To Secure These Rights: Maryland\’s Infringement of Medical Privacy

The 1990s will come to be known as the heyday of the information age. The cost will be the loss of personal privacy. Privacy will become the legislative issue of the late 1990s. If we maintain that government can only be for the cause of the governed, then government must rein in the erosion of privacy, a right which we in the United States have taken for granted for over two centuries. To come to the point, no personal medical data should be utilized by the state for statistical purposes without patients’ consent. Never.

Maryland has become one of the nation’s most scrutinized states in this respect because of precedent-setting 1993 legislation abandoning the right to medical privacy without each citizen’s consent. Privacy advocates on a national level have monitored our state’s lack of success in restoring personal medical privacy. For the past two years, Delegate Jim Kelly’s (R-Baltimore County) and Senator George Della’s (D-Baltimore City) Patients’ Consent Act has failed to emerge from committee because of opposition by the General Assembly’s leadership (HB 557/SB 702 in 1996; HB 834/SB 813 in 1997). The Kelly/Della bill would have granted Maryland citizens the right to choose whether their personal medical data should become part of the state’s Medical Data Base. At present, patients do not have that option. You have no option. Data are automatically compiled.

To understand this whole complex issue, we must review the original enabling legislation, the Maryland Health Care Reform Act (HB 1359) which was rushed through in the final hours of the 1993 session by Senate President Thomas V. “Mike” Miller (D-Price George’s) and now-House Speaker Casper R. Taylor, Jr. (D-Allegany).

It was a very complex bill, aimed at preempting any Clinton health-care reform act that might have emerged that same year, but which of course never did. One aspect of HB 1359 was the establishment of the Health Care Access and Cost Commission (HCACC), with its many bureaucratic roles. One of these functions was to create a statewide Maryland Medical Data Base – on which patient-specific medical information from every out-patient health-care encounter is now encoded in permanent electronic storage. No patient notice or consent is required; at the time, the only legislative precaution was that these data be collected in a confidential manner as determined by HCACC.1 Otherwise, the statute left HCACC to collect the data as it saw fit.

Privacy advocates, consumers and health-care professionals – who are, in the case of the latter, by ethical mandate inherent privacy advocates – only began to understand the scope of this data-collection effort in 1994. Some began an effort to restore the right to medical privacy.2HCACC responded by stonewalling. It established an internally-appointed “workgroup on privacy and confidentiality,” chaired by an HCACC commissioner (who is also the benefits director of Baltimore Gas & Electric Company). Privacy advocates considered membership to be stacked in favor of data collection, business and researchers’ interests, and against consumer concerns.3

Ultimately, HCACC instructed this work group not even to consider the issue of patient consent before data-base inclusion because the commission itself had determined that such consent was unnecessary. The work group deliberated for well over a year – and accomplished nothing that reassured privacy advocates. Its own consultant on computer security, the national Center for Democracy and Technology, encouraged patient consent rights and it endorsed the Patients’ Consent Act, designed to restore that right to Maryland citizens.4

The Maryland Medical Data Base was established to curtail health-care costs, an issue which was certainly a fiscal priority in 1993. But this was before the managed- care trend trimmed virtually all possible health-care fat (and perhaps care) these last four years. The specific intentions were to ferret our expensive and presumably inefficient “outlying providers” and clip their wings via fee-setting. Because of this particular goal, the very large, diverse and non-partisan consent coalition which has gradually taken shape has been deliberately misunderstood and even denigrated as an effort to “protect providers” from such cost containment.5

It is true that health-care professionals are no more fond of mediocrity-inducing fee-setting measures than any other professionals are, but provider protection is simply not the consent coalition’s goal. How so? Most members of the coalition are consumer advocates. Examples? How about the American Association of Retired Persons (with a state membership of 700,000), the American Civil Liberties Union, the Maryland Mental Health Association, the Maryland Public Interest Research Group, Maryland Women’s, Family and Disability Law Centers and even the Christian Coalition? In fact, convinced that providers only had their own interests at heart, HCACC offered them a “compromise” in November 1996 by which provider confidentiality would be ensured. The health-care professional societies turned it down because patient privacy was and is the goal of the consent coalition. Anyway, HCACC cannot hope to discern “inefficiency” of providers when it does not collect any information about severity of illness, quality of care or patient outcome.6

What data do HCACC collect on each of us? The commission has the right to gather everything used as billing information as long as it does not collect patients’ names. This allows the government to claim that the data are anonymous. That may have been plausible prior to the information age, but nowadays we know that nameless data with enough specific demographic information can be cross-referenced or matched with the growing number of existing public-access data bases to determine either probable or certain named identities of individuals. Furthermore, HCACC’s raw data are vulnerable to the usual techniques of insider bribing.

The HCACC collects plenty of information to make electronic matching techniques possible: sex, month and year of birth, zip code, diagnoses, treatments, provider identification and address, universal claims number and an encoded specific patient identifier number.7 The commission had the original intent and statutory right to collect even more, though privacy watchdogs beat this back. Nonetheless, even as the matter currently stands, who on earth provides scrutiny to monitor what actually is collected? There is no outside audit, no “privacy commissioner” to oversee the data collection. Marylanders have no reason whatsoever to rest assured when these data-gathering bureaucrats say our private medical information is safe in their hands. Even HCACC has acknowledged in writing that it cannot guarantee confidentiality and that no data security system is foolproof.8

Why is the Patients’ Consent Act endorsed by the national ACLU, the national PIRG, the National Coalition for Patients’ Rights, the national Consumer Project on Technology, the American Medical Association, the American Psychiatric Association and the National Association of Social Workers? Because patient consent is the traditional national standard for such extensive and inclusive medical data bases. Consent is what the Patients’ Consent Act seeks to restore. Consent is what privacy advocates know to be our best protection in this information age against total loss of personal privacy, medical or otherwise.

Maryland has yet to tackle what is the civil-liberty issue of our era. Constituents and legislators correctly complain of the egregious medical privacy intrusions by managed-care companies, but so far our assembly has not taken up the cause of curtailing these intrusions, as it should and must. Maybe it cannot – for to do so would be to acknowledge that its role is to protect our medical privacy rather than compete in the data-gathering whirlwind.

That is why the patients’ consent legislation is so pivotal in the broader civil-liberties battle. If our state cannot acknowledge that it has no right to gather these personal data without consent, how can it take on the role of protecting us against managed-care intrusions? It cannot. How can it redress the larger threat to each of us – our loss of privacy in the information age? It cannot. One thing that repressive and tyrannical countries the world over have in common is the absence of personal privacy. We dare not ignore this initial loss of privacy in Maryland.

The state assembly’s leadership pulled out all the stops to kill the Patients’ Consent Act this year and last. Why? Pride of authorship in the HCACC? A naive and unwarranted belief that this data base will be safer than all the other data bases that have been violated – including the Defense Department’s and NASA’s? A bet that any data leaks will not come to public attention, and thus will not become a political scandal? An uninformed belief that HCACC can achieve enough medical cost slashing, without compromising care, to justify its privacy-jeopardizing, five-million-dollar-a-year data base budget?

The consent bill’s sole opposition – apart from the assembly’s leadership – has consisted of HCACC itself, big business leadership and a few other data-dependent interests, such as the Maryland Hospital Association, the Maryland AFL-CIO, the Maryland Association of County Health Officers and the Health Services Cost Review Commission – all of whom testified against the bill. But these opponents certainly should know that there are time-honored ways to do valid research that do not bypass patient consent.

National polls repeatedly show that between 87 percent 9 and 96 percent 10 of Americans rank privacy as their highest priority, medically, and want their consent asked before their personal information is entered into computerized data bases. The 13 percent who do not agree have held the rest of us hostage so far here in Maryland, via their enormous political clout.

Next year is an election year, and citizens will pay very close attention to the issue of medical privacy. If Marylanders’ interests mirror those of the rest of the country, then at least 87 percent of them will look to their legislators to begin the process of protecting and restoring the civil liberty of privacy by supporting legislation to restore our rights. Just whose medical information is it anyway?

Dr. Katze is in the full-time practice of psychiatry in Towson, Maryland, and is a member of the American Psychiatric Association’s Committee on Confidentiality.

End Notes
[Top] 1. Code of Maryland, Health General,

Posted in: Health Care, News Series