[Med-privacy] NYT article

[Peter Marshall]

December 3, 2006
Health Hazard: Computers Spilling Your History
By MILT FREUDENHEIM and ROBERT PEAR

BILL CLINTON=92S identity was hidden behind a false name when he went to=20=

NewYork-Presbyterian Hospital two years ago for heart surgery, but that=20=

didn=92t stop computer hackers, including people working at the =
hospital,=20
from trying to get a peek at the electronic records of his medical=20
charts.

The same hospital thwarted 1,500 unauthorized attempts by its own=20
employees to look at the patient records of a famous local athlete,=20
said J. David Liss, a vice president at NewYork-Presbyterian.

And just last September, the New York City public hospital system said=20=

that dozens of workers at one of its Brooklyn medical centers,=20
including doctors and nurses, technicians and clerks, had improperly=20
looked at the computerized medical records of Nixzmary Brown, a=20
7-year-old who prosecutors say was beaten to death by her stepfather=20
last winter.

Powerful forces are lobbying hard for government and private programs=20
that could push the nation=92s costly and inefficient health care system=20=

into the computer age. President Bush strongly favors more use of=20
health information technology. Health insurance and medical device=20
companies are eager supporters, not to mention technology companies=20
like I.B.M. and Google. Furthermore, Intel and Wal-Mart Stores have=20
both said they intend to announce plans this week to embrace electronic=20=

health records for their employees.

Others may soon follow. Bills to speed the adoption of information=20
technology by hospitals and doctors have passed both chambers of=20
Congress.

But the legislation has bogged down, largely because of differences=20
over how to balance the health care industry=92s interest in efficiently=20=

collecting, studying and using data with privacy concerns for tens of=20
millions of ordinary Americans =97 not just celebrities and victims of=20=

crime.

Advocates of such legislation, including Representative Joe L. Barton,=20=

the Texas Republican who is the chairman of the House Energy and=20
Commerce Committee, said that concern about snooping should not freeze=20=

progress on adopting technology that could save money and improve care.

=93Privacy is an important issue,=94 said Mr. Barton, who will lose the=20=

chairman=92s post when the Democrats take over next year, =93but more=20
important is that we get a health information system in place.=94=20
Congress can address privacy later =93if we need to,=94 he said.

Democrats, however, have made it clear that they are determined to=20
address the issue of medical-records privacy once they take command of=20=

both houses of Congress next month. =93There is going to be much more=20
emphasis placed upon privacy protections in the next two years than we=20=

have seen in the last 12 years,=94 said Representative Edward J. Markey,=20=

Democrat of Massachusetts and a longtime privacy advocate.

Mr. Markey, a member of the Energy and Commerce committee, said he=20
supported legislation that would allow individuals to keep their=20
medical records out of electronic databases, and require health care=20
providers to notify patients when health information is =93lost, stolen=20=

or used for an unauthorized purpose.=94

Representative John D. Dingell of Michigan, the ranking Democrat who is=20=

expected to become chairman of the Energy and Commerce committee next=20
month, said that expanding electronic health care systems =93clearly has=20=

great potential benefit.=94 But he added that =93it also poses serious=20=

threats to patients=92 privacy by creating greater amounts of personal=20=

information susceptible to thieves, rascals, rogues and unauthorized=20
users.=94 Members of his committee, as well as the House Ways and Means=20=

Committee, have been struggling with such issues.

Academic medical centers like NewYork-Presbyterian have considerable=20
experience with electronic records. But many other hospitals have been=20=

slow to jump on board, as have doctors and patients. Only one in four=20
doctors used electronic health records in 2005, according to a recent=20
study by researchers at Massachusetts General Hospital and George=20
Washington University, and fewer than 1 in 10 doctors used the=20
technology for important tasks like prescribing drugs, ordering tests=20
and making treatment decisions.

Cathy Schoen, a senior researcher at the Commonwealth Fund, a nonprofit=20=

foundation, said primary-care doctors in the United States were far=20
less likely than doctors in other industrialized countries to use=20
electronic records. In Britain, 89 percent of doctors use them,=20
according to a recent report in the online edition of the journal=20
Health Affairs; in the Netherlands, 98 percent do.

Technology experts have many explanations for the slow adoption of the=20=

technology in the United States, including the high initial cost of the=20=

equipment, difficulties in communicating among competing systems and=20
fear of lawsuits against hospitals and doctors that share data.

But the toughest challenge may be a human one: acute public concern=20
about security breaches and identity theft. Even when employers pay=20
workers to set up computerized personal health records, many bridle,=20
fearing private information will fall into the wrong hands and be used=20=

against them.

=93When I talk to employees, the top concern they have is: =91What =
happens=20
to my information? What about the Social Security numbers on my=20
employee insurance, as well as the identity threat now appearing in=20
health care?=92 =94 Harriett P. Pearson, I.B.M.=92s chief privacy =
officer,=20
said in a recent interview. =93We have to be proactive about addressing=20=

privacy issues.=94

Dr. J. Brent Pawlecki, associate medical director at Pitney Bowes, the=20=

business services company, said that people in the United States are=20
most concerned that they could lose their health insurance, based on=20
something in their health records. Pitney Bowes is weighing the pros=20
and cons of electronic personal health records for its employees.

The worries are widely held. Most Americans say they are concerned that=20=

an employer might use their health insurance records to limit job=20
opportunities, according to several surveys, including a recent one by=20=

the nonprofit Markle Foundation.

Some patients are so fearful that they make risky decisions about their=20=

health. One in eight respondents in a survey last fall by the=20
California HealthCare Foundation said they had tried to hide a medical=20=

problem by using tactics like skipping a prescribed test or asking the=20=

doctor to =93fudge a diagnosis.=94

Dr. Stephen J. Walsh, a psychiatrist and former president of the San=20
Francisco Medical Society, said, =93I see many patients who don=92t want=20=

any information about their seeing a psychiatrist on a record=20
anywhere.=94

CONGRESS addressed some of these concerns in 1996, when it passed the=20
Health Insurance Portability and Accountability Act. That made it a=20
federal crime, albeit rarely punished, to disclose private medical=20
information improperly.

But critics say that the law has some worrisome loopholes, that=20
infractions are rarely prosecuted, and that violators have almost never=20=

been punished. The law, for example, lets company representatives=20
review employees=92 medical records in order to process health insurance=20=

claims.

Critics say that it would not be unusual in some companies for the same=20=

supervisor to be in charge both of insurance claims and of hiring and=20
firing decisions; this could allow companies to comb their ranks for=20
people with expensive illnesses and find some reason to fire them as a=20=

way to keep health costs under control. Easily accessible computerized=20=

files would make the job that much easier, the critics say.

Joy L. Pritts, a health policy analyst at Georgetown University, said=20
that in developing and promoting health information technology, the=20
government seemed to assume that it could =93tack on privacy protections=20=

later.=94 But she warned: =93That attitude can really backfire. If you=20=

don=92t have the trust of patients, they will withhold information and=20=

won=92t take advantage of the new system.=94

Executives can hire private tutors who specialize in teaching how to=20
stay on the right side of the rules. But based on the experience so=20
far, there is little chance that executives will be punished if they=20
break them.

The Office for Civil Rights in the Department of Health and Human=20
Services has received more than 22,000 complaints under the portability=20=

law since the federal privacy standards took effect in 2003;=20
allegations of =93impermissible disclosure=94 have been among the most=20=

common complaints. But the civil rights office has filed only three=20
criminal cases and imposed no civil fines. Instead, it said, it has=20
focused on educating violators about the law and encouraging them to=20
obey it in the future.

With federal enforcement so weak, privacy advocates say they are also=20
concerned about recent efforts in Congress to pre-empt state consumer=20
protection laws. They often provide stronger privacy rights and=20
remedies, particularly for information on H.I.V. infection, mental=20
illness and other specific conditions.

State laws, unlike the federal law, have resulted in some stiff=20
penalties. Last April, a California state appeals court approved a=20
malpractice award of $291,000 to Nicholas Francies, a San Francisco=20
restaurant manager, who lost his job after his doctor disclosed his=20
H.I.V.-positive status in a worker=92s compensation notice to Mr.=20
Francies=92s employer. He also got $160,000 from his employer in a=20
settlement.

Dr. Deborah C. Peel, a psychiatrist and privacy advocate in Austin,=20
Tex., has assembled a broad group called the Patient Privacy Rights=20
Foundation, to lobby in Washington. Members span the political=20
spectrum, from the American Civil Liberties Union and the U.S. Public=20
Interest Research Group to the American Conservative Union and the=20
Family Research Council.

Newt Gingrich, the Republican former House speaker, has called for =93a=20=

21st-century intelligent health system=94 based on electronic records. =
He=20
also says individuals =93must have the ability to control who can access=20=

their personal health information.=94

=93People do have a legitimate right to control their records,=94 said =
Mr.=20
Gingrich, who has worked closely with Senator Hillary Rodham Clinton,=20
Democrat of New York, on the issue of computerized records. On their=20
own, they have also advocated strict rules to protect privacy.

Mr. Gingrich noted that the Senate had twice passed bills to prohibit=20
discrimination based on personal genetic information; the House did not=20=

vote on them. Democrats say the outlook for such legislation will=20
improve when they take control of Congress.

EVEN without new federal laws to guide them, some companies have begun=20=

to encourage their employees to embrace electronic medical records. At=20=

Pitney Bowes, employees are paid a bonus if they store a copy of their=20=

personal health records on WebMD.com, the medical Web site.

=93We haven=92t pushed that, except to make an offering,=94 Dr. Pawlecki=20=

said. But for those without electronic records, he added, =93any time =
you=20
go to a different system or a different doctor, the chances are that=20
your records will not be able to follow you.=94 As a result, there is a=20=

risk of =93harmful care,=94 like drug interactions or side effects, he=20=

said, as well as risks of omitting needed care and conducting duplicate=20=

tests.

Pitney Bowes and WebMD Health are among a group of 25 companies meeting=20=

with Ms. Pearson of I.B.M. to develop a set of principles and best=20
practices that she said would help persuade people that their employers=20=

really did not look at private information stored online.

Ms. Pearson=92s group is working with Janlori Goldman, director of the=20=

Health Privacy Project in Washington. Employers need to adopt standards=20=

for personal health records that address their workers=92 privacy,=20
confidentiality and security concerns, Ms. Goldman said.

WebMD, which manages employees=92 health records for dozens of =
companies,=20
had discussions earlier this year with Google, which is developing a=20
Web site called Google Health, according to people familiar with the=20
project. Google has not commented on its plans. But commenting=20
generally on the issues, Adam Bosworth, the vice president for=20
engineering at Google, said that privacy is a hurdle for technology=20
companies addressing health care problems.

=93There is a huge potential for technology to improve health care and=20=

reduce its cost,=94 Mr. Bosworth said in a statement. =93But companies =
that=20
offer products and services must vigorously protect the privacy of=20
users, or adoption of very useful new products and services will fail.=94

Even before the theft this year of a Veterans Affairs official=92s =
laptop=20
that contained private medical records of 28 million people, a consumer=20=

survey found that repeated security breaches were raising concerns=20
about the safety of personal health records.

About one in four people were aware of those earlier breaches,=20
according to a national telephone survey of 1,000 adults last year for=20=

the California HealthCare Foundation. The margin of error was plus or=20
minus 3 percentage points.

The survey, conducted by Forrester Research, also found that 52 percent=20=

were =93very concerned=94 or =93somewhat concerned=94 that insurance =
claims=20
information might be used by an employer to limit their job=20
opportunities.

The Markle survey, to be published this week, will report even greater=20=

worry =97 56 percent were very concerned, 18 percent somewhat concerned =
=97=20
about abuse by employers. But despite their worries, the Markle=20
respondents were eager to reap the benefits of Internet technology =97=20=

for example, having easy access to their own health records.

Companies that have tried to use computers to increase the efficiency=20
of medical care say their success has hinged on security. =93The privacy=20=

piece was critical,=94 said Al Rapp, corporate health care manager at=20
United Parcel Service, which recently introduced a health care program=20=

built on computerizing the records of 80,000 nonunion employees.

U.P.S. offers to add $50 each to workers=92 flexible spending accounts =
if=20
they agree to supply information for a personal =93health risk=20
appraisal.=94 They can receive another $50 if spouses also participate.=20=

More than half accepted, Mr. Rapp said, with the understanding that the=20=

information would go to data archives at UnitedHealth Group and Aetna.=20=

=93We are not involved in any way,=94 he said, referring to U.P.S.=92s=20=

managers.

Aetna and UnitedHealth combine these appraisals with each person=92s=20
history of medical claims and prescription drug purchases. When the=20
software signals a personal potential for costly conditions like=20
diabetes, heart problems and asthma, an insurance company nurse, or=20
health coach, telephones the employee with suggestions for preventive=20
care and reminders for checkups, taking medications and the like.

=93The employee can tell the nurse who calls that they don=92t want to=20=

participate,=94 Mr. Rapp said. =93Thus far, it has been very well=20
accepted.=94

Last week, he said, the health coach reached out to the spouse of an=20
employee after noting that her condition and weight suggested a=20
potential risk for a heart attack.

=93She asked this person, =91Are you taking your cholesterol medication,=20=

Lipitor?=92 She said, =91I won=92t take Lipitor,=92 =94 and went on to =
mention=20
the side effects she had read about on the Internet, Mr. Rapp said.

The nurse informed the woman=92s doctor, who changed her prescription to=20=

a similar drug, Mr. Rapp said. He added that he was one of =93a very few=20=

select people in the human resources department=94 who are permitted to=20=

see personal health records, under the federal privacy rules.

=93I can see the names, to see the issues,=94 Mr. Rapp said. =93I manage =
the=20
program. I have responsibility for the success of the program.=94 But he=20=

added that he was prohibited under the law from sharing the employee=92s=20=

data with other U.P.S. managers. =93Generally speaking, U.P.S. would =
have=20
no knowledge of it,=94 Mr. Rapp said.

Still, worries linger across the health care system. Hospital=20
executives say that private investigators have often tried to bribe=20
hospital employees to obtain medical records that might be useful in=20
court cases, including battles over child custody, divorce, property=20
ownership and inheritance.

But computer technology =97 the same systems that disseminate data at =
the=20
click of a mouse =97 can also enhance security.

Mr. Liss, of NewYork-Presbyterian, said that when unauthorized people=20
tried to gain access to electronic medical records, hospital computers=20=

were programmed to ask them to explain why they were seeking the=20
information.

Moreover, Mr. Liss said, the computer warns electronic intruders: =93Be=20=

aware that your user ID and password have been captured.=94


Copyright 2006 The New York Times Company=