Your Medical Records Aren’t Secure

I have one observation about, and one minor difference with, the very good—and very concerning—Wall Street Journal opinion piece by Deborah Peel of Patient Privacy Rights. The piece announces PPR’s “Do Not Disclose” campaign around health information, which will soon be pouring into promiscuous, government-designed “electronic medical records.”

In a January 2009 speech, President Barack Obama said that his administration wants every American to have an electronic health record by 2014, and last year’s stimulus bill allocated over $36 billion to build electronic record systems. Meanwhile, the Senate health-care bill just approved by the House of Representatives on Sunday [now signed into law] requires certain kinds of research and reporting to be done using electronic health records. Electronic records, Mr. Obama said in his 2009 speech, “will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests [and] save lives by reducing the deadly but preventable medical errors that pervade our health-care system.” But electronic medical records won’t accomplish any of these goals if patients fear sharing information with doctors because they know it isn’t private…

Describing how the Health Insurance Portability and Accountability Act (HIPAA) undermined health privacy, Peel says, “In 2002, under President George W. Bush, the right of a patient to control his most sensitive personal data—from prescriptions to DNA—was eliminated by federal regulators…” Other than the quibble about whether federal law ever gave patients anything that could be genuinely called a right, this is correct and concerning.

What’s interesting is that the policy is routinely ascribed to President Bush (not only by Peel). My suspicion is that blaming President Bush props up the dream that privacy can be maintained in a system that centralizes control of health care—if only the right party is in power.

In fact, the passage of HIPAA in 1996 (under President Bill Clinton) set the course for this outcome. The fact that HIPAA privacy was undone during the Bush administration is a coincidence convenient for his ideological and political opponents. If I’m mistaken, the proof will be the reversal of the policy during the current administration. I’m not aware of any plan for that to happen.

“Electronic record systems that don’t put patients in control of data or have inadequate security create huge opportunities for the theft, misuse and sale of personal health information,” says Peel. I agree, but more importantly, I think, public policies that don’t put patients in control create the same—or at least parallel—problems.

Transferring control of health care to the federal government transfers control of health information to the federal government. The government has interests distinct from patients, and no matter how hard one fights to protect patients’ privacy interests, the government’s interests in cost control, social engineering, and such will ineluctably win out.

Public policies that restore power to patients will restore health privacy to patients. A decade or two of exploring alternatives to patient empowerment may drive the lesson home.