Within the past year and a half, a substantial amount of attention has been paid to the issue of the privacy of patient records. The Health Insurance Portability and Accountability Act of 1996 required the Secretary of Health and Human Services to make recommendations to Congress on ways to protect the privacy of medical records. Secretary Shalala submitted her proposals to Congress on September 11, 1997. A copy of her proposals can be found at http://www.hhs.gov/progorg/asl/testify/t970911a.txt. The National Academy of Sciences and the National Association of Insurance Commissioners have issued recommendations of their own, located at http://www.naic.org [Click on "committee activity," then "model acts"]. Senator Robert Bennett (R. - Utah) has circulated draft legislation entitled the "Medical Information Confidentiality Act" that may well be the focus of congressional action this coming year.

Two developments account for this flurry of interest. The first is the growth of electronic medical record-keeping in place of paper records. The National Academy of Sciences report states that the health care industry spent between $10 and $15 billion on information technology in 1996. Much of this expenditure is attributable to creating electronic records systems and converting conventionally stored data to electronic formats.

Electronic medical records ("EMRs") appear to present new threats to maintaining the privacy of patient-identifiable medical records. An EMR can be called up instantaneously by someone with access to the data system and the relevant passwords. Although a paper record can be photocopied and faxed, it is less easy to distribute widely, and requires physical possession for accessibility. Computerized records systems are "black boxes" to many health professionals who are otherwise familiar with traditional records systems; they fear losing control of the systems, and having to rely on computer experts who may not have internalized the privacy-related ethics of the medical profession. At the same time, one hears proposals to link all medical records systems so that patient data can be accessed wherever and whenever patients require medical services. This raises the prospect that access to one portion of one record may afford access to all records on an individual.

A second reason for the increased concern over medical records privacy is the growth of managed care organizations. In the traditional, fee-for-service model of health care delivery, patient records would be produced and retained by the physician or other provider of services. The patient's health insurer would be given access to selected records needed for claims review. Disclosure of the records required patient authorization, although, typically, patients executed these authorizations automatically and in blanket fashion. In a managed care organization, on the other hand, the provider of care and the insurer, in some sense, are the same entity. Any medical information in the possession of the provider also is held by the insurer. This is clearest in a closed-panel HMO like Kaiser but is present, to a varying degree, in all forms of managed care.

The fear here is that the insurer will gain access to medical records that the patient and the provider would not normally transmit, and that the insurer will use the data to take action adverse to the patient's interest, such as limiting benefits or terminating the patient's insurance coverage.

Special problems are created by employer-sponsored health plans. Here, the plan is essentially the same entity as the employer, and the concern is that the employer will have access to medical information possessed by the health plan and will use the information contrary to the employee's interests, such as to terminate employment.

The basic solutions that are being proposed are, first, to require record makers and keepers to implement a set of technical steps to protect the security of medical records, and, second, to impose penalties on makers and keepers of records who release them for unauthorized or inappropriate purposes.

Technical steps being touted include unique patient and access identifiers; "audit trails," which are electronic methods of detecting and recording the identities of anyone who accesses a record; encryption of external transmissions of record information; appointment of internal information security officers with responsibility to police record-keeping practices; and "firewalls," which are electronic barriers that isolate records systems from unauthorized access or penetration.

The problem is that these techniques are expensive and no one is sure how well they work. I received a glimpse of how unrealistic these solutions might be at a meeting on medical records privacy I attended this past fall as a member of a joint working group of the Joint Commission on the Accreditation of Healthcare Organizations ("JCAHO") and the National Committee for Quality Assurance ("NCQA"), the organization that accredits managed care organizations. One member of the working group, the person in charge of medical records at a large managed care plan, pointed out that neither she nor anyone else in her organization knew what records existed or where they were! She suspected that this was likely to be true of most managed care plans and provider organizations. Moreover, she explained that the greatest single threat to the privacy of medical records was post-it notes: people jotted down their passwords and pasted them on or near their computers. The more passwords, personal identifiers and other electronic steps a person had to take to access records, the more these little reminders would be necessary, rendering the fancy security techniques ineffective.

Some of the other issues that are being debated by policy-makers include:

• Whether to require patient/enrollees to authorize each release of medical records or only to require them to give a blanket release, say upon enrollment. Advocates of blanket releases argue that requiring a signed authorization for every record release would be burdensome and most patients don't care. Proponents of individual authorization respond that this is necessary to alert patients that their records are being disclosed so they can take steps to prevent inappropriate disclosures.
• Whether to establish uniform standards or minimum standards. Managed care organizations and other record makers and keepers like uniform standards because it tells them clearly what they have to do. Some patient advocates propose minimum standards to enable plans to compete for enrollees on the basis of how well they maintain privacy: plans that adopted more stringent security measures could publicize this fact to potential enrollees who have a choice of plan.
• Whether to enact a federal law that pre-empts stricter state laws. A uniform law would facilitate interstate business by allowing a managed care plan to comply with one standard nation-wide. But some patient advocates urge that states be allowed to adopt more stringent security requirements, if only to permit experimentation to see what works best at protecting privacy.
• How much control to give patients over what goes in to and what stays in their medical records. Most privacy proposals would give patients the right to correct inaccuracies in their records but not to delete material. Some patient advocates argue that patients should have the right to block the entry or remove information that they fear would stigmatize them or lead to insurance or employment discrimination. Health care professionals are concerned that incomplete records could interfere with proper medical management. Patient advocates respond that, so long as the incomplete records are marked as such, patients should be permitted to weigh the risks of stigma or discrimination against the risks of a reduced quality of care.

There is almost certainly going to be federal legislation on medical record privacy. But this will not end the debate. Accreditation organizations such as the JCAHO and the NCQA will establish their own standards; managed care plans and provider organizations will adopt their own internal policies and procedures. Meanwhile, the science of electronic records and their security will develop, presenting new options and challenges. Stand by for further reports.