Author: Polito, Jacquelyn M
Date published: March 1, 2012
The explosion of technological advances in Internet usage for storing, communicating, and referencing medical information has undeniably enhanced patient care and, concomitantly, created a slippery slope of ethical-legal considerations.
It is widely accepted that patients have the right to obtain and control their medical records, including who gets to see the records and to what extent. Key questions necessarily arise regarding who will be responsible for maintaining confidentiality, how will confidentiality be monitored, and who will be held accountable for breaches and to what degree. In addition, will caregivers be able to trust that records given to them by patients are up-to-date and complete, without crucial omissions or alterations that patients may not wish current or future caregivers to see? How will patients who are storing personal health records on websites built for that purpose be assured of privacy and confidentiality? How much patient information should be shared by caregivers on public social network websites?
Physicians, technologists, and other healthcare professionals increasingly access the Internet to obtain the latest developments in disease management and to discuss treatment options with colleagues. How can they be sure of the integrity and security of the information obtained in this manner? Internet use broadens access to information and permits links and associations that are not always secure. Internet transmission of medical information can be retrieved, copied, and retransmitted by anyone with access and passwords. How will this access affect the level of trust between patient and caregiver, as well as safeguarding privacy?
This paper will illuminate some of the ethical concerns arising with the dizzying increase in online access to and sharing of medical information and how these concerns have been addressed thus far. In fact, many of these concerns have yet to be brought before the court system (Weiss 2004). In many cases, new precedents have yet to be set with regards to conflict resolution arising from the expansion of Internet use for medical information.
Conservative estimates are that there exist hundreds of thousands of World Wide Web sites that are used by 90% of physicians and 86% of adults with Internet access to obtain medical information. These websites vary widely in degrees of quality and accuracy (Harrison and Lee 2006). For example, one study compared information from 60 websites on childhood diarrhea to recommendations from the American Academy of Pediatrics and found that 80% of those sites contained inaccurate information. Furthermore, most medical health websites are sponsored by large drug and durable medical supply companies who pay large sums of money for endorsements (Anderson and Goodman 2002) creating opportunities for conflicts of interest.
THE PRIVACY RULE
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. Title I of HIPAA protects health insurance coverage for workers who change or lose jobs. Title II requires the establishment of national safeguards for electronic healthcare transactions and creates provisions for the safety and privacy of health information. The HIPAA Privacy Rule, enacted in 2003, is further divided into several essential sections, including:
* The Privacy section, which protects patients' privacy and provides patients access to their medical records.
* The Security section, which includes:
* An Administrative component, requiring formal documented practices, security measures to protect data, and policies and procedures to regulate the conduct of personnel in protecting data.
* A Physical Safeguards component, protecting computer systems and network systems from physical intrusion and hazards.
* A Technical Security Services component, regulating the safety and security of stored data on the network,
* A Technical Security Mechanisms component, addressing how protected health information (PHI) is transmitted by encryption over a communication network such as the Internet (Pozgar 2007).
HIPAA seeks to balance protecting the privacy of patients' health information and assuring that this information is available to those who need it to provide health care, payment for care, and for other important purposes (Office for Civil Rights 2011). Moreover, the Office for Civil Rights (OCR) specifies that "a central aspect of the Privacy Rule is the principle of 'minimum necessary' use and disclosure. A covered entity (such as medical facilities and their staff) must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request." The Rule does grant authorization to disclose health information with the individual's or a personal representative's written permission (Office for Civil Rights 201 1).
Additionally, there exist many other laws and regulations at both the state and federal level regarding the privacy and confidentiality of medical information. One of the most important of these is the Privacy Act of 1974, in which Congress mandates that "the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information" and that the right to privacy is an individual's Constitutional right (Klemens 2008).
Indeed, the regulatory framework can be a seemingly chaotic tangle of laws and policies by local, state, and federal agencies. Several of the most important of these rule-making organizations include The Joint Commission, the Office of the Attorney General, the Centers for Medicare and Medicaid Services (CMS), and the Occupational Safety and Health Administration (OSHA) to name a few. All these layers of regulatory agencies impact legal decisions in the court systems and vice versa, as well as impacting how health providers deliver care. Moreover, technologists and healthcare providers must be knowledgeable of their own facility's policies and procedures with regards to privacy and security.
With such ambiguous wording and layers of potentially confusing regulations, therein lies the capacity for different interpretations and misunderstandings among Healthcare providers, patients, and their families. The following case example illustrates the need for greater clarification, education, and regulation regarding sharing health information electronically. Identifying information has been changed to protect participants' privacy.
In late 2009, Ms. R, a previously healthy, 49-year-old female, suffered a left hemispheric closed head trauma, resulting in coma. She was brought to one of the most highly-respected neurological intensive care units in the United States. While there, her family set up a journal on the hospital's sponsored website, similar to carepages.com, caringbridge.org, or mylifeline.org. Friends and family could post well-wishes and words of encouragement during the patient's recovery. After creating a user name and password once, a user can access any patient's established journal by typing in a patient's name.
Ms. R was the charismatic manager of a popular venue where many famous performers have appeared. As word spread of her unfortunate condition, many people began accessing the site; in part, drawn by a fascination for journal entries made by several celebrities. In addition, there were several entries signed by a person identifying herself as Ms. R's nurse, with her first and last name, email address, credentials, and the name of the hospital.
The nurse's stated purpose of these entries was to post updates on Ms. R's condition and included detailed references to course of treatment and neurological status. The nurse's notations also included that the patient was on a ventilator, responded to noxious stimulation, and showed signs of unilateral weakness. In one post, she encouraged anyone to come by during her shift and ask questions. She added that Ms. R's sibling had given her written permission to share "any information with everyone so please feel free to ask me anything."
Did the sibling really know what she was giving away permission for and understand the potential ramifications of her decision? Perhaps her worry and loneliness over her sister's condition clouded her judgment. As a professional, should the nurse know better than to accept such permission and use it to invite the electronic world into Ms. R's hospital room? What policies does this hospital, or any hospital, have with regards to patient privacy and how 'much education and accountability is required of staff? Clearly, it is the responsibility of each of us as technologists, nurses, physicians, and other healthcare professionals to develop and comply with comprehensive patient privacy policies, especially with respect to the rapidly growing capabilities of Internet technology.
Prior to Ms. R's hospitalization, she had secured money from investors to purchase her own venue. One of the investors expressed the desire to withdraw his investment. The investor's decision was based on the neurological deficits described by the nurse, one who is perceived to be close to the scene and trusted as having advanced medical knowledge. What are the consequences for Ms. R's future earning potential if her investors consider her a bad risk? What of potential insurers, since Ms. R was intending to change employment, who can and do access this type of information to screen for high-risk customers?
Ethics can be defined as a subjective standard of behavior guided by moral values, in sharp contrast to law, which is an objective rule of conduct or action. Ethics addresses issues about "whether an action is good or bad, right or wrong, appropriate or inappropriate, praiseworthy or blameworthy" (Anderson and Goodman 2002). The nurse in the above example potentially did nothing wrong legally, but were her actions appropriate? In considering the general principles of the HIPAA rule, were the disclosures, albeit made with written permission from a family representative while Ms. R was incapable of speaking for herself, the "minimum necessary to provide health care, payment for care, and for other important purposes"? Should written permission grant carte blanche in sharing information?
In Ms. R's case, one can propose that the harm of disclosure (loss of trust by her investors and possible inability to be insured by a new carrier of her choice if she becomes a business-owner) outweighs the benefit (words of encouragement for a comatose patient who cannot read them just yet).
One of the most widely used frameworks for identifying and reflecting on medical ethics issues is The Four Principles Approach developed by authors Beauchamp and Childress (2001). These four principles are general guidelines for moral decisionmaking in health professions and are briefly outlined below:
Respect for Autonomy
Healthcare professionals must respect the decision-making capacities of autonomous persons, enabling them to make reasoned, informed choices. In the case of those of limited, compromised, or diminished autonomy, such as a child or comatose patient, respect should be given to what decisions would render the least risk of harm and the most likelihood of benefit (Beauchamp and Childress 2001). Had Ms. R been able to speak for herself, she may not have wished that such confidential information be posted for possible investors to know. Furthermore, consideration must be given to what the patient most likely would have chosen if decision-making capacity was not diminished, regardless of whether the health professionals or family members agree with it.
The healthcare professional should balance the benefits of treatment against the risks and costs. Beneficence "asserts the duty to help others further their important and legitimate interests" (Beauchamp and Childress 2001). While well wishes and expressions of concern may have offered great comfort to the family, posting detailed medical information on Ms. R's condition may have been detrimental to Ms. R's livelihood and should not have been included. Ms. R was, in fact, discharged from the hospital and began to resume her previous responsibilities.
The healthcare professional should not harm the patient, where harm is defined as an adverse effect on a patient's interests. Invasive procedures such as surgery or simple needle sticks cause harm, and therefore, the benefit of the treatment must outweigh the harm. For example, putting a comparatively healthy patient without complicating co-morbidities at risk during a carotid endarterectomy would outweigh the risk of stroke and possible death from not removing artery-blocking plaque. Moreover, Beauchamp and Childress (2001) specify that the principle of nonmaleficence includes not "depriving others of the goods of life."
Benefits, risks, and costs should be distributed fairly and patients in similar positions should be treated in a similar manner. An injustice occurs when a benefit is denied for no valid reason or when a burden is placed unduly on any particular person or segment of society. Beauchamp and Childress (2001) reference examples throughout history of the inequality of the burdens of medical research falling on prisoners, the poor or the mentally incompetent, while the more affluent portion of society reaped the benefits. Two of the more heinous examples are the unwilling research subjects in Nazi concentration camps and the 1 94Os Tuskegee syphilis study, which used disadvantaged black men to track the untreated effects of the disease.
THE DANGERS OF SOCIAL NETWORKING
Social networking sites are gaining popularity at an astonishing rate. Of note, such social networking sites have recently been in the news for unprofessional comments made by medical students. A 2008 article cites online posts by medical students who breached patient confidentiality by describing medical situations in which the unnamed patient could be identified. In a poll of medical school administrators nationwide, 60% said they were aware of unprofessional postings and 13% of those postings contained breaches of patient confidentiality (Boyles 2008).
Furthermore, the use of social networking for gathering the latest medical information, for consulting medical experts on difficult cases, and for offering medical opinions and advice has tripled. In one recent poll, nearly 86% of physicians have acknowledged using the Internet for such purposes (Derse 2010). Remarkably, many organizations that offer electronic health records, such as those by Google, Inc. (Google Health), Microsoft Corporation (Health Vault) and others, are not required to follow the rules of HIPAA (Wynia 2008). According to Internet Business Law Services (IBLS) Internet Law, "any companies running health care sites can amend or change their privacy policies at any time, without consent" (O'Connell 2008). Moreover, privacy laws vary from state to state; a fragmentation that would make legal resolutions difficult in an age of instant transference of medical information around the world.
Without doubt, electronic medical information has many important advantages. It can streamline patient care, cut costs, improve accuracy, prevent errors, keep caregivers informed in a quickly evolving field, and bring the latest, most specialized information to more rural areas. If physicians are relying increasingly on Internet consultations and since failure to consult is punishable by law, then not using the Internet could have legal and ethical consequences for caregivers. Federal and state governments have created laws and policies to safeguard patient privacy and confidentiality. Unfortunately, these are inadequate against the rapid and innovative use of electronic health websites. Despite nearly two decades of burgeoning Internet use, no online activities can be guaranteed absolute privacy. Clearly, these sites and their usage must be closely monitored, yet by whom and how? As technologists and healthcare professionals, we need to be ever mindful of safeguarding privacy, of the uncertain integrity of information received, and of emerging policies and laws with regard to Internet use of electronic protected health information with every patient, every time. Much work remains to be done by technology systems, policymakers, and healthcare organizations to ensure quality health care without compromising patients' fundamental rights.
Anderson JG, Goodman KW. Ethics and Information Technology: A Case-Based Approach to a Health Care System in Transition. Secaucus, NJ: Springer- Verlag, Inc.; 2002.
Beauchamp TL, Childress JF. Principles of Biomédical Ethics: Fifth edition. Oxford: Oxford University Press; 2001.
Boyles S. Med students put unprofessional info online. 2009. WebMD Health News. On the Internet at: http://www.medscape.com/viewarticle/709406Accessed February 2010.
Derse AR. Social media consults may harbor dangers. Feb. 8, 2010. American Medical News. On the Internet at: http://www.ama-assn.org/amednews/2010/02/08/prca0208.htm Accessed February 2010.
Klemens J. Ethical considerations of privacy and cyber-medical information. March 2008. On the Internet at: http://ezinearticles.com/7EthicaI-Considerations-of-Privacy-and-Cyber-MedicalInformation&id= 1077289 Accessed February 2010.
Harrison JP, Lee M. The role of e-Health in the changing health care environment. Nurs Econ 2006; 24:283-88.
O'Connell K. Internet law - Internet medical records project not protected by federal privacy act. IBLS Internet Law - News Portal. March 2008. On the Internet at: http://www.ibls.com/ internet_law_news_portal_view.aspx?id=2005&s=latestnews Accessed February 2010.
Office for Civil Rights. The HIPAA privacy rule and electronic health information exchange in a networked environment. 2010. On the Internet at: http://www.hhs.gov/ocr/privacy/hipaa/ understanding/special/healthit/introduction.pdf Accessed March 2010.
Office for Civil Rights. Health information privacy. 201 1. On the Internet at: http://www.hhs.gov/ ocr/privacy/hipaa/understanding/consumers/index.html Accessed July 201 1.
Pozgar GD. Legal Aspects of Health Care Administration: Tenth edition. Sudbury, MA: Jones and Bartlett Publishers, 2007.
Weiss N. E-mail consultations: clinical, financial, legal, and ethical implications. Surg Neurol 2004; 61:455-59.
Wynia MK. Electronic personal health records: should doctors worry? August 2008. On the Internet at: http://www.medscape.com/viewarticle/579181 Accessed February 2010.
Jacquelyn M. Polito, R. EEG T., RPSGT, RST, MHA
South Shore Hospital