In a building in Westwood, Mass., sits a room with a computer on which more than 20 million files wait, growing in number and complexity every day, each one starting with a name. They are medical files, and they include information about a person’s penchant for hang gliding or weakness for smoking. They are available in real time to any of the 600 insurance companies that pay for their upkeep and contribute data. The insurance companies use them to detect fraud.
And to deny life insurance to people deemed high-risk.
About 180 people work in the building where this computer is housed. They work for the Medical Information Bureau. And they’re just the leading edge of a revolution in the way medical data and other personal information is created, collected and analyzed.
This month doctor groups announced high-powered lawsuits against managed-care companies, including industry leader Aetna. Newspapers recounted familiar horror stories about how greedy insurance companies adjust their plans and policies in order to save money, placing patient care second; about how they use "capitation," the practice of paying doctors a flat fee no matter how many procedures they perform, giving them an incentive to do less; and about how their lobbyists chum Congress with dollars in an effort to deny or limit your right to sue HMOs. But at the eye of the gathering storm over managed care is a key fact that goes all but unmentioned: "rationing" is inevitable because health care is not an infinite resource.
What is not understood by most patients is that this rationing will be -- and to some degree, already is -- controlled not by doctors or even by headset-wearing insurance company clerks, but by computer programs.
And that those computer programs even now make decisions based on their analysis of giant databases made up of medical records -- yours and mine -- that we usually think of as private.
Though you may not realize it, you give away your medical records every time you see a doctor who must be paid under an insurance plan -- be it employer-provided, government-funded or a plan you bought on the private market. When you signed up for your health insurance, you signed a form, and down near the bottom, just above your signature, a sentence similar to this one (from a Physicians Health Service form) appeared: "I authorize any physician, hospital, insurer, or other organization or person having any records or information concerning the health and treatment (including psychiatric, substance abuse, and confidential HIV related information) of me and my family member(s) to furnish such records as may be requested by PHS or its authorized representative for purposes relating to coverage."
That’s carte blanche.
Every flu shot you get, every prescription, every cold or broken arm is coded into a bubble sheet and submitted. The insurance company won’t pay your doctor if the form doesn’t arrive. And the company audits your doctor to make sure he isn’t "upcoding" -- claiming your ailments are more serious than they really are in order to get more money.
But the data can be used for much more than that. And C. Peter Waegemann, executive director of Medical Records Institute in Newton, Mass., has for the past eight years been working to set standards under which these medical records will be electronically compiled -- and accessed -- by hospitals, private physicians, researchers and insurance companies.
"We believe that electronic patient records will make more of a difference than a cure for cancer," says Waegemann.
The revolution began in 1991 with a report from the Institute of Medicine titled, "Computer-based Patient Records: An Essential Technology for Health Care," which defined a vision for the management of health-care information. Standards groups like the Medical Records Institute and the Computer-based Patient Record Institute (CPRI) followed, and an industry quickly sprang up to handle the formidable task of transforming millions of paper records into electronic form, and creating the software that will allow medical institutions to use the data. Insurance companies are driving the effort.
An article last year in the trade journal Healthcare Informatics surveyed the field, quoting executives from several HMOs and software companies whose stated goal was to sell their systems to the insurance industry. The article summed up the consensus of executives in the field by noting that the "ultimate value" of the computerized records will be to allow something called "decision support." That can be as simple as your doctor knowing you’re already taking a drug that might interfere with the one he or she is about to prescribe, or as complex as looking at millions of cancer cases to determine what combination of radiation and chemotherapies leads to the longest average survival rate.
The system "will allow guidelines and protocols," says Waegemann. "People in Maine are 18 times more likely to have their tonsils out than people in Utah; there are many cases where doctors’ specialty means care is administered in certain ways."
The electronic medical records will be available to any doctor anywhere instantly, saving precious time when, for example, a bus in Kuala Lumpur hits a vacationer. The much-hyped phenomenon of telemedicine is also dependent on electronic patient records, Waegemann says. "Medicine is so complex these days that one person cannot manage it any more."
Waegemann has spent a lot of time considering the security of electronic medical records. His institute’s working theory is that such records should be the property of the patient. "A future medical record would be on a secure website," Waegemann explains. "You go to the pharmacist, you might not give them the key to the mental health information. The patient would only give it out when needed."
But what about the keepers of the data? What if the health plan’s sponsor itself decides to use the database to compute, for example, that a terminal cancer patient, in a nursing home, will die an average of four months sooner if her pain medication is cut by half, saving an average of $38,000 in treatment?
"It’s possible," says Waegemann, "but I haven’t heard of anyone talking about it." His greater worry is that employers -- the insurance companies’ customers -- use employee medical data unethically. "We saw a company that had to downsize," he recounts. "[It] laid off 800 people. It was done on the basis of medical bills, [although] we cannot prove it."
Today there are no significant barriers to stop a corporation from making personnel decisions this way. A 1996 survey of 84 Fortune 500 companies by the Survey Research laboratory of the University of Illinois found that nearly one-third admitted to using medical information to make hiring, firing and promotional decisions. Victims of this kind of management can sue their former employers and, theoretically, discover a paper trail that will net them a tidy settlement.
Proving it in the case of your HMO is next to impossible for two reasons. First, the actuarial methods used by insurance companies to calculate risk are closely held trade secrets. Second, insurance companies are exempt from antitrust laws to the extent that they share information that helps them make the actuarial decisions. With a computer program making the decisions, few if any insurance employees would even know how or why the decisions were being made. A whistleblower would have to have extraordinary knowledge of the workings of a vast computer system -- something the company could prevent simply by outsourcing the design of the program to several different software consultants.
This is the dark vision of Michael W. Freeny, a psychotherapist in Longwood, who realized about five years ago that the codes he filled out on the insurance forms his patients gave him told the insurance company extraordinarily sensitive information. "If I gave it to anyone, I could lose my license," he says. "But they can make tons of money selling this data. Marketers will pays tons of money to find out who in New England has hemorrhoids."
Freeny wrote a novel called "Terminal Consent," outlining a scenario in which an evil HMO develops a computer program that makes all care decisions based on cost. The program tells the nice person wearing the headphones what to say when your doctor calls. It knows your medical history, your financial situation and that of all your relatives. Freeny calls the program "MOM." His book received uniformly good reviews -- including a blurb from Waegemann.
So how close is his fantasy to reality?
"If you’re talking about how MOM is implemented in the credit world, MOM is here," Freeny says. "If you’re talking about how MOM is implemented in the medical world, we don’t know. All the elements were in place three years ago."
All they need is the data set.
Perhaps not surprisingly, Congress would like to help them get the data, but in its bungling way has been somewhat of an impediment. Included in the Health Insurance Portability and Accessibility Act of 1996 -- Congress’s last major overhaul of our troubled health-care system -- was a set of provisions that related to encouraging standards for health-care information systems.
The law called for the Department of Health and Human Services to adopt standards for the exchange of health-care data between providers and payers, and these regulations should be issued by the end of this year, according to Jeffrey Blair, a colleague of Waegemann who also sits on the board of the National Committee on Vital Health and Statistics, the public advisory body to the Secretary of Health and Human Services.
But those standards are the easy part. The hard part is establishing "data security requirements, and identifiers" -- how attached to your name will your data be -- for insurance purposes, says Blair. "But the Department of Health and Human Services is deferring any discussion of a patient identifier until after Congress passes legislation to protect the privacy of health-care information."
This was supposed to be done by August, but was not.
So now it’s up to Health and Human Services to make its own rules, which is supposed to happen by February. "Those regulations probably will not be identical -- or have the impact and breadth that the federal legislation would have," Blair says. "Nobody knows whether Congress will accept the regulations that HHS puts forth." Various groups, including AIDS rights organizations, state insurance commissioners and consumer advocates, are hoping to influence the process. Insurance companies are by far the loudest voice in the process, however.
But they aren’t depending on the government.
"These companies are not sitting around waiting for the government to set standards," Freeny says. "The farther out they can push this envelope the more power they will have when, 10 years later, the government catches up."
Does Blair believe Freeny’s scenario is cause for concern?
"I think I will simply acknowledge that these are issues that everyone is concerned about," Blair says. "How do you put into place public policies that have a proper balance between providing quality care and doing so in a cost efficient manner? I think the public’s confidence that our health-care system does this well has been shaken."
Blair says America and the world must press on and computerize medical records because the benefits of doing so are so great. "These benefits of the information age have already been exploited by automobile manufacturers, by financial institutions, in the reservations systems that our transportation system uses -- by most other sectors of our economy," Blair says. "They are just now starting to be used by the health-care system in the finance and administration areas. But it won’t be until we apply them to the clinical part that we get the real big improvements in quality and cost."
But haven’t the automobile companies routinely calculated, for example, that the cost of lawsuits arising from deaths caused by unsafe gas tanks or airbags would be less than the expense of a recall, thus consigning random people to die in order to save money?
"First, I have to acknowledge the fact that information can be misused," Blair responds. "Then we have to move on to the deeper questions. What is the consensus of the values of our society? GM puts a price on human life ... is that wrong? In Congress will we kick it there and say if you don’t put a cap on [care per person] we have to limit overall access to health care?"
Blair, an MBA and management engineer who worked for IBM for 30 years, says his experience suggests nefarious scenarios like the one envisioned by Freeny are unlikely to occur: "Those concerned with cost wouldn’t invest the money" in technology.
But that was then, argues Freeny.
"It’s hard to measure stuff like quality of life, like pain," Freeny acknowledges. "But deaths per 1,000 is not. Cost per patient is real easy to quantify. My whole issue is, who is in control of this?
There are other worries.
Dr. Arnold Koff, an Avon internist, is one of the estimated 30 percent of American doctors already filing their patients’ records electronically. He has a computer in his examining room and looks forward to the day when medical records will be stored on the World Wide Web. But he isn’t oblivious to the uses this information can be put to by managed-care companies, and notes that the rise of "single disease companies," which subcontract from HMOs the management of, say, multiple sclerosis and split the cost savings with the insurer, are developing the power to ratchet down the level of care while shielding the insurer from liability. "It kind of takes it out of the hands of the doctor," he says.
And there’s the looming prospect of genetic predictors playing a self-fulfilling role in determining the availability of insurance, financial services and almost every other product needed for a reasonable life in modern times.
One company already has all the data for an entire country.
On Dec. 17, 1998, the Parliament of Iceland adopted a law allowing a private company to build an electronic database of the health and genetic records of all 270,000 citizens of Iceland. That company, DeCODE Genetics, is headquartered in Reykjavik, but chartered in Delaware.
The law gives DeCODE exclusive rights to the commercial exploitation of the database until 2010. DeCODE promptly entered into a contract with pharmaceutical company Hoffmann-LaRoche, reportedly worth up to $200 million, for the purpose of researching the genetic origins of 12 common diseases.
The company makes no secret, however, of its intention to use the information it compiles to help save money as well as lives. "DeCODE’s proposed Healthcare Database is a powerful new tool for medical research and health care management," says the text on the company’s database website.
DeCODE offers assurances that the information on the database will be "triple coded" and that "it will never be possible to extract information on individuals who are included in the database." But that’s small consolation to the patient who submits to a blood test for an insurance provider, only to have it checked against the database to determine if, for example, her chromosome 2p 13 shows a predilection for pre-eclampsia, a major cause of both infant and maternal mortality that affects 3 percent to 7 percent of pregnancies worldwide. The insurance company could use the information to design a better policy -- maybe to save the patient’s life.
Or it could simply deny coverage.
DeCODE announced it found that genetic link on Sept. 20.
