Health information-both paper and electronic-is used for many purposes by a variety of individuals and organizations within and outside the health care industry (Table 3.3). Primary users include physicians, clinics, and hospitals that provide care to patients. Secondary users employ health information for a variety of societal, business, and government purposes other than providing care.9 They include organizations that pay for health care benefits, such as traditional insurance companies, managed care providers, or government programs like Medicare and Medicaid. As part of their management functions, these payer organizations also conduct analyses of the quality of health care delivered by provider organizations and its relative costs. Other secondary users include medical and social science researchers, rehabilitation and social welfare programs, public health services, pharmaceutical companies, marketing firms, the judicial system, and the media. They use health information for purposes such as researching the costs and benefits of alternative treatment plans, determining eligibility for social programs, understanding state and local health needs, news reporting, and targeting possible markets for new or existing products. Marketing firms and vendors of health-related products also obtain health information that will help them target particular types of patients for direct marketing.10
The types of information collected by primary and secondary users vary greatly across individual organizations. Exchanges of data among these organizations are highly complex and dynamic. Rather than attempting to enumerate every possible flow, the discussion below traces the records of a hypothetical, but typical, patient named Alice. Alice's story is a representative, although by no means comprehensive, description of how health records are shared between organizations and individuals.
Alice is in her late twenties, married, and employed by a small company. Bob, her husband, is employed by a large firm. Bob's company offers its employees a choice of three health benefit plans: (1) a health maintenance organization (HMO) that operates its own clinics and pharmacies and permits referrals to outside physicians only under strict guidelines; (2) a preferred provider organization (PPO) that provides pharmacy benefits and reimburses charges from participating physicians at a higher rate than those from nonparticipating physicians, but allowing patients to choose physicians freely; and (3) a conventional indemnity insurance program in which all charges are reimbursed at the same rate after an annual deductible is met, with supplementary major health insurance to cover extraordinary expenses. Differences in the ways their health records may be stored and controlled are not outlined in the program descriptions, and Alice and Bob do not consider this factor in their decision. Hoping to save money but preserve choice of physicians, Bob and Alice choose the PPO option. Bob's employer is self-insured—an increasingly popular strategy for many large employers—though this fact is not stated openly during the enrollment process.
When they set up housekeeping in their current location, Alice and Bob consult friends, colleagues, and local sources of information to find primary care providers. On her first visit to a prospective primary physician, who is a member of a small group practice, Alice is asked to fill out a medical history form and specify how she will pay for her care in the future. She indicates that she will use the health insurance benefits available to her through her husband's job. Since Alice specifies that some of her charges will be covered by a party other than herself, she is also given a form to sign that would authorize the physician's office to send information to the insurer for payment of claims. This release covers all future visits Alice makes to this practice.
Alice's initial visit is satisfactory, and she decides to use this physician as her primary care provider. Records for her initial examination are recorded on paper and held in the physician's office. Blood samples taken from her during the visit, however, are sent to an outside laboratory for analysis. Automated analysis equipment records the laboratory results and prints a paper copy that is returned to the physician; the laboratory bills Alice for the service. The laboratory also retains a record of the test and of Alice's identity. Through the third-party administrator used by Bob's firm to manage health care benefits, Bob's firm receives a claim from Alice for the office visit and the blood test, and approves payment.
The following year, Alice's annual checkup reveals hypertension, and blood tests show mild anemia. The physician prescribes two medications, and Alice fills the prescriptions at a local pharmacy. The pharmacy's charges are reimbursed through a pharmacy benefits program connected with the health insurance option selected by Bob. The pharmacy records Alice's name and address, reads her pharmacy benefits card, notifies the benefits program, and is reimbursed. Parts of Alice's health record now reside with the retail pharmacy and the pharmacy benefits provider, as well as her care provider.
When Alice becomes pregnant, she develops a condition that her primary care provider wishes to discuss with another physician outside the group. She requests Alice's permission to release information to the consulting physician, since Alice may wish a second opinion, and Alice will pay for part of the cost. Acting in accordance with the rules specified by Bob's firm, the third-party administrator approves both the consultation and part of the consultant's fee. The primary care provider trusts the consultant to keep information in Alice's record confidential.
The child is delivered at a local hospital used by the group practice. Prior to Alice's admission, she provides evidence of her ability to pay by showing her insurance card, and she signs a form authorizing the hospital to release to paying parties any data from this admission required for payment. The hospital performs a variety of tests and procedures during Alice's stay and creates a related set of records, some automated and some on paper. The child's birth is recorded with the state, which also opens an immunization record for the child.
Subsequently, the hospital is visited by an accrediting body, which, as a routine part of its investigation, checks on the record-keeping procedures at the hospital. As it happens, Alice's records are among those reviewed, but the accreditors do not remove them from the hospital or make any copies. They simply check the records for accuracy and completeness and to ensure that they are stored in compliance with accrediting procedures.
Bob's company, feeling competitive pressures, considers ways to save money and increase productivity. Improving employees' health seems to be a positive step, since it may both decrease claims and improve performance. Since Bob's company is self-insuring, it asks the third-party administrator to provide it with claims information pertaining to its employees. Though reluctant to share patient-identifiable information because of concerns over privacy, the third-party administrator has no legal basis on which to refuse the request and, to maintain good relations with its client, provides the information to Bob's employer.11 Since her claims are paid by Bob's company, Alice's record, as well as Bob's, is also forwarded. Alice's company, under similar pressure, initiates a company clinic on-site and a ''wellness" program. Although she continues to be insured by Bob's company, Alice uses the clinic occasionally and, on her first visit, provides the clinic with her history, including a list of medications she is taking.
After the birth of their child, Bob and Alice realize that they need life insurance. Both of their companies provide some group coverage, but it is inadequate for their needs. Alice applies for coverage with a large, respected firm, which will provide the coverage she wants if she passes a physical examination. The life insurance company will pay for the examination, but she must sign a release permitting the results of the examination to be forwarded to the Medical Information Bureau (MIB). The life insurance company decides to accept the risk of insuring her but forwards the hypertension results to the MIB in accordance with the industry's practices because her hypertension, although under control, may potentially affect her longevity.
The group practice Alice uses is purchased by a managed care firm, which installs its automated records program. Results of Alice's office visits are now stored on a local computer system. The managed care firm, facing the same competitive pressures as Bob's company, periodically reviews records from each of its many groups to ensure both the quality and the appropriateness of the care provided.
The managed care firm denies a request from another patient within the practice to consult a specialist for a condition similar to the one for which Alice was treated. The patient subsequently sues the practice, and her lawyers request disclosure of records from similar cases within the practice. The court grants a subpoena for the records involved, including Alice's, and the practice is compelled to provide copies of the records to lawyers. Alice's name is removed from the record.
A researcher wants to investigate the long-term effects of the hypertension medication Alice has been taking. He gets a federal grant to support the study and gains approval of his organization's institutional review board. He then writes to hospitals and physicians to request access to their records. Alice's physician contacts Alice and several other patients to ask if they are willing to participate in the study. Alice agrees and signs a consent form granting her physician permission to provide her records to the researcher for purposes of this study, but she insists that her identity not be revealed. The records are provided as requested, but with the name, address, and Social Security number fields scrambled in such a way as to allow Alice's records to be linked without divulging her identity.
At this point, parts of Alice's health record are held by a wide variety of organizations: her primary care physician's practice, a clinical laboratory, the local pharmacy, the pharmacy benefits provider, the practice of the consulting physician, the local hospital, the state bureau of vital statistics, the hospital accrediting agency, her husband's employer, her life insurance company, the Medical Information Bureau, the outcomes researcher, and various lawyers (Figure 3.1). Most of these organizations have information that specifically identifies Alice. She has explicitly consented to grant access to some of these holders; she is aware of others to whom she has not granted access; of others, she may be entirely unaware. If Alice and Bob had chosen a different health plan, the flows might differ. A comprehensive HMO, providing medical, hospital, and pharmacy service, might have more flows within it and fewer outside organizations, for example.
If Alice were an impoverished single parent receiving government benefits, additional flows of data would involve state and federal social services agencies. The federal government collects data for reimbursement of care provided under Medicare and Medicaid, but states also collect large amounts of patient-identifiable information for their own purposes. State health agencies can provide services and collect identifiable data about patients just as providers in private health care entities would. Functioning as providers, they would release identifiable data with patient consent to insurers and other providers depending on the need to know. State health agencies collect data for the purposes of analyzing and disseminating information on health status, personal health problems, population groups at risk, availability and quality of services, and health resource availability.12 The categories of data collected are dependent on the services and functions each health department has within its authority. Environmental services, Medicaid, professional and facility licensing, and alcohol and drug abuse or mental health services are not located consistently in all state health departments across the country.
State health departments generally collect patient-identifiable data related to health service utilization and costs, personal health status and risk (health surveillance data), alcohol and drug abuse services, and mental health services, among other categories. The types of data systems related to each of these categories can be extensive (Table 3.4).
Databases created for these purposes generally have a designated steward who is responsible for managing the protection and the uses of the data. These types of data are released in an identifiable form only in select situations: (1) research purposes for which there has been an approved human subjects review and a data-sharing agreement that outlines restrictions on the use of data, destruction of data at the end of research, and the penalties for violating the agreement; and (2) the investigation of a reportable disease or condition for the purposes of protecting the public's health. In the latter case, identifiable data are released to specially authorized public health investigators or private physicians who are responsible for care of the person believed to have a reportable condition or disease (e.g., measles, sexually transmitted disease, tuberculosis, birth defect, cancer). The steward of the database determines which staff members are allowed to access identifiable data for the purposes of analyzing them. Finally, state laws include penalties that prohibit improper release of data by a state government employee.