Automatically imported from: http://commons.somewhere.com/rre/2000/RRE.Database.Nation.html
| | |
| --- | --- |
| Red Rock Eater Digest | Most Recent Article: Tue, 15 Aug 2000 |

[RRE] Database Nation
``` [I have heavily formatted this. Apologies for any glitches.]
---
This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" option. For information about RRE, including instructions for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html or send a message to requests@lists.gseis.ucla.edu with Subject: info rre
---
Date: Thu, 23 Dec 1999 18:11:41 -0500
From: "Simson L. Garfinkel"
Database Nation: The Death of Privacy in the 21st Century
Simson Garfinkel
O'Reilly and Associates
January 2000
ISBN 1-56592-653-6
336 pages (est.)
$24.95 (est.)
Table of Contents
1. Privacy Under Attack
2. Database Nation
3. Absolute Identification
4. What Did You Do Today?
5. The View from Above
6. To Know Your Future
7. Buy Now!
8. Who Owns Your Information?
9. Kooks and Terrorists
10. Excuse Me, but Are You Human?
11. Privacy Now!
Annotated Bibliography and Notes
Acknowledgements
Index
"Database Nation by Simson Garfinkel is a graphic and blistering indictment of the burgeoning technologies used by business, government, and others to invade the self -- yourselves -- and restrict both your freedom to participate in power and your freedom from abuses of power. The right of privacy is a constitutionally protected right, and its erosion or destruction undermines democratic society as it generates, in one circumstance after another, a new kind of serfdom. This book is one that you're entitled to take very personally."
Ralph Nader
[The first half of] Chapter 6: To Know Your Future
Note: This is a beta-chapter. It may contain errors such as broken links, missing images, empty tables, and incomplete code.
Did you have an abortion when you were fifteen?
A few years ago, when your marriage was going through an especially rough spot, our records indicate that you were treated for a sexually transmitted disease that your wife didn't have. Does she know?
Is that lonely child with Down Syndrome in the state hospital yours? Why don't you visit her more often?
I told Janice about the headaches you've been having at work. She said that when you guys were kids, your father used to smash your head against the wall. Do you think you might have brain damage?
Did you know that you are adopted?
Most Americans consider their medical records to be the most sensitive pieces of personal information that they have. Medical records are beacons into our past. They reveal secrets about families. They strip us naked, as if we had been prepped for surgery. They remind us about things we would rather forget -- and things that we don't want others ever to discover.
Medical records are also windows into our future. They are imperfect oracles, to be sure -- a healthy person walking across the street can be hit by a truck -- but many illnesses and medical conditions follow a predictable path. People with untreated blockage of their coronary arteries tend to have heart attacks; diabetics who can't control their blood sugar are apt to go blind; people with untreated chronic depression are inclined to attempt suicide. Genetic records can be even more revealing.
But medical records tell as much about the temporarily healthy as they do about the chronically ill. In a world of uncertainties, the precision that comes from knowing a healthy person's weight, blood pressure, and cholesterol level conveys a feeling of predictability. A doctor can't say for sure that you'll live to be 92, but a statistician can tell you that your odds of doing so are 35%. Insurance companies use this information to set rates. Businesses can use this information to help decide who they should train and promote for positions of responsibility.
No Bigger Gap
Medical records are also among the most difficult kinds of personal information to protect. While the actual paper or electronic files can be protected with locks or passwords, individual facts from those records are easily revealed out of malice, for profit, or even by accident.
Consider the case of a young woman in Poughkeepsie, New York, who was in an automobile accident with her fiance in 1982. The pair was taken to the Vassar Brothers Hospital -- where the woman had secretly given birth the year before. When the woman checked in, an attendant pulled up her records from the hospital's computer. "Oh, you had a baby a year ago," the attendant said, in the presence of both the woman and her fiance. It was an understandable slip, but it revealed a world of personal information.
A far more malicious privacy invasion befell U.S. Representative Nydia Velazquez that same year. Three weeks after Velazquez won New York's Democratic primary, she received a telephone call from Pete Hamill, a reporter at the New York Post. Velazquez testified before the Senate Judiciary Committee in 1994:
He told me that the night before, the Post had received an anonymous fax of my records from St. Claire Hospital. The records showed that I had been admitted to the hospital a year ago, seeking medical assistance for a suicide attempt. He told me that other newspapers across the city had received the same information and the New York Post was going to run a front-page story the next day.
My records were leaked for one purpose only, to destroy my candidacy for the U.S. House of Representatives by discrediting me in the eyes of my constituents. Very few people knew about my situation, and I made a decision of not sharing it with my family. I wanted them to always remember me as a fighter, happy and strong. My father and mother, 80 years old, they did not understand. They still do not understand. When I found out this information was being published in the newspaper and that I had no power to stop it, I felt violated. I trusted the system, and it failed me.
What's even more disturbing is that, in all likelihood, no laws were violated when Velazquez's records were faxed. A doctor can be disciplined or lose his or her license for violating patient confidentiality. Hospitals are required under the state's hospital regulations to have a medical records department that "ensure[s] the confidentiality of patient records" -- and a hospital can lose its accreditation if there is a pattern of confidentiality violations, says Donald Moy, General Counsel of the New York State Medical Society. But no state or local law has criminalized the unauthorized release of medical records themselves. A secretary or a janitor who walks into the hospital's records room and faxes out the records might be violating the hospital's rules, but they wouldn't be committing a criminal act.
"Most people think it's illegal to release medical records. They are unaware that no law exists," says Robert Ellis Smith, publisher of The Privacy Journal. "What they might mean is that release would subject a physician to ethical sanctions or that the victim could sue for an invasion of privacy. You should ask folks who make that assertion [that medical records are protected] to cite the law. In my experience, in no other area of privacy is there a bigger gap between what people's expectation of protection is and what the reality is than in medical records."
As of 1995, 43 U.S. states lacked laws criminalizing the release of medical records. Likewise, there is no federal law criminalizing the improper release of medical records. Such laws are clearly needed, because unauthorized releases are very widespread. According to the 1993 Health Information Privacy Survey by Louis Harris and Associates and Alan Westin, "27% of respondents (representing 50 million adults) report their belief that an organization or person having their personal medical information has disclosed it improperly". "Thirty-one percent of these respondents (representing 8% of the total population and 14 million Americans) go on to report that they were harmed or embarrassed by that disclosure". The study also found that the people most likely to believe that there is a serious problem with medical privacy today are the people on the front lines -- doctors and nurses.
"Most patients would be surprised at the number of organizations that receive information about their health record: their provider, insurer, pharmacist, state public health organizations -- perhaps even their employer, life insurance company, or marketing firms," says Paul D. Clayton, who chaired the National Research Council's Committee on Healthcare Privacy and Security. "Sharing of information within the healthcare industry is largely unregulated and represents a significant concern to privacy advocates and patients alike because it often occurs without a patient's consent or knowledge."
Despite the revelation of her suicide attempt, Velazquez managed to win her election. But Tommy Robinson wasn't so lucky. In 1990, Congressman Robinson was the Republican candidate for Governor of Arkansas, running against Bill Clinton. An insurer leaked to the press that Robinson had problems with alcohol. As it turned out, the diagnosis was in error. Nevertheless, Robinson's loss was attributed in part to the revelation. It's a revelation that might have had profound national consequences, since Bill Clinton was able to use the governorship that he won in that election to launch a successful campaign for the U.S. Presidency.
As hard as it is to protect medical records in doctors' offices and in hospitals, the task pales when viewed in the broader context. There is an ever-increasing proliferation of other kinds of personalized medical information in our society -- information that, if revealed, can be just as damaging as a doctor's diagnosis. Billing records are mailed to insurance companies and other third-party payers. Test results and detailed paper bills are sent to patients. Pharmacies know patients' prescription drugs. When a person buys an over-the-counter drug, the supermarket tape register becomes a kind of medical record. Likewise, there is an increasing assortment of home test kits for blood sugar, ovulation, pregnancy, and drug use. And a new generation of genetic tests is swiftly gaining in popularity -- tests that in many cases can be performed without a person's knowledge or permission. This information is being used, among other things, for marketing. Metromail reportedly has a medical database, called Patient Select, with 15 million names. "For about thirty cents per name, large drug companies can pitch their products directly to angina sufferers, diabetics, or arthritics," reports Amitai Etzioni, citing an article that appeared in Consumer Reports.
In February 1998, the Washington Post revealed that two large drugstore chains, CVS and Giant Foods Pharmacy, were selling prescription drug sales records to Elensys, a Woburn, Massachusetts, marketing and fulfillment company. The companies said that they were only using Elensys to send out mailings that reminded customers to get their prescriptions refilled. But the Post story revealed that the profiles were also being used for targeted marketing -- and were being shared with other drug manufacturers. Giant Foods immediately said that they would curtail the practice, but CVS refused, at least at first, although it finally gave in to a torrent of consumer complaints. One month later, John Weld, Jr., a resident of South Dennis, Massachusetts, filed a class-action lawsuit against CVS, Elensys, and Glaxo-Wellcome, claiming that his private medical information had been breached and improperly traded.
The Medical Records Fairy Tale
From the outside, Daniel looked as if he was certainly vice-president material. In his seven years with the company, he had relocated twice, revamped a division, and become a senior director. But then, one evening, Daniel's boss discovered a prescription bottle inside Daniel's medicine cabinet when she was over for dinner (she had been looking for an aspirin). A few telephone calls revealed that the drug was used for controlling hypertension -- and that Daniel had a 15-year history of high blood pressure. The company's doctor said that people with Daniel's condition usually die within five to thirty years -- but every case is different. So when Daniel's annual review came up, he got a hefty raise but not a promotion. After all, why give the guy more stress? And why groom a person to be one of the company's top executives when he might not be around in ten years?
Once upon a time, medical records had a very specific purpose: they provided a detailed record of a person's encounters with the medical establishment so that future encounters might have a higher chance of having a positive outcome. People had a vested interest in making sure that their medical records were correct.
Today, medical records have an expanded role -- a role that doesn't involve primary healthcare. They are used by employers and insurance companies to decide who should be hired and insured. They are used by hospitals and religious organizations to solicit donations. Even marketers are buying up medical records in search of sales leads. Whereas people once had an incentive to make sure that their medical records were complete, accurate, and up to date, nowadays many people feel pressured to compartmentalize their medical records so that, when they are inevitably disclosed, the damage will be minimized.
Medical records were once seen as sacrosanct. Today, medical records are routinely sought and used in lawsuits to discredit witnesses, especially in cases of rape. Politicians and criminals alike have their medical records reported in the media without their permission. Ironically, the rapid proliferation of medical knowledge to the lay public is making the release of personal medical information all the more damaging. Medicine is a complex, largely ad hoc science, with many rules but many more individual exceptions. In untrained hands, a person's medical history or profile frequently becomes a tool to justify prejudice or an already decided outcome.
The confidentiality of psychological records is particularly under attack, says Dr. Denise Nagel, executive director of the National Coalition for Patient Rights. Lawyers, HMOs, life insurance companies, and others are routinely demanding access to psychological records -- and in so doing, they are jeopardizing the nation's entire mental health system.
"A person's willingness to share sensitive, often embarrassing information is dependent on being assured confidentiality. It is the basis of trust in the relationship," says Nagel. Recovery from many kinds of mental trauma and diseases requires that the issues discussed during therapy remain secret. The U.S. Supreme Court reached the same conclusion in the 1995 case Jaffe v. Redmond, Nagel notes, when the court ruled that conversations between a patient and a licensed social worker or therapist, even one who does not have a medical license, are nevertheless protected conversations about which testimony cannot be compelled unless the judicial need for disclosure clearly outweighs the patient's privacy interests. "Quality healthcare is rooted in the imperative need for confidence and trust," and that trust must not be lightly breached, the court concluded.
Nevertheless, these same records are often sought by lawyers of alleged rapists. The attorneys then typically threaten to take the records into open court, in an attempt to disprove the credibility of their client's accusers, unless the victim drops the charges.
Such behavior by a defense attorney might itself seem criminal, or at least unethical, but it is standard practice in many rape trials. For example, a rape victim might have frequently fantasized about being raped when she was young; she now finds herself profoundly disturbed and unable to come to terms with the fact that the crime has finally happened to her for real. The victim might go through months of therapy to come to terms with this realization, only to be forced to listen in court to a defense attorney's theory that the woman might somehow have encouraged her attacker and been a willing participant.
Parents, meanwhile, are increasingly demanding to have access to the psychological records of people who come into contact with their children. In West Virginia, parents demanded to see the medical records of a school bus driver who had made strange remarks while driving children. The school superintendent investigated and said the man was on medication and his condition posed no harm to the children. But the parents sued, and in 1986, the state's supreme court sided with the parents, saying that they were entitled to see the driver's complete medical file -- including his psychological records.
Privacy Is Your Doctor's Responsibility
A placard on the wall of my local hospital says "Please Respect Patient Confidentiality". And in a very important way, this sign says it all. Hospitals and other medical facilities need to rely on the ability of their employees to hold patient secrets. Doctors, nurses, clerks, and even janitors all see highly charged information. A hospital that tried to shield its employees from all sensitive patient information would quickly cease to function.
Fortunately, in most cases, this trust seems well placed. I have never met a doctor or a healthcare professional who did not seriously undertake their responsibility for patient confidentiality. Patient privacy is at the very core of the healthcare profession. It goes all the way back to Ancient Greece and the Hippocratic Oath, which says, in part: "All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal."
What complicates the confidentiality process is the fact that between 50 and 75 people need access to a patient's chart during a typical hospital visit. Keeping a secret requires everybody's cooperation: revealing it requires just one bad apple. Many hospitals hire temporary administrative workers who have little or no training in medical ethics. Other healthcare facilities are actively downsizing, creating employees who have a grudge against their employer. As the cases of Nydia Velazquez and Tommy Robinson demonstrate, it is all too easy for a careless and motivated insider to shatter the wall of medical privacy.
Over the past 50 years, military intelligence agencies and major corporations have developed techniques for preventing the theft of confidential information and for tracing the sources of leaks. People are given personalized copies of records. Photocopies are logged. People have their bags searched upon entering or leaving a secure facility. These techniques are simply impossible to implement in the healthcare workplace. And for the most part, they are unnecessary.
But leaks do happen -- and not just to people running for elected office. Since the outbreak of the AIDS epidemic, there has been case after case of people who have lost insurance or their jobs when it was revealed that they were infected with the HIV virus. In 1989, the FBI canceled the contract of a physician who had performed preemployment and annual physical exams for the Bureau in San Francisco when it learned that the physician had AIDS. In Salt Lake City in the early 1990s, a vitamin manufacturer fired Kim Allred when he tested positive for a marijuana derivative found in the prescription drug Marinol; when the company learned that he was taking the drug for AIDS, it refused to rehire him. At the Princeton Medical Center in 1987, a practicing surgeon named Dr. William Behringer was treated at his own facility and was diagnosed as suffering from AIDS. "Within hours of his discharge, he received many calls from well-wishers who evidently had learned of his condition. Most of the callers were his colleagues at the Medical Center. After that, patients called. Soon his surgical privileges were suspended by the hospital. A court found the breach of confidentiality the fault of the hospital," read an account in War Stories Volume II, published by the Privacy Journal.
These stories show another side of the medical information privacy dilemma as well. You don't need to photocopy somebody's medical chart in order to destroy their medical privacy -- all you need is to leak a single declarative sentence like "Nydia Velazquez attempted suicide" or "Dr. William Behringer has AIDS". Indeed, as demonstrated by the Tommy Robinson case, the statement doesn't even have to be true -- just believable.
When I started dating my wife in 1993, we went together to get tested for AIDS at Boston City Hospital. The clinic was one of several in the city specifically set up to allow for anonymous testing. The nurse who took my blood had no idea who I was and never asked for any identification. She gave me a control number when I left so I could learn the results. But when my wife and I returned a week later, a woman who was volunteering at the clinic recognized me from a class we had taken together at MIT. Should that volunteer have been legally prohibited from telling people that she had seen me at the clinic? What about other people who happened to be in the waiting room who might have recognized me?
The problem here is one of segregation. The goal of anonymous AIDS testing is to allow individuals to be tested without the creation of a record. But by creating a special place for the anonymous delivery of a particular medical service, the privacy of the individuals becomes dependent on their continued anonymity. If there were multiple medical services delivered anonymously at the clinic, then merely recognizing a person at the clinic's doors would not compromise that person's ultimate medical privacy. Rape crisis centers and abortion clinics ("women's clinics") present similar problems. One solution would be the reintegration of these services into mainstream medical practices.
Some people take the reverse point of view. They think that the best way to handle the morass of medical privacy is simply to eradicate it: unlock the files and the databanks, and make everybody's medical records freely available. David Brin, author of The Transparent Society, is a big proponent of this viewpoint. I actually believed it once myself; transparency has a simple elegance. I figured that everybody has some sort of medical condition or problem: the best way to destigmatize our diseases is to air them in public.
The problem with opening everybody's medical records is that everybody has a different body. Some of those bodies are diabetic. Some have asthma. Some have inherited genetic diseases. Some have brains that are mildly schizophrenic, but controllable with medication. And some bodies are genuinely healthy. Opening up everybody's medical history to public scrutiny opens up people to all manner of discrimination and personal attack, for which there are seldom workable remedies. One of the purposes of privacy in society is to protect us from other social problems that we have not yet eradicated.
Even if some futuristic and enlightened society manages to respect and value the sick in ways that we can't today, there is yet another overriding reason to abide by patient privacy. People who have managed to master their own physical or mental ailments deserve to go about their day-to-day lives without being constantly reminded of those problems by well-wishers. And as I mentioned earlier, the promise of confidentiality for psychological records is a fundamental need in order to have effective treatment for psychological diseases.
People deserve and require control over their own medical matters and privacy for their medical records. Doctors and nurses understand this. But the healthcare establishment increasingly doesn't care.
Privacy Is Not Your Insurance Company's Responsibility
While my local hospital is busy reminding its employees to respect patient confidentiality, my health insurance company is busy reminding me that privacy is not compatible with its way of doing business.
Like nearly all Americans, in order to have my insurance pay for a doctor's visit, I have to fill out a claim form. And at the bottom of the form is a little contract that washes away any quaint preconceptions of privacy that I might have. The contract is called a consent form. It says:
I authorize any physician, hospital, or other medically related facility, insurance company, or other organization, institution or person, that has any records or knowledge of me, my dependents, or our health, to disclose, whenever requested to do so by CNA or its representatives, any and all such information. A photostatic copy of this authorization shall be considered as effective and valid as the original.
I'm not a lawyer, but it doesn't take a lawyer to understand what this consent form means. As a precondition to having my insurance company reimburse me the $50 for the doctor's visit and the $14 for my antibiotics, I authorize everybody to divulge all of my records to anybody. This blanket authorization covers all records: school records, tax records, and bank records. It even covers those embarrassing love letters I wrote to my ninth-grade girlfriend. And it is an indefinite authorization, with no expiration date or time period.
Some people think that consent forms such as this one are not enforceable. These people have a reasonable expectation that my insurance company might call up my doctor to get a diagnosis or additional proof that a particular service was rendered, but they doubt that an insurance company would go after all of those other files. After all, there is no legitimate business reason for them to do so. That's just plain common sense, isn't it?
The problem with this common-sense approach to legal contracts is that it is often wrong. The authorization form means what it says it does. "Any records" means any records. "All information" really does leave nothing out. The blanket authorization allows the insurance company to go after any personal record it wants.
"The reason that [the claim form] is worded that way is so that we can get the information that we would need" to detect fraud, says Roger Morris, a spokesperson for CNA insurance. "It's not our goal to accumulate information on individuals, but it is our goal to try to protect the interests of our policy holders". The overly broad release allows the insurance company to investigate cases of suspected fraud without fear of being sued for invasion of privacy. These corporate savings eventually translate to lower insurance premiums for everybody, says Morris. Of course, the savings also translate to higher corporate profits.
Health insurers say further that there is no reason for us to worry about providing them with sensitive information. "The insurance industry has a pretty good record helping to maintain privacy. We are required and committed to following laws on the books," says Richard Coorsh, the spokesperson for the Health Insurance Association of America.
The American public may feel otherwise. According to the 1993 Harris-Equifax survey on healthcare privacy issues, 15% of those who had their medical confidentiality violated -- representing 7.5 million people -- said that it had been violated by insurance companies.
Another person who feels otherwise is George Washington University professor Amitai Etzioni, author of The Limits of Privacy. In his book, which is generally critical of privacy, Etzioni nevertheless affirms the importance of privacy for medical records. And the real threat to medical records privacy, writes Etzioni, isn't government: it's business.
To try to understand the motivation behind the authorization form, I called up Albert H. Wohlers & Co., the Illinois-based company that administrated my insurance policy for CNA. I spent an hour working my way up through a chain of claims processors and supervisors, until I was finally transferred to the office of James Malik, who I was assured would be happy to answer my questions. But when I got to Mr. Malik's office, I was informed by his assistant that I couldn't talk to him. I asked for his title; she wouldn't tell me. I asked for her name, and she wouldn't tell me that either. She said that if I had a question, I should submit it in writing. Then she hung up on me.
The treatment that I got at the hands of Albert H. Wohlers & Co. is symptomatic of a deep-rooted problem with the U.S. healthcare industry. Healthcare is a weird confluence of money and medicine, and it's played by the rules of billion-dollar companies. No matter how strange or arbitrary those rules may seem, they are the rules. If you wish to get insurance, see your doctor, or have your hospital visits paid for, you will play by them. And since insurance companies save money when they lose customer claims, they actually have a financial incentive to offer poor customer service. All of this is true because the people paying the insurance company's bills are not those who are utilizing its services.
We should also be fearful of the nonmedical uses that businesses make of medical records, warns Etzioni, who cites an unpublished 1996 study which found that "35 percent of the Fortune 500 companies acknowledged that they drew on personal health information in making employment decisions." One of the most common ways that employers get this information is from insurance companies or from self-insured health plans -- that is, plans that are administered by professional health insurance companies but paid for by the businesses themselves. (Such self-insurance plans are exceedingly popular because they give big businesses more flexibility under the law to violate their employees' rights.) One of the cases that Etzioni cites is that of a Southeastern Pennsylvania Transit Authority (SEPTA) employee who was taking AIDS medications. SEPTA learned of the medications when it was asked to reimburse their purchases, and the information was provided to the man's supervisor.
By reading the authorization paragraph at the bottom of my health insurance claim form, I was doing something subversive. Many don't read the forms they sign during their day-to-day lives -- the forms are too depressing. These forms and the policies behind them create and reinforce feelings of powerlessness. They are the trappings of a system that's been gimmicked against the consumer. We do not have the choice either to negotiate or to strike our own deal. Our only choice is to submit.
Nobody Knows the MIB
As part of his Ph.D. thesis at the Harvard Business School on privacy policies in corporate America, Jeff Smith surveyed more than a thousand people on a variety of privacy issues, and conducted in-depth interviews with several dozen. One of the key questions he asked was whether people had ever heard of a company called the Medical Information Bureau (MIB). What he found wasn't terribly surprising: they hadn't.
Only one consumer in the sample was aware of the existence of MIB, even though all but two of the consumers had applied for life insurance and had gone through an underwriting process. One can only conclude that the consumers had not read the insurance application forms very carefully, since the MIB notification was surely included. However, this lack of awareness may also point to some inadequacies in the notification procedure.
I asked my wife if she knew what the Medical Information Bureau was. She said that she didn't. I then showed her a medical insurance application that she had filled out nearly two years before. It included these two paragraphs:
I AUTHORIZE any physician, medical practitioner, hospital, clinic, other medical or medically-related facility, the Medical Information Bureau, Inc., (MIB, Inc.), consumer reporting agency, insurance or reinsuring company, or employer having certain information about me or my dependents to give John Alden Life Insurance Company or its legal representative any and all such information. The nature of the information authorized to be disclosed includes information about: (1) physical condition(s), (2) health history(ies), (3) avocation(s), (4) age(s), (5) occupation(s), and (6) personal characteristics. This authorization includes information about: (1) drugs, (2) alcoholism, (3) mental illness, or (4) communicable diseases.
I UNDERSTAND the information obtained by use of the Authorization will be used by JOHN ALDEN LIFE INSURANCE COMPANY to determine eligibility for benefits. I ALSO AUTHORIZE JOHN ALDEN LIFE INSURANCE COMPANY to release any information obtained to reinsuring companies, Medical Information Bureau, Inc., or other persons or organizations performing business or legal services in connection with my application, claim, or as may be otherwise lawfully required, or as I may further authorize.
"Is that your signature at the bottom of this form?" I asked her. Yes, it was. She then read the form again. Still, she had no real clue what the MIB was, other than that it was probably some kind of clearinghouse for medical information.
In fact, what the Medical Information Bureau keeps in its computers is information about people. Specifically, every time you report a significant medical condition on an insurance application -- anything from heart problems to skin cancer -- the insurance company can report that condition to MIB. The next time you apply for insurance, your "new" insurance company will pull your MIB file and find out what you previously reported.
In theory, MIB is supposed to prevent people who have significant medical conditions (and have been repeatedly rejected when they apply for insurance) from suddenly omitting their conditions from their applications and then getting health and life insurance with low-cost premiums that are reserved for healthy people. MIB helps "keep the cost of insurance down for insurance companies and for consumers by preventing losses that would occur due to fraud or omissions," says Neil Day, MIB's president.
MIB isn't supposed to be a medical blacklist. Member insurers are officially forbidden from using the information contained in MIB's files as the basis for denying insurance. Instead, they are only allowed to use the information as the basis for further investigation. At least, those are the rules.
MIB was organized in 1902 as a nonprofit trade organization; today, roughly 750 insurance companies belong. MIB's files don't contain medical records, test results, or X-rays. Instead, each person's file contains one or more codes that stand for a particular medical condition that has been reported for that person. There are codes that signify diabetes, heart problems, and drug abuse. Some codes are very detailed. For example, Jeff Smith found that MIB had five codes for AIDS:
- AIDS-related complex or condition (ARC) or acquired immune deficiency syndrome (AIDS).
- Unexplained history of thrush, other opportunistic infections, weight loss, generalized chronic swelling of lymph nodes, persistent fever, or diarrhea.
- Abnormal T-cell study.
- Abnormal blood test for which there is no specific code.
- Two or more different types of antibody tests indicating exposure to the HTLV-III (AIDS) virus; this code is no longer used.
Not all of the codes at the Medical Information Bureau are medical, Smith noted. For example, MIB has five codes that indicate a dangerous lifestyle, including "adverse driving records, hazardous sports, or aviation activity". These codes correspond to similar questions asked by most life insurance firms.
MIB is thus the official insurance agency gossip columnist. MIB helps make sure that if one life insurance company rejects a person on medical grounds, then other life insurance companies will be made aware of the ailment and reject that person as well.
MIB has been the subject of ongoing controversy since the 1970s, when its existence first became generally known. At the root of the controversy is the organization's penchant for secrecy. For many years, insurance agencies consulted MIB without telling applicants about the files. MIB was not mentioned in the few books on consumer issues and consumer privacy. MIB even had an unlisted phone number. Today, the secrecy continues, if to a lesser extent: MIB won't release the list of codes that it uses.
Day explains:
The whole point of a code list is to protect confidentiality. The MIB report is very brief. It is about a 2 * 2 piece of paper that has, on average, between two and three codes. The codes are generally three digits -- "321" -- sometimes there are additional letters -- it might be "321XYZ". A major point in protecting confidentiality is to have a code list which is used by authorized persons at insurance companies, but not to have that code list available to anyone else.
Keeping secret the mapping between the actual code and the conditions that the codes stand for does protect privacy, to a certain extent. But no privacy is gained by keeping secret the list of coded conditions. Put another way: is any patient confidentiality lost by my reporting that MIB has in its files the five AIDS-related codes printed above? By keeping secret not just the codes but also the English descriptions of what each code means, MIB has left itself open to the attack that its files contain more than just medical information. In the past, says Privacy Journal publisher Robert Smith, MIB had codes that stood for "sexual deviance" and "sloppy appearance". Day disagrees, but since MIB won't release the list of conditions for which it has created codes, there is really no way to know for sure.
There have also been disagreements over the accuracy of MIB's files. The Fair Credit Reporting Act specifically exempts medical records, but MIB agreed to be voluntarily bound by the rules after a 1983 examination by the Federal Trade Commission. Since then, MIB has received roughly 15,000 requests by individuals each year, says Day. Between 250 and 300 patients per year argue with the contents of their report, he says. Overall, "97% of all consumers who received their MIB report [in 1996] found that their MIB record was accurate," reads a company pamphlet.
But if you happen to be one of those 300 patients, you might find yourself without medical or life insurance. In 1990, the Massachusetts Public Interest Research Group (MASSPIRG) did a study on MIB and found numerous cases in which erroneous records in the company's files had prevented people from getting insurance. In one case, says Josh Kratka, a MASSPIRG attorney, a Massachusetts man told his insurance company that he had been an alcoholic but had managed to remain sober for several years and that he regularly attended Alcoholics Anonymous. The insurance company denied him coverage and forwarded a code to MIB: "alcohol abuse; dangerous to health". The next company the man applied to for insurance learned of the "alcohol abuse" through the information bureau and charged the man a 25% higher rate.
In another case, a clerical error caused a woman's records at MIB to say that she carried the AIDS virus. "It was only after unusual intervention by the state regulatory board," because the woman worked for a physician, that the records were corrected, MASSPIRG discovered.
MIB claims that if these people were rejected from getting insurance as a result of the MIB report, then the report was being used incorrectly. And the company stresses that MIB reports are based on insurance applications -- never on claims. But this protest rings hollow in light of insurance claim forms, which specifically give the insurance company the right to report claim information to MIB.
"The MIB guidelines are clear, but only a series of independent audits of life/health insurance companies would yield a definitive answer regarding actual practices," says Jeff Smith. "To the best of my knowledge, no researcher outside the industry has conducted such a series of audits."
Forcing Physicians to Lie
Indeed, insurance companies obtain information from a variety of sources, including the Disability Insurance Record System (DIRS) and the Health Claims Index. And the fact that insurance companies are lawfully allowed to deny consumers health or life insurance because of preexisting conditions has put doctors under a tremendous amount of pressure. On the one hand, doctors clearly have a professional and legal requirement to keep accurate records on their patients and submit truthful billing statements. On the other hand, doctors know that if they are truthful in their diagnoses, they might be creating notations in their patients' healthcare records that will prevent the patient from getting insurance in the future. Even without a written diagnosis, much of what insurance companies want to learn can be gleaned automatically from billing codes.
"Insurance companies collect tremendous amounts of information," says Dr. Peter Tarczy-Hornoch, who directs numerous telemedicine projects at the University of Washington Medical Center. The information is "not the really cool sexy information". Instead, it's things like "What medical diseases did your grandmother have? Have you ever been hospitalized with a drug or alcohol problem? Do you have a problem that is expensive to take care of that you have previously taken care of? They are not particularly concerned with accuracy. It's a screening process. Ninety percent is good enough for a lot of this stuff."
Ninety percent is good enough for a medical insurance company to figure out if it should try to sell you life insurance, or if it should turn down your application. Ninety percent is good enough to decide how far to hike your or your company's insurance rates when it's time to renew. Ninety percent is good enough to systematically exclude the people most likely to need health insurance in the first place. And what if you happen to be one of the unlucky 10% who are denied insurance or face higher premiums even though there is really nothing wrong with you? Your best bet is to try another insurance company and hope that your erroneous information hasn't been forwarded to MIB.
Faced with this dilemma, some doctors have chosen to lie. Instead of putting down a particular diagnosis or billing code, they use a code that has a similar reimbursement rate but lacks the social stigma and long-term insurance implications. For example, says Tarczy-Hornoch, a doctor might use the billing code for "adjustment disorder" instead of "depression."
Medical professionals call these alternate diagnoses surrogates. The practice has questionable legality -- it is a kind of fraud, after all -- and there are no good statistics regarding its prevalence. But it is clear that surrogates create a kind of cat-and-mouse game between doctors and insurers, with insurance companies constantly trying to figure out what surrogates are currently in vogue, and with doctors trying to figure out new ones. What complicates the game is the fact that different doctors in different parts of the country use different surrogates, and that some people actually have the surrogate conditions, rather than the nastier conditions for which the surrogates stand.
My wife and I discovered this particular side effect of surrogates in 1994, when Beth applied for health insurance. The insurance company gave Beth a form to have her therapist fill out. When the form was returned, the insurance application was denied.
The reason Beth was denied, we later learned, was that Beth's therapist had told the insurance company that Beth had been seen and diagnosed with a case of "generalized anxiety". There was good reason for Beth's anxiety -- she had been seen just three weeks before we were getting married! But the problem was that other therapists in our area had taken to using "generalized anxiety" as a surrogate for a patient who has depression and is being treated with antidepressants. Understandably, the insurance company didn't want to take on a potentially expensive customer like my wife. After all, insurance companies only make money when they insure the healthy.
In August 1996, President Clinton signed the Health Insurance Portability and Accountability Act. Under this law, U.S. health insurance companies are forbidden from excluding new employees from their employer's group health insurance packages because of preexisting conditions. But that is as far as the act goes. Insurance companies must offer coverage for preexisting conditions, but they can do it at astronomical rates. They can also choose not to renew an entire company's health insurance package because one person joined the company who had an expensive preexisting condition. This might not impact a company like IBM or Exxon, but it can be a major factor for small businesses. The act only covers employees who are changing from one employer's health insurance program to another -- it doesn't cover people who are self-employed, or those who have to buy their own health insurance because they work at companies that don't provide health insurance to their employees. Finally, the act says nothing about life insurance, which has a long history of using medical records in a discriminatory manner. After all, it's life insurance companies that created MIB in the first place.
A Right to Your Self
As we move into the twenty-first century, it is unthinkable that people would be denied access to their own medical records. Indeed, 96% of Americans believe that the right to be able to obtain a copy of their own medical record is important, and 84% believe it is "very important". Yet for many Americans, no such right exists.
According to the Privacy Journal's Compilation of State and Federal Privacy Laws, only 23 states give patients the right to view their own medical histories (see the sidebar). Despite the laws, however, even residents of these states sometimes find that their doctors deny them access to copies of their records.
How can you get around this conundrum? Lie. Advise your doctor that you're moving, and that your medical records should be copied and sent to a doctor in another state. Of course, instead of giving the name of just any doctor, give the name of an old college friend whom you've notified and who knows what to expect. In my experience, this piece of subterfuge has never failed to work.
States That Grant Patients the Right To View Their Own Medical Records
- Arizona
- California
- Colorado
- Connecticut
- Florida
- Georgia
- Hawaii
- Illinois
- Indiana
- Kansas (mental records only)
- Louisiana (partial access)
- Maryland (partial access)
- Massachusetts
- Nevada
- New York
- Ohio (law applies only to hospitals)
- Oregon (law only encourages open access)
- Rhode Island
- Tennessee (law applies only to hospitals)
- Utah (records are provided to the patient's attorney, not the patient)
- Virginia
- Wisconsin
According to the 1993 Harris-Equifax survey, most Americans (87%) believe that they "know everything" or "have a general idea, but don't know in detail" what's in their medical records. And approximately one in four Americans have asked to see the contents of their medical records. When they've asked to see it, 92% were able to get a copy. Of those who were denied this fundamental right, 31% were told that the medical record couldn't be located; 25%, representing four million Americans, were simply denied the request, with no reason given.
Such problems are considerably worse overseas. In Germany, for example, individuals not only do not have a right to see their medical records, but there is also a tradition of hiding diagnoses of cancer and other stigmatized diseases from the sick and, in some cases, from family members. Germany is now creating a national cancer registry, and it is taking considerable pains to use sophisticated cryptographic algorithms to scramble the names of people who are entered into the system. But the purpose of the cryptography is not to protect people's identity or privacy. In fact, it's just the opposite: the cryptographic controls are designed to prevent a person diagnosed with cancer from accidentally discovering his own diagnosis.
Denying people access to their own medical records is fundamentally wrong. Twenty-five years ago, the drafters of the Code of Fair Information Practices realized that there must be no records kept on a person that the person cannot inspect and correct. It is astonishing that, even in countries with progressive privacy protection, this practice continues.
Ironically, increased access to a patient's own records is one of the benefits of the lack of medical records privacy today. With physicians so willing to send medical records to insurance companies and to other doctors, it's all but impossible to keep these records out of the hands of a determined patient. In fact, the combination of patient rights movements, increased health insurance portability, and the trend toward self-employment will all likely result in giving people increased access to their own medical records in the coming years. But exploiting the lack of confidentiality in medical records is a lousy way to assure patient rights. ```