Who's seeing your files? State isn't trying to protect privacy of medical records

July 14, 1996 | By Jennifer A. Katze

IMAGINE A HORROR story that begins when a hacker breaks into Maryland's state-run medical bank and steals information from your medical files.

The hacker sells the information to a private detective or some other information broker, who resells it to your employer, the bank where you've applied for a loan, your insurance company or any busybody who wants it.

Would you want the world to know that you're being treated for depression, a sexually transmitted disease or cancer?

Perhaps some of you didn't even know you live in a state that collects personal information from every encounter you have with a health professional -- and it's being compiled without your consent.

And perhaps you're even more surprised to know that Marylanders are the first people in the nation to have relinquished so much medical privacy.

State officials say we should not worry; the files are secure. But personal medical information is a valuable commodity, and the potential for misuse is great. Already in Maryland, there have been examples of state employees accepting bribes from HMOs for information on Medicaid recipients; and a banker obtained a list of cancer patients, cross-referenced it with loan customers at his bank and called in those loans.

A huge state-wide data base is a tempting target for corporations and businesses eager to market their particular products and services to a segment of the population. More importantly, it provides a means to screen and deny health, life or disability insurance and/or employment, etc., to other select segments. Disclosure of sensitive medical information can impact citizens in all areas of their lives. They should decide for themselves whether to assume such a risk.

In 1993, the Legislature established the Maryland Health Care Access and Cost Commission (HCACC) as part of a broad and complicated health care act aimed at controlling soaring medical costs in Maryland. While the goal was praiseworthy, HCACC has never been able to explain clearly why patient-specific information which could be traced to specific individuals is necessary to reduce health care costs. Other states have successfully used anonymous "aggregate" or lumped data, samples of data from patients who are asked their consent, and survey data to make studies about where medical funds are wasted. An enormous amount is already known about this, and, alas, the answers have little to do with individual patients or even individual health care givers.

Last spring, the legislature failed to enact a law to require Marylanders to be asked for their consent before personal information, including all of each individual's medical diagnoses, is entered into the computerized Maryland medical data base. The legislators accepted HCACC's reassurances that it would protect this information as carefully as possible, although the executive director of HCACC, John Colmers, admitted that there is no way that confidentiality can be guaranteed in this age of computer piracy.

There is a much larger issue here than whether HCACC will try to preserve confidentiality and whether there are adequate penalties in place (there are not) if the data base is broken into. There is the issue of who owns medical diagnoses. Whose property are they? Are they the government's or are they the individual's? If they are the individual's, then don't Marylanders have the right to be individually asked for consent to have potentially sensitive and even stigmatizing diagnoses collected for a life-long record in a computer data base? When we quibble about the likelihood of computer piracy's affecting any one individual, we're missing the point of the right to medical privacy and the right to consent. The loss of such a right should have a very compelling and easily identifiable direct health necessity, such as the mandatory reporting law about child abuse.

In May, Time/CNN published the results of a nationwide survey about Americans' opinions on the right of privacy in this new age of computer data bases. About 87 percent of citizens responded that permission should be asked before such data collection. HCACC and our General Assembly need to respect this result. At present, about 40 percent of Marylanders are already in the HCACC Data Base. Their information was provided "on a voluntary basis" by 10 of the state's largest medical insurance companies, Medicare and Medicaid. Patients were asked consent for the insurance company to gather data for reimbursement purposes, but no patient was asked if he or she wanted that data to be passed on to the government data base. Few patients even know about it.

Baltimore Sun Articles