The New Enemy of Privacy: Big Bucks

Challenge, May, 2000 by Amital Etzioni

Additional concerns are raised by the fact that, once online, health information can be linked with other, nonhealth data sets, such as an individual's credit report, to create encompassing personal dossiers. In 1995, Equifax, the giant consumer credit reporting agency, announced it would supply computerized medical records systems in addition to consumer credit reports. Together, these personal data may be used by employers, private investigators, lawyers, or others who may have a nonbeneficent interest in an individual's personal health or life-style, or almost anything else.

The prestigious Institute of Medicine, part of the National Academy of Sciences, concluded that all of these developments

raised numerous issues, including (1) worries on the part of health care providers and clinicians about use or misuse of the information health database organizations will compile and release, and (2) alarm on the part of consumers, patients, and their physicians about how well the privacy and confidentiality of personal health information will be guarded. (Institute of Medicine, Health Data in the Information Age: Use, Disclosure, and Privacy [Washington, DC: National Academy Press, 1994], 3)

Authorized Abuse

Most violations of privacy of medical records are the result of legally sanctioned--or at least tolerated--unconcealed, systematic flows of medical information from the orbit of the physician-patient--health insurer and health management corporations to other, non-health-care parties, including employers, marketers, and the press. I refer here not to the occasional slipup or the work of a rogue employee, cases that often violate ethical codes or laws, but to the daily, continuous, and numerous disclosures and usages that are legal but of highly questionable moral value and intent, acts that may be labeled authorized abuse.

One major problem area is the disclosure of information by some health insurance companies to employers, information that employers then use to the detriment of prospective or current employees. In a 1996 survey conducted at the University of Illinois at Urbana-Champaign, 35 percent of the Fortune 500 companies acknowledged that they draw on personal health information in making employment decisions. These companies employ many millions of people.

Another example of authorized abuse is when corporations that self-insure (provide their own health insurance plans to their workers) draw on their personnel departments or medical claims divisions for privacy-violating data. According to recent figures from the General Accounting Office and the Employee Benefit Research Institute, as many as 48 million people are involved in this practice. A 1991 survey by the Office of Technology Assessment found that one-third of employers used their personnel departments to examine the medical records of their employees, without notifying these employees.

Another avenue of employer access to personal medical information is exemplified by the Southeastern Pennsylvania Transit Authority (SEPTA). SEPTA had contracted with Rite-Aid pharmacy to provide prescription benefits to its workers. The contract included a requirement that the pharmacy provide SEPTA with systematic access to employees' prescription records. In one case, the supervisor of an employee was told that the employee was taking medication for AIDS. While it is unclear how the information was used in this case, one can imagine how such data could be abused.