State's data agency to offer patient privacy safeguards Commission favors confidentiality steps approved by Senate

The state's health data collectors are prepared to adopt new measures designed to improve confidentiality of records -- in effect, obeying a state law which was never passed. But critics say the new steps are still too little to protect patient privacy.

The staff of the Health Care Access and Cost Commission will ask the commission tomorrow to approve new guidelines that include: Reaffirmation that the state will not collect data from patients who choose to pay for their care themselves rather than having an insurance company pay.


Records in the commission's database will include the month and year of the patient's birth, but not the day.

The patient's identification number -- already changed by the insurance company with a code unknown to the state -- will go through a second encoding once the state has the record.


John M. Colmers, HCACC executive director, said the steps are derived from a bill passed by the state Senate during the 1996 session but not passed by the House of Delegates.

"When the General Assembly considered these changes, we thought they made sense," Colmers said. "Having made a commitment to the General Assembly to protect privacy, we have agreed to implement them."

But Dr. Jennifer Katze, a Towson psychiatrist who opposes the data collection, said Colmers' proposed changes are "hollow concessions, public relations concessions."

Working with the Maryland Psychiatric Society and the state medical association, Katze helped develop a flier that doctors and psychiatrists have started to distribute to patients that warns, "The state data collection puts your medical privacy at risk."

Katze said she and other advocates will return to the General Assembly next year to seek stronger legislation on privacy which guarantees that no records will be collected without the patients' consent.

Without such protections, critics say, the database could be misused. For example, an employer who got the data and cracked the code could discriminate against an employee who sought psychiatric treatment or had AIDS.

Katze said voluntary action by the commission is not as good as protection written into law. "It's a voluntary abiding" with the terms of the Senate bill, she said, "and they can voluntarily stop abiding."

Colmers, however, argues that data on who is receiving treatment and what it is costing are needed to make informed decisions about health policy "to separate fact from fiction, to answer questions of what and where, not of who."


For example, he said, the General Assembly considered legislation this year on whether health maintenance organization patients were getting fair access to emergency room treatment. While both sides in that debate could present witnesses with anecdotes, Colmers continued, the health database could offer facts.

The legislature created the commission as part of a broader health reform bill in 1993. The commission is empowered to collect data to monitor who is getting health care in Maryland and what they are paying for it.

Beginning next year, the data collection will be mandatory. But the commission already has been collecting data from Blue Cross and Blue Shield of Maryland Inc., commercial insurers, Medicare and Medicaid.

Basically, it is seeking to record each encounter any Marylander has with the health care delivery system.

Double encoding

In its first annual report, released in February and based on voluntarily submitted data from 1992 and 1993, the commission reported that in most of Maryland the most common medical procedure is a chest X-ray, but in the Washington suburbs the most common is a psychotherapy session. It reported that 31.8 percent of health spending in Maryland was on inpatient hospital treatment, 6.9 percent was on prescription drugs and 1.7 percent was on home health services.


Colmers said the double encoding -- once by the insurance company, then separately by the state's data contractor -- should protect records. Already, he said, the state does not know what kind of identification number an insurer uses -- Social Security, policy number or some other system -- or what kind of encoding the insurer is using.

Stuart Comstock-Gay, executive director of the American Civil Liberties Union of Maryland, said changes such as those Colmers is proposing are not the same as requiring the consent of the patient.

"I think any increases in attempts to assure privacy are good," Comstock-Gay said. "But the big problems still remain -- the prospect that the records can be discovered, that data can be disclosed.

"Every time you turn around, another [computer] encryption system has been broken."

Pub Date: 5/09/96