Congress faces many challenges in the area of health care reform, including the need to combat renewed and ill-conceived attempts to regulate managed care through "patient's bill of rights" proposals. But a deadline is approaching on another health care issue that is of equal concern: how to protect the privacy of a patient's medical information.
The Kennedy-Kassebaum Health Insurance Portability and Accountability Act of 1996 (HIPAA) provided that either Congress would enact privacy protection legislation by August 1999 or the authority to promulgate rules would revert to the Secretary of the U.S. Department of Health and Human Services. This is tricky territory; the Senate attempted to pass a confidentiality bill during the last Congress but became so entangled in the complexities and paradoxes of the issue that the effort failed.
Whether patients are frustrated by the restrictions on their access to doctors or services that are imposed by managed care, or concerned about the privacy of information in their health file, the underlying issue comes down to one question: Who should own and control each American's health coverage?
In today's private health insurance system, employers generally control the amount and type of health coverage their employees receive, because the tax code provides a strong incentive for health insurance to be tied to the workplace. In addition, as the direct purchaser of coverage, an employer has a legitimate need to access claims information about employees in the process of paying claims and assessing costs. Understandably, many Americans are very concerned about their employers having such personal information.
Fortunately, solutions are garnering increasing attention on Capitol Hill that would mitigate privacy concerns as well as reduce pressure for destructive "patient protection" regulation. These solutions would foster greater individual control over health coverage by encouraging individual ownership and choice of health insurance. The key to this is to make changes in the tax system that would reduce the bias against employees choosing and owning their own health plans--and medical information.
Examples of such measures include proposals to provide income tax credits to Americans who purchase their own health plans (perhaps with a contribution from their employer), such as legislation being developed by Representative James McCrery (R-LA) and Ways and Means Health Subcommittee Chairman William Thomas (R-CA), and legislation developed by Representative Jim McDermott (D-WA).
Similarly, proposals to permit employees to make more extensive use of flexible spending accounts (Section 125 plans), such as permitting employees to "roll over" unused balances from year to year, would give workers greater opportunities to purchase coverage directly and thus avoid employer access to medical information. A similar result would follow from steps to widen the use of medical savings accounts.
Employers are certainly not alone in having access to personal medical records of their employees. A number of entities with different interests have access to patients' health information that, in some states, even the individual patient does not have the right to access.1
Primary users of personal health information are those directly linked to the provision of care, such as doctors, nurses, and lab technicians whose access to patient medical records is critical to a patient's care.
There are secondary users, such as clinical researchers and epidemiologists, many of whom are publicly financed researchers at the National Institutes for Health (NIH) and the Centers for Disease Control and Prevention (CDC), and other federal and state public health officials and law enforcement officers.
Pharmaceutical companies and medical device manufacturers also have access for research and marketing purposes.
Finally, health insurers collect large amounts of patient data to process claims and, increasingly, to monitor enrollees' health and judge the appropriateness of medical procedures.2
Although the interests of most of those who see an individual's medical records are well-intended (to improve public health and/or advance research), it only follows that the greater the number of second and third parties with access to patients' personal health information, the greater the potential for abuse of that information. It also can be argued that employers would not need access at all were it not for the fact that many of them are making the purchasing decisions on behalf of their employees. This is an inevitable result of today's job-based health care system.
Americans are effectively locked into the current system because workers receive strong encouragement from the tax code to obtain their health insurance at work. But to do so, they must turn over control of the decisions and medical information to their employers. As long as the employer writes the check, the full value of a health insurance premium contribution is excluded from the employee's income--in other words, it is tax-free. Current tax policy also properly allows the employer to deduct the full cost of the insurance premium as a cost of doing business.
This tax policy has a number of perverse effects, both on the health system and on the ability of individuals to access care. One of the main problems is that it effectively prohibits individuals from choosing and owning their own health coverage. Instead, employers make the choices about the type of health plan and benefits employees will receive. With this responsibility, employers amass large amounts of data about their employees' health and utilization of medical services.
The employer's need for this sensitive information is heightened by the manner in which health coverage is delivered today, with 70 percent of the privately insured population in some form of managed care. Managed care plans collect large amounts of patient data to monitor enrollees' health, develop treatment protocols, and assess claims and payment activities.
The access of employers to their employees' personal health information is a direct result of employer-owned health coverage. Insurers are obligated to show their clients--the employers--what they are getting for their money. Therefore, insurers are accountable to employers who pay them. On this issue, Ian Schaefer, the medical director of Value Behavioral Health, has commented,
[Privacy advocates] think that we are seeking personal detail. But we're seeking clinical accountability. Ten years ago, there was no accountability. They sent in a claim and it was paid. Today, we ask for information....3
The problem is sharpened for employers who "self-insure" (that is, who pay claims directly rather than pay premiums to an insurance company for coverage). In this case, employers pay the bills and need to know what they are paying for--and are increasingly interested in making sure they get what they are paying for.
One major concern is that it may shape personnel decisions. In 1996, David Linowes, Professor of Political Economy and Public Policy at the University of Illinois at Urbana-Champaign, conducted a survey of Fortune 500 companies and found that, of the 84 companies that responded, 35 percent reported that they used personal medical information in making personnel decisions. The survey also found that while 93 percent of corporations received written permission from workers or prospective hires when collecting data, only 32 percent of the companies informed workers about the type of information they were seeking.4
Based on his surveys, Professor Linowes says, "The thrust is that employers don't hesitate to use this information. It's something that enters the equation concerning their investment in personnel."5
Employers who do access personal health information may have different motives for seeking this information. Some are interested in improving employee health. Some employers will ask their health insurers to screen employees for various conditions, looking for clues as to which employees are not getting treatment or may be getting the wrong treatment. For example, Sara Lee, Inc., asked its health insurer, Lovelace Health Systems, to screen its 500 employees at a factory in Las Cruces, New Mexico, for depression. Sara Lee said it wanted to determine whether there was a link between untreated depression and lower work productivity, and, if so, to ensure that its employees got the proper treatment.6
There also are cases in which an employer's access to health information can work against an employee or prospective employee. According to Dale Emerson of the Illinois Department of Insurance, employees often authorize access to personal health records when applying for a job or filing a claim without even knowing that they are doing it. Employers can examine claims records to verify treatment, track health costs, or request information on prospective employees to assess their level of risk.7 If an employee believes he has been fired or kept back at his job because of an illness, he can sue under the Americans with Disabilities Act. Such discrimination can be difficult to prove, however, and some reports indicate that employers do use this information when making employment decisions.
An employer's ability to access personal health information has been upheld in the courts as well. In 1992, a Pennsylvania Transit Authority worker (John Doe) filed a lawsuit against his employer and Rite Aid pharmacy for violating his privacy.8 The Transit Authority contracted with Rite Aid to dispense prescription drugs to its employees and requested that Rite Aid provide claims information for auditing purposes. This information revealed that the worker in question was taking AIDS medications, and his supervisor was informed.
The worker did not make a claim in court that he suffered from employment discrimination, but only that people treated him differently as a result of this disclosure. The federal appeals court ruled against the transit worker in this case. The following is an excerpt from the appeals court brief:
[The employer] had a genuine, legitimate and compelling need for the document she requested.... [She] had a responsibility and an obligation to keep insurance costs down and to detect fraudulent and abusive behavior. The report [from Rite Aid] was intended for that purpose. Employers have a legitimate need for monitoring the costs and uses of their employee benefit programs....9
In the current employer-based health system, employers clearly have a need for certain types of information in order to assess whether they are getting good value for their money. But it does not have to be this way. Employers who make defined contributions to employee health plans, although concerned about rising health costs, have less of a direct interest in learning detailed cost information because their contribution to their employees' health care is fixed. If individuals were able to select and own their own health coverage, employers' interest in their detailed medical information would be minimized.
Changing the employer's role as direct purchaser and controller of the employee's health benefits does not remove all threats to the privacy of personal health information, nor does it answer tricky questions of legitimate uses of this information. But the question of the employer's role in determining employees' health coverage and access to medical treatment is an important element to be considered in the upcoming debate over how to protect the privacy of patient health records.
Congress will not be able to address the privacy issue fully until it addresses the tax treatment of employer-provided health coverage. Providing tax credits directly to individuals so that they can purchase and own their own health insurance would vastly improve confidentiality of medical records and minimize regulatory intrusion into the patient-doctor relationship.
Stuart M. Butler, Ph.D., is Vice President for Domestic and Economic Policy Studies at The Heritage Foundation. Carrie J. Gavora, who completed this paper in her position as Health Care Policy Analyst at The Heritage Foundation, is now Policy Director at the Healthcare Leadership Council in Washington, D.C.
2. National Academy of Sciences, For the Record: Protecting Electronic Health Information, 1997, esp. Chapter 1. This list is not intended to represent a comprehensive list of all the different parties with access to personal health information today.