Many businesses have found that modern computers give them a level of service and record-keeping that would otherwise be impossible. For companies in very competitive markets, always pressed to do more with less, the computer has been in many ways an immeasurable boon. However, with such rapid and easy access to information, sometimes in ways not possible before automation, come equally significant concerns about how, and by whom, that information is gathered and used.
Nowhere is this more poignant than in the medical field. Medicine is a business and a service that is highly dependent upon quick access to reliable records. New advances in computer and communications technology hold great promise for improving the speed and ease of access to various types of medical information, even if such information is highly decentralized. Access to medical records is always a controversial issue, raising concerns of privacy versus expediency.
Use of the Internet, and in particular the World Wide Web (WWW), as the vehicle for providing information access and integration of both decentralized and diverse types of data (textual and graphical) is gaining much attention (Kazmer, 1996; Kohane, 1996). However, legal issues of confidentiality over the Internet are still being debated. There are a number of issues, more ethical than technological, which need addressing before technology opens Pandora’s box.
The Association for Computing Machinery (ACM) has a Code of Ethics that is employed in this paper to discuss the ethical issue of medical records on the Internet.
The Question of Access
Why: The Need of Access
One of the ACM guiding principles in the Code of Ethics states, “Avoid harm to others”. The question of access should be considered in light of this principle. The need for access to a patient’s records by medical professionals is fairly obvious.
One might successfully argue that the modern hospital simply could not operate without its computerized record keeping systems, even ignoring the use of computer systems for diagnostic procedures. With the obvious concern for documenting patient treatment, whether it be for tracking the effect of certain modes of treatment over time, providing a historical record for future treatment or providing documentation to defend against possible litigation, medical records take on a central role in the business of medicine. However, simply storing the information is only one aspect.
Just as important is access to those medical records, at the appropriate time and place. Conventional wisdom is that information flows readily from our physician’s office to the local hospital and in the opposite direction, but such is not always the case. It does not take much imagination to think of very real scenarios where a patient enters a hospital, cannot give a medical history, and there is no one available to supply critical information. Consider the case of a patient who simply cannot recall certain past treatments that may have a bearing on their current medical condition.
The case may be of an unconscious patient admitted in an emergency room in another state (or country), at a time when critical medical information may mean the difference between life and death. It may be that of a deceased patient hindered in their generosity in being an organ donor by the lack of timely medical records. According to John Haughom, M.D., vice president for healthcare improvement at PeaceHealth in Seattle, “More people have been harmed by the lack of good information in the hands of physicians as opposed to the improper release of information” (Braly, 1996).
Certainly, if such necessary data were available using modern computers and communications, the benefits could range from being a convenience to being of critical importance. After establishing the need for access, the means of access is the next item to consider. This is because the means of access will typically affect subsequent issues, such as access restrictions, timeliness, and point of access.
How: The Provision of Access
The ACM Code advises “Contribute to society and human well being”. This axiom is a good guide for questions on providing access.
Questions of how we may provide such access are quickly being answered. At one time, it seemed that the direction to pursue would be that of a national medical records database. By having one place to store and access all such information, we could adequately address questions of security, in terms of access to and backup of data, and reliability, in terms of being up to date, accurate, and available. However, the volume of such data would require a massive database system, yet one that must still be able to respond with the desired information within a reasonable time frame.
Such a system seems always destined to perish from its own immensity. One might easily imagine that a system that stored the medical records for every man, woman and child, over their lifetimes, would eventually dwarf the massive systems of the IRS. It is likely that graphical data, such as x-rays, nuclear magnetic resonance imaging, and CAT scan results, would be incorporated, making the problem of size only worse. A corollary system to this is the medical records card, which keeps a patient’s record on a chip. This system, while having certain advantages, is subject to many disadvantages as well.
One might well ask whether a chip could hold the amount of data required for a complete medical record. Furthermore, what happens with a lost or destroyed card? Will the need for compatible systems to maintain existing card-based information and to issue new cards be an insurmountable burden? Additionally, there is the issue of the reluctance of people to carry such a card. Apparently, there is a need for a system that provides a means of accessing medical information dispersed over a wide geographic area and over a significant range of time.
Furthermore, it should be able to handle data in a volume too large for a centralized database, accessible via a range of incompatible computer systems. Lastly, the system should utilize a common medium accessible from virtually anywhere in the world, without requiring the patient to be responsible for the location of this information. Clearly, what is required is a decentralized network that can handle data presented in multiple forms of media (text, graphics, perhaps even sound and video), that is generally available, and that is based on an open system.
This is exactly what is provided in the Internet.
Who: The Restriction of Access
ACM’s code also states, “Access computing and communications resources only when authorized to do so”, and this concisely states the argument for access restrictions. However, certain issues arise when dealing with any sensitive information made available via the Internet; when dealing with medical records, the question of who has a need to access is always pertinent. Unfortunately, the answer to that question is not always entirely clear, even with dispersed paper-based (or microfilmed) medical records.
In signing a release for information, the patient (or their representative) often signs a “blanket waiver” form, providing for the release of any and all information to their insurance company. Although it is obvious that an insurance company has a need to know some pertinent information, with such a waiver they get access to the entire medical record. This can become even more troubling if the patient works for a self-insured company, for now the employer has access to the patient’s entire confidential medical record. Some have suggested a modification of the blanket waiver to a more restricted and specific waiver (Mukai, 1996).
There have been instances of insurers using medical information against an insured, and the source of information that most often forms the base for such discrimination today is the medical record (Friend, 1996). Having such information comprehensively available from virtually any location in the world only exacerbates the issue. Physicians are the obvious primary candidates for granting access, whether that be from their offices, on the wards at a hospital, or emergency rooms, trauma centers, or other immediate-care (or long-term care) facilities.
Does that mean that anyone who is a bona fide physician should have access to your medical records? Certainly, one would want their personal or family physician to have access. Also, if taken to a hospital emergency room where you had never been a patient, you would still want the attending physician to have access to required medical information, so that they might provide correct medical decisions and treatment. Consider physicians who practice at a teaching institution. Should they be able to access medical records, even of those who are not their own patients, for the purpose of instruction?
What of the physician who is doing medical research? Should they have access to medical records, in aggregate or in detail, even though they have never treated the patient and most likely never will? It may be that certain patterns of disease and treatment, which could open new vistas for medical research, are not ‘visible’ when dealing with medical record information in an aggregate form. The need to balance personal privacy against the potential ‘greater good’ of time-based, detailed medical records for research purposes provides for difficult ethical choices.
Is access by other medical personnel, such as nurses, emergency medical technicians, laboratory technicians, and so forth acceptable? Do all categories of medical personnel receive direct access to such a wealth of patient information, or should they have to get it ‘second hand’ through a physician? Does vigorous enforcement of such a limitation provide the potential for litigation because of improper or untimely treatment, due to restricted access to the needed medical records?
When: The Time of Access
“Acknowledge and support proper and authorized uses of an organization’s computing and communications resources” is another of the ACM’s principles. Determination of proper authorization raises many questions. Let us say, for the purpose of discussion, that such questions regarding who has access to medical records have been answered. Even if a given person should have access due to the nature of their position and the nature of the immediate situation, one must ask if there is a limit on when they should have access, and if so, how to control such a limit.
While it is true that the emergency room physician (or other medical personnel) may need access to such records at the time of treatment, and for the duration that the patient is under their care, should their access continue unabated long after the care has terminated? It would seem that the obvious answer is that it should not. However, one might ask how to determine such an ‘on again, off again’ access. People typically do not plan visits, as patients, to hospital emergency rooms; hence, authority for access to our medical records under such circumstances cannot be granted in advance.
If a physician does not have access prior to the need to treat the patient, and is not granted access until after treatment is complete, how is access granted during the window of ‘legitimate’ treatment time? A similar question arises for any emergency medical personnel, including the EMTs in the rescue vehicle, who typically are not physicians. This question could be even more problematic for the technician who may never ‘see’ the patient directly, and who may need to deal with updating the patient’s medical record at some point after completion of treatment.
Restriction of access based upon time of access relative to time of treatment would seem to be fraught with dilemmas.
Where: The Place of Access
Should access to medical records be restricted to certain facilities? Certainly, it is easier to control who has access if access is restricted to specific sites, but this does not provide as certain a level of security as some may think. Often, security breaches are not due to technology issues. People often overestimate the security for paper-based information, versus computer-based information, according to Haughom (Braly, 1996).
The tendency is to think of geographically bound ‘sites’, such as hospitals, emergency care and/or trauma facilities, and doctors’ offices, as the places where access to medical records is needed. With the advent of cellular communications, it might be quite probable to have access to such information in portable, or even moving, vehicles such as an EMT rescue vehicle. With police having on-line vehicle registration and criminal information in their cruisers, it is not inconceivable to think of medical personnel having similar access in mobile situations.
This could even be applicable to non-emergency situations, such as a ship’s doctor on board a cruise ship. Opening the place of access to virtually any location, which is a strength of the Internet, increases problems of controlling access. Yet to limit access to certain physical sites risks preventing access when it is essential, to say nothing of curtailing certain advantages of making such records available over the Internet. Is there a line to draw, and if so, where?
The Question of Reliability
The ACM Code of Ethics states, “Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks”. Beyond the questions of who should have access to a patient’s medical records, from where, and for how long, there is the question of who is responsible for updating these records. Since we are speaking of a highly distributed network of data, is each node, and therefore potentially each “authorized viewer”, to be granted the right to make changes to the medical record?
Perhaps only that data entered by them within their domain will be the data for which a given site is responsible and to which they should have update access. If so, are they responsible for having reliable backup for the data, and for ensuring that the data is readily accessible to the network? Are they potentially liable if such information is not available? Will failure to provide up-to-date medical record information via the Web be tantamount to having an improper or incomplete medical record, and will the provider in such a situation be legally and financially responsible?
This could place a new burden on the reliability and accessibility of hospital computer systems, particularly the reliability of their Web server(s). If updates are allowed across the Web, is everyone who has access to the data allowed to update it? If anyone who has access to the data can potentially change it, does this necessitate that the update be verified by some alternate means before it becomes a part of the record? If alternate verification is required, how is it to be done in a timely manner, and is there a window of liability between the submission of changes and their verification?
This issue concerns the ability of a provider to disseminate correct information, and prevent dissemination of incorrect information, to an authorized party. The opposite issue is also a major concern: how to prevent the dissemination of correct information to an unauthorized party. These issues come together under the question of security.
The Question of Security
Security: The loss of control
The ACM addresses this issue under professional standards: “Acquire and maintain professional competence”.
The issue of security is inherent in all of the previous issues, in that there is a need to be able to restrict access to those who need it, when they need it, and for legitimate purposes only, and we must face the real possibility of unauthorized access. Imagine the consternation that only one computer virus unleashed on the Internet could cause if that virus were to affect any medical records. A virus is typically a “publicized” type of malicious and unauthorized access. Professionals must also consider the possibility of “quiet” access by an unauthorized party who does not want to let it be known that security has been breached.
Given the reticence of major corporations to admit to security breaches, would a hospital or consortium of health care providers be any more willing to raise an alarm? In a day of increasing competition, public perception of the quality of care, including the security of confidential information, can have a substantial impact on the corporate “bottom line”. With such high stakes, who would admit to such a loss of control, with respect to access to and dissemination of medical records?
Security: The loss of data
Legal responsibility is always a thorny question for computer professionals.
The ACM advises, “Know and respect existing laws pertaining to professional work”. It is not uncommon for someone who has inserted a link on a Web page to learn that the site that they are referencing no longer exists. If medical records are decentralized, and if a given site goes out of existence (as with other businesses, hospitals do close), who gets the data and the responsibility to maintain it? What about natural disasters or machine outages? As mentioned earlier, even the issue of timely and secure backup of data must be the clear responsibility of a given party.
There are legal as well as ethical ramifications for the protection against loss of data, whether due to natural disasters, technical malfunctions, corporate financial complications, or intentional destruction.
Security: The misuse of data
If we were able to successfully address all of the above concerns, the area with perhaps the greatest ethical issue would still exist: the misuse of data. The ACM guiding principle in the Code of Ethics states, “Respect the privacy of others”. Even with a system, if ever one could be devised, where only authorized access takes place, that data may still be used in ways not intended by the “owner”.
Who makes the decision as to what constitutes “misuse” and who will police such intrusions? This is not at all clear. Researchers, who today must deal with aggregate data, will have the potential to garner much more detail than ever before possible, and to do so over a period of time so as to track treatment results and trends. While this portends good for medical research, it has much potential for invasion of privacy. And what of insurance companies? Do they, perhaps under the auspices of research, gain access to the point of being able to profile individuals based on such detailed records?
It is conceivable that they could accurately match their own records with detailed, historical records, even if patients’ identities are expunged, and that they might discover such protected identities. Once discovered, they may be misused against the individual, as mentioned earlier. Another possibility is that such detailed records over time might allow profiling to the point that insurers deny coverage for individuals with medical records that indicate a trend toward some future negative outcome.
In effect, medical and health insurers might be able to institute a “redlining” process equivalent to what lenders have done against neighborhoods in the past. It is obvious that, with so many outstanding issues, there is ample opportunity for ethical abuses. While this paper could not hope to address all of these issues, this last issue is the most important to address. Clearly medical records can and will be put on the Web (Kohane, 1996). As the public overcame caution with regard to bank machines, and is acclimating to doing business over the Web, acceptance of the transmission of medical records over the Web is only a matter of time.
In prototypes, there has been a reported high degree of user acceptance (Kohane). The technical details are being addressed. Most of the issues listed above have a potential technical solution, with the possible exception of the last. In spite of the real needs for access, there will be a strong temptation to use this privilege for other purposes. Who are those with a stake in this process? There are a number of parties: health care providers, insurance companies, medical researchers, including medical schools, and, of course, patients.
From the perspective of health care providers as internal stakeholders, the medical research community is a joint stakeholder. Insurers may require similar information, but they have interests beyond those of diagnosis and treatment. In many ways, the insurers and patients hold the position of customers, which is that of an external stakeholder. Patients are external stakeholders because they receive the treatment and the information is about them. Insurers stand in the place of the patient with respect to their incurring the brunt of financial liability.
Although both are external stakeholders, they are not the same. For the internal stakeholders, there are corporate stakes. Corporations, even hospitals, medical consortiums, and research and teaching institutions, must at least break even, if not make a profit, to maintain their very existence. To survive, quality of care must improve continuously while reducing costs (Marsh, 1996). Establishing that access to electronic medical records via the Web contributes to either or both of these goals will make it a matter of self-preservation to acquire that capability.
Thus having such a capability moves from being a utilitarian issue of being able to provide better service, to one of ethical egoism in the most basic sense — not simply self-interest but continued existence. With respect to the misuse of data, there would be obvious financial repercussions if such an occurrence were to be exposed, so the corporate players would certainly be operating in their own interests to try to avert any incident. This is true as well for the external stakeholders, at least for the insurers. By the same principle of ethical egoism, they would try to avoid misuse of data.
However, here is where the definition of misuse comes into play. For what may constitute misuse in the view of the other external stakeholder mentioned (the patient), may constitute an act of self-preservation in the view of the insurer (or even possibly the research or teaching institution). For the patient, there may be issues of ethical egoism (not wanting certain information to be known because there could be negative repercussions), but also an ethical formalism could hold: that it is simply “not right” to disseminate a patient’s medical record without express permission, regardless of the possibility for the “greater good”.
Because of the great financial pressures that could come to bear on these corporate stakeholders, internal and external, competing ethical principles could come into play. While they may initially have a well-founded reluctance to misuse data, simply because it is “not right”, the desire for self-preservation could dominate. The individual patient may have the least leverage, from an economic sense, and may well not even be aware of any abuses unless there is a direct negative effect. Even in such a case, the cost of litigation, both financial and emotional, can dissuade the individual from seeking recourse.
To help ensure respect for the rights of the individual patient, while providing for a reasonably “level playing field” for all corporate concerns, another external stakeholder could and will come into play. The government has long been in the business of regulating health care standards, and there is no indication that this arena would be any different. The U.S. Senate bill, S. 1360, the Medical Records Confidentiality Act of 1995 (Bennett, 1995), and its corresponding House bill, HR 435 (Thomas), show that the government will weigh in on this issue.
Conclusion
Future Outlook
The advances in the computer and communication systems of today and for the foreseeable future provide the possibility that we may soon develop the resources to quickly access accurate and timely medical records from diverse sources. That there are those who are intent on developing this capability is evident. There is little doubt that it can be done, will be done, and even is being done at this very time. While such access, by the appropriate personnel at the appropriate time and place, holds the potential for improved, and perhaps less costly, medical care, we must be aware of the immense ethical concerns imposed by such technology.
More importantly, it is necessary to give sufficient consideration to answering such concerns before the implementation of this technology becomes a reality. Financial issues, regulatory issues, and quality of care issues will provide such pressure on medical providers, researchers, and insurers, that this scenario will become a full-blown reality, perhaps in the not too distant future. With the increasing acceptance of doing business over the Internet, the placement of medical information into that arena may eventually cause little, if any, stir.
Furthermore, with government “assuring” the public that their rights will be protected against possible abuse, acceptance could come rather easily, perhaps too easily. The government may become a partner with the individual in promoting ethical use of such data, from the viewpoint of an ethical formalism; that is, legislating “right” and “wrong” with financial and criminal penalties, so that the ethical egoism of the corporate players is aligned with personal privacy concerns. Will all of this really happen?
Our only hope is to be vigilant in ensuring that once the technical hurdles have been overcome, there is an ethic in place to forestall the (at least, deliberate) misuse of the most personal and private of information, one’s medical record. If not, each of us will have failed in our ethical responsibilities to each other and to ourselves.
References
Bennett, R. F. S. 1360: The Medical Records Confidentiality Act of 1995. http://rs9.loc.gov/cgi-bin/query/z?c104:S.1360:
Braly, D. (1996). Security combines awareness with technology issues. Health Management Technology, 17, No. 10, 42-44.
Friend, Tim. Researchers uncover genetic discrimination. USA Today on-line. 12 April 1996. http://wsf2.usatoday.com/life/health/lhs461.htm
Kazmer, J., Oliver, K., Crosby, A. (1996). The creation of a virtual electronic medical record. Proceedings of Healthcare Information and Management Systems Society.
Kohane, I. S., Greenspun, P., Fackler, J., Cimino, C., & Szolovits, P. (1996). Building national electronic medical records systems via the World Wide Web. In press: Journal American Medical Informatics Association.
Marsh, S., & Swanson, S. (1996). Client/server systems cut I/S costs in half. Health Management Technology, 17, No. 10, 52-55.
Mukai, K. D. (1996). Privacy in the Information Age. http://www.princeton.edu/~kdmukai/blanket.html
Thomas Legislative Information On the Internet. H. R. 435 Detailed Legislative History. http://rs9.loc.gov/cgi-bin/bdquery/z?d104:h.r.00435: