Medical privacy is a hot news topic these days and for good reason. According to the California Health Care Foundation, one in five Americans believes that a health care provider, insurance plan, government agency or employer has improperly disclosed medical information, to the embarrassment or harm of the patient. In order to maintain medical privacy, many patients take steps such as withholding information or avoiding care altogether. The growing loss of trust in the privacy of the health care system will undermine care. It will take more than political platitudes to regain trust.

There is a constant struggle between the “bad guys” who seek to violate medical privacy and “good guys” like the government, whose role is to protect it. So far, the bad guys seem to be winning. Sometimes it’s even hard to tell the good guys from the bad guys, as when government agencies themselves violate privacy.

Last year the American Psychiatric Association (APA) joined other medical groups and the American Civil Liberties Union (ACLU) in criticizing the proposed general “Rule” of the U.S. Department of Health and Human Services (DHHS) regarding Standards For Privacy of Individually Identifiable Health Information. (Published at 64 Fed. Reg.59918-60065 (November 3, 1999).

The following is an excerpt from the ACLU statement objecting to law enforcement access to medical records:

“In September, 1997, pursuant to statutory direction, HHS submitted recommendations to Congress regarding medical privacy that included a proposal for virtually unfettered law enforcement access to medical records. Roundly criticized for this proposal by the ACLU and many other organizations, HHS has now proposed a regulation that appears to establish limits on law enforcement access, but those limits are illusory and establish no meaningful legal process. Indeed, as drafted, the rule contains gaping loopholes that permit computerized medical records to be used as a vast centralized police database. Medical records of ordinary law-abiding Americans must not be treated like mug shots, fingerprints or other current databases compiled from convicted criminals.”

(Read the entire testimony before Congress on the ACLU Web site at <http://www.aclu.org/congress/l021700a.html>)

Other citizens’ groups have joined in the complaint against the DHHS rule, emphasizing the special needs for privacy of psychotherapy records. The Electronic Frontier Foundation at http://www.eff.org/pub/Privacy/Medical/20000216_eff_dhhs_medpriv_comments.html describes law enforcement agencies’ alarming access to electronic medical records.

Does the ACLU exaggerate the degree of law enforcement agencies’ access to medical records? Until recently, you could have looked at the FBI Web site at http://www.fbi.gov/ and read descriptions of a well-staffed FBI program that explores vast numbers of patient records in search of medical fraud. There were three articles from The Journal of Health Care Compliance (JHCC, Aspen Publishers, Inc). All were written by an FBI Special Supervisory Agent and published between January and June of this year (2000). Both electronic and paper records are involved. The records are not limited to those involving treatment covered by Medicare and Medicaid. Records of patients whose care is covered by private plans are also included. The patients whose records are searched never knowingly gave their consent and have no idea that the FBI is doing it.

The documents containing those descriptions suddenly disappeared from the FBI Web site after attention was drawn to them in an earlier version of this story, which appeared on the Internet in September of this year. A version of the story appeared in at least one Internet newsletter and I’ve been told it was also sent to some members of Congress. Some colleagues speculate that the FBI removed the articles because they found them embarrassing. Maybe it was only a coincidence, but it’s enough to arouse curiosity.

Although the articles can no longer be found on the FBI Web site, they can be obtained from Aspen Publishers Inc., at 800-638-8437. They can also be obtained by email from the Maryland Psychiatric Society; jen@mdpsych.org, or call 410-625-0232.

“Health care fraud investigations routinely involve the collection and analysis of documents and statements. The documents can take many forms, including financial records, correspondence, personnel records, patient files, reimbursement claims, audit and compliance reports, regulation and training materials, and system operation manuals. The document medium can also format, and microfilm. The interviews can be of subjects, witnesses, and subject matter experts.”

“These are a description of necessary tools used in health care fraud investigations. They are well established and well defined actions that serve to protect the health care system as well as the public. Securing and executing a search warrant for documentary evidence can be very labor intensive. Processing, storing, and reviewing the seized documents are equally labor intensive tasks.”

If you wonder how many records the FBI looks through, one of the three articles is devoted to a discussion of statistical sampling as a way of saving time and money in the investigation. When the number of records involved is so voluminous that individual record review would take too long to be practical, statistical sampling is considered. Although we don’t know the numbers, that sounds like a lot of records.

It looks as though the FBI works hard going through so many health care records. Health care fraud is a threat to everyone and the FBI should be applauded for its diligence. However, there is another side to this matter. When an agency has such extraordinary powers to invade the privacy of law-abiding citizens, many fear that such power could be misused. Many people believe that this already happens. A well-known current example is the FBI “Carnivore” program of viewing email messages, currently being investigated by Congress. As described above, the ACLU and other organizations think information from medical records may end up in police databases.

There is also the potential for such information being misused for political purposes. Imagine how President Nixon could have used such a program when he felt under siege from his political enemies. Maybe if this FBI program had existed then, it could have saved him the trouble of sending his henchmen to break into the office of Daniel Ellsberg’s psychiatrist in search of damaging information. There is no reason to believe that the FBI engages in illegal activities, but when such systems as this exist; it could be tempting for a corrupt administration to use them for the wrong purposes. Can we be certain that some future President won’t misuse this FBI program to collect information on his opponents?

Does the FBI share information from medical records with anyone else? Of course it does. For example, as indicated in the JHCC articles, it shares with other divisions of the Justice Department, such as the Office of the Inspector General, which has a branch in DHHS to combat Medicare and Medicaid fraud. It also shares with organizations outside the Department of Justice, as described in one of the FBI articles. “The FBI is dedicated to working jointly with federal, state and local investigators; prosecutors; and private industry representatives to formulate effective enforcement strategies, coordinate limited resources, share information,” etc. Among private industry representatives are members of the NCHAA.

The National Health Care Anti-Fraud Association (NHCAA) http://www.nhcaa.org/ is described on its own Web site. It “represents a national cooperative enterprise between private-sector health insurers and public–sector law enforcement and regulatory agencies.” This public-private alliance of forces includes nearly the entire spectrum of federal and state law enforcement and regulatory agencies and eighty-five of the largest private health care payers. They exchange information with one another. Government agencies do most of the investigation and enforcement for both public and private sectors. The FBI has the top investigative role. You’ll find your favorite managed care organizations (MCOs) on the membership list. Some people might be interested to learn that such a relationship exists between government agencies and for-profit MCOs and insurers. It isn’t clear where the boundaries are between public and private. That may not be a good thing.

Recently the Clinton administration answered its critics. On August 20, 2000, The New York Times carried an article bearing the headline, “U.S. Toughens Rules on Medical Privacy, But Some Want More Limits”. Here is an excerpt:

“After nine months of blistering criticism from doctors, patients and consumer groups, the Clinton administration says it has decided to beef up protections for the privacy of medical records, beyond what it proposed last year. But administration officials said the new rules, to be issued before the November 7th election, would not give patients full control of their medical records, as many advocates of privacy rights had recommended.”

The far reaching, complex DHHS rules will touch almost every aspect of the health care system, but will place no new restrictions on the access of law enforcement agencies to medical records. The new rule covers both paper and electronic records. Among other consequences, physicians will be required to warn patients of how personal records might be used or disclosed and to have patients sign forms acknowledging that they have received such notices. Neither patient nor doctor will be able to prevent unfettered law enforcement access to the records. Far from applauding the White House announcement, the ACLU said that since patient consent is not required, the proposed new regulations are a step backward. The ACLU is not the only group expressing such criticism.

According to the Coalition for Patient Rights (CPR) the (Clinton-Gore) administration is expected to issue “medical privacy” regulations this fall that would actually guarantee extensive access to patients’ health-care records. Among those who will be guaranteed such access are employers, insurers, government agencies, and police.

Margo Goldman, M.D. of the CPR cited a campaign speech made by Vice-President Gore on September 19, in which Gore vowed to protect medical privacy. Goldman challenged Gore to protect medical privacy by removing the privacy violations built into the new government “rules”. The new regulations, which are touted by the administration as an improvement over the existing ones, are expected to be released just before the November election.

National CPR believes many of the Vice- President’s proposals would be helpful, but urges him to support additional federal regulations and legislation granting a specific privacy right to patients in the health-care setting. According to CPR, the proposed rules issued by the current Administration do not grant that right, and they also allow patient information to be released without consent for many purposes. Read the entire CPR story at http://www.nationalcpr.org/Gore.html.

The new DHHS Rules are due to be released shortly before the November elections. According to The Times, the White House thinks the announcement will help Gore win. Maybe it will, but not if voters know the facts about the new regulations. If voters become informed on this issue it would be better strategy for a candidate to make a pledge to give patients control over what happens to their medical records. I hope all candidates take this position, and may the best man win.

This story is on its way to publication shortly before the election. By the time it appears, a new President will have been elected. No matter who wins, the need will continue for physicians to work with other citizens to protect medical privacy. A well-known quotation from Thomas Jefferson is worth repeating again. “The price of freedom is eternal vigilance.”