Competing Agendas Threaten To Limit Computer Privacy

How ironic that for all of the time, energy, and words spent debating patient privacy protections, at the dawn of the 21st century Americans can count on greater confidentiality for the records of the videotapes they rent than for the sensitive information they confide to their physicians, observed incoming APA President Richard Harding, M.D.

Despite this incongruous state of affairs, Harding and other psychiatrists and privacy experts cited both progress and troubling symptoms as society decides how to adapt to a computer era in which every bit of data appears to be discoverable with a little electronic ingenuity.

Speaking at a presidential symposium on confidentiality at APA’s 2001 annual meeting in New Orleans in May, Harding pointed to the new federal privacy regulations included in the Health Information Privacy and Accountability Act, often referred to as HIPAA, as a sign that the federal government is aware that steps need to be taken to guarantee patients some degree of privacy for the electronic medical records.

Harding, who had considerable input during the development of the HIPAA rules as a member of the National Committee on Vital and Health Statistics, said that while imperfect, the rules contain “many good features, but will place a burden on [psychiatrists] to stay current on the rules,” as well as any modifications that may be made down the road.

Margo Goldman, M.D., chair of the APA Committee on Confidentiality and cofounder of the National Coalition for Patients’ Rights, pointed out that research is a particularly thorny issue when concerned parties try to define an appropriate place for confidentiality walls. It is a conflict, she added, that organized psychiatry cannot ignore.

The focus of the conflicts, Goldman noted, is that “privacy is pitted against other laudable aims” such as the valuable knowledge and advances that researchers can derive from studying patients’ medical records. There is consensus among researchers, physicians, and other concerned parties that patient consent can be obtained retrospectively when researchers want to gain access to their records, but it becomes “contentious,” for example, when the records in a database were not originally intended to be open to research studies.

“Researchers want to have unfettered access to medical records,” cautioned outgoing APA President Daniel Borenstein, M.D., who chaired the confidentiality symposium.

While researchers have often been able to access patients’ records without explicit consent of the patients, Goldman suggested, there needs to be far more recognition of the “intrinsic value of privacy,” which derives from demonstrating “respect for patients’ autonomy and dignity.”

While new federal policies regarding research access to patient records are “an improvement” over what little regulation existed in the past, Goldman stated, “we still need to raise the bar.” As far as access to psychotherapy records goes, while that bar is indeed higher than for other types of records in the new federal rules, “without explicit authorization by the patient, there must be no ifs, ands, or buts” about ensuring that patients have absolute control over the uses to which their psychotherapy records are put, no matter how noble a particular research mission may be.

There is no escaping the fact that the trend in this country is to use computer technology to collect more data on everything, emphasized computer-privacy expert Latanya Sweeney, Ph.D. Two mantras that guide those who assemble computer databases are “collect specifically” instead of “collectively,” and “collect if you can,” maintained Sweeney, an assistant professor of public policy and computer science at Carnegie-Mellon University. That means, she explained, collect as much person-specific data as possible and collect anything that you can.

She cautioned that patients and their doctors should not rely on HIPAA rules to protect medical confidentiality. “It regulates the heck out of the first few parties who get the information,” Sweeney said, “but it won’t change the ability of determined people to gain access to the data.”

APA Vice President Marcia Goin, M.D., sounded the alarm over the lack of security for communications sent between physicians and patients over the notoriously porous Internet.

Goin described this problem as “the sinister side” of the growing popularity of the Internet for patient screening and telepsychiatry and e-mail for patient communication. A wide variety of parties ranging from insurers and employers to prying Web surfers would love to gain access to medical information, she noted, but computer users often give little thought to how vulnerable these data are.

“The advent of electronic devices has seriously increased the risk of private data being revealed,” said Borenstein. “In fact, a lot of people are beginning to wonder if privacy really exists at all anymore.”

Computer technology “certainly has great communication potential, but remember all the problems that come with it,” Goin warned. She added that it is a myth that encryption software solves the problem of confidentiality breaches.

Remember, Sweeney advised psychiatrists at the symposium, in the end, “privacy issues are really all about money.” ▪