As humankind's facility with analysis and manipulation of its own genetic makeup grows, so grows the potential for including genetic testing as part of the dossier that makes up our individual health information. Likewise, as a person's womb to tomb medical history is compiled, so grows the battery of questions we ask. Where is this information stored? Who can access it? Who has the right to interpret its significance for his/her specific needs?
There have been documented cases of discrimination based on either genetic predisposition to certain conditions or being at risk for an inherited illness. The discrimination was based not on the manifestations of the "illness" itself, but on the potential for expressing symptoms in the future. The results included loss of employment, loss of insurance coverage, and ineligibility for insurance. There is often a presumption that genetic conditions lead to inheritance by offspring, so this affects not just the person who has been diagnosed, but family members as well. We may well be looking at a future with medical records that can not only track us from womb to tomb, but can lay an electronically networked trail that tracks us from one generation's womb to the next generation's womb.
This paper has three parts. In the first, I'll relate some case study experiences with respect to genetic discrimination. In the second, I'll follow what could happen to a family's medical information if it were to flow through the health care network of Alice and Bob as outlined in the National Research Council report, "For The Record: Protecting Electronic Health Information." The situations I describe are broadly drawn, but the principles can be applied to more subtle situations as well. Last, I'll look at the status of some current bills on Capitol Hill and how proposed federal legislation may affect the flow of Alice and Bob's information.
Here are a few of the cases from the study involving Huntington's disease, a fatal, untreatable, autosomal dominant disorder whose symptoms appear in middle age. A genetic test can diagnose the condition.
Hemochromatosis is an iron storage disorder. Some individuals carrying the gene indicating the condition, however, can be asymptomatic. It is treatable by drawing blood, and is autosomal recessive. Here is a case involving hemochromatosis.
MPS disorders are usually associated with mental retardation and enlarged organs.
Alice and Bob are married and in their late twenties. They live with and care for Alice's father, who has Huntington's disease. Alice is employed by a small firm and Bob by a large one which is self-insured. Through Bob's company, they choose a preferred provider organization (PPO) that allows them to choose physicians from a participating group. The organization reimburses services from these physicians at a higher rate than they would for non-participating physicians. It also provides pharmacy benefits.
Like the Alice in "For the Record," she chooses a primary care physician, a member of a small group practice. On her first visit, she fills out the required paperwork. She indicates she will use the health insurance benefits available through Bob's job. Since a party other than herself is paying for some of her charges, she signs a form that would authorize the physician's office to send information to the insurer for claim payments. The release covers all information that may be generated by Alice's future visits to this group.
Although her records for the initial examination are recorded on paper and held at the physician's office, routine blood samples are sent to an outside laboratory. Lab results are returned on a paper copy to the physician's office, and the lab bills Alice for the service. The lab also maintains a record of the test and Alice's identity. Through the third-party administrator (PPO), Bob's firm receives the claim for the office visit and blood test. It then approves payment.
Let's take a look at the Alice we created for this paper. It's one year later, and our Alice and Bob would like to start a family. Knowing that because her father has Huntington's Disease and she is at risk herself, Alice needs to make a decision about her future. Since HD is autosomal dominant, she has a 50% chance of getting the disease. Does she want her husband and children to devote the same amount of time and care to her as she now devotes to her father? =8A the feeding, the bathing, the grief she felt watching the inevitable physical and neurological deterioration? Her husband may be willing to, but her children would have no choice. They would be born into the world of her decision-making, facing both the suffering of their mother and her death at a relatively young age. Suppose she decides to take the presymptomatic test to determine whether she has HD. Let's follow the path of her records. After she decides to take the test and receives the counseling that is incorporated into the testing program, her records follow the path we've already outlined. Blood analysis equipment at the lab records the results and prints a copy which then to goes to the physician. Another copy is retained at the lab, the third party administrator sends the claim on to Bob's firm, and payment is approved. With the addition of a genetic test, how is this picture different? Do our feelings about the situation change? Are we as comfortable with the number of parties who are involved with record-keeping? Would Alice feel comfortable knowing that the results of her test for HD can be read by someone she doesn't know at the blood lab? By the third-party administrator? By someone at Bob's firm?
Let's change the characters slightly. It's Bob's father who has HD and it's Bob who is at risk for Huntington's. It's Bob, who works at a large firm and holds a position of some authority with potential for long-term, steady advancement who considers taking the predictive test. Does the picture shift again? Now how comfortable are we with the claim being sent to Bob's firm? How certain is long-term advancement when an employer begins to question how long the term can realistically be?
Let's change the decision-making process this time. It is Alice again who is at-risk, and feeling that she can live with Huntington's disease, decides not to test herself. She decides, however, that she would like to test her embryo for HD. How might the information on the child's medical record flow? Let's follow the path of these records. When Alice talks to her primary care provider about prenatal testing, the physician refers her to a clinic at a teaching hospital that will test and counsel. The third party administrator approves the consultation and a portion of the fee. Because of the sensitive nature of the testing, Alice's doctor trusts the consultant to keep the information confidential. The test on the embryo is negative. This does not prove that Alice is positive or negative. It is possible that Alice does not have the HD gene and therefore could not have passed on the gene to her child. It is equally possible that Alice *does* have the gene for Huntington's disease, but the embryo, with its 50% chance of inheritance did not get the gene for HD. But there is a further development in this scenario. Bob's company, as a self-insuring entity, asks the third party administrator to provide it with any claims information pertaining to its employees. Although the administrator is sensitive to issues of privacy with respect to patient-identifiable information, he has no legal basis to refuse the request. Over his own reluctance, and keeping in mind the need to maintain the good will of his client, he provides the information. This includes the prenatal tests and counseling for Huntington's disease. The human resource department at Bob's firm sees this information. There is no way to determine who is at risk. Is it Alice? Is it Bob? Should they ask? Do they have a right to know? Not only does the genetic legacy affect future generations, but with the flow of information and the advent of prenatal predictive testing it can affect previous generations. What should the human resources department do with this information? Ignore it? Clarify it? Pass it on? To whom? Act on it? Act on it how?
Let's change the picture for Alice and Bob's family again. We are not focused on Alice's legacy of HD. We are concerned with Alice's mother and grandmother, who died of lung cancer in their early forties. We now trace Alice's records after the birth of her first child as she and Bob decide to buy life insurance. As Alice applies for coverage with a large, respected firm, the insurance company agrees to provide coverage if she passes a physical examination and forwards her medical history. Alice's examination and medical history show that her mother and grandmother died of lung cancer. However, since Alice is not a smoker, she and Bob are free to buy the coverage of their choice because she is not a person the insurance company considers at elevated risk for early death.
Suppose, however, Alice's mother and grandmother died, not of lung cancer, but of breast cancer in their early forties. Aware that there are heritable forms of breast cancer, the life insurance company raises her rates. Is this fair? Is this sound risk management? Is this good business practice? Let's suppose the life insurance company will pay for the examination as long as Alice signs a release permitting the results of the exam to be forwarded to the Medical Information Bureau. Now let's suppose some time has passed. Alice is no longer in her late twenties, but in her early fifties and planning to buy a new life insurance policy. The prospective insurer checks her medical history on file at the MIB that was begun when she was in her twenties. Should her family history be calculated as part of her risk? Generally the breast cancer associated with the newly identified BRCA 1 and BRCA 2 genes affects younger women. Should the now-older Alice be considered part of the general risk category now as opposed to the higher risk category, since she passed the period of life when certain hereditary cancers commonly develop?
What is a "high" genetic risk and what is a "low" genetic risk? Does risk remain constant throughout life? When do we know what is certain and what is simply a predisposition? How do we distinguish between what *will* happen and what *might* happen? When issues of confidentiality arise, how do we protect against uninformed use of genetic information that may be accessed by those without the proper knowledge to make an informed decision? What safeguards exist in our society to balance individual rights to privacy with legitimate societal needs to access and use information?
So let's take a look at the law as it relates to privacy issues and electronic health information. According to the "Milbank Quarterly,"
...a fragmented, incrementalist approach to privacy issues has characterized the US response over the last few decades. The result has been highly incomplete protections, which serve well neither the privacy interest of individuals or social efficiency. The health care sector's need for a comprehensive information policy approach is particularly acute. It remains to be seen whether a compromise is possible from among the many competing visions of an appropriate private/social balance. (4)The history of regulation for health information shows that control has traditionally been at the state level. However, with the expansion of, and increased complexity of information exchange, it has become critical to create a federal health information policy. Why? Because the activity at the state level shows that in over two thirds of the states in the past three years there has been legislation passed to regulate health information practices. This has led to an inconsistent array of laws that makes it almost impossible to operate health services at an interstate level without bumping into questions over jurisdiction. Virtually nothing exists at the federal level concerning health information regulation and medical privacy.
Federal law has addressed privacy issues in other areas -- educational records (1974), bank records (1978), cable television services (1984), electronic communications (1986), employee polygraphs (1988), video rentals (1988), and telemarketing (1991). However, health privacy bills have been less successful, as they have run into opposition from various sectors of the health care establishment. Even though the bills that were introduced in the early 1990s recommended information technology to facilitate the flow of clinical and administrative information, they mentioned only some issues of health privacy. So during this period, while the systems of managed care and its attendant use of information flourished, a coherent national regulatory framework did not. (5)
This year, however, a number of bills drafted to protect the privacy of medical records have attracted intense interest on Capitol Hill. Sponsors include Senator Robert F. Bennett and Representatives Gary A. Condit and Jim McDermott. All the bills are still in committee. The same is true of two bills introduced to address specific protections for genetic information, H.R. 341 (Rep. Stearns) and H.R. 306 (Rep. Slaughter). They also are still in committee. In the case of the Bennett-Leahy bill (S. 1360), "The Medical Records Confidentiality Act," the legislation remains in limbo because the Senate Labor and Human Resources Committee has delayed action to give the pharmaceutical industry and health data companies an opportunity to express their concerns about the privacy provision in the bill.
Where does this leave us at the close of the 105th Congress in drafting federal law that regulates health information? Pretty much where we were at the beginning of the decade. The major differences are that our sense of urgency has ramped up, lobbying groups have conducted more research in order to rally arguments, and we have an even larger array of inconsistent statutes.
What is in effect now is the Health Insurance Portability and Accountability Act of 1996. Its content falls into two main categories, administrative simplification and privacy provisions.
For instance, if we look back at Alice and Bob's situation with prenatal testing and the possible misunderstanding of predictive testing results, we can see how the lack of protection in our current health care system may lead to tactics taken to avoid potential privacy threats. This bill attempts to prevent that from happening by adding protection. But does it? The definition of "misuse" of unique health identifiers is not clear. With the lack of clarity for what constitutes use and misuse of information, this act alone would not alleviate fears about losing control of information dissemination and its consequences. To safeguard against this, some people who seek genetic tests would tend to pay for them out of pocket. This may not keep genetic information off the record, but it may keep it out of the hands of the insurers. However, this puts doctors in a difficult position. Do they respect doctor/patient confidentiality, and at the same time become party to a professional deception? The dilemma is real, for a few insurers do admit that their relationship that receives priority is not with the patient/employee, but with the employer. (6) This means, as we outlined in Alice's story, that although an insurer may be reluctant to disclose individually-identifiable health information if an employer requests it, the insurers will comply if pressed, for there is no statute to prevent it. We still operate under the obligations of the business contract, not the regulations of a legal code.
Looking at the provisions of the Kennedy-Kassebaum act, it becomes clear that its primary strength is to mandate action by Congress or the Clinton Administration (HHS) within a specified amount of time. Additionally, it shows where the gaps are, but does not draft a rigorous set of clear policies itself. It seems to be more of an outline. It outlines a need, but does not necessarily fulfill the need.
And it is not only the general public and its elected representatives who perceive this need. Citing a Harris survey, the Center for Technology and Democracy states that 93% of those termed "leaders," including hospital CEOs, health insurance CEOs, physicians, nurses and state regulators, believe that third party payers need to be governed by detailed confidentiality and privacy policies. (8)
In addition to getting pressure from Congress to issue its report on health information policy through HHS, the Clinton Administration also responded to pressure from Federal and state law enforcement agencies. One provision of the HHS report gives significantly less protection than the pieces of legislation the House and Senate are now discussing. It proposes legislation that would allow police officers to gain broad access to patients' medical records, with hardly any restriction on use or redisclosure of data. This is due to the increasingly high priority placed on investigating insurance fraud. While it is common for law enforcement authorities to negotiate such access now, the Administration recommends that care providers and those who pay for such care be explicitly "permitted to disclose health information without patient authorization" when the records are sought by Federal or state investigators. (9) What effect would this have on privacy?
As reported by the "New York Times," Andrew Fois, an Assistant Attorney General, said, "There has been no documented history suggesting that law enforcement agencies have abused their current access to medical records, or that existing Federal and state law is inadequate to guard against such a danger." (10)
However, in the same article, Deirdre Mulligan, a lawyer for the Center for Democracy and Technology, responded, pointing to the lack of regulation that exists for medical privacy. "It's easy to claim that there have been no violations because there are few laws to violate. There's no procedural requirement to inform patients that law-enforcement agents are getting access to their records." (11)
So, as we stand at the end of another year, legislation in limbo, health information policy in committee, my hope is that within the next year, the US can successfully draft and enact a set of regulations that protect the privacy of people's medical data. It should include some of the following provisions.
2. Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure; and Computer Science and Telecommunications Board, Commission on Physical Sciences, Mathematics, and Applications, National Research Council; "For the Record: Protecting Electronic Health Information," National Academy Press, 1997.
3. Kolata, Gina; "On Cloning Humans, 'Never' Turns Into a 'Why Not,'" "The New York Times," December 2, 1997.
4. Cushman, Reid; Detmer, Don; "Information Policy for the US Health Sector: Engineering, Political Economy and Ethics," "The Milbank Quarterly: A Journal of Public Health and Health Care Policy," Milbank Memorial Fund, 1997. http:// www.med.harvard.edu/publication.Milbank/art/index.html
5. Ibid.
6. "CDT Policy Post," The Center for Democracy and Technology. Volume 2, Number 30, August 16, 1996. http://www.cdt.org/publications/pp_2.30.html
7. Saltus, Richard; "Fear of Insurers Leading to Gene Testing in Secret," "The Boston Globe," September 12, 1994.
8. Goldman, Janlori; Statement Before the House Committee on Government Reform and Oversight Subcommittee on Government Management, Information and Technology on Medical Records Confidentiality, speaking as deputy director of the Center for Democracy and Technology, June 14, 1996.
9. Recommendations of the Secretary of Health and Human Services, pursuant to the section 264 of the Health Insurance Portability and Accountability Act of 1996, "Confidentiality of Individually-Identifiable Health Information," September 11, 1997.
10. Pear, Robert; "Plan Would Broaden Access of Police to Medical Records," "The New York Times," September 10, 1997.
11. Ibid.
Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure; and Computer Science and Telecommunications Board, Commission on Physical Sciences, Mathematics, and Applications, National Research Council; "For the Record: Protecting Electronic Health Information," National Academy Press, 1997.
Cushman, Reid; Detmer, Don; "Information Policy for the US Health Sector: Engineering, Political Economy and Ethics," "The Milbank Quarterly: A Journal of Public Health and Health Care Policy," Milbank Memorial Fund, 1997. http:// www.med.harvard.edu/publication.Milbank/art/index.html
Geller, Lisa; Alper, Joseph; Billings, Paul; Barash, Carol; Beckwith, Jonathan; Natowicz, Marvin; "Individual, Family, and Societal Dimensions of Genetic Discrimination: A Case Study Analysis", "Science and Engineering Ethics," Volume 2, Issue 1, Opragen Publications, 1996.
Goldman, Janlori; Statement Before the House Committee on Government Reform and Oversight Subcommittee on Government Management, Information and Technology on Medical Records Confidentiality, speaking as deputy director of the Center for Democracy and Technology, June 14, 1996.
Kolata, Gina; "On Cloning Humans, 'Never' Turns Into a 'Why Not,'" "The New York Times," December 2, 1997.
Pear, Robert; "Plan Would Broaden Access of Police to Medical Records," "The New York Times," September 10, 1997.
Saltus, Richard; "Fear of Insurers Leading to Gene Testing in Secret," "The Boston Globe," September 12, 1994.
Secretary of Health and Human Services, recommendations pursuant to the section 264 of the Health Insurance Portability and Accountability Act of 1996, "Confidentiality of Individually-Identifiable Health Information," September 11, 1997.
US Congress Thomas Public Information System. http://thomas.loc.gov