Trusted systems and medical records: lowering expectations.

Author: Greely, Henry T.

Our world--perhaps especially our academic world--is intensely specialized. Expertise in privacy and the Internet would seem readily transferable to issues of the privacy of electronic medical records, but there is a very real gap. Jonathan Zittrain has taken his knowledge of the possible uses of "trusted systems" in the electronic delivery and control of music and applied it to electronic medical records, a field with many experts and a voluminous literature,(1) which Zittrain, quite understandably, has not mastered. (Neither have I.) These forays across the growing number of deep disciplinary and subdisciplinary chasms are dangerous. Specialists may well dismiss the interloper with a curt "he doesn't know the territory." But the risk must be taken. Unless we can compare similar problems in different settings, our ability to learn, and to improve, is crippled. Given the falling odds that even one person will be expert in both fields, efforts like Zittrain's need to be encouraged, not trashed.

But, in fact, Zittrain doesn't know this territory. The issues that are important for the privacy of electronic medical records are quite different from those that affect the use of trusted systems in music distribution. Each is just another collection of ones and zeros to a computer, but their cultural significance, and uses, are critically different. Zittrain admits that trusted systems would not be a panacea for the problems of medical records privacy, but argues they may be useful. I agree that they may have some uses, but I am considerably less optimistic about their value in this context. This commentary briefly explains my reasons.

Two key problems limit the application of trusted systems in the medical context. First, trusted systems do not speak to the crucial questions. Music companies want to use trusted systems to distribute the ones and zeros of their product to people while limiting subsequent uses--mainly copying and distribution. Their problem is how to control subsequent uses by those who first receive the product. As to the initial recipient, only one question is very important--has he paid for the music? Third parties do not have important roles in this private entertainment transaction.

Patients, the "trustors" in Zittrain's vision of electronic medical records, want to use those systems to make sure that their information is available to many potential users. The identities of the relevant users cannot be specified in advance, nor can the patient count on being physically or mentally able to authorize their access when most needed. In addition, many third parties will have either compelling or powerful claims to access to those medical records. And patients will be far less able to insist on the full strength of their trusted systems than either music companies or music consumers. Thus, with medical records, the crucial question is not how to control secondary access but who should get primary access. The answers to that substantive question may greatly reduce the protective power of trusted systems. I will expand on this point at length below.

But, first, consider another key difference between digitally recorded music and digital medical records. The music company sends a product that is only valuable if it can be used in a digital format, with all its ones and zeros, to reproduce the music.(2) For the distributor's interests to be substantially harmed, the whole file (or a large portion of it) has to be transferred to another digital apparatus. The electronic medical record, though encoded in ones and zeros, is largely words (with a few pictures). The patient's interests might be harmed by a very small part of that file--for example, the words "acute depression" or "HIV positive" or "elective abortion." And that harm can take place when those words are transferred, not just to another computer or other digital instrument, but to a printout, a photograph, a piece of scratch paper--or a human brain. This second difference makes controlling the subsequent uses much, much more difficult.

Now, let's look at the substantive question of who should have access to a patient's medical records. Consider issues of access to patient medical records by medical providers, health care payers (including employers), medical researchers, marketing users, and the patients themselves.

Interstate 80 runs from the Manhattan end of the George Washington Bridge to the San Francisco end of the Oakland-Bay Bridge. A driver might have an accident on any of the intervening 3,000 miles and need emergency medical care. That care might well be improved by access to the patient's medical records. Will emergency room physicians be able to see them? Assume the accident results in a long hospitalization. Who in the hospital might need access to the patient's records? All doctors who might be on duty during the hospitalization. All the nurses. The hospital pharmacy. The surgeons, anesthesiologists, and intensive care specialists. The resident on duty when the patient codes.(3) Almost any professional in the hospital could have a valid need for that information, at any hour, whether or not the patient is able or willing to give her permission to see it.

One could imagine a trusted system that permitted a patient to choose which health care providers...
