There have been stories and novels about the end of privacy.
1984, by George Orwell, comes to mind. I also
remember reading a science fiction short story once, about how
technology had made privacy so difficult to maintain, and so accepted
by society, that it was considered rude to want privacy. I
can’t remember who wrote that one.
This post was inspired by an article in the Wall Street Journal, that
points out how little privacy there is when it comes to medical
records. More below the fold…
Time Magazine just published 25 “top-10″ lists for 2006. One
of the lists is for political
cartoons. Two of them have to
do with loss of privacy.
And of course we all know that cell phones have cameras, palm pilots
have cameras, laptop computers have webcams, security cameras are
everywhere. You can even get a disposable
digital video camera at CVS for about $30. You can
video cameras that can be installed anywhere, that put the
images out on the Internet, potentially for anyone to see.
Websites such as MySpace and Flickr often have photos posted and
tagged, such that anyone might have his or her photo posted on the
Internet, visible to anyone, and accessible with a simple search
I’ve often thought that it would be possible to construct an accurate
personality profile of someone, using only electronic data about their
usage of credit cards and debit cards, if it could be correlated with
the electronic inventory control systems that most stores use.
Not nice, but entirely possible.
But now, we get to one of the most serious sources of potential
breaches of privacy: electronic medical records.
Overall, I am in favor on electronic medical records. There
is a tremendous potential for greater efficiency, leading to cost
savings. Perhaps more importantly, there is a potential to
improve the quality of medical care.
The quality improvements could come about in different ways.
For one, it would be much easier for providers of care to
collaborate effectively, if it were easy for each to see what the other
is doing, or has done. It would lessen the risk of certain
errors. Another potential way that such records could be used
to improve quality, is by facilitating the systematic collection of
data with public health implications.
The potential benefits are irresistible. Most institutions
are moving quickly to some kind of electronic medical record keeping.
The problem, though, is that it may be difficult to get all
of the advantages without introducing certain disadvantages.
The records would be most useful if they were easy to access.
But the easier it is to access them, the more likely it is
for there to be violations of confidentiality.
The biggest loophole appears to occur with insurance companies.
Because medical treatment is almost invariably associated
with insurance payments, and insurers have a right to see what they are
paying for, the records can leak out. Then, they can end up
in the hands of bill collectors, then who knows where they will go.
My greatest concern, of course, has to do with mental health records.
In the article linked above (here),
generally viewed as worthy of the most stringent safeguards. In recent
years, courts and state legislatures have afforded psychotherapy
records special protections. All 50 states recognize some form of
psychotherapist-patient privilege to limit disclosures in legal
proceedings, and a similar federal privilege was established in a
landmark 1996 Supreme Court ruling.
I remember applauding the 1996 Supreme Court ruling. But,
unfortunately, it has not had as much effect as we had hoped:
privacy advocates, Congress authorized the Department of Health and
Human Services to draft privacy regulations. The final rules allow
health insurers and medical providers — including doctors, pharmacies
and hospitals — to disclose medical information for “treatment,
payment and health-care operations,” among other situations, without
specific patient permission. But they aren’t supposed to send any more
records than necessary for nontreatment purposes…
The federal rules allow patients to ask doctors, other medical
providers and insurers not to share records with certain people, groups
or companies. But medical professionals and insurers can ignore such
If psychotherapy or other mental health treatment notes get mixed in
with other medical records, they are no longer protected. As
the article points out, if the clinic or hospital claims it is
impractical to keep different kinds of separate, then they are not
expected to do so.
said that “psychotherapy notes that are kept together with the
patient’s other medical records are not defined as ‘psychotherapy
notes’ under HIPAA.” The hospital is not required to keep them
separate, the court papers said, and it would be “impracticable” to do
This is nonsense, of course. One thing about electronic
records is the ease with which they can be tagged and filtered.
It would be trivial to set up a database that recognizes
mental health records, and treats them differently than other records.
If there is a problem keeping them separate, it is because
the system is poorly set up, or poorly operated. In the case
mentioned in the article, the hospital scanned the records, and mixed
them up. So it wasn’t a modern electronic medical record
system, and it would have been a little harder to set up the filtering.
I suppose it was cheaper to do it that way, but it was also
And how is the enforcement of the new rules coming along?
violations have been piling up at the Department of Health and Human
Services. Between April 2003 and Nov. 30, the agency fielded 23,896
complaints related to medical-privacy rules, but it has not yet taken
any enforcement actions against hospitals, doctors, insurers or anyone
else for rule violations. A spokesman for the agency says it has closed
three-quarters of the complaints, typically because it found no
violation or after it provided informal guidance to the parties
“We’re three years into the enforcement of the rule, and they haven’t
brought their first enforcement initiative,” says Peter Swire, a law
professor at Ohio State University who helped write the regulations.
“It sends the signal that the health system can ignore this issue.”
What this means is that the current instance of the Department of
Health and Human Services is run much like the EPA: not much bark, and
absolutely no bite.
In some informal communication with others, I’ve heard people mention
that they are more reluctant to seek medical care because of the
privacy issue. Not just mental health care, but any kind of
I know that some psychiatrists and therapists are concerned about this,
and have been keeping abbreviated records as a result. I tend
to focus on documenting the symptoms the person is having, and any
impairment of functioning that is present, leaving out a lot of
historical information. This creates other problems, but at
present, the only way to keep the information absolutely private, is to
not keep any record of it.
Oh, and by the way, there are many other ways that mental health
information can leak out from the supposed veil of privacy. I
just focused on what they mentioned in the article. Believe
me, there is more.