Economists talk a lot about scarcity. Scarcity occurs when we have fewer resources than are necessary to fill our basic needs and wants. Price is usually a good indicator of scarcity. Despite the recent short-term glut of oil, for instance, increasing demand and decreasing supplies of fossil fuels means that gasoline prices will inevitably rise in the coming years.
Ethicists like myself also talk about scarcity. Medical resources are often in short supply and must be rationed. The limited number of beds in the intensive care unit means that doctors must sometimes make difficult choices about which critically ill patients are admitted to the ICU and which are not. Vaccines may also be rationed. In the event of a serious flu epidemic, for example, the New York State Department of Health has a four-tiered vacccine allocation system, with critically needed staff such as doctors, nurses, police and firefighters given priority over grocery clerks, plumbers, mechanics, and stay-at-home dads. But one thing we never thought would be an increasingly scarce resource, at least in the medical setting, was privacy
Everyone is increasingly concerned about privacy today, and rightfully so. In a progressively wired and interconnected age, there is little about a person that isn’t public knowledge. In fact, despite all our protestations, we as individuals are largely responsible for this loss of personal privacy.
We give up our personal privacy in a myriad of seemingly innocuous ways: posting status updates on Facebook and Twitter, writing blog articles, and uploading pictures to Instagram. Everything we say or do online leaves behind a trail of personal information that can be used by public agencies and private businesses to track us, watch us, and selectively market goods and services to us.
This is true even when it comes to our personal health. As mentioned before, much of this is our own doing. We comment about our various aches and pains online, use databases like WebMD to self-diagnose and self-treat minor illnesses and injuries, and purchase over-the-counter and prescription drugs using our CVS ExtraCare card. But one thing that we would never expect is that our conversations with our physicians and psychotherapists could also become public knowledge.
If anything, maintaining patient privacy and confidentiality is one of the key ethical obligations placed upon physicians. It is an obligation that has its roots in two millennia of Hippocratic practice, and it is the foundation of the doctor-patient relationship. Patients must feel that they can share all sorts of personal information with their physician, no matter how embarrassing or stigmatizing. This information is often necessary to ensure proper diagnosis, testing and treatment.
A sixteen-year-old girl who is experiencing pain when urinating, for example, may simply have a urinary tract infection. But she may also have a more serious condition like chlamydia, gonorrhea or some other sexually transmitted infection. If she is not willing to share the fact that she is sexually active, perhaps out of fear that her parents will find out, her doctor may inaccurately diagnose and treat her.
Maintaining patient privacy and confidentiality is so important that it has been put into practice and codified into law. Following a groundbreaking observation study of what doctors, nurses and medical students shared with each other in public elevators (spoiler alert: they shared way too much), many hospitals instituted strict policies about what can and cannot be said about patients in public settings. Anyone who has been to a hospital in recent years has undoubtedly seen the signs in the hallways and elevators reminding staff of this fact. Hospital staff can reprimanded and even fired for breaching confidentiality, as happened at Cedars-Sinai Medical Center after six employees inappropriately accessed the medical records of reality television star Kim Kardashian
State and federal laws restrict the types of information that can be shared about patients. One key federal law, the Health Insurance Portability and Accountability Act (HIPAA), places strict limits on who can access or share your medical records or your health insurance and billing information. Doctors, hospitals, and insurance companies bound by HIPAA regulations can face severe civil and criminal penalties for violating this law, including fines of $1.5 million and prison sentences of up to ten years.
Unfortunately, this privacy law is rife with loopholes. HIPAA only applies to so-called ‘covered entities,’ such as health providers and health insurance companies. It does not apply to others who may have private health information, such as life insurance companies, employers, workman’s compensation programs, law enforcement agencies, or schools. This is a significant problem, as highlighted by a recent case involving a student at the University of Oregon.
That student was allegedly raped by three University of Oregon basketball players. In a Title IX lawsuit filed against the school, she claims that the school deliberately delayed its investigation so that the men could play in an important NCAA tournament.
So what does this case have to do with medical privacy? The University is using the student’s own medical records to defend itself in court. Because the student sought clinical treatment and psychological counseling at the University health clinic, her medical record belongs to the school. A federal law known as the Family Educational Rights and Privacy Act (FERPA), ironically meant to the protect the privacy of a student’s educational records, exempts campus medical records from HIPAA’s privacy rules.
Sadly, as morally repugnant as this is, the University is well within its legal rights to do this. Until laws like HIPAA and FERPA are amended to close these loopholes, we all should be more than a little wary. Students, for example, may wish to seek off-campus counseling or treatment in order to protect the privacy of their records, even if this means that they or their families may be forced to shoulder the cost. Meanwhile, the rest of us should be a little more diligent about the types of medical information we share with agencies and organizations not covered by HIPAA, and to pause for a moment before we complain about our neck aches and back pains on social media.
[This blog entry was originally presented as an oral commentary on Northeast Public Radio on March 12, 2015, and is available on the WAMC website.]