GUEST: Janlori Goldman
I’m Richard Heffner, your host on The Open Mind. And I generally consider myself to be a fairly sophisticated person. Surely I’m old enough to be so!
Yet it’s really only now – challenged by the work today’s guest has been doing over many years in the realm of personal privacy – that I’ve come to recognize how urgent it is that as a people we Americans work hard at reconciling public health and personal privacy concerns.
Research Scholar at the Center on Medicine as a Profession at Columbia University’s College of Physicians and Surgeons, attorney Janlori Goldman directs the Health Privacy Project which she created in 1997. It – and she – are devoted to ensuring that people’s privacy is safeguarded in a health care environment.
And that, of course, is why I should start our Open Mind conversation today by asking my guest why her concerns in this area have become so pressing.
GOLDMAN: Well I am just very concerned that people are now at a point where they are afraid to talk to their doctors. They’re afraid to fill out medical history forms. They’re afraid to get blood tests, they’re afraid to get mental health care. They’re afraid of getting genetic testing. Why are they afraid?
HEFFNER: Yes. That’s the question.
GOLDMAN: They’re worried that it’s going to limit them in an ability to get a job. That it might limit their ability to get health insurance. That they might be embarrassed or exposed with a family member or in their community in a way that they would not like. They’re worried it may even effect their children, with a genetic test. Your genetic history. Your genetic imprint, basically, affects how your children might be dealt with in the world of insurance or employment as well, since it’s an inherited condition.
So we’re really at a point where we need some real limits and we need a thoughtful public policy that says “How do we encourage people to get care and put some limits on how we can use this highly sensitive information.”
HEFFNER: Janlori let me be perfectly frank and then …
HEFFNER: … ask you a question that isn’t hostile, but as a result of my puzzlement I’ve read a lot of what you’ve written about …
HEFFNER: … and I come and ask myself now, “Is Janlori Goldman … is she the one and her colleagues in the Civil Liberties Movement … are they the ones who are concerned about this?”
HEFFNER: You say patients are. Now are you projecting a little here?
GOLDMAN: (Laughter) Do you mean, “Am I a club of one on this issue of medical privacy?”
HEFFNER: One or two or six or seven.
GOLDMAN: Well, unfortunately it’s a larger club than just myself and my civil liberties colleagues. Back in the mid-nineties I was pushed to answer that question. And I realize that while on the front page of the paper, on a regular basis, on the TV, we hear stories about people losing their jobs or being discriminated against in some way. We hear these kind of medical privacy horror stories.
I was pushed to answer the broader question, “Does it really matter? Who really cares about this?” And there was a national survey done that showed that about 20% of people will do something to protect their privacy that undermines the health care that they get. They might leave information out of a medical history form. They may ask a doctor to miscode a diagnosis. They might say, “Put down that I’m anxious, not depressed. Or put down that I had a D& C, not an abortion.” Or “I want to pay out of pocket for this genetic test or this mental health care. I don’t want it in my record.”
Some people don’t get care at all because they’re so worried. So we have empirical proof and we’ve now re-done the survey recently to show that the numbers are still about 20% of people will do something, what I’ve called “privacy protective behaviors” to safeguard themselves because they feel they’ve lost control and they have real fears.
So I would say that the club is, unfortunately, larger than just myself.
HEFFNER: Well, that’s important because as I read the materials … I know maybe it’s because I’m an old fogy and what the heck …
GOLDMAN: (Laughter) Right.
HEFFNER: I watch people in doctor’s offices …
HEFFNER: … and in hospitals …
HEFFNER: … and I watch me …
HEFFNER: … and I get the privacy notice and I, I really pay very little attention. But I have … reading you …
HEFFNER: … wondered whether it wasn’t possible that I was doing the projecting and projecting my own … I guess old aged indifference to it. And you’re saying, statistically … we see that people are damaging themselves potentially out of concerns for their privacy.
GOLDMAN: Right. I mean, Let’s, let’s use some real examples. If you are in a job where you don’t have job security and you are worried that your employer might find out that you have breast cancer or that you’re being treated for depression or that you have multiple sclerosis or any of these conditions which are not only expensive but may affect your ability to do the job, and they’re expensive for the employer, if they have any share in paying for your health care, which some employers still do … then there may be a real issue as to whether you would be fired or you might not get promoted, or if it’s a pre-employment physical that you’re taking you might not get hired at all. So there are people who really feel that their jobs are at risk and they want to be able to control who gets to see their medical records.
HEFFNER: All right. Now. What’s being done about that?
GOLDMAN: Well, a number of years ago we were successful in getting a Federal regulation in place … called the Medical Privacy Regulation. And it does limit, to a pretty good extent, what doctors can share about you and what health plans can share about you.
The law is not perfect. It’s not air tight, it has some major gaps that we need to address. We are hoping to go back to the Congress at some point and try to fix some of those things.
But one of the real problems is, is that technology has moved so quickly that the law that was put in place a few years ago is already out-dated on some level.
That we’re talking about the creation of medical information networks around the country at a local level, at a Federal level … sharing of information with public health officials, like the CDC.
Homeland Security has gotten involved in looking at health records because they say we need to anticipate and prevent and respond to a potential bioterrorist event.
Well, of course, we’re all concerned about that. We would want to take steps to limit that. But in the name of that, networks are being set up where information is reported directly to the Federal government on the kind of care that we’re getting. Admissions to emergency rooms, or hospitals, even absenteeism on the job. Which may not appear to have a direct, kind of medical, context … is important information for the Federal government if they’re looking at trends and syndromes that might be popping up.
HEFFNER: Well, now …
GOLDMAN: So things have moved very quickly in the last few years.
HEFFNER: You seem to be say that this is important information for the Federal government to have. And, indeed, this is a real concern, not just a function of privacy invasion.
GOLDMAN: Yes. I think it is a real concern. And, in fact, I take the position, which does surprise some of my Civil Liberties colleagues that we need information to better understand diseases, to improve quality of care, to lower the cost of care. Personal medical information is actually quite useful and also, if, if there is any kind of a bioterrorist event, some information could give you an early warning about that.
If you see a cluster of people in a particular area with high fever or with other kinds of symptoms, maybe some rashes, that could give you a little bit of an alert … early on that there’s a problem and we should go investigate.
The issue is, does the information need to be identifiable? Does it need to have my name and my address and my Social Security number? Could the information not be identifiable and still be useful for the research that needs to get done? For the public health activities? And that’s what our government is not focused on right now.
HEFFNER: If the answer were “yes” and your answer is “yes”…
HEFFNER: … that you can protect individuals. What do you find in the medical profession? Are most physicians you deal with also saying, “Yes, we don’t need to identify the individuals involved.”
GOLDMAN: Well, for, for treating people you absolutely need identifiable data. There’s no question.
So what we need to do is to ask in every circumstance how much information do you need? To treat people, the more information the better. There’s no question about that. Now to pay a claim … let’s think about it. If I have a genetic test, does my insurer need to know the result of that genetic test to pay the claim? Or do they just need to know that I had a genetic test? I would say they only need to know that I had the test. And they should reimburse for that. They don’t need to know the result of the genetic test. So …
HEFFNER: Janlori …
GOLDMAN: … these are just … we just want to ask those kinds of questions so that we limit who has what about you. And we limit the exposure that people have and their vulnerability that they have to stigma and discrimination.
HEFFNER: Are you very good at spitting against the wind?
GOLDMAN: (Laughter) I seem to be, don’t I?
HEFFNER: Because that’s what you’re doing.
GOLDMAN: Well, I think that’s a fair point. I think that’s a fair point, although I think it’s important that somebody talk about these issues and, and I want to say that it’s not completely spitting against the wind.
I’ve worked in this field for 20 years and I started in this field when we had no Federal law and no Federal policy whatsoever on medical privacy. And in the last ten years we now have a Federal privacy regulation; a number of states have moved ahead to pass laws that are consistent with what we have at the Federal level and maybe even more protective.
Because again what we did at the Federal level was kind of a first step. And it has some real problems. So we’ve seen some progress and we’ve even seen some companies doing things voluntarily.
I mean IBM, for instance, took the position that they do not want genetic information and that they will voluntarily agree not to use genetic information in a way that would discriminate against their employees. So they … they’re not required to do that by Federal law, but they chose to do that because they want their employees to get tested.
If you think you have a pre-disposition for a condition and there’s something you could do about it, then they want to encourage you to get tested and not worry that you might think, “Will this keep me from getting a job, will it keep me from promoted?”
So in some instances we see people doing the right thing because it’s good for health care.
HEFFNER: Which way is it going?
GOLDMAN: That’s a hard thing right now. I … I am an optimist, which is probably why you say that I spit against the wind … optimists often do. I’m an optimist and I think that when you make the case that protecting privacy is good for health care, then I think that the health care system is bound to do the right thing. If you’re pushing people away from care and they’re endangering themselves because they’re not getting tested or they’re not being honest with their doctors. That’s a serious health care issue.
And when you look at how it affects access to care and quality of care … if you look at how it affects racial and ethnic minorities, who are a greater risks for disparities, and you know that those groups are the ones who are most anxious about being discriminated against. How can you not do the right thing?
So I, I believe that things are moving in that direction. We are moving in, in trying to regulate how information can be used and for what purpose.
HEFFNER: Who’s … who’s on your side and who’s against you? Not who the enemy is. But are doctors … I guess what I’m getting at …
HEFFNER: … again is the question of …
HEFFNER: … physicians themselves.
GOLDMAN: Oh, I think it’s critical. I mean most doctors have been very frustrated in the last 10 and 20 years about the changes in healthcare. Because many doctors have lost control of their own information. They are required to report so much information about their patients … to insurers, to people who come in to do studies. They don’t have a whole lot of control and they are doing their best to try to maintain that doctor-patient bond. And it’s, it’s been challenging for them. I’ve talked to a lot of doctors who say, “I keep separate records. I have records that I keep in my office, and then I have records that I send to the insurer.”
Or they’ll say, “I intentionally will miscode a diagnosis to protect my patient. And I put a little note in the file … a little … like they have their own code to tell them what the accurate information is. Can this be good for health care? Probably not. But it’s what doctors are doing to try to protect that relationship, to try to maintain that confidentiality bond that is so important for good health care.
HEFFNER: And just between the two of us …
HEFFNER: … how liable are they …
GOLDMAN: MmmHmm. MmmHmm.
HEFFNER: … for doing that?
GOLDMAN: Liability is an issue. Right? So doctors are really forced into this terrible conundrum. Do they open themselves up to liability by not putting information accurately in a record, which then could have some effect downstream? Right?
Or telling their patient, I recognize your concern and I want you to trust me. That’s a terrible bind for doctors to be in. It’s not the right thing, but they have to make these judgments every day. And they make these judgments particularly in areas where people are really getting care for very sensitive conditions. We have a kind of a persistent stigma in this country against people who get mental health care. Or people who have HIV. Or people who have certain kinds of conditions that are, that are really quite stigmatizing.
And so doctors are sensitive to that, particularly if that’s their specialty and they want to do what they can to give their patients good care.
HEFFNER: Janlori do we have much evidence that this is more than a fear. You’ve described the fears and the concerns. Can you also describe instances … adequate to be…
HEFFNER: … numerically … to be a real basis, scientific basis for other concerns, that doctors … patients in particular …
HEFFNER: … are in jeopardy when they do reveal this information. I know, I know you can say “This may happen.”
GOLDMAN: Oh, no. We have, we have documented instances of major privacy debacles. And, you know, 10 years ago those debacles involved rifling through a file drawer and pulling out somebody’s record and either sharing it with the media or making it available to an employer and people lost jobs because of it.
Now we have the kinds of horror stories that involve computerized information systems, where you have the VA … I mean this is a very recent story that was, you know, in the New York Times for days.
At the Veterans Administration, somebody took a hard drive home … as a good public servant to do work at home … it was stolen and 26 million veterans had their medical records exposed.
HEFFNER: Yes, but …
GOLDMAN: 26 million
HEFFNER: Yeah, but Janlori I’m asking a different question. I, I followed that story, too. And I understand what a threat it poses …
HEFFNER: … But I’m asking you whether, in reality …
HEFFNER: … people have lost their jobs because of the revelation that the records require?
GOLDMAN: Absolutely. People have lost their jobs. I have talked with those people, I have met with them, people have lost jobs, they have not been promoted, or they didn’t get the jobs in the first place.
There was a famous memo that was leaked … the Wal-Mart was considering – that showed that they were trying to avoid hiring unhealthy workers. We know that people’s health care is extremely important in the market place. It maybe an indication of their ability to do a job, but more importantly it’s indication of how expensive they might be, if they have a particular kind of condition. The condition may not affect their ability to do the job at all, but it might be expensive.
EFFNER: And the records were revealed and therefore were not hired?
GOLDMAN: They were looking at how to avoid hiring, or promoting, or retaining unhealthy workers. So and it was …
HEFFNER: That’s a wonderful lawyer’s answer …
HEFFNER: Because I’m asking you whether there … you have evidence that, indeed, the desire to hire only healthy workers has resulted in a), b) and c) not being hired.
GOLDMAN: Oh, absolutely.
HEFFNER: … because of the revelation …
GOLDMAN: Absolutely. When the, when the privacy regulation was issued…
GOLDMAN: … by President Clinton, one of the people who stood up in support of the law is a woman by the name of Terri Sergeant, who was fired from her job because she got a genetic test that showed she had a particular condition … it had no impact on her ability to do the job … she was considered a stellar employee … but it was a very expensive condition and she was fired from her job.
HEFFNER: Are there many Terri Sergeants?
GOLDMAN: There are many Terri Sergeants. There are many. There is no protection in this country unless it’s covered by the Americans with Disabilities Act, which the Supreme Court has narrowed to the point where it was really not very effective and is not the kind of civil liberties and civil rights law that it was intended to be.
A genetic predisposition is not necessarily considered a disability. All kinds of run of the mill health conditions are not considered a disability, and you can be fired.
HEFFNER: So you’re working on the assumption that it is possible that when the apple has been chewed upon and we have knowledge …
HEFFNER: … that it can be … what? Maintained silently? Not spread around. That there can be a condition … a physical condition … of person A or B or C …
HEFFNER: … and it is possible to maintain its privacy, its “between you and me”?
GOLDMAN: I think that’s right. I mean I think that in a perfect world, which we’re not ever going to attain, but what we should do is have the ideal which is that when you share information with your doctor, it should stay within the health care system. Let’s at least say that. Because clearly some information needs to be shared with insurers to pay claims, researchers that have access to some information under certain circumstances. But within the health care system.
But should an employer be able to look at your medical records? Even if its useful for them? Even if its important information for them? And, and you might want to argue, “Why should you hire someone who’s going to cost you a lot of money?”
HEFFNER: And when the employer is the insurer?
GOLDMAN: Then you have to build a wall. Right? And that’s what the law says right now, you’ve got to build a wall. If the employer is the insurer they have to wear different hats. Tough to enforce. But that’s what the law says. That you should pay the claim, but if you’re working in Personnel, you don’t get to walk over and say, “Hmm, what’s going on over here with Janlori Goldman’s medical records?”
HEFFNER: It’s like say that in journalism, in the newspaper world, the editorial people don’t speak to the advertising …
HEFFNER: … nonsense.
HEFFNER: Doesn’t happen.
GOLDMAN: Well, if it does happen, though you would … you know, it, it …the law would say you’ve done the wrong thing and we would hope that our government would enforce the law. That’s one of the biggest problems with the Privacy Law right now is a lot of people aren’t taking it seriously. Because it is up to the Federal government to enforce the law and they have done an abysmal job of that.
There have been about 20,000 complaints in the last couple of years filed against employers and insurers and doctors and hospitals … with people claiming that the law has been violated. Not one penalty has been assessed by the Federal government. It is up to the Department of Health and Human Services to enforce the law. The Office of Civil Rights. We have met with them many times and they say, “We think that voluntary compliance is the way to go.” They do not want to enforce this law. And it’s, it’s troubling. Because the message is, “We don’t need to take it seriously.”
HEFFNER: Does the law itself require something other than “voluntary”?
GOLDMAN: Well the law allows for civil and criminal penalties if there’s been a violation. And we haven’t seen any civil penalty assessed. Unfortunately, one of the main problems is you don’t have the right to sue under the law if you think that your privacy rights have been violated. That’s a major limitation. So you have to rely on the Federal government to go out there, investigate and do something. And they have really been quite lax in that.
HEFFNER: Well, now, now … I don’t quite understand. My privacy is violated …
HEFFNER: … under Federal law I cannot do anything unless the branch of the Federal government to which I apply says, “Yes, indeed, and we’re going to enforce the law.”
GOLDMAN: It’s a little shocking. You do understand.
HEFFNER: It is shocking.
GOLDMAN: It is shocking. The, the law does not allow people a right to sue. Under many Civil Rights laws there is … what they call a “private action”, a right of private action where you can go to court and you can say “the law has been violated.”
Now you can still bring a privacy action, you can go to court and say “My privacy has been violated.” But the particular regulation that was put in place to protect people’s privacy in the health care system does not allow you to sue.
HEFFNER: Have many people gone to court saying “my privacy has been violated?”
GOLDMAN: They have not. They have not. I mean one of the real problems is if you don’t have a right to sue it’s a very hard case to make, lawyers are reluctant to take those kinds of cases. And you’re totally dependent on the Federal government to try to enforce your rights. Now, a different Administration may be more aggressive in trying to make the law meaningful as, you know, Senator Kennedy has often said, “A right without a remedy is meaningless.” And, and I would hope that we … since we have the law in place, that there may come a time, either with a different Administration or, or somebody who actually cares about this issue and isn’t afraid to impose some penalties, that we’ll see some good done here.
HEFFNER: And on the state level?
GOLDMAN: The state level. The states have been a little, there are some states that have been a little bit more active, so California, for instance, or New York, they’ve been a little bit more active either through the Attorney General’s office or through state regulators to try to give people real rights.
I mean one of the greatest things about the Federal law is it says to people, “you can get a copy of your own medical records.” Everyone else gets to look at your medical records, but until this law went into effect, people couldn’t get a copy of their own medical records. So that’s been a key piece, people have been looking at their medical records and saying, “That’s what’s in my record!” And sometimes there are inaccuracies or sometimes there are things that people disagree with. And this is information that is used to make all kinds of decisions about people and finally now, if you want, you can actually look at your own records.
HEFFNER: You write about a number myths that have prevailed …
HEFFNER: … about what the law does and doesn’t do. What are some of the more important ones? That sort of bollocks up the whole thing anyway.
GOLDMAN: Well, you know, there have been so many misunderstandings about the Federal law and we, we’ve tried to put together something that’s really clear and tells people, “You have new rights under this law.”
One of the most distressing things is most people in this country … we’ve done a survey of this also … don’t know that there’s a medical privacy law in place. They don’t know that they have new rights, they don’t know that, you know, that some information cannot be share. So one of the great myths is that that form that you get when you go to the doctor that everybody says, “I’ve got this form …
HEFFNER: That I don’t read.
GOLDMAN: … that you don’t read and nobody else reads either …(laughter) … you’re not alone, it is not club of one. People think that they are required to sign this form. There is no requirement to sign the form. In fact the form is just to tell you there’s a new law here and the law gives you the right to see your medical records, the law says your doctor cannot share the information without your permission unless it’s to treat you or to pay for your care. The law is just to tell you what your rights are. But it is … the notice that people are given is so poorly written … it’s written by too many lawyers and too many people worried about liability. It just … we just want something that clearly says, “Here are your rights. Here’s what you should know, you’re not required to sign it. It’s not a consent form.” That’s a huge myth.
HEFFNER: I gather that from what you’ve written, it’s not just the poor civilian, the patient … like myself …
HEFFNER: …but the medical profession itself is puzzled as to what the law requires.
GOLDMAN: A lot of doctors got bad legal advice. They hired fancy consultants and a lot of lawyers to write these notices. The Federal government could have taken the lead and said, “Here’s a one page … know-your-rights.”
In fact we did that at our website … at healthprivacy.org there’s a one page “know-your-rights” and it tells you what you need to know. One of the great myths is that a lot of doctors think they can’t share your medical records with another doctor. The law doesn’t say you can’t share medical records with another doctor. But they’re worried about liability and so they say, “I want to get you to sign a consent form.”
In most states you do not have to sign anything for your doctors to share information with each. You should be able to, you know, walk around with your medical records on a CD if you want so you can stop getting duplicate tests and if you’re traveling you can carry some critical information; if you have a chronic illness. If you’re taking care of a sick relative, it should be really easy for you to get your records and for doctors to share information with each other and for you to carry around your own medical records. So that’s an unfortunate myth about the law. It’s supposed to encourage the sharing of information in health care, but limit it outside of the health care system.
HEFFNER: Do you think we’ll get there, where you want to be?
GOLDMAN: Oh, I think we will. I think we will.
HEFFNER: And if someone watching us wanted to get some basic information, where would they write or put …what would they put on their computer?
GOLDMAN: Well I’d like to think that the website that the Health Privacy Project has is kind of the place to go if you want to understand what the law says, if you think your rights have been violated and you want to file a complaint, we tell you how to do that. If you want to keep up to date on some of these horror stories … unfortunately they, they are … we have 20 pages of horror stories just from the last few years. If you want to look at those it’s healthprivacy.org.
HEFFNER: healthprivacy.org And there you get all of this information.
GOLDMAN: There you get it all. And we’re the only organization. We do this and this is all we do.
HEFFNER: And you are an optimist aren’t you?
GOLDMAN: I am. I am an optimist and I, I have some reason to be optimistic. I’ve seen some good things happen. So …
HEFFNER: That’s good. Janlori Goldman … I’m really so pleased that you came and let me needle you today …
GOLDMAN: (Laughter) I hope I persuaded you a little bit and brought you over to the Club.
HEFFNER: You have indeed.
GOLDMAN: That’s good.
HEFFNER: Thanks very much.
GOLDMAN: You’re welcome.
HEFFNER: And thanks, too, to you in the audience. I hope you join us again next time, and if you would like a transcript of today’s program, please send $4.00 in check or money order to The Open Mind, P. O. Box 7977, FDR Station, New York, New York 10150.
Meanwhile, as an old friend used to say, “Good night and good luck.”
N.B. Every effort has been made to ensure the accuracy of this transcript. It may not, however, be a verbatim copy of the program.