Balancing privacy with better medical data

By James B. Rule, The Sacramento Bee

Among the rare domestic policy innovations strongly promoted by both the Obama and Bush administrations is centralization of all Americans' medical records. The appeal of the notion is hard to miss.

Today, Americans' medical histories are as dispersed and haphazard as American medical care itself. Information from earlier episodes of care is apt to be lost to subsequent caregivers, with resulting costs in time, money and life itself. Creating a fully computerized, all-inclusive, quickly accessible source for such data could add a margin of confidence to every medical intervention. It would also provide a resource for medical researchers tracking the origins of disease and the effectiveness of treatments.

So what's not to like? Some observers have decried risks to privacy associated with these plans. They have called for technological safeguards against unauthorized access and patient consent for any release of data from such files.

But we ought to be worrying much more about inevitable pressures for authorized access. Creating an authoritative, fully centralized trove of all medical data on every American would focus and intensify demand for routine and acknowledged access by a range of government and private-sector interests. The ultimate result could be to render anyone's medical history about as private as his or her credit or marital history – that is, not very private at all.

Think of your IRS tax returns. Originally mandated to implement each citizen's tax obligations, the personal data provided there have relentlessly grown available for countless purposes unrelated to taxation. Under today's law, government investigators can readily delve through one's tax records. But so do private-sector interests ranging from prospective employers to mortgage brokers to financial aid officers at your child's college or university. One can refuse to grant access to such parties – but only at the price of certain rejection.

No doubt everyone can find some of these non-tax uses of IRS data to applaud, some to decry. The point is, the very existence of IRS returns effectively undercuts anyone's privacy interests in the data contained there. If powerful parties can be certain that the information is there, they will find ways of seeking its disclosure with offers we can't refuse.

Imagine, then, the cast of interests that will step forward to claim access to patient files from any comprehensive medical record system. Prospective employers, divorce lawyers, sellers of insurance, lenders, law enforcement agencies of all sorts, plus, of course, Homeland Security – just for starters. And indeed, the data contained in a centralized medical repository will often be vital for these interests to accomplish what they consider their legitimate aims.

Strictly medical information will attract intense interest from current and prospective employers, lenders, insurance companies and others interested in patients' future health prospects. Data on people's sex lives and psychiatric consultations will be sought after by courts in divorce cases and by institutions like schools and day care centers considering candidates for positions of trust over vulnerable populations.

Even non-medical data, documenting where people present themselves for medical care and when, will draw much interest. Law-enforcement authorities and courts will surely seek such information in investigating crimes. And then there is the predictive value of data held on file – the use of such data, like that on people's phone and e-mail records, to reveal associations with terrorist activities, criminal schemes and other destructive conduct. Indeed, sophisticated data-mining of a truly comprehensive record of people's medical files could identify patterns pointing to guilty parties before they have the chance to act.

Do we really want our complete medical histories to be subject to the same wide scrutiny now applied to our tax returns? Do we want to enter every medical consultation with the knowledge that information provided there, or inferred from further testing or analysis, must become part of our permanent record, available to all "legitimate" claimants, current and future?

If not, our options are limited. A centralized system could offer the option of anonymous consultation and care, where patients felt especially sensitive information had to be broached. But since we never know what information is apt to be prejudicial or revealing in future contexts, serious privacy protection would require granting patients the ability to delete data from their files after the fact. Needless to say, any such constraint will likely trigger massive opposition from many parties now supporting centralization.

In the medical arena as elsewhere, efficiency and privacy will not be easy values to reconcile.