents to have their children tested for lead; they can even prompt adults to be checked regularly for high blood pressure and cholesterol. The reminders are written in English and printed on the patient's chart. When the patient shows up with a complaint or for a routine checkup, the doctor sees the reminder and, during the visit, performs or schedules the needed procedure. When Dr. Harold Goldberg, a specialist in medical informatics at the University of Washington, first proposed the idea of reminders to his fellow physicians, they sneered--the physicians said that they had been trained to remember which patients needed what procedures. But when the program was implemented, something miraculous happened: the rate at which patients got their necessary tests skyrocketed. Today, reminders are standard throughout the managed care industry. "There are now 17 randomized controlled trials that tell us if you prompt physicians at the point of service, you improve the ability to [perform needed tests] by 70%," says Goldberg. Computerized Patient Records: The Threat Physicians are less sanguine about the potential threat to privacy that computerized patient records will bring. According to the Harris-Equifax 1993 survey, 74% of physicians thought that computerized systems were "almost certain to weaken" medical confidentiality, compared to 26% who thought that computers "could be managed to strengthen confidentiality." The problem is the inherent difference between the physical and the electronic. Paper records are physical. Paper records can only exist in one place at one time. And while paper records can be faxed all over town, a person must be physically holding the records in order to do so. The principal advantage of electronic records is that they are easy to manipulate, but this ease cuts both ways. With electronic laboratory records, it's unlikely that the results of a patient's last blood test will be lost. That's good for patients--especially patients who don't like getting stuck with needles. But computerized record systems make it equally likely that a curious nurse or intern might walk up to an unattended terminal, type in a name, and see the results of that person's test. And since that same computerized file can be accessed at hundreds of terminals throughout a hospital at the same time, controls are all the more difficult. In its 1997 report on medical records privacy issues, the National Research Council identified the following five "threat levels" for information stored in healthcare computers: * Insiders who make "innocent" mistakes and cause accidental disclosures of confidential information. This could be as simple as a lab sending a fax to a wrong phone number, or a nurse pulling up one patient's medical records instead of another. * Insiders who abuse their record access privileges. Browsing seems to be a problem with many electronic record systems. The Internal Revenue Service, for example, has had persistent problems with curious employees looking through the tax records to which they have access. It's unreasonable to think that hospitals will somehow avoid this affliction. * Insiders who knowingly access information for spite or for profit. During the 1992 Democratic primaries, a pathologist I know at Beth Israel Hospital in Boston was contacted by a member of the press who wanted access to candidate Paul Tsongas's medical records. The reporter offered good money, and a less ethical pathologist could easily have retrieved the file without leaving a trace. * An unauthorized physical intruder who gains access to information. Many hospitals rely on physical security to protect information stored inside a computer: the terminals are put in a special room or behind a desk to which only authorized personnel are supposed to have access. But hospitals are not as secure as hospital administrators would like the public to believe. If that journalist had simply put on a white lab coat and a fake badge, he could probably have retrieved Tsongas's medical records unassisted. * Vengeful employees and outsiders, such as vindictive patients or intruders, who mount attacks to access unauthorized information, damage systems, and disrupt operations. A doctor who practices at an HMO recently told me of a problem that her group has been having: an employee--they think they know who--has been accessing the HMO's scheduling computer and deleting patient appointments. The scheduling desk then thinks the appointment slot is free, and two or three patients show up at the same time. There are a variety of techniques that can be used to minimize the threats of unauthorized access. At Beth Israel Hospital in Boston, for instance, certain patient files are marked as "VIP." When these files are accessed for any purpose, the name of the person making the access is logged; a human has the duty of auditing the log files on a regular basis to make sure that all of the accesses were legitimate. Just who should be a VIP? Currently, the hospital marks files as VIP if there is some reason that employees at the hospital might be curious about the person's records. Celebrities and political figures are obvious candidates. But hospital employees and their families also get VIP status, in order to cut down on inquiries from nosy (or well-meaning) coworkers. Ideally, anybody who wants the VIP label should get it. In practice, Beth Israel does not notify patients that they have this right. Some computer professionals suggest that encryption can be used to create a simple solution for the problems caused by computerized patient records. Give everyone a copy of their medical history that they can carry around on a smart card. Store a copy of the medical record someplace else, to guard against the theft of the card, and encrypt that backup so no one can access it without authorization. But doctors are worried about such cryptography-driven technological fixes. They fear that in an emergency, it might become impossible to decode or even locate a person's medical history. Most people, they argue, are not willing to die for the right to their privacy. Other Threats Computerization creates other privacy risks that are only now becoming apparent. Take the case of those dictation services in India. What if an employee of the Indian transcription firm recognized the name of one of the people whose medical charts were being transcribed and decided to sell this information to an American tabloid newspaper? Even assuming that the leak could be traced back to that employee, it is hard to imagine how the employee could be adequately punished. But computerization also opens up the possibility for improved patient confidentiality. The person in India doesn't need to know the true name of the individual whose medical records are being transcribed--a code number would work just fine. And instead of making that code number the patient's Social Security number, make it a case number, or the time of day the patient was seen, or some other kind of code generated by the admitting hospital. The records being transcribed could essentially be anonymous--at least from the point of view of the person in India. The ability of computers to shield identity and hide information is perhaps one of the reasons that a slim majority (53%) of hospital CEOs think that computers will actually strengthen patient confidentiality. Among insurance company CEOs, the majority is even higher--61%, compared with 35% who think computers will harm confidentiality. Why the disparity between the CEOs and the doctors? Probably because the CEOs know what is possible with information technology, but doctors see the way it's actually being implemented. And doctors know that any technology that makes it harder for people in a hospital to access medical information could cost some patient his or her life in an emergency. Even simple anonymizing codes increase the chances that two patients' records will be confused--with potentially disastrous results. Would you want to be treated in an emergency room where the computer forces people to type usernames and passwords before ordering a test? When the University of Washington Medical Center installed its medical record system, the information technology managers gave each physician and nurse his or her own username and password. The system was designed to make people accountable for the files they saw by logging every access. The system even had a timeout feature, so that if somebody left a terminal while still logged on and walked away, that person would be automatically logged out. But a month later, a scan through the log files revealed that the only person using the system on a particular ward was the chief resident. A walk up to the terminal revealed why: the chief resident's username and password had been written on a sticker and pasted to the terminal, so when the chief resident was logged out, any nurse or doctor who happened to be standing near the terminal could log the chief resident back in. Today, we can easily imagine a better solution to the problem of auditing access to medical records at places like this medical center. First, make sure the terminals are placed in secure locations, so only authorized individuals can access a patient's medical record. Then place a small video camera on top of each terminal, so when each access is made, the image of the person making the access is recorded. Currently, such videotaping systems are purely hypothetical. Rethinking Medical Care and Medical Insurance Most Americans consider their medical records to be the most sensitive pieces of personal information they have. But for HMOs and insurance companies, medical records are merely scoreboards for an elaborate game of musical chairs. Insurance companies know that if they wait long enough, there's a good chance that any given patient will soon be covered by another insurance company--because that person (or their company) switched carriers, because they lost their job, or because they turned 65 and are now covered by Medicare--the United States' socialized medical insurance program for the elderly. Insurance companies that have a high churn rate actually have an incentive to avoid offering preventive care and to close their eyes during the early, cheaper stages of most diseases--hoping that by the time the disease progresses, the patient will be somebody else's financial responsibility. When they are taking on new contracts, insurance company underwriters use medical records the way a bookmaker uses a sports lineup--as rate cards for calculating odds. Underwriting, in fact, is the real devil of health and life insurance. Fundamentally, the underwriting process weighs the premiums paid by the insured and the profits on that revenue against the chance of a possible payout. It's an inexact science, but one that is getting increasingly more accurate as insurance companies consider more and more pieces of information. And there are few limits on what kind of information can be considered. Today, an insurance company might think that a person who has high blood pressure or high cholesterol is a bad risk and needs to be charged a correspondingly higher monthly premium; tomorrow, the insurance company might adjust your premiums on a month-by-month basis depending on how many pizzas you are eating. A great many of the abuses mentioned in this chapter could be solved by fundamentally changing the way that medical care is paid for in the United States. Instead of tying health insurance to employment (a policy that dates to the wage and price controls of the 1940s), health insurance could be based on residency and citizenship. The simplest, easiest way to end discrimination in health insurance would be to adopt universal, state-sponsored health insurance. Doing so, however, is politically impossible given the size and wealth of the nation's health insurance industry--an industry that makes its money by gambling on the lives of the healthy and the diseases of the sick. In the absence of a systemwide redesign, consumers are best protected by the combination of transparency and regulation transparency of insurance industry practices to prevent the most egregious antiprivacy cases, and regulation to protect consumers in their day-to-day interactions with the medical establishment. Without a policy turnaround, things will only get worse. Copyright (c) 2000 O'Reilly & Associates. All rights reserved.