Six-hundred Pages of Privacy Regulation
by Amitai Etzioni Monday, September 25, 2000
Amitai Etzioni is most recently the author of Limits of Privacy (New York: Basic Books, 1999). It contains extensive discussion of medical privacy.
Any day now, the Clinton administration will issue the final version of 600 pages of regulations, all aimed at ensuring that Americans' medical privacy is respected. The rules are highly needed given that many employers buy medical records and refuse to hire or promote people they consider a poor risk.
Banks also have called in loans of people who have had heart attacks. And the pharmaceutical industry uses information it corrals from drug stores to urge patients to ask their doctors for the pills they push, which often are more expensive and not necessarily better than the ones the patients already are taking.
All this is now supposed to end. The Clinton administration has posted suggested regulations, and for the last half-year the Health and Human Services Department has been struggling to address 48,000 public comments and revise the regulations accordingly. The process is about to be completed.
The case for regulation
While Congress has limited the reach of these regulations to apply only to electronic records, that constitutes a rapidly growing proportion of all records. The new regulations also amount to the first large-scale introduction of government controls in cyberspace. They will lay to rest the fantasy that cyberspace could become a new world in which people govern themselves without state intervention.
Surprisingly, most people -- who seem largely unaware of the extent to which their medical records are an open book -- have not commented on the regulations. One reason might well be that people basically appreciate what they see. One of the greatest virtues of the suggested regulations is that they eschew the libertarian philosophy that information about a person is his property and hence he must consent to each specific use, secondary use and sale to third parties.
Given that each piece of information is used numerous times, people would be spending half their days clicking "yes," "no," and "first, pay me" if they had to adhere to that approach. People also would need lawyers to understand privacy "contracts." (Did you notice that the consent form you regularly sign in doctors' offices and hospitals, to release your medical information to your HMO or health insurance company, in no way limits what they can do with the data?)
Instead the suggested regulations rely on government protection. Accordingly, personal medical information can be shared with health-care professionals and health insurers but not with employers, banks, marketers and others who have no legitimate business seeing it.
The penalties for violating the suggested new regulations are quite hefty. An unintended violation may lead to a $25,000 penalty. A willful violation doubles the fine and potentially may result in a year in jail for the violator. Someone attempting to sell information for "commercial advantage, personal gain or malicious harm" may be hit with a $250,000 fine and a 10-year prison sentence. These teeth are likely to get the attention of potential violators of medical privacy.
Another attractive feature of the new regulations is that they call for releasing only minimal information rather than a person's whole medical record. Thus an employer processing an insurance claim for a work-related injury would not get the employee's entire medical history. The employer has no need or right to know if the person had herpes or an abortion.
Answering the critics
Critics have objected vehemently to one proposed regulation. It would let patients see their medical records and demand that their doctors correct the records if the patients think the information is invalid. If the doctors refuse, they must endure an administrative review process. Critics claim that the rule would cost health-care providers some $4 billion over five years. The government, which assumes that only 1 percent of patients will want to see their records, argues that the costs are at most half that amount.
My concern is a different one. Ever since recommendation letters written by professors have become a document their students can scrutinize, most professors have become rather leery about saying anything unflattering. Consequently, the letters have lost much of their value.
If the same happens to medical records, physicians soon will cease to note that someone has alcoholic tendencies and instead may note that the patient has a "fine appreciation of wine." The notation "obese" will be replaced with "well nourished" and so on.
Interviews with a half-dozen doctors reveal that they feel extremely beleaguered and are flooded by paperwork as it is. The last thing they want is to have to quarrel with patients over file notations. "I'll put in anything they want," said one irked physician.
The issue could be minimized if patients could augment their file, adding their own views but not requiring physicians to change theirs. And the regulations should require that the comments accompany the patient's file wherever it travels.
Privacy vs. medical research
The regulations also need to be recast for another reason: They undermine some common good. In this case, the effort to better protect privacy seriously threatens medical research by requiring the removal of personal identifiers (names, addresses, phone numbers, Social Security numbers) from medical data and "destroying them at the earliest opportunity." The rule would make it impossible to combine such data with most existing data that are arranged by personal identifiers.
Instead of eliminating personal identifiers on all medical information, it would make sense to create a small number of medical data "Fort Knoxes" to hold personal identifiers. Bonded personnel at the forts would combine new data with old information.
Surely some other compromises might be achieved, but medical research is too important for all of us to be severely hobbled in order to strengthen medical privacy. All in all, in an age when we are often critical of what the government does, and for a good reason, the new regulations are a giant leap forward, the largest since the right to privacy was created.
For now, though, your records are still readily available on the Internet.