Wendy E. Parmet
Excerpted from: Wendy E. Parmet, Public Health
Protection and the Privacy of Medical Records, 16 Harvard Civil
Rights-Civil Liberties Law Review 265-304 (Summer, 1981) (171 Footnotes)
Today there is a sharp tension "between society's
interest in protecting medical confidentiality and its legitimate need
for access to medical records." The institutionalization of
programs to provide health care and the increased mobility of modern
life have forced physicians to include more information in medical
records so that other practitioners will be aware of prior diagnoses and
treatments. Additionally, the recognition of the relevance of emotional
factors to the treatment of all illnesses has increased the sensitivity
of the information stored in medical records; they can be as sensitive
as psychiatric records.
The increased complexity and institutionalization of
health care programs has also meant that medical records are used for
purposes not directly related to the treatment of patients. Since health
care is now largely financed by private or public insurers, records are
used to substantiate claims. Furthermore, records provide both
scientific and fiscal information necessary for technological and
structural innovations in health care. Improvements in data technology
have made medical records easier to store and transfer, despite their
proliferation. The result is that medical records are presently used in
more ways and by more people than ever before.
The law has not adequately met the threat to the
confidentiality of medical records. No legal protection was seen as
necessary under the common law. At that time an individual's records, if
any, were maintained by the patient's family doctor and were rarely
disclosed. The statutory physician-patient privilege, first enacted in
the nineteenth century, only protects medical records from disclosure
during the course of litigation. The privilege does not shield the vast
amount of information which is now revealed either casually or through
administrative processes. Several recent court decisions have recognized
a limited privacy right that attaches to medical records, but no court
has clearly delineated the bounds of that right, nor has Congress
accommodated the tension between society's need for medical records and
a patient's privacy interests.
In the past, two broad rationales supported the
confidentiality of medical records: privacy and public health. The
privacy rationale rested upon an ethical judgment about the nature of
human dignity which allows the individual to control the disclosure of
certain personal information, and to make certain kinds of decisions
about his or her life independent of state interference. The public
health rationale was based on a utilitarian calculation that the
confidentiality of medical records promotes public health because
patients will not seek medical treatment unless they are assured that
what physicians learn about them will not be disclosed.
Today, however, concerns for public health often favor
the disclosure of medical records. Therefore, the concerns for privacy
and public health reflect the tension within society itself between
protection of an individual's privacy and the public's need for
disclosure. . . .
I. Two Rationales for Upholding the Confidentiality of Medical Records
A. The Privacy Rationale
The privacy rationale has long been endorsed by the
medical profession's own code of ethics. In recent years, courts have
recognized and endorsed the privacy rationale. The modern ethical basis
for protecting privacy has been defined in many ways, but the law has
used the term to denote two central interests: the individual's ability
to control the disclosure of certain personal information, and the
individual's ability to make certain kinds of important decisions about
his or her own life independent of societal pressure. The individual's
ability to control disclosure is never absolute. An individual cannot
live in society without others knowing something about her, nor can she
possibly control all the information that others obtain. In the case of
medical treatment, for example, a patient may wish to limit her
disclosures to the doctor to what is absolutely necessary for a specific
treatment. Since the doctor will inevitably discover more than the
patient would knowingly reveal, the patient could never be totally
successful in limiting the doctor's knowledge.
The interest in non-disclosure does not lose its
importance merely because it cannot be fully accommodated. Relative
control over the disclosure of personal matters is a vital condition for
the realization of many widely held values. Control over disclosure has
been claimed to be a prerequisite for the formation of human
relationships, the ability to escape societal prejudices and
stigmatizations, and even the ability to participate in a democratic
polity.
These justifications for non-disclosure have an important
central vision; they view the individual's control over disclosure as a
way of mediating the conflict between autonomy and community. The
justifications recognize and value the need for individuals to be
different, yet accept the need for a society although it circumscribes
the uniqueness of individuals. By controlling the disclosure of personal
matters an individual can be a member of society while maintaining his
or her individuality.
Recent court decisions have shown an increasing
sensitivity to the interests of non-disclosure. For example, in Katz v.
United States the Supreme Court held that the fourth amendment protected
an individual's reasonable expectation of privacy. Developments in tort
law have made physicians liable for breaching confidentiality in medical
records. The plurality opinion in Singleton v. Wulff, which upheld a
physician's ability to obtain standing on behalf of a patient,
implicitly recognized a patient's interest in protecting the
confidentiality of medical records. The extension of standing to the
physician enabled her to come forward publicly and assert the patient's
cause of action while the patient remained anonymous.
The ability to make personal decisions is less directly
related to medical records disclosure. It is important, however, because
the law has used this privacy interest to delimit certain areas of
individual decision making where the individual is free to make a
decision without state interference, such as contraception, abortion,
and religious and political beliefs. In these areas, disclosure
threatens the individual's ability to make decisions. In NAACP v.
Alabama ex rel. Patterson, the Court held that disclosure of the Alabama
membership lists of the NAACP threatened to inhibit the members' freedom
of association. Similarly, in Planned Parenthood of Missouri v. Danforth,
the Court recognized the inhibiting effect that extensive record-keeping
could have upon a woman's right to have an abortion. The Court concluded
that records could be kept, but only if they were "reasonably
directed to the preservation of maternal health and properly respects a
patient's confidentiality and privacy . . . ."
Drake v. Covington Board of Education is another example
of how disclosures threaten individual choice. In Drake, an unmarried
public school teacher was dismissed when the school board learned from
her physician that she was pregnant. A three-judge district court
determined that her dismissal, without any evidence regarding
incompetency, constituted an invasion of her constitutional right of
privacy. The disclosure of Drake's medical records had led to an
abridgement of her fourteenth amendment rights.
The Supreme Court has recognized both types of privacy
interests--the interest of non-disclosure, and the ability to make
personal decisions--in the medical area. Doe v. Bolton emphasized the
confidential nature of the physician-patient relationship while
affirming that the decision to perform an abortion was one that
primarily must be left to the physician and the patient. The privacy
interest attaching to medical records themselves was at least noted and
considered in the Court's decision in Whalen v. Roe. The Court in Whalen
unanimously upheld a New York law which required a central computer
recording of the names and addresses of all persons who obtained
prescriptions of certain easily abused drugs. Justice Stevens, speaking
for the Court, discussed the interests in non-disclosure and personal
decision making and left open the possibility that these privacy
interests might take on constitutional proportions.
Congress has also recognized the privacy rationale and
implemented it in numerous pieces of legislation. In the Privacy Act of
1974 Congress declared that "the privacy of an individual is
directly affected by the collection, maintenance, use and dissemination
of personal information. . .," and that "the right to privacy
is a personal and fundamental right protected by the Constitution of the
United States. . . ." In at least two areas, financial and
newspaper records, Congress has gone beyond the judiciary and has
enacted legislation to protect privacy.
Congress has also specifically recognized the privacy
interests attaching to medical records. Title II of the Privacy
Protection Act of 1980 authorizes the Attorney General to establish
guidelines for federal officers obtaining documents held by third
parties. These guidelines safeguard privacy interests in a
"confidential relationship such as that which may exist between a .
. . doctor and patient." More comprehensive but still incomplete
protection for medical records privacy was proposed in the various bills
introduced in the 96th Congress. H.R. 5935 exemplified the intention of
those bills by terming the right to privacy a constitutionally protected
fundamental right which can be threatened by "the collection,
maintenance, use and dissemination of medical information." None of
the bills, however, passed either house of Congress.
B. The Pro-Public Health Rationale
The public health rationale has been the historically
dominant justification for the majority of already existing
confidentiality safeguards. In the nineteenth century this rationale
appeared to be reasonably consistent with the existing institutional
structure of health care delivery in which the major means of improving
health care delivery was treatment by an individual physician. The
rationale was also consistent with laissez-faire conceptions of the
public good, and the relationship between public and private powers.
Under this view, the only way to achieve the public good was to support
freely chosen individual relationships. The state could best improve the
public health by facilitating and promoting physician-patient
relationships that would improve each individual's health. If medical
record confidentiality protects the individual physician-patient
relationship, confidentiality can be justified for instrumental reasons
without relying on any ethical conceptions of privacy.
The physician-patient evidentiary privilege, the law's
first protection for medical records confidentiality, embodied the
public health rationale. The original justification of the privilege was
not the private nature of the communications between a patient and a
physician, but rather the belief that, without the privilege, patients
would be discouraged from seeking treatment. An 1836 report from the
Commission on Revision of the Statutes of New York, reviewing the first
evidentiary privilege statute stated:
[U]nless such consultations are privileged,
men will be incidentally punished by being obliged to suffer the
consequences of injuries without relief from the medical art, and
without conviction of any offense. Besides, in such cases, during the
struggle between legal duty on the one hand, and professional on the
other, the latter aided by a strong sense of the injustice and
inhumanity of the rule, will in most cases, furnish a temptation to the
perversion or concealment of truth . . . .
The promotion of public health therefore justified the
enactment of the privilege. In addition, the cost of the privilege,
measured in terms of the concealment of truth, was thought to be minimal
since physicians were unlikely to testify against their patients in any
event.
The justification for promoting care by promising to keep
medical information confidential is also illustrated by the special
privileges given to records resulting from mandatory medical
examinations for certain communicable illnesses, such as venereal
disease. Here, the guarantee of the privilege seeks to prevent people
from evading laws that otherwise would be almost impossible to enforce.
In such cases the public health rationale harmonizes with privacy
concerns aroused by the sensitive nature of such treatments.
Since the justification for the evidentiary privilege is
to induce people to seek medical care, it is not surprising that the
privilege is usually maintained in all situations which would otherwise
lessen "the patient's freedom from apprehension of
disclosure." The privilege is usually maintained even after the
patient is dead, the reason being that fear of posthumous disclosure
would deter living patients from seeking medical care. The privilege is
typically waived when a patient sues a doctor or raises his mental
health as an issue. Although such waiver theories may justify disclosure
even when a court is influenced by the privacy rationale, sensitivity to
privacy considerations would demand that a court be more careful when
implying a waiver, especially when the party is deemed to have waived
privacy rights only by acting to protect other legally protected rights.
The most interesting aspect of the public health
rationale is not how often it has undermined confidentiality, but rather
its own empirical vulnerability. As Wigmore noted, it is a very
questionable assertion that people would not seek medical treatment if
their medical records were not confidential. Under the pressures of pain
and mental anguish, most people probably would opt to suffer the
embarrassment, stigmatization, and perhaps legal liability that could
follow from the disclosure of their medical records.
Even if the confidentiality of medical records does to
some degree encourage treatment, it is unclear whether it will always
promote the public health more than disclosure would. Recent changes in
the delivery of health care have undermined the premises underlying the
public health rationale for medical record confidentiality. As of 1976,
for example, physicians provided less than five percent of the health
care services in America. Instead, medical care today is provided by a
host of professionals including nurse practitioners, physician
assistants, dentists, optometrists, and psychiatric social workers.
Moreover, care is delivered in private offices, hospitals, clinics, and
nursing homes. As of 1975, two-thirds of these services were paid for by
either private or public third-party insurers who have increasingly
begun to regulate and monitor the services they finance.
Political conceptions about public health care have
also changed. People now look to the government to do more for public
health than merely facilitate private transactions. Governmental
insurance programs, health and safety regulations, and public support
for medical research are a few examples of the new roles that government
plays in health care. This increased governmental participation in
health care has all but destroyed the basic premise of a doctor-patient
relationship present in the public health rationale. In fact, these
changes could be seen as justifying the abolition of medical records
confidentiality since the disclosure of medical records often enhances
the efficient pursuit of the new goals. Today's health care may be more
improved by detecting and eradicating environmental hazards than by
promoting individual trust in physicians. The detection of environmental
hazards may be further facilitated by epidemiological studies of medical
records. Thus the promotion of public health would not justify the
non-disclosure of medical records to epidemiologists. Likewise, if
anyone elects to receive medical care from governmental aid programs or
third-party insurance programs despite the knowledge that such support
will lessen the confidentiality of their medical records, then the
promotion of public health goals will not justify protecting the
confidentiality of program beneficiaries.
To some extent, the use of non-identifiable records could
satisfy the informational needs of these public health programs. But the
process of coding and abstracting records will often be costly and the
non-identifiable records will often be less useful for accomplishing the
goal their use was meant to promote. Moreover, in terms of treatment
inhibition, the utilitarian cost of record disclosures is uncertain and
less compelling today than in the past. Patients in modern health care
institutions are accustomed to consenting to a wide variety of
disclosures. Consequently, except when there is an unusually sensitive
diagnosis, such as venereal disease, the reluctance of patients to come
in for medical treatment probably does not equal the costs to the public
health of the denial of identifiable disclosures. The validity of the
purely utilitarian rationale that lay behind the evidentiary privilege
is now highly questionable. As a consequence, utilitarian and privacy
concerns now conflict in most cases, leaving us to seek a way to
reconcile the competing interests.
II. Health Care Related Disclosures
The virtual collapse of the public health rationale for
medical records confidentiality necessitates a reappraisal of the
interests in health care and the construction of a framework which can
accommodate those interests. Public health improvement must be promoted
while simultaneously respecting privacy interests.
It is impossible to schematize all of the uses of medical
records. Nevertheless, five broad types of use, or "use
spheres," can be noted. The first four concern health care related
disclosures, or primary disclosures, and will be discussed in this
section. The fifth sphere, secondary disclosures, is discussed in Part
III. Of course, any one individual or institution can operate in more
than one sphere. The typology is not institutional, it is purely
functional.
A. The Medical Treatment Sphere
Health care delivery is the first "use sphere."
In this sphere medical records are created and used to facilitate the
treatment of an individual. The record user can be a single physician or a
large public hospital, and one or dozens of individuals may have access
to the records. Nevertheless, the patient's treatment is the reason for
the creation and use of the records.
The medical treatment sphere is the one sphere in which
record keeping and use is legitimate. By definition, the public health
interest favors disclosure within this sphere since such disclosures
facilitate treatment. Second, the patient has some control over the
information which is disclosed. This control may be limited, since the
patient may be under severe stress and may therefore disclose more than
he or she would otherwise. The physician may also learn more than the
patient intended to disclose. Still, the information is recorded
primarily to facilitate treatment. The patient normally approves of this
goal and thus either explicitly or implicitly authorizes the record user
to use the records for that purpose. Furthermore, as long as
record-keeping remains in this professional atmosphere, dangers of
stigmatization, misuse of information, and inhibition of patient
autonomy are limited by professional ethics. Within the medical
treatment sphere, the harm to privacy interests caused by disclosures is
far less than the harm to the patient's and the public's health that
would be caused by prohibiting disclosures.
B. Health Care Evaluation and the Support System
Health care evaluation and support ("the support
system") is the second category of use spheres. This broad area
includes third-party insurers, professional certifiers and auditors, and
government program inspectors. Again, the public health goals favor
disclosure, as disclosure makes claims processing and quality reviewing
cheaper and more effective.
However, the privacy interests here are more compelling
than in the health care delivery sphere. The support system's use of
records goes beyond the physician-patient relationship. Information is
often disclosed without the patient's knowledge and the presumption that
the patient would approve of such disclosures is weak. Furthermore, such
disclosures are often made to parties other than health care
professionals. Disclosures increase the chance of stigmatization and
societal disapproval of the patient, causing a corresponding loss of
autonomy. The harm caused by a lack of privacy appears most alarmingly
in psychiatry, in which studies have shown that many patients do not
request insurance benefits to which they are entitled merely because
they fear the loss of control over their record disclosures.
To a large degree the privacy threat caused by the
support system's use of medical records is unnecessary. Some of this
sphere's needs for medical records could be met by using
non-identifiable records. Certain types of auditing and evaluating could
be done by using coded or abstracted records, as is now required for
medical records generated under some programs. The American Medical
Association's Commission on Professional and Hospital Activities
believes that the massive reporting of records now required by auditing
programs is unnecessary and audits of abstracted records could be
substituted. As an expert in the field of medical records confidentiality
has noted, both Britain and France manage to conduct their audits and
evaluations without the broad use of identifiable data which prevails in
this country.
One situation in which personal data is disclosed
needlessly is an experimental peer review program for the evaluation of
outpatient psychiatric claims. The program is designed to provide means
for reviewing psychiatric cases in order to facilitate insurance
coverage for all legitimate claims. "Suspicious claims" are
sent to a participating psychiatrist for a peer review. The records used
in this review include the patient's name and other
identifying information. There is no reason why the records could not be
sent to the reviewer with only a code number attached by the insurer.
In many cases the information which identifies the
patient would seem necessary for the achievement of support system
goals. Third-party insurers need to see some description of the
treatment and diagnoses given to their beneficiaries, and auditors will
often have to look at the original records as well as abstracted data
prepared by a health care provider. The cost of medical care is already
so high that the government, private insurers, and the economy cannot
accept without question a professional's description of services
rendered. Without mechanisms for preventing excessive fees and poor
services, not only will our dollars buy less health care, but negative
public reaction may reduce support for health care services altogether.
The public health interest favors at least some identifiable disclosures
to the support system.
The interests supporting disclosure outweigh the privacy
interests infringed upon by disclosures within the support system. The
majority of cases, in which a record is audited or a claim processed by
an anonymous clerk who has no interest in any particular patient, pose a
relatively minor threat to individual privacy interests. The
individual's privacy is protected by the impersonality of the process.
If the support system employee is unconcerned about the particular
patient or cannot remember the information, then the patient suffers no
threat of stigmatization or other forms of social reproach.
C. The Research Sphere
Scientific research is the third sphere of use. This
sphere possesses many of the characteristics found in the previous
spheres--the users are primarily professionals, the patient is usually
unknown, and his or her identity is not a particular concern of the
record user. Furthermore, some of the need for medical records can be
met by using non-identifiable records.
The public health rationale justifies researchers having
access to records. While most research can be done prospectively with
the researcher obtaining informed consent from the patient, much
epidemiological research requires a retrospective analysis of records.
The danger of DES, for example, was determined through such studies.
Since knowledge of the study may affect the behavior of both patients
and clinicians, obtaining patient consent may destroy the scientific
validity of the study.
Once the researcher contacts the patient and comes to
know him the situation changes dramatically. A researcher's contact can
deeply violate the patient's privacy. For example, one researcher went
to a patient's home on a Saturday when a party was in progress. He
introduced himself by saying, "Hi, I am so-and-so from
such-and-such organization, and we are doing a follow-up study of
patients who had been enrolled in the methadone maintenance
program." But the patient can be hurt even when the contact is
private. The contact may reawaken unpleasant memories, thereby lessening
the patient's ability to escape his past and change his future.
The possibility of such privacy losses should require
an increased protection for the individual. Such contacts, therefore,
should be treated like secondary disclosures, which also require
additional safeguards and will be considered in Part III.
D. The Public Health Investigation Sphere
The fourth use sphere is that of public health
investigations. This sphere is closely related to the research sphere,
the major differences being that records are used to detect specific
health problems or violations rather than for scientific discovery, and
the user is often a governmental body acting with the force of law.
Disclosures in the context of public health
investigations form a continuum between those which are prima facie
justifiable and those which are not. At one extreme are disclosures in
which the patient is not suspected of having caused the violation or
condition under investigation. The patient is instead the intended
beneficiary of the investigation's discoveries. A prime example of such
a situation comes from recent OSHA regulations which require an employer
who "makes, maintains, contracts for, or has access to employee
exposure or medical records" to keep the records for thirty years
and make them available to OSHA. In such a case, privacy would seem not
to be intruded upon any more than in the research sphere. As far as the
patient is concerned, the government is acting like an epidemiologist,
except that the patient is more likely to be the beneficiary of the
investigation since specific public violations or conditions which can
harm the particular patient are the subject of investigation. Such
disclosures should be permissible.
Other types of public health investigations are made
pursuant to various mandatory reporting statutes. The requirement that
physicians report all cases of gunshot wounds or child abuse arguably
requires
require disclosure which benefits the patient's interests and which the
patient would consent to if he or she were able to do so. The
requirement, existing in all states, that physicians report information
about deaths and births, may also fall into this category.
Other types of reporting statutes would not seem to
benefit the patient's health as much as the public health in general or
some other societal goal. These statutes include venereal disease
reporting statutes and other sexual activity reporting statutes or drug
abuse reporting statutes. In considering the appropriateness of these
statutes, two crucial questions must be asked: what is the real purpose
of the investigation and what is the threat to privacy? As the nature of
the investigation changes from one which benefits the patient to one
which benefits public health, the threat to privacy increases. At some
point such investigations become, from the patient's perspective,
non-health care investigations. The following section discusses the
problems which may be caused by such investigations.