A friend went to India recently and got sick. Unsurprising, you might think, except that the reason she got sick was that her doctor in Pennsylvania didn't know that the anti-malaria medication he prescribed would interact badly with the anti-acid reflux drug he had also prescribed. The Indian doctor (who, ironically, had trained in Pennsylvania) knew all about it. Geography.
Preventing this kind of situation, at least on a national level, is part of the theory behind the NHS data spine; for Americans, it's a giant database onto which patient information from all parts of Britain's National Health Service is going to be put. It's also presumably part of the reason that pharmacists think they should be allowed to edit and add to patient records; American pharmacies have for years marketed the notion that if you fill all your prescriptions at the same place they'll be able to tell you if you're prescribed something stupid.
Personally, I can see a lot of merit in this idea. Also in the idea that medical personnel would have access to my records, that my allergies would be known to all and sundry (it would be a help, in a medical crisis, if someone didn't try to revive me by feeding me peanut butter).
The problem is that this is a fantasy. It seems appealing to me, I suppose, only because a) I have hardly any medical records – all my doctors either died, refused to give me my records, or destroyed them after they hadn't heard from me for too long – and b) I can't imagine anything bad happening to me if any of my medical history were disclosed. This is not true for most people, and it ignores the most important thing we know about all databases: they contain errors. This is how the campaign to opt out of the database was born: its organiser, Helen Wilkinson, discovered that her medical records had erroneously labeled her an alcoholic. (Not that there's anything wrong with that.) Getting that corrected took years and questions in Parliament.
The problem with all these systems is that they seek to replace knowledge with information. Your GP may know you; the database merely holds information about you and can make no intelligent judgments about what's relevant to a particular situation or distinguish true from false.
Last year, the World Privacy Forum released a report on medical identity theft. Identity fraud, they concluded, happens at all levels in the US medical system. Medical personnel or clinics seeking to pad their income may add treatments they have never delivered to patient records and present them to insurers for payment. Thieves may use doctors' information to forge prescriptions. Patients without insurance or who do not want particular types of treatment to appear on their own records may steal another's identity. In the US, where most treatment is funded by private medical insurance, the consequences can be far-reaching for the victims of such fraud: their credit ratings, employment prospects, and ability to get medical insurance can all be hit hard. A lot of the complaints, therefore, about the Health Insurance Portability and Accountability Act are that it opens medical records to far too many people and, like the NHS Data Spine, does not provide a way for individuals to correct their own records.
In the UK, things are a bit different. Here, GPs are gatekeepers to all care. According to Fleur Fisher, a consultant on ethics and health care practice, and probably the leading expert on medical privacy in the UK, there have, however, been serious frauds in dentistry in the UK, where dentists may claim for big treatments they haven't actually performed.
The problem in the UK, she says, "is not that people will assume your medical identity so they can get treatment. It's much more that it will open people's health records."
A key part of the NHS plan seems to be to provide data to researchers to help determine public policy. Again, in a lot of ways this makes sense; but there is an old and recurring conflict between the desire for privacy of patients with, say, AIDS, and the legitimate interest of society at large to halt the disease's spread. One thing you should not rely on is that the data will be unidentifiable, even if the NHS confirms that it will be "anonymized". Years ago, Latanya Sweeney showed just how unreliable this is by analyzing supposedly anonymized data from the health system in the state of Massachusetts by matching it against publicly available motor vehicle rolls. With only a few database fields she was able to identify almost all of the individuals in the medical data.
Opting out has turned out not to be so simple, despite the fact that according to Ross Anderson, who has been working on medical privacy for well over a decade, most GPs are unhappy about the forced uploading of patient data to a centralised database. That being the case, as Phil Booth notes in the No2ID forum on the topic, if you want to opt out treat your GP as your ally unless he proves otherwise.
Meantime, if you really want emergency personnel to know the important stuff about you, wear an alert bracelet or some other identifier.
Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to firstname.lastname@example.org (but please turn off HTML).