This article is based on Amitai Etzioni's latest book, The Limits of Privacy, published in 1999 by Basic Books. He teaches at George Washington University. He can be reached at etzioni@gwu.edu.

By far the most encompassing drive to regulate medical privacy in the United States, which also entails the first grand regulation of cyberspace, is taking place as you read this. And the media have paid next to no attention to it, despite the fact that it will affect everyone's health.

The key new regulation builds on a distinction among three groups: the immediate circle who directly care for the patient; the intermediary circle who deal with reimbursement and management of health care, especially health insurers and HMOs; and the outer circles of employers, pharmaceutical corporations, banks and the media. The regulation requires that the immediate circle release to the intermediary circle only the most minimal medical information needed and bans many disclosures to members of the outer circle, which today occur with great frequency. The ban would prevent employers from using personal medical information to fire or refuse to hire people; pharmaceutical companies from using medical records to push doctors and patients to take their drugs; and banks from calling in loans, etc.

While some fear that the new regulations may be toothless, actually those who break these rules may be penalized quite heavily. A single violation may draw a civil penalty of $25,000. (Given that this is per person, if thousands are involved, as is often the case, this could amount to quite a hefty sum). Moreover, a willful violation could land someone a fine of $50,000 and one-year imprisonment. Finally, someone who attempts to use or sell the information for "commercial advantage, personal gain or malicious harm" will be fined $250,000 and imprisoned for 10 years.

Underlying principles

The private sector has posed the greatest threats to privacy

At first glance there may seem to be nothing "philosophical" or remarkable about the administration's approach -- protecting medical privacy seems an admirable goal. However, on closer examination the following feature stands out: these regulations protect patients not from the traditional enemy that civil libertarians rail against, Big Brother. On the contrary, the regulations recognize that over the last two decades the private sector has posed the greatest threats to privacy. The violators include insurers, employers and drug producers as well as corporations that specialize in trading in personal medical information (for instance, the Medical Information Bureau and Metromail). Big Bucks have replaced Big Government as the biggest danger to privacy. Moreover, the government is now cast as the main protector of privacy rather than its enemy.

The new regulations largely forgo the libertarian principles previously championed by many civil libertarians and Vice President Al Gore. This approach presumed that information about a person was his property and that if someone wished to use it they should gain the consent or "contract" with the owner for whatever use they intended to put that information. And if the information is transmitted to third parties or put to work for purposes not previously covered, the individual owner would again need to be consulted.

Instead, the new rules rely on the government to curb numerous usages of personal medical information -- without requiring any action on the side of the individual. Individuals may allow information about them to be used for additional purposes if they are so inclined, but otherwise their records may be used "primarily to help treat patients and pay their medical bills."

Ditching the libertarian principle is important for both practical and philosophical reasons. Practical issues arise out of the fact that the average item of information about a person is used numerous times, some say as many as 130 times. If the "owner" must be consulted each time, people would need to spend a considerable amount of their time at their computers clicking their assent or refusal.

Moreover, studies have shown that people, especially with a serious illness, may not act as reasonable persons. They often do not understand the consent forms. In short, if their privacy is to be protected, patients need a protector. The new century seems to open with more tolerance for a governmental role in such matters than was seen during the deregulating 1990s.

While recently states have taken on numerous domestic missions, often at the urging or requisite of the federal government (e.g. the Brady Bill, speed limits, collection of child support), the new medical privacy regulations rely squarely on the federal government. Moreover, while states are free to set still higher standards, the new federal regulations pre-empt the state laws that lower privacy protections. This approach makes good sense as the Internet knows no state lines, and personal medical information zooms from computer to computer in ways that states are helpless to reign in.

Privacy and the common good

Most discussions of privacy start from the viewpoint that it is one of the most important individual rights. Many refer to it as a "sacred" right; others believe that liberty, autonomy, individuality and human dignity would all be lost without the right to privacy. These strong commitments to privacy pay no mind to the fact that far from being one of the rights enumerated by the founding fathers, privacy is not so much as mentioned in the U.S. Constitution, and it was fashioned as a constitutional right as recently as the mid-1960s.

Indeed, scores of books and hundreds of articles recently written about privacy argue that the right to privacy is under severe attack from numerous sources (e.g. leakages of cell phones; lack of control over the routes messages take on the Internet; new eavesdropping devices; secret windows that Microsoft and Intel installed in PCs; corporations profiling their customers, and so on).

In championing privacy, rights advocates have followed the same pattern they have followed in the advocacy of other rights, such as lending strong support for women's rights, minorities and handicapped persons. They favor expanding the right to privacy, with limited concern for the effect of such steps on the common good. (The ACLU often argues that protecting rights is the common good.)

Privacy, though, as students of public health know all too well, is one of those rights that must be balanced with concerns for public interest. True, up to a point privacy and the common good can be reconciled. For instance, data show that stronger protections of medical privacy make it more likely that patients will show up to be treated and allow health-care providers to keep the proper records required by the patients' treatment.

However, there are also significant areas in which the right to medical privacy and health concerns come into conflict, and the proper balance is not always struck. For instance, I have argued elsewhere that in the case of infant testing for HIV and disclosure of the results to their mothers, we have been too mindful of the mothers' privacy and not sufficiently attentive to the well-being of children. (Similar issues arise in the treatment of all contagious diseases, especially TB.)

A new approach

The way the new regulations approach this matter is highlighted by the way they treat law enforcement needs versus patient privacy. Rather than according the police unfettered access to medical records or allowing patients to treat them as sacrosanct, the regulations provide a compromise, attentive to both public needs and individual rights. Accordingly, federal, state and local law enforcement officials will be required to obtain permission from either a judge or an administrative hearing office to gain access to someone's medical records. Authorities could gain access in this way to medical records without the patient's consent or knowledge, under conditions similar to those in which they could open sealed personal mail or tap a phone.

When all is said and done, these regulations are so promising for the public at large and detrimental to various private interests that one wonders if the various lobbies will not push Congress to find some way to hobble them. If they are allowed to stand, the natural next step would be to apply them to offline records, where most personal medical information is still lodged.