This article was originally prepared for the online magazine TNTY Futures. Written by Daniel Drell (U.S. Department of Energy) and Anne Adamson (Oak Ridge National Laboratory). It speculates about how genetic advances sparked by the Human Genome Project may affect the practice of medicine in the next 20 years.

The first phase of the ambitious international effort to determine the entire sequence of the human chromosome set is virtually complete. Human Genome Project scientists plan to finish the human sequence by 2003, along with a database of the most common sequence variations that distinguish one person from another. This knowledge base, freely available to any interested person over the Internet, will revolutionize biology and medicine. But how? What will be different 20 years from now because the human genome was sequenced?

Only time will prove the accuracy of the following predictions, but here is a list of some effects we might expect in 2020. (That is a very long wait. Is there a way to accelerate it? )

More Effective Pharmaceuticals

A virtually complete list of human gene products will give us a vast repertoire of potential new drugs. From 500 or so drugs in 2000, at least six times this number will have been identified, tested, and commercialized in 2020. All will be manufactured by recombinant DNA technology so they will be "reagent-grade pure," just as human insulin and growth hormone are today.

Your medical record will include your complete genome as well as a catalogue of single base-pair variations that can be used to accurately predict your responses to certain drugs and environmental substances. This will permit you to be treated as a biochemical and genetic individual, thus making medical interventions more specific, precise, and successful. In addition, the increased power of medicine to predict susceptibility to specific diseases will allow you to alter your lifestyle to reduce the likelihood of developing such diseases or to be treated with preventive or disease-delaying medicine.

Treatment failures occasionally happen today with drugs for hepatitis C infections, antihypertensives, and certain anti-depressants (selective serotonin reuptake inhibitors like Prozac). In the next 15 to 20 years, more effective drugs will be developed, and doctors will test individual genetic profiles against panels of drugs available for a specific condition and choose the treatment with the greatest potential benefit.

Today, some 100,000 people die each year from adverse reactions to drugs, and millions of others must bear uncomfortable or even dangerous side effects. We see such current examples as heart-valve abnormalities from diet drugs, muscle damage from some hormone-regulating drugs, and nervous system effects with certain types of anti-depressant medications. As genes and other DNA sequences that influence drug response are identified, we can expect the number of toxic responses to drop dramatically and most side effects to be eliminated.

Societal Implications

Another consequence of greater knowledge about individual variation is more disturbing, and we may face some unpleasant consequences unless society makes some hard choices. These considerations include the likelihood that your medical information will be available to others not in the medical profession--your insurer or employer, perhaps. Employers may have a strong motive to learn about your risks of developing certain conditions and to avoid hiring you or restrict the kinds of work you may do.

Genetic Testing, Therapy

Although now plagued by technical difficulties, gene therapy for single-gene diseases will be routine and successful in 20 years. Certain aberrant disease-associated genes will be replaced with normally functioning versions, and several hundred diseases will be curable. Neonatal genetic testing for these treatable conditions will be routine.

Some of the mysteries of early embryonic development will be solved. We should know the timing of expression of most, perhaps all, of the human gene set. We may have learned how to direct differentiation so that a desired cell type or even relatively "simple" organs and parts of more complex organs can be grown for transplantation. In 2020, we will have made substantial progress towards true "cloning" of certain organs, but many difficult technical steps will remain before successful cloning of a heart or liver.

As genetic testing using DNA sequence becomes more common, less expensive, and more accurate, it will be used commonly and reliably in cases of mistaken identity, false or misattributed paternity, and the identification of missing persons. Misguided attempts to ascribe behavioral tendencies to a person's genes will cause many problems, not least for the courts that must resolve disputes when an individual's behavior and actions conflict with laws. Should society (via the courts) interpret behavior as a consequence of free will or as influenced by genetic constitution? At what point does society mitigate responsibility or punishment?

Understanding Life

On the brighter side, an inevitable consequence of the genome project will be a much greater understanding of fundamental biology. Already, some three dozen organisms (mostly one-celled microbes) have been completely sequenced. The fruit fly, the latest organism to be sequenced, is being used to model the essential features of human disorders such as Parkinson's, making possible a powerful genetic approach to garnering knowledge about diseases as well as to developing more effective treatments. In 2020, perhaps 1000 complete genomes will be in hand. Besides furnishing insights into evolution, this vast repertoire of new genes and their products can be explored for their potential in solving challenging problems such as environmental cleanup.

We will fitfully and slowly gain some insights into biological complexity. In 2020, we will know how to build a functioning cell capable of free-living existence. We will understand certain pathways used by this simplest cell, but there still will be unanswered questions about it. We will be virtually no closer than we are today to the mysteries of such true "emergent" properties as intelligence in complex multicellular organisms.

Challenges

So the Human Genome Project will have vast and largely positive impacts on people living in 2020. Of the various predictions noted above, the last two are the most profound because the most powerful and momentous impacts come from fundamental knowledge, usually in unforeseen ways. As this astonishing treasure trove is introduced into society, we need to be alert to challenges and misuses of the knowledge about ourselves. Society as a whole, not just genome scientists, must address these considerations. It has to be all of us. [Daniel Drell (DOE) and Anne Adamson (HGMIS)]

Database Nation

The Death of Privacy in the 21st Century

By Simson Garfinkel
1st edition January 2000
1-56592-653-6, Order Number: 6536
320 pages, $24.95

As the 21st century dawns, advances in technology endanger our privacy in ways never before imagined. Purchasing databases, surveillance cameras, mobile phone tracking, wiretapping, misuse of medical records and genetic testing--all put privacy, the most basic of our civil rights, in grave peril. Database Nation, Simson Garfinkel's captivating blend of journalism, storytelling, and futurism, is a call to arms. It will frighten, entertain, and ultimately convince us that we must take action now to protect our privacy and identity before it's too late.

Chapter 6

To Know Your Future

Most Americans consider their medical records to be the most sensitive pieces of personal information that they have. Medical records are beacons into our past. They reveal secrets about families. They strip us naked, as if we had been prepped for surgery. They remind us about things we would rather forget--and things that we don't want others ever to discover.

Medical records are also windows into our future. They are imperfect oracles, to be sure--a healthy person walking across the street can be hit by a truck--but many illnesses and medical conditions follow a predictable path. People with untreated blockage of their coronary arteries tend to have heart attacks; diabetics who can't control their blood sugar are apt to go blind; people with untreated chronic depression are inclined to attempt suicide. Genetic records can be even more revealing.

But medical records tell as much about the temporarily healthy as they do about the chronically ill. In a world of uncertainties, the precision that comes from knowing a healthy person's weight, blood pressure, and cholesterol level conveys a feeling of predictability. A doctor can't say for sure that you'll live to be 92, but a statistician can tell you that your odds of doing so are 35%. Insurance companies use this information to set rates. Businesses can use this information to help decide who they should train and promote for positions of responsibility.

No Bigger Gap

Medical records are also among the most difficult kinds of personal information to protect. While the actual paper or electronic files can be protected with locks or passwords, individual facts from those records are easily revealed out of malice, for profit, or even by accident.

  A doctor can be disciplined or lose his or her license for violating patient confidentiality. Hospitals are required under the state's hospital regulations to have a medical records department that "ensure[s] the confidentiality of patient records". But few state or local laws criminalize the unauthorized release of medical records themselves. A secretary or a janitor who walks into the hospital's records room and faxes out the records might be violating the hospital's rules, but they are rarely committing a criminal act.

"Most people think it's illegal to release medical records. They are unaware that no law exists," says Robert Ellis Smith, publisher of The Privacy Journal.  

As of 1995, 43 U.S. states lacked laws criminalizing the release of medical records. Likewise, there is no federal law criminalizing the improper release of medical records.

"Most patients would be surprised at the number of organizations that receive information about their health record: their provider, insurer, pharmacist, state public health organizations--perhaps even their employer, life insurance company, or marketing firms," says Paul D. Clayton, who chaired the National Research Council's Committee on Healthcare Privacy and Security. "Sharing of information within the healthcare industry is largely unregulated and represents a significant concern to privacy advocates and patients alike because it often occurs without a patient's consent or knowledge."

Once upon a time, medical records had a very specific purpose: they provided a detailed record of a person's encounters with the medical establishment so that future encounters might have a higher chance of having a positive outcome. People had a vested interest in making sure that their medical records were correct.

"A person's willingness to share sensitive, often embarrassing information is dependent on being assured confidentiality. It is the basis of trust in the relationship," says Nagel. Recovery from many kinds of mental trauma and diseases requires that the issues discussed during therapy remain secret. The U.S. Supreme Court reached the same conclusion in the 1995 case Jaffe v. Redmond. Nagel notes, when the Court ruled that conversations between a patient and a licensed social worker or therapist, even one who does not have a medical license, are nevertheless protected conversations about which testimony cannot be compelled unless the judicial need for disclosure clearly outweighs the patient's privacy interests. "Quality healthcare is rooted in the imperative need for confidence and trust," and that trust must not be lightly breached, the Court concluded.

Privacy Is Your Doctor's Responsibility

A placard on the wall of my local hospital says "Please Respect Patient Confidentiality." And in a very important way, this sign says it all. Hospitals and other medical facilities need to rely on the ability of their employees to hold patient secrets. Doctors, nurses, clerks, and even janitors all see highly charged information. A hospital that tried to shield its employees from all sensitive patient information would quickly cease to function.

Fortunately, in most cases, this trust seems well placed. I have never met a doctor or a healthcare professional who did not seriously undertake their responsibility for patient confidentiality. Patient privacy is at the very core of the healthcare profession. It goes all the way back to Ancient Greece and the Hippocratic Oath, which says, in part: "All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal."

What complicates the confidentiality process is the fact that between 50 and 75 people need access to a patient's chart during a typical hospital visit. Keeping a secret requires everybody's cooperation: revealing it requires just one bad apple. Many hospitals hire temporary administrative workers who have little or no training in medical ethics. Other healthcare facilities are actively downsizing, creating employees who have a grudge against their employer.

Over the past 50 years, military intelligence agencies and major corporations have developed techniques for preventing the theft of confidential information and for tracing the sources of leaks. People are given personalized copies of records. Photocopies are logged. People have their bags searched upon entering or leaving a secure facility. These techniques are simply impossible to implement in the healthcare workplace. And for the most part, they are unnecessary.

 Some people take the reverse point of view. They think that the best way to handle the morass of medical privacy is simply to eradicate it: unlock the files and the databanks, and make everybody's medical records freely available. David Brin, author of the Transparent Society, is a big proponent of this viewpoint. I actually believed it once myself; transparency has a simple elegance. I figured that everybody has some sort of medical condition or problem: the best way to destigmatize our diseases is to air them in public.

The problem with opening everybody's medical records is that everybody has a different body. Some of those bodies are diabetic. Some have asthma. Some have inherited genetic diseases. Some have brains that are mildly schizophrenic, but controllable with medication. And some bodies are genuinely healthy. Opening up everybody's medical history to public scrutiny opens up people to all manner of discrimination and personal attack, for which there are seldom workable remedies. One of the purposes of privacy in society is to protect us from other social problems that we have not yet eradicated.

Even if some futuristic and enlightened society manages to respect and value the sick in ways that we can't today, there is yet another overriding reason to abide by patient privacy. People who have managed to master their own physical or mental ailments deserve to go about their day-to-day lives without being constantly reminded of those problems by well-wishers.  

People deserve and require control over their own medical matters and privacy for their medical records. Doctors and nurses understand this. But the healthcare establishment increasingly doesn't care.

The American public may feel otherwise. According to the 1993 Harris-Equifax survey on healthcare privacy issues, 15% of those who had their medical confidentiality violated--representing 7.5 million people--said that it had been violated by insurance companies.

Forcing Physicians to Lie

Indeed, insurance companies obtain information from a variety of sources, including the Disability Insurance Record System (DIRS) and the Health Claims Index. And the fact that insurance companies are lawfully allowed to deny consumers health or life insurance because of preexisting conditions has put doctors under a tremendous amount of pressure. On the one hand, doctors clearly have a professional and legal requirement to keep accurate records on their patients and submit truthful billing statements. On the other hand, doctors know that if they are truthful in their diagnoses, they might be creating notations in their patients' healthcare records that will prevent the patient from getting insurance in the future. Even without a written diagnosis, much of what insurance companies want to learn can be gleaned automatically from billing codes.

"Insurance companies collect tremendous amounts of information," says Dr. Peter Tarczy-Hornoch, who directs numerous telemedicine projects at the University of Washington Medical Center. The information is "not the really cool sexy information." Instead, it's things like "What medical diseases did your grandmother have? Have you ever been hospitalized with a drug or alcohol problem? Do you have a problem that is expensive to take care of that you have previously taken care of? They are not particularly concerned with accuracy. It's a screening process. Ninety percent is good enough for a lot of this stuff."

Ninety percent is good enough for a medical insurance company to figure out if it should try to sell you life insurance, or if it should turn down your application. Ninety percent is good enough to decide how far to hike your or your company's insurance rates when it's time to renew. Ninety percent is good enough to systematically exclude the people most likely to need health insurance in the first place. And what if you happen to be one of the unlucky 10% who are denied insurance or face higher premiums even though there is really nothing wrong with you? Your best bet is to try another insurance company and hope that your erroneous information hasn't been forwarded to MIB.

Faced with this dilemma, some doctors have chosen to lie. Instead of putting down a particular diagnosis or billing code, they use a code that has a similar reimbursement rate but lacks the social stigma and long-term insurance implications. For example, says Tarczy-Hornoch, a doctor might use the billing code for "adjustment disorder" instead of "depression."

Medical professionals call these alternate diagnoses surrogates. The practice has questionable legality--it is a kind of fraud, after all--and there are no good statistics regarding its prevalence. But it is clear that surrogates create a kind of cat-and-mouse game between doctors and insurers, with insurance companies constantly trying to figure out what surrogates are currently in vogue, and with doctors trying to figure out new ones. 

 In August 1996, President Clinton signed the Health Insurance Portability and Accountability Act. Under this law, U.S. health insurance companies are forbidden from excluding new employees from their employer's group health insurance packages because of preexisting conditions. But that is as far as the act goes. Insurance companies must offer coverage for preexisting conditions, but they can do it at astronomical rates. They can also choose not to renew an entire company's health insurance package because one person joined the company who had an expensive preexisting condition. This might not impact a company like IBM or Exxon, but it can be a major factor for small businesses. The act covers only employees who are changing from one employer's health insurance program to another--it doesn't cover people who are self-employed, or those who have to buy their own health insurance because they work at companies that don't provide health insurance to their employees. Finally, the act says nothing about life insurance, which has a long history of using medical records in a discriminatory manner. After all, it's life insurance companies that created MIB in the first place.

A Right to Your Self

As we move into the twenty-first century, it is unthinkable that people would be denied access to their own medical records. Indeed, 96% of Americans believe that the right to be able to obtain a copy of their own medical record is important, and 84% believe it is "very important." Yet for many Americans, no such right exists.

According to the Privacy Journal compilation of state and federal privacy laws, only 23 states give patients the right to view their own medical histories (see the boxed list). Despite the laws, however, even residents of these states sometimes find that their doctors deny them access to copies of their records.

States That Grant Patients the Right To View Their Own Medical Records Arizona California Colorado Connecticut Florida Georgia Hawaii Illinois Indiana Kansas (mental records only) Louisiana (partial access) Maryland (partial access) Massachusetts Nevada New York Ohio (law applies only to hospitals) Oregon (law only encourages open access) Rhode Island Tennessee (law applies only to hospitals) Utah (records provided to patient's attorney, not to patient) Virginia Wisconsin

According to the 1993 Harris-Equifax survey, most Americans (87%) believe that they "know everything" or "have a general idea, but don't know in detail" what's in their medical records. And approximately one in four Americans have asked to see the contents of their medical records. When they've asked to see it, 92% were able to get a copy. Of those who were denied this fundamental right, 31% were told that the medical record couldn't be located; 25%, representing four million Americans, were simply denied the request, with no reason given.

Denying people access to their own medical records is fundamentally wrong. Twenty-five years ago, the drafters of the Code of Fair Information Practices realized that there must be no records kept on a person that the person cannot inspect and correct. It is astonishing that, even in countries with progressive privacy protection, this practice continues.

Ironically, increased access to a patient's own records is one of the benefits of the lack of medical records privacy today. With physicians so willing to send medical records to insurance companies and to other doctors, it's all but impossible to keep these records out of the hands of a determined patient. In fact, the combination of patient rights movements, increased health insurance portability, and the trend toward self-employment will all likely result in giving people increased access to their own medical records in the coming years.

 The ultimate goal of the computerization process is medicine's equivalent of the paperless office--the computerized patient record. This record will contain the patient's full medical history, from conception, including immunizations, meetings with doctors, childhood diseases, and results from annual physicals. The record will include payment information, reminders for future checkups, and notes. X-rays will be digitized and stored in the record, as will laboratory test results.

Part of the push for computerized patient records comes from the need to handle increasing amounts of information more efficiently. Many hospitals are legally forbidden to throw out patient records. As a result, they spend millions storing paper records in warehouses. This same information can be digitized and stored in just a few cubic feet using modern data storage techniques. The savings of storage space, combined with decreased costs for film and processing, is one of the primary reasons why hospitals are turning to digital X-ray systems.

Moving to a computerized patient record poses tremendous technical challenges. When you first walk into a doctor's examination room, a nurse or medical assistant writes down your blood pressure and pulse. How does this information get into the computer? Likewise, how do the doctor's notes get digitized? When the doctor wants to order medical tests or X-rays, they're usually written down on a piece of paper--it's faster than typing them into a computer. When you go down to the lab, there's more paper still.

Advancing technology, combined with new business practices, is overcoming many of these problems. For example, at one hospital I visited in Seattle, doctors are now dictating their notes into tape recorders. The doctor's voice is then transmitted electronically to India, where labor is cheap and English is widely spoken. There, skilled transcribers listen to the doctor's voice and type the notes into computers. The text is then sent back over a computer network.

The Japanese film company Fuji, meanwhile, has developed an electronic plate that is sensitive to X-rays. This plate can be used with conventional X-ray equipment to directly digitize an X-ray and send it into a computer. Although the plate costs nearly a thousand dollars, it is reusable--saving substantial money in film. And once the X-rays are digitized, they can be stored on magnetic tape for a fraction of the cost of a climate-controlled warehouse.

One of the factors contributing to the rise in the cost of medical care is the large number of repeated medical tests. Tests are repeated because the results get lost, or because a patient transfers to another institution without all of his or her records. The 1997 Kennedy-Kassebaum healthcare portability legislation tried to solve the problem of repeated tests by forcing healthcare providers to adopt a universal healthcare identification number. The idea of the legislation was simple: if all hospitals and doctors offices used the same identification number, then test results would be less likely to get lost. The legislation justified the adoption on the grounds of "administrative simplification." However, implementation has temporarily been halted by Congress, largely as the result of objections by privacy groups.

Once the medical record is computerized, the information can be put to many new uses. One simple technique is to have the computer scan its records each time a patient shows up, and print a little reminder if there is some routine test that's overdue. The reminders can make sure that women get Pap smears and mammograms; they can encourage parents to have their children tested for lead; they can even prompt adults to be checked regularly for high blood pressure and cholesterol. The reminders are written in English and printed on the patient's chart. When the patient shows up with a complaint or for a routine checkup, the doctor sees the reminder and, during the visit, performs or schedules the needed procedure.

When Dr. Harold Goldberg, a specialist in medical informatics at the University of Washington, first proposed the idea of reminders to his fellow physicians, they sneered--the physicians said that they had been trained to remember which patients needed what procedures. But when the program was implemented, something miraculous happened: the rate at which patients got their necessary tests skyrocketed.

Computerized Patient Records:
The Threat

Physicians are less sanguine about the potential threat to privacy that computerized patient records will bring. According to the Harris-Equifax 1993 survey, 74% of physicians thought that computerized systems were "almost certain to weaken" medical confidentiality, compared to 26% who thought that computers "could be managed to strengthen confidentiality."

The problem is the inherent difference between the physical and the electronic. Paper records are physical. Paper records can only exist in one place at one time. And while paper records can be faxed all over town, a person must be physically holding the records in order to do so.

The principal advantage of electronic records is that they are easy to manipulate, but this ease cuts both ways. With electronic laboratory records, it's unlikely that the results of a patient's last blood test will be lost. That's good for patients--especially patients who don't like getting stuck with needles. But computerized record systems make it equally likely that a curious nurse or intern might walk up to an unattended terminal, type in a name, and see the results of that person's test. And since that same computerized file can be accessed at hundreds of terminals throughout a hospital at the same time, controls are all the more difficult.

In its 1997 report on medical records privacy issues, the National Research Council identified the following five "threat levels" for information stored in healthcare computers:

1. Insiders who make "innocent" mistakes and cause accidental disclosures of confidential information. This could be as simple as a lab sending a fax to a wrong phone number, or a nurse pulling up one patient's medical records instead of another.

    

2. Insiders who abuse their record access privileges. Browsing seems to be a problem with many electronic record systems. The Internal Revenue Service, for example, has had persistent problems with curious employees looking through the tax records to which they have access. It's unreasonable to think that hospitals will somehow avoid this affliction.

    

3. Insiders who knowingly access information for spite or for profit.During the 1992 Democratic primaries, a pathologist I know at Beth Israel Hospital in Boston was contacted by a member of the press who wanted access to candidate Paul Tsongas's medical records. The reporter offered good money, and a less ethical pathologist could easily have retrieved the file without leaving a trace.

    

4. An unauthorized physical intruder who gains access to information. Many hospitals rely on physical security to protect information stored inside a computer: the terminals are put in a special room or behind a desk to which only authorized personnel are supposed to have access. But hospitals are not as secure as hospital administrators would like the public to believe. If that journalist had simply put on a white lab coat and a fake badge, he could probably have retrieved Tsongas's medical records unassisted.

    

5. Vengeful employees and outsiders, such as vindictive patients or intruders, who mount attacks to access unauthorized information, damage systems, and disrupt operations. A doctor who practices at an HMO recently told me of a problem that her group has been having: an employee--they think they know who--has been accessing the HMO's scheduling computer and deleting patient appointments. The scheduling desk then thinks the appointment slot is free, and two or three patients show up at the same time.

There are a variety of techniques that can be used to minimize the threats of unauthorized access. At Beth Israel Hospital in Boston, for instance, certain patient files are marked as "VIP." When these files are accessed for any purpose, the name of the person making the access is logged; a human has the duty of auditing the log files on a regular basis to make sure that all of the accesses were legitimate.

Just who should be a VIP? Currently, the hospital marks files as VIP if there is some reason that employees at the hospital might be curious about the person's records. Celebrities and political figures are obvious candidates. But hospital employees and their families also get VIP status, in order to cut down on inquiries from nosy (or well-meaning) coworkers. Ideally, anybody who wants the VIP label should get it. In practice, Beth Israel does not notify patients that they have this right.

Some computer professionals suggest that encryption can be used to create a simple solution for the problems caused by computerized patient records. Give everyone a copy of their medical history that they can carry around on a smart card. Store a copy of the medical record someplace else, to guard against the theft of the card, and encrypt that backup so no one can access it without authorization.

But doctors are worried about such cryptography-driven technological fixes. They fear that in an emergency, it might become impossible to decode or even locate a person's medical history. Most people, they argue, are not willing to die for the right to their privacy.

Other Threats

Computerization creates other privacy risks that are only now becoming apparent. Take the case of those dictation services in India. What if an employee of the Indian transcription firm recognized the name of one of the people whose medical charts were being transcribed and decided to sell this information to an American tabloid newspaper? Even assuming that the leak could be traced back to that employee, it is hard to imagine how the employee could be adequately punished.

But computerization also opens up the possibility for improved patient confidentiality. The person in India doesn't need to know the true name of the individual whose medical records are being transcribed--a code number would work just fine. And instead of making that code number the patient's Social Security number, make it a case number, or the time of day the patient was seen, or some other kind of code generated by the admitting hospital. The records being transcribed could essentially be anonymous--at least from the point of view of the person in India.

The ability of computers to shield identity and hide information is perhaps one of the reasons that a slim majority (53%) of hospital CEOs think that computers will actually strengthen patient confidentiality. Among insurance company CEOs, the majority is even higher--61%, compared with 35% who think computers will harm confidentiality.

Why the disparity between the CEOs and the doctors? Probably because the CEOs know what is possible with information technology, but doctors see the way it's actually being implemented. And doctors know that any technology that makes it harder for people in a hospital to access medical information could cost some patient his or her life in an emergency. Even simple anonymizing codes increase the chances that two patients' records will be confused--with potentially disastrous results. Would you want to be treated in an emergency room where the computer forces people to type usernames and passwords before ordering a test?

When the University of Washington Medical Center installed its medical record system, the information technology managers gave each physician and nurse his or her own username and password. The system was designed to make people accountable for the files they saw by logging every access. The system even had a timeout feature, so that if somebody left a terminal while still logged on and walked away, that person would be automatically logged out. But a month later, a scan through the log files revealed that the only person using the system on a particular ward was the chief resident. A walk up to the terminal revealed why: the chief resident's username and password had been written on a sticker and pasted to the terminal, so when the chief resident was logged out, any nurse or doctor who happened to be standing near the terminal could log the chief resident back in.

Today, we can easily imagine a better solution to the problem of auditing access to medical records at places like this medical center. First, make sure the terminals are placed in secure locations, so only authorized individuals can access a patient's medical record. Then place a small video camera on top of each terminal, so when each access is made, the image of the person making the access is recorded. Currently, such videotaping systems are purely hypothetical.

Rethinking Medical Care
and Medical Insurance

Most Americans consider their medical records to be the most sensitive pieces of personal information they have. But for HMOs and insurance companies, medical records are merely scoreboards for an elaborate game of musical chairs. Insurance companies know that if they wait long enough, there's a good chance that any given patient will soon be covered by another insurance company--because that person (or their company) switched carriers, because they lost their job, or because they turned 65 and are now covered by Medicare--the United States' socialized medical insurance program for the elderly. Insurance companies that have a high churn rate actually have an incentive to avoid offering preventive care and to close their eyes during the early, cheaper stages of most diseases--hoping that by the time the disease progresses, the patient will be somebody else's financial responsibility.

When they are taking on new contracts, insurance company underwriters use medical records the way a bookmaker uses a sports lineup--as rate cards for calculating odds. Underwriting, in fact, is the real devil of health and life insurance. Fundamentally, the underwriting process weighs the premiums paid by the insured and the profits on that revenue against the chance of a possible payout. It's an inexact science, but one that is getting increasingly more accurate as insurance companies consider more and more pieces of information. And there are few limits on what kind of information can be considered. Today, an insurance company might think that a person who has high blood pressure or high cholesterol is a bad risk and needs to be charged a correspondingly higher monthly premium; tomorrow, the insurance company might adjust your premiums on a month-by-month basis depending on how many pizzas you are eating.

A great many of the abuses mentioned in this chapter could be solved by fundamentally changing the way that medical care is paid for in the United States. Instead of tying health insurance to employment (a policy that dates to the wage and price controls of the 1940s), health insurance could be based on residency and citizenship. The simplest, easiest way to end discrimination in health insurance would be to adopt universal, state-sponsored health insurance. Doing so, however, is politically impossible given the size and wealth of the nation's health insurance industry--an industry that makes its money by gambling on the lives of the healthy and the diseases of the sick.

In the absence of a systemwide redesign, consumers are best protected by the combination of transparency and regulation--transparency of insurance industry practices to prevent the most egregious antiprivacy cases, and regulation to protect consumers in their day-to-day interactions with the medical establishment. Without a policy turnaround, things will only get worse.