Privacy vs. Productivity: It's a Tough Choice
WSJ Article March 8, 2001
THE NEXT TIME Vice President Dick Cheney has chest pains, his most recent EKG will be available to doctors no matter where he is. If you had a heart attack while out of town, you'd be glad if an emergency room could get your records quickly with a few taps on a keyboard.
You'd be less happy, and so would Mr. Cheney, if every curious hospital employee could pull up anyone's medical records.
Behind the tales of wonder about the Internet and the horror stories about violations of privacy lurks a truth not yet widely accepted: We have to surrender some privacy to capture the benefits of information technology. And we have to sacrifice some of the efficiency that electronic sharing of information might produce in order to protect our privacy.
In crafting rules for the health-care industry, courts, banks, brokers and insurers, the government attempts to balance conflicting demands for privacy and productivity. In each instance, it has produced an exceedingly complex compromise that is assaulted as too loose by privacy advocates and too onerous by the industry that must comply with the rules.
Congress couldn't find a compromise to protect medical records so it tossed the task to the Department of Health and Human Services. The complexity of the result -- the rules fill 32 pages of small type -- reflects the complexity of the choices. HHS got 52,000 comments on its privacy rules.
Outlawing hacking and malevolent use of personal information is simple. Enforcing such bans is hard, though researchers are working on technology to reduce risks. Demanding that Web sites post privacy policies is straightforward. Making sure they stick to them is challenging. And government can't do much about those who volunteer intimate details, provided they're adequately warned. MedicalMarketing Service Inc., a Wood Dale, Ill., outfit, offers mailing lists by ailment -- 18,021 people with genital warts, 121,495 with rectal itching. The lists, it says, are gleaned from "voluntarily completed consumer surveys" provided by Equifax Inc.
BUT WRITING RULES to prohibit nosiness and carelessness without denying doctors and banks the benefits of information technology is hard. So is drawing lines that tell institutions what they can share, what they can't and with whom. How much should patients know before medical researchers tap into their records? Should hospitals be allowed to solicit donations from patients? (Just once, says HHS.) Does it make sense that big outfits like Citigroup can share your financial data with all their affiliates, yet small banks must alert you before an outside vendor takes over its toll-free phone line? (That's the law.)
Conflict between society's need to know and individuals' right to privacy isn't new. "We have expectations as a society that conflict with individuals' views about privacy of health information," HHS said in December when it issued the rules; the Bush administration has delayed implementation. "We expect insurers and the government to reduce fraud," the HHS wrote. "We expect to be protected from epidemics, and we expect medical research to produce miracles. We expect the police to apprehend suspects, and we expect to pay for our care by credit card. All of these activities involve disclosure of health information to someone other than our physician."
And, it might have added, all of these activities precede the Internet. Indeed, much of the recent flap over the HHS rules is about precomputer records. Initially, the rules covered only information maintained or transmitted electronically. Not good enough, critics shouted. So HHS extended the rules to paper files and information transmitted orally. Too far, shouted different critics.
BUT THE INTERNET does change everything. As the Supreme Court once put it, court documents once languished in "practical obscurity," their juicy tidbits available only to those with time to find them. Store documents electronically and allow Internet access, and nothing is obscure.
Living.com Inc., a furniture retailer, listed salaries, bonuses and home addresses of employees in a recent corporate bankruptcy filing. A court-appointed trustee put the information on the Web. Should those details be available to anyone with an Internet connection?
Meanwhile, in the technologically backward back offices of American health care, believers in information technology's potential struggle to overcome patients' anxiety. Try countering one soundbite-size outrage -- the hacker who posted 5,000 records from University of Washington Medical Center files -- with tedious details about the way computers allow doctors to control who sees what portion of a patient's record, says Paul Tang, chief information officer at Palo Alto (Calif.) Medical Foundation. "People don't understand how little privacy there is in the status quo, the paper world," he says.
Or how much they might benefit if doctors can update records instantly and call them up in a late-night emergency from their home computers. One Stanford University study found that, on the average patient visit, there were four pieces of information the doctor couldn't find in the paper file, Dr. Tang says.
Coming soon from Epic Systems Corp., a Madison, Wis., software company: a way for patients to select parts of a medical record to put on the Internet, visible only to those who type a password indicating that they have the person's consent. Not quite Cheney-caliber care, but a start. |
