Vanderbilt Law Review

First Page



Advances in technology have given new life to debates concerning privacy.' Specifically, issues surrounding increased access to personal medical records have recently garnered attention. On one side of the debate, healthcare providers and insurers support expanded access to medical records for treatment, research, and insurance claims purposes. At the same time, however, many patients legitimately expect their medical records to remain private. The advent of Internet access to patient records and electronic medical insurance claims submissions has heightened patients' concerns that computerized medical records will offer less protection and more potential for unauthorized disclosure than paper files in locked cabinets. This has prompted commentators to argue that, as medical information becomes increasingly accessible via means outside a patient's control, the need for privacy protection grows even stronger. Though threats to privacy exist in all media of information, electronically stored information lies particularly vulnerable to abuse and thus requires heightened protection.

For example, one former employee of a state health plan discovered during a computer training class that he could access records of several insurance subscribers. When he typed in his own name, he was startled to see his private psychiatric records, including the name of the antidepressant medication he was taking. Similarly, one woman who had purchased a used computer found 2,000 patient records from a pharmacy that had simply been left stored on the computer's hard drive. These records contained the names, addresses, Social Security numbers, and lists of every medication prescribed for customers of the pharmacy, including prescriptions for AIDS and psychiatric conditions. A third illustration shows the unique dangers of electronic websites: one chief executive officer of a loan company that allows customers to apply for credit cards and loans on-line initiated a strict privacy policy. Though he took several steps to safeguard customer privacy-including baring his technicians from using "cookies," the CEO was stunned to learn that parts of his Web site did in fact employ cookies." The cookies were placed on the site as a result of the company's acquisitions and mergers with other Internet lenders who allowed the use of cookies on their websites, even though the company had paid $250,000 for a privacy audit conducted by an outside firm.