Off the Record

Anyone who's visited more than one doctor's office can relate to the frustration of having to fill out lengthy forms that ask many of the same questions: What drugs are you taking? What allergies do you have? Have you ever had major surgery?

It has been a long-held dream of physicians and other medical professionals to create a single electronic medical record that a patient would, in essence, carry for a lifetime. From a medical point of view, the benefits are significant. Not only could doctors see one complete record, presumably allowing for more thorough and efficient care, but they could have access to large numbers of patient records, which could help researchers find new insights into how diseases spread. There's a counterterrorism application here, too, in that officials with real-time access to hospital admission rolls might spot the signs of biological attack before it affected many people.

The hitch in this grand vision, however, has always come down to patient privacy. Would anyone be allowed to peruse a patient's medical history? Would insurance companies get access? If so, might they decide to limit coverage because of a pre-existing medical condition, or some indication in the record that a person was predisposed to a particular illness?

The legal backbone of patient privacy is the Health Insurance Portability and Accountability Act, enacted in 1996 amid recognition that advances in information technology threatened patient privacy. In December 2000, the Health and Human Services Department issued a privacy rule that set national standards for protecting health information. Now, medical providers must implement procedures to ensure privacy.

That's a particularly nettlesome challenge for public health care providers, especially at the Defense and Veterans Affairs departments, whose patients number in the tens of millions. State and federal agencies also are building large repositories of patient records, which are shared among hospitals and clinics.

Consider Defense's Composite Health Care System, a giant repository of more than 4 million records of active-duty personnel and their dependents. Over the next two-and-a-half years, the system will be deployed to all Defense hospitals worldwide, about 102 facilities. Eventually, it will double in size to hold about 9.5 million patients' records.

Protecting privacy is a legal requirement. So, how can it be accomplished?

Among the many techniques is "anonymizing" patient data-that is, stripping a record of any information that could reveal who a person is. The Defense system, scrambles patient's names and Social Security numbers, says Larry Albert, the senior vice president of the health care practice at Integic Corp., the Chantilly, Va., company that built the system. It also scrambles some demographic data, Albert says, through a technique called hashing. The data is encrypted so that it's meaningless to anyone who doesn't have the proper key to unscramble it. Hashing provides some level of comfort, particularly when the data resides in a single repository viewed by many people. But it's no guarantee when the data is moved-for instance, when a doctor in one hospital queries data held in the records of another.

Albert says data is most vulnerable when it's in transit. Someone could place an electronic eavesdropping device on a data line and grab patient records as they pass. Hashing helps, but another technology, known as a privacy appliance, may provide even greater control over data as it shuffles about cyberspace. Privacy appliances are still largely in the research stage. An appliance-probably a piece of hardware-would be controlled by the person or agency that "owns" the data or by a third party, adding another layer of protection between the data owners and the people looking at it.

Select individuals might have access to information such as names or Social Security numbers, but the privacy appliance would act as a filter so that analysts and noncleared persons could query the data without seeing such identifiers. The appliance could be customized to let people with higher clearances view larger portions of a record. Access to such information could help reveal disease trends without disclosing who the patients are.

Some of the more advanced research of privacy appliances has focused on counterterrorism. The device could assist intelligence and security agencies, where the policy of "need to know" guides which analysts and officials can see sensitive information.

The Defense Department's Terrorism Information Awareness program researched the use of privacy appliances to detect terrorists' plans by examining commercial transactions such as credit card purchases. Teresa Lunt, one of the chief scientists involved in that work, says a privacy appliance could be tuned so that it would stop users from seeing too much anonymous data from multiple sources if it might, collectively, indicate who the person likely is. Lunt worked for the Palo Alto Research Center, a subsidiary of Xerox Corp., under a contract with TIA's parent agency, the Defense Advanced Research Projects Agency. TIA managers also considered policies that would require government officials to obtain a court order to decode data. The program was halted amid controversy over its aims and privacy concerns.

The Defense Department's health care system may be the best test cases. Albert says designers built privacy controls into the system from the beginning. But they also recognized that sometimes privacy restrictions have to be lifted quickly during emergencies.

If an unconscious patient arrives at an emergency room, Albert says a feature in the Defense system lets a medical worker "break the glass" and see the full record. Then the system tracks more closely than normal, right down to the mouse clicks, what information the worker views, Albert says.

Ultimately, strict tracking of how a patient record is used may be the only way to ensure that privacy regulations are enforced. Patient advocates and federal officials have wondered whether the HIPPA rules really are strong enough, an issue indelicately laid bare in 2002 by a spokesman for Health and Human Services Secretary Tommy Thompson. Referring to a consent rule that required patient permission before records could be transmitted, the spokesman said the rule was never very effective and he supported doing away with it.

Without the ability to restrict who sees what patient information, it seems even the strongest hashing techniques or privacy appliances will provide patients little comfort.