Compelled Authorizations for Disclosure of Health Records: Magnitude and Implications

Each year individuals are required to execute millions of authorizations for the release of their health records as a condition of employment, applying for various types of insurance, and submitting claims for benefits. Generally, there are no restrictions on the scope of information released pursuant to these compelled authorizations, and the development of a nationwide system of interoperable electronic health records will increase the amount of health information released. After quantifying the extent of these disclosures, this article discusses why it is important to limit disclosures of health information for nonmedical purposes as well as how it may be possible to do so.

Privacy and confidentiality have been foundational principles of medical ethics since the time of Hippocrates. In 1847, the American Medical Association's first Code of Ethics exhorted physicians to safeguard the confidentiality of patient communications (American Medical Association 1847, 93 art. I, §2). Similar provisions have appeared in every subsequent revision of this code as well as in the ethical codes of nurses, dentists, pharmacists, and other healthcare professionals (Gorlin 1999). Without assurances of confidentiality, patients would be reluctant to disclose sensitive health information on which their own treatment and the public's health depend.
Efforts to protect the privacy and confidentiality of health information largely have focused on preventing the unauthorized use and disclosure of information. At a time when health information increasingly is being collected, stored, and distributed in electronic form, many members of the public are concerned about electronic files being accessible to snoops, hackers, and other unauthorized persons. Occasional, highly publicized stories of inadequate electronic security or negligent or wrongful disclosure resonate with the public. Consequently, in public opinion polls, the primary privacy concern of respondents is that individual health records are not "safe" (Harris Interactive 2005).
Unquestionably, it is essential to protect the security of health records in paper or electronic form from unauthorized access. Nevertheless, the authorized access to health information pursuant to a compelled authorization represents a significant and largely overlooked threat to privacy and confidentiality. In short, it is lawful for employers, insurers and other third parties to require that individuals sign authorizations of unlimited scope for the release of their health records as a condition of applying for or obtaining employment, insurance, or benefits under numerous essential programs and services.
The Privacy Rule promulgated by the United States Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act (HIPAA) sets forth the technical requirements for authorizations. For example, authorizations must be signed and dated and specify what information is to be released to whom. The Privacy Rule, however, does not regulate the substance of authorizations. It does not prohibit entities not covered by HIPAA (e.g., employers, life insurers) from compelling the signing of an authorization as a condition of employment or insurance. It also does not regulate the amount or nature of health information released pursuant to an authorization, and therefore authorizations compelled by third parties can be of unlimited scope. The Privacy Rule defines "protected health information" (PHI) as individually identifiable health information (45 C.F.R. §164.501). After a covered entity discloses PHI to a non-covered entity pursuant to an authorization, the information is no longer PHI, and it is no longer covered by the Privacy Rule (45 C.F.R. §164.508(c)(2)(B)(iii)).
Before efforts can be undertaken to address the issue of compelled authorizations, it is necessary to quantify the extent of the problem. In this article we present the initial estimates of compelled authorizations for the most common uses of health information. We then discuss the implications for privacy and confidentiality of compelled authorizations of unlimited scope and conclude with a proposed method to limit the scope of such disclosures to relevant and essential health information.

Employment Entrance Examinations
Employers long have been interested in selecting healthy employees because these employees are likely to be more productive, have lower rates of absenteeism and turnover, and cost less money for sick leave and health benefits. Under the Americans with Disabilities Act (ADA), employers with 15 or more employees are prohibited from asking health-related questions to applicants or requiring them to undergo a pre-employment medical examination. After a conditional offer of employment, however, the employer may insist that individuals undergo a pre-placement medical examination and sign an authorization to release all their health records (42 U.S.C. §12112(d)(3)). Of course, employers are not required to review health records or conduct medical examinations, and there are no precise figures on how many health records are disclosed. In addition, these examinations are unrelated to whether the employer offers a health benefits plan. Indeed, under HIPAA, an employer generally may not alter the terms of participation in a health plan based on health status (42 U.S.C. §300gg-1(a)(1)).
Based on the Bureau of Labor Statistics finding of an average of 4.8 million hires per month for the 12-month period ending in March 2006, there were approximately 57 million new employees hired in the United States in that period (U.S. Department of Labor 2006). Because the ADA prohibits medical examinations and inquiries before a conditional offer of employment, it is not necessary to consider the number of applicants for employment. The total of new hires underestimates the number of conditional offerees, because it does not include offerees who were not hired as a result of the examination or who declined the job before commencing employment. The American Management Association conducts employer surveys on medical testing of employees. According to the 2004 survey, 35.8% of employers required medical examinations to assess fitness for duty (American Management Association 2004). The percentage varies by employer size (large employers are more likely to require medical examinations) (American Management Association 2004) and industry (manufacturing employers are more likely to require medical examinations than service employers) (American Management Association 2004). For the 12-month period ending in March 2006, multiplying the number of new hires, 57 million, by 35.8% results in 20,406,000 medical examinations. Because large employers are more likely to require medical examinations than small employers, a higher percentage of employees will be subject to examinations than the 35.8% of employers that require them. There are no figures available for the number of preplacement authorizations for the release of health information. Although the number of medical examinations does not correlate precisely with the number of medical authorizations, it is a reasonable proxy. The large number of new hires each year is attributable to the inclusion of part-time employees by the Bureau of Labor Statistics and the substantial turnover in low-wage jobs in the service sector.
We reduced the gross figure of 20.4 million medical examinations by a "best guess" 50% discount to yield the estimate of 10.2 million authorizations for release of health records by conditional offerees. A substantial reduction is appropriate because it is unknown how many employers that perform preplacement medical examinations require the release of health records as well as how many employers that do not perform such examinations require the release of health records. The estimate of 10.2 million authorizations per year does not consider the authorizations signed by current employees to disclose their health records or disclosures of employees changing jobs and facing different health risks, or those seeking to return to work after a medical leave of absence.
Throughout this article, as illustrated in Table 1, we have used a "best guess" reduction factor of 50% for applications and 20% for claims. Applications may be withdrawn or remain incomplete for a variety of reasons, whereas health status is an integral part of the claims process and individuals submitting claims are highly motivated to complete their files.

Individual Health Insurance Applications
Most individuals covered by health insurance receive their coverage through employer-sponsored group health plans (Kaiser Family Foundation 2005, 9). For purposes of risk classification, the important unit is the group. Individual health insurance, however, is medically underwritten on an individual basis. Coverage and pricing decisions are based on, among other factors, the individual's health history. Thus, health insurers consider it essential to have access to the health records of applicants.
America's Health Insurance Plans (Washington, DC) is the trade association representing companies that sell health insurance. Based on a survey of its members, from June 30, 2003, to June 30, 2004, member companies received approximately 1.1 million applications for individual health insurance coverage (Center for Policy and Research 2005, 9). Approximately 15% of the applications were not processed or were denied, resulting in 900,000 individual policy coverage offers, representing approximately 800,000 individuals (Center for Policy and Research 2005, 9). Health insurance companies usually require some or all applicants to complete a medical questionnaire and to release their health records before an individual health insurance policy will be issued (Privacy Rights Clearinghouse 2006). To calculate the number of health records disclosed in the application process, we discounted the figure of 1.1 million applications by 50%. Therefore, we estimate that 550,000 medical records are released each year in the process of obtaining individual health insurance coverage.

Individual Life Insurance Applications
Whereas most health insurance is group coverage, most life insurance is individually underwritten (American Council of Life Insurers 2005, 82). By considering age, medical conditions (e.g., hypertension, diabetes), and lifestyle factors (e.g., cigarette smoking), underwriters attempt to place individuals into a category with those of similar risk. To obtain sufficient information for underwriting, life insurers usually require that applicants complete a medical questionnaire, submit to a medical examination (the scope of which is often determined by the amount of the policy), and sign an authorization for disclosure of their health records. According to the trade association of the life insurance industry, the American Council of Life Insurers (Washington, DC), in 2004 there were 12,851,000 individual life insurance policies sold (American Council of Life Insurers 2005, 82; Table 7.1). Considering the denial rate is approximately 6%, the total number of applications in 2004 was approximately 13.6 million (National Conference of State Legislatures 2001, 27). Assuming that medical records are sought for only 50% of applications, approximately 6.8 million medical records are disclosed each year in the individual life insurance application process.

Individual Long-term Care Insurance Applications
The aging of the population and increasing healthcare costs are two of the reasons contributing to the increasing appeal of long-term care insurance policies. Individual long-term care insurance is individually underwritten and priced, in part, because the cost of long-term care can vary greatly depending on whether the individual is likely to require more expensive skilled nursing care (as is the case when an individual has Alzheimer's disease). Health records are used in the underwriting process.
In 2004, there were approximately 362,000 individual long-term care insurance policies sold (Coombes 2005). With a denial rate of approximately 10%, there were approximately 400,000 applications (American Academy of Actuaries 2002a). Assuming that health records are sought for only 50% of applications, we estimate that 200,000 health records are disclosed each year in applications for individual long-term care insurance.

Individual Disability Insurance Applications
Disability insurance may be long-term or short-term, group-based or individually based. Although most disability insurance is group coverage (Leder 2005), for purposes of assessing the use of health records in underwriting disability insurance applications, our focus is on individual, long-term disability. These policies, which serve to replace a percentage (usually 50% to 70%) of lost income resulting from premature disability, are often sold to self-employed professionals, such as physicians and lawyers. Medical underwriting, including the use of health records, is extremely important because of the high income of many policy holders combined with the potential for decades of payments.
In 2004, there were approximately 372,000 individual disability insurance policies sold (Leder 2005). With a denial rate of approximately 10%, this means that there were approximately 400,000 applications (American Academy of Actuaries 2002a). These figures exclude "buy-up" policies (additional coverage beyond that provided in a group plan), for which individual underwriting is often used. Assuming that medical records are sought for only 50% of applications, we estimate that 200,000 health records are disclosed each year in applications for individual disability insurance.

Disability Insurance Claims
Claims processing for both individual and group disability insurance requires a determination of whether the individual is disabled within the meaning of the policy. Verifying the medical evidence on which claims are based requires that claimants authorize the release of their health records (UnumProvident 2006b).
Industry-wide figures of individual and group disability insurance claims are not available, but we can estimate the number in the following way. UnumProvident Company states that it received approximately 412,000 claims in 2005 (UnumProvident 2006a). Because this company has approximately 22% of the market for disability insurance based on number of lives covered, it can be estimated that there are approximately 1.9 million claims filed with all disability insurance companies (JHA 2005, 15, 17). Because of the essential role of health records in verifying claims, we assume that records are released in 80% of claims filed. Therefore, we estimate that there are approximately 1.5 million disclosures of health records each year in the disability insurance claims process.

Automobile Insurance Claims
Automobile insurance policies provide coverage for the medical and related expenses caused by personal injuries sustained by insured drivers, passengers, and other persons (e.g., other drivers, pedestrians). In many instances, claimants are required to authorize release of their medical records to document the extent of their injuries. For some injuries, the claimant and insurer cannot resolve the claim, and the claimant files a lawsuit to compel payment. We have captured the medical disclosures made in the course of litigation in our estimate of personal injury litigation.
There were 1.70 million claims for bodily injury from automobile accidents nationwide in 2002 (National Association of Insurance Commissioners 2005, 34, Table 6B). Assuming that health records are released in 80% of these claims, we estimate that 1.36 million health records are disclosed each year in the course of automobile insurance claims.

Social Security Disability Insurance Applications (Claims)
The Social Security Act of 1935 provided for payments to qualified retirees and their dependents in the form of a pension. In 1956, the Social Security Act was amended to provide payments to qualified workers age 50 to 64 years who become permanently and totally disabled (Social Security Administration 2006a). Although the first step in obtaining benefits is to file an "application" with the Social Security Administration, all qualified workers are covered and therefore the "application" is really a claim for benefits rather than a request for coverage. The applicant must submit health records to verify a claim of disability (Social Security Administration 2006c).
According to the Social Security Administration, in calendar year 2005 there were 2,122,100 claims for Social Security Disability (Social Security Administration 2006b). Based on the assumption that health records are disclosed in 80% of cases, we estimate that 1.7 million health records are disclosed annually in the Social Security Disability process.

Workers' Compensation Claims
Separate workers' compensation laws have been enacted in every state to provide no-fault compensation (medical expenses and partial income replacement) for work-related injuries and illnesses of covered employees. Workers' compensation awards are typically made by a state agency, and employers may contest a claim on the ground that the injury or illness was not compensable or the nature and extent of the injury or illness. Health records of the claimant are generally required to support a claim for compensation, especially in contested cases (American Academy of Actuaries 2002b).
According to the Bureau of Labor Statistics, in 2005 there were approximately 150 million workers older than age 16 years in the workforce (U.S. Department of Labor 2006b). With 1.3 workers' compensation claims per 100 workers, there were approximately 1.95 million workers' compensation claims (DiDonato and Brown 2005, 2). Assuming that health records are disclosed in 80% of the claims, we estimate that approximately 1.56 million health records are disclosed in the workers' compensation claims system each year.

Veterans' Disability Claims
The Veterans' Benefits Act, as amended, provides compensation for veterans who have service-related disability. The amount of compensation is determined by the veteran's percentage of disability. Medical documentation is an integral part of the claims process, and applicants are required to submit health records to support their claims (Department of Veterans Affairs 2005b).
According to the Department of Veterans Affairs, in 2005 there were 790,000 claims for Veterans' Disability (Department of Veterans Affairs 2006). Assuming that health records are disclosed in 80% of claims, we estimate that about 632,000 health records are disclosed each year in the veterans' disability claims process.

Personal Injury Lawsuits
When a plaintiff brings a lawsuit claiming that the defendant's wrongful act has caused personal injury or illness, the courts hold that, as a matter of law, the plaintiff has placed in controversy the issues of the nature and extent of his or her injury or illness (Schlagenhauf v. Holder, 379 U.S. 104 [1964]). Therefore, the defendant has a right to require that the plaintiff disclose his or her health records. In theory, defendants are entitled only to health records bearing on the plaintiff's claim, but it is difficult to tell in advance what health information may be relevant. Therefore, the courts generally take a broad view of the scope of discovery.
There is no precise figure available for the total number of personal injury lawsuits filed in the United States each year. According to the National Center for State Courts, in 2003 there were 564,000 tort cases filed in the state court system (National Center for State Courts 2005, 198; Table 16).
Because the data do not include some small states, representing 3.8% of the population, a population-adjusted number would be 585,000 cases. There also were 99,000 tort cases filed in the federal courts (Cohen 2005, 1). Approximately 90% of tort cases allege personal injury (Cohen 2005, 1). Thus, there are approximately 600,000 cases in the state and federal courts each year alleging personal injury. There are no good estimates of the number of cases that are withdrawn, dismissed, or settled before the discovery phase. We estimate that health records are disclosed in 50% of the cases, or in approximately 300,000 personal injury lawsuits each year.

Total Annual Compelled Disclosures
The preceding estimates for the number of health record disclosures are admittedly imprecise because there are few, if any, accessible compilations of the information. Thus, various levels of inference and estimation were required to reach each specific estimate. Despite this lack of precision, however, we believe that the total number, if anything, underestimates the annual compelled disclosures in the United States. Each of the component estimates includes a discounting process by which the maximum total disclosures were significantly reduced. In addition, the list of possible types of compelled disclosures is not comprehensive. For example, our estimate of the total number of disability insurance claims filed does not capture disability claims filed by employees of self-insured state and local government employers. Our insurance claims data also do not include claims filed under homeowner's, renter's or commercial premises liability policies for injuries occurring on the property of the policyholder. We concentrated only on the major, quantifiable sources of disclosure. The total of the estimated compelled disclosures of health records is approximately 25 million per year.

IMPLICATIONS
The 25 million compelled authorizations each year in the United States are lawful inquiries by entities with a legitimate need to know about an individual's health status. Our concern is that the scope of the health information routinely disclosed often exceeds the information reasonably needed for the purpose of the disclosure. In addition, the amount of information disclosed via each authorization is likely to expand significantly over the next several years. In 2004, President Bush announced a federal initiative to create within 10 years the Nationwide Health Information Network (NHIN), a system of interoperable, longitudinal, comprehensive, electronic health records (EHRs) for every person in the country. The NHIN has the potential, among other things, to improve care by providing immediate access for healthcare providers to detailed health information; it is also expected to improve quality by reducing adverse drug reactions and to save money through elimination of duplicative tests and services.
The NHIN raises significant issues of privacy and confidentiality because the amount of health information revealed within the healthcare setting and to third parties pursuant to an authorization will be much greater than is disclosed in the current, fragmented system of largely paper records. Consequently, more sensitive health information from multiple providers will be routinely disclosed pursuant to an authorization, regardless of the current clinical utility or the intended use of the information. Health information disclosed through the NHIN could include years- or decades-old reports about minor drug and alcohol problems, temporary mental health issues, testing for pregnancy or sexually transmitted diseases, reproductive health issues, and domestic violence reports.
The specifics of the NHIN are still being developed, and the local and regional components of the network may differ. One of the key unresolved questions is to what extent historical paper records will be converted to electronic form. Two possibilities being discussed are scanning or abstracting extant records. Although it is unlikely that all of today's old paper records will be converted to electronic form, the inclusion criteria for EHRs will operate prospectively. Thus, unless limitations are imposed, health records generated today will be maintained indefinitely and might, in the future, become the old, possibly irrelevant, and highly sensitive information about which individuals are deeply concerned.
It is beyond the scope of this article to explore the right of individuals to control the contents of their health records, including EHRs, or the nature of their health information disclosed via the NHIN. We have focused on one important aspect of the problem: unlimited disclosures of health information for nonmedical purposes pursuant to a compelled authorization.
With paper-based health records, it is often difficult or impossible to limit the scope of disclosures pursuant to an authorization. With EHRs and the NHIN, it is possible to limit disclosure to relevant health information, thereby protecting the health privacy of individuals.
Successful implementation of a strategy to refine and limit the nature of disclosures will require the following three developments. First, legislation must be enacted to restrict the scope of the disclosures to the information needed by the third-party user. For example, legislation would be needed to limit employers' access to information about a conditional offeree's ability to perform job-related functions.
Some legislation along these lines already exists, such as workers' compensation laws that restrict health records disclosures to information relevant to the particular claim and section 102(d)(4) of the ADA, which restricts employer-mandated medical examinations and inquiries of current employees to matters bearing on whether the employees can perform job-related functions. Even these modest restrictions are difficult or impossible to achieve in practice, because there is no easy way to determine what information is job-related and relevant and therefore, as a practical matter, custodians of health records simply send a copy of the entire file.
There are likely to be formidable political obstacles to amending the various disclosure laws or enacting new laws to limit the amount of information that can be disclosed.
Commercial entities, such as employers and insurers, are accustomed to receiving comprehensive files, and they are likely to view with suspicion any limitations on their prerogatives. It will be necessary to demonstrate that such restrictions are in their own interests (or, at least, not inconsistent with their interests) as well as the privacy interests of the affected individuals. For example, after a conditional offer of employment, employers receive both job-related and non-job-related health information about potential employees, even though they are legally permitted to use only job-related information in deciding employability. Thus, employers would receive HIV status information even though using such information in deciding employability would very likely violate federal and state law. If employers received only job-related health records, however, there might be a reduction in the number of lawsuits filed by individuals who believed that an adverse employment decision was based on the employer's use of non-job-related health information. According to the American College of Occupational and Environmental Medicine (Elk Grove Village, IL), "the less medical information they possess about employees, the less exposure the employer will have to accusations of making adverse employment decisions based on an employee's health status" (Tacci 2006, 9).
An example of industry-imposed restrictions on access to health information involves life insurance. To underwrite individual life insurance policies, life insurers traditionally have required individuals to complete an application form, undergo a medical examination, and release their health records. The amount of medical review has tended to increase with the amount of the policy. Recently, some life insurers have recognized that medical underwriting for many policies only requires a discrete subset of health information that can be obtained through a standardized telephone interview. "Tele-underwriting," as the process is called, was adopted as a cost-saving measure, but it also has had the effect of protecting the confidentiality of health information deemed unnecessary for underwriting.
A second essential element in protecting privacy is that there must be a fast, cheap and easy way to limit the disclosures. In a recent article (Rothstein and Talbott 2006), we proposed that contextual access criteria should be developed and applied through the NHIN to limit the scope of disclosures. Contextual access criteria are computer software algorithms for each of the different nonmedical uses of health information. For example, life insurers need information about the risk of premature mortality. An expert group would need to agree on the medical conditions that result in premature mortality, the medical information in individual health records that bear on these medical endpoints, and a way of isolating these data points in health records. Similar criteria would need to be developed for all of the various nonmedical uses of health information. Life insurance would probably be the easiest case, because there is a single endpoint to measure, whereas employment would probably be the most difficult because of the thousands of different job classifications that would need to be aggregated into more manageable sets based on similarity of physical and mental demands.
It is important to note that the use of contextual access criteria is still at the research and development stage, a process that has been slowed by a lack of financial and political support. Once the feasibility of this approach has been demonstrated in research and pilot projects, development of contextual access criteria could take place in the following way. A convening entity, such as a standards development organization (e.g., the American National Standards Institute [Washington, DC]), would appoint a series of expert panels comprised of representatives of all affected interests in each application (e.g., life insurance, employment). The panels would meet to devise a consensus standard regarding the essential health endpoints to be assessed, the health information in records bearing on these endpoints, and the manner of isolating the data in a usable format. Thereafter, health information scientists and computer engineers would develop a protocol for extracting the minimum necessary health information. Each protocol would then be field tested to determine whether the data retrieved were adequate for the intended purpose and did not contain extraneous health information.
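A minimal sketch of the contextual access criteria idea described above, as an added example that is not from the article or any NHIN specification. The purpose names, category labels, look-back window and sample record are all constructed for illustration and are not medical or legal determinations; the sketch filters a record deny-by-default per purpose and runs the field-test check for missing and extraneous entries.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Entry:
    entry_id: str
    recorded: date
    category: str   # constructed label, not a real clinical coding system
    note: str

@dataclass(frozen=True)
class Criteria:
    allowed_categories: frozenset
    max_age_years: Optional[int]   # None means no look-back limit

# Hypothetical criteria. In the article's proposal these would be set by
# expert panels per nonmedical use; the values here are placeholders only.
CRITERIA = {
    "life_insurance": Criteria(
        frozenset({"cardiovascular", "diabetes", "oncology", "tobacco_use"}), None),
    "employment_warehouse": Criteria(
        frozenset({"musculoskeletal", "cardiovascular"}), 5),
}

def disclose(record, purpose, today):
    """Split a record into (released, withheld) for one purpose.

    Deny by default: an unknown purpose releases nothing and raises, and an
    entry is released only if its category is explicitly allowed and it falls
    inside the look-back window.
    """
    criteria = CRITERIA.get(purpose)
    if criteria is None:
        raise PermissionError(f"no access criteria defined for {purpose!r}")
    released, withheld = [], []
    for entry in record:
        age_years = (today - entry.recorded).days / 365.25
        in_scope = entry.category in criteria.allowed_categories
        in_window = (criteria.max_age_years is None
                     or age_years <= criteria.max_age_years)
        (released if in_scope and in_window else withheld).append(entry)
    return released, withheld

def field_test(released, expected_ids):
    """Compare a release against entry ids reviewers judged necessary.

    'missing' means the data were not adequate for the purpose;
    'extraneous' means more was released than the purpose needs.
    """
    got = {e.entry_id for e in released}
    return {"missing": sorted(expected_ids - got),
            "extraneous": sorted(got - expected_ids)}

# Constructed sample record and evaluation date.
SAMPLE_TODAY = date(2007, 1, 1)
SAMPLE_RECORD = [
    Entry("E1", date(2006, 3, 1), "cardiovascular", "hypertension, treated"),
    Entry("E2", date(1994, 6, 10), "mental_health", "short-term counselling"),
    Entry("E3", date(2005, 11, 20), "reproductive_health", "pregnancy test"),
    Entry("E4", date(2003, 2, 14), "musculoskeletal", "lumbar strain, resolved"),
    Entry("E5", date(1998, 9, 5), "musculoskeletal", "wrist fracture"),
    Entry("E6", date(2004, 7, 30), "diabetes", "type 2 diabetes"),
]

if __name__ == "__main__":
    for purpose in CRITERIA:
        released, withheld = disclose(SAMPLE_RECORD, purpose, SAMPLE_TODAY)
        print(purpose,
              "released:", [e.entry_id for e in released],
              "withheld:", [e.entry_id for e in withheld])
```

The withheld list is worth logging alongside each release, since it is the evidence that a disclosure was narrower than the full file.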
Contextual access criteria would be impractical or impossible in a paper-based health record system, but the shift to EHRs makes it technically feasible and practically essential because of the increased capacity of an NHIN to link comprehensive, longitudinal files. It is also imperative that feasibility studies of contextual access criteria are undertaken immediately. Once the system architecture is completed for the NHIN, it may be impossible or prohibitively expensive to add these features.
Third, there must be a public realization of the extent and consequences of compelled disclosures of health information and a willingness to accept the political and economic costs of limiting these disclosures. Many individuals and public officials support health privacy and confidentiality in the abstract, but they confuse privacy and confidentiality with computer security. System developers and supporters in both the public and private sectors must recognize the worth of this effort and be willing to commit the resources and effort necessary to adopt a system of contextual access criteria in an interoperable network of EHRs. End users may need to be convinced that it is in their interests and that of the public to implement these health information controls and that their decision making abilities will not be hindered.
It is impossible to predict all of the consequences of using contextual access criteria. Undoubtedly, there will be costs associated with research, development, and implementation. We would argue that these are acceptable costs for a modicum of privacy protection in the age of interoperable EHRs. Furthermore, it is important to recognize that significant, tangible interests are at stake in protecting health privacy and confidentiality. Concerns about privacy and confidentiality figure prominently in individuals' decisions about seeking healthcare (Bishop, Holmes and Kelly 2005), especially for some particularly stigmatizing conditions, such as alcohol and substance abuse, mental illness, sexually transmitted diseases, domestic violence, genetic risks, HIV/AIDS, and reproductive health matters. Thus, individual and public health are likely to be adversely affected if we fail to limit the scope of health information disclosed pursuant to compelled authorizations.