A version of the BMA security policy was accepted for presentation at the IEEE Symposium on Security and Privacy at Oakland, which is the premier conference on computer security, and we submitted a condensed version that incorporated much of the early feedback [8]. After the paper was presented (on the 7th May), there was a panel discussion at which an academic, a doctor and a representative of the healthcare computing industry presented their views of the policy. Then, on the 10th May, the policy was presented again at a workshop in Washington at which doctors, lawyers, rights activists and congressional staffers discussed the issues from a US viewpoint.
The main lesson learned from this trip was that the real privacy problem in the USA comes from the claims databases operated by the insurance companies that pay for most US healthcare. These databases are coming to replace the casenotes in the doctor's office as the primary record for many Americans; the convenience of having a lifetime's record in one place outweighs the fact that these records were not generally designed for clinical use.
The sidelines the security debate. US hospital computer systems have much greater variety than their UK counterparts, and their level degree of security also varies widely. But there is a feeling that, since patient records can be obtained by almost anyone from the insurance industry, why should more money be invested in making hospital systems any better?
One of the Oakland speakers revealed that his company sees the seven million records kept by its health systems division as a major business asset, and would strongly resist any attempt by legislators or others to restrict the ways in which this could be used to produce revenue. As we noted in the policy, this business structure has led to practices that would be considered highly abusive in the UK. For example, forty percent of insurers disclose personal health information to lenders, employers or marketers without customer permission [18]; over half of America's largest 500 companies admitted using health records in personnel decisions [16]; and US firms are regularly taken over for the value of the medical records under their control. Indeed, most Americans are coming to feel that these practices are worrying, and a quarter have personal experience of abuse [33].
This has led to a number of bills being introduced or proposed at both state and federal level, and is the subject of papers elsewhere in this volume. Here we will remark that aggregated records make a tempting target. For example, at the Washington meeting a district attorney discussed his use of medical records in criminal investigations. He saw nothing remiss in issuing a subpoena for insurance company files that he thought might be helpful --- and insurance files (being considered financial rather than health records) enjoyed no special privilege.
Another serious aspect of claims-based longitudinal records is that they are not accurate. It is common to `inflate' diagnoses so as to be able to claim higher fees, so that, for example, non-specific chest pain will be recorded as ischaemic heart disease. This might be qualified as a tentative diagnosis in the clinical notes, but as the `unified computer record' supersedes this, the false diagnosis may prevail. It was mentioned that some 20% of alleged clinical facts in the computer record were wrong; if this is even the right order of magnitude, then the risks to health are significant.
The social effects of insurance-driven data aggregation are also becoming understood. At the Washington meeting, a primary care physician told us that over the last twenty years, US patients have moved from complete trust in their family doctor to a much more guarded relationship, in which patients suppress facts that are potentially embarrassing or harmful. The risks of this should also be clear.