INFORMATION POLICY FOR THE U.S. HEALTH SECTOR:
ENGINEERING, POLITICAL ECONOMY, AND ETHICS

ETHICAL ISSUES

Fair information principles

In formulations around the world there is agreement on the broad principles of "information fairness." The 1974 US Privacy Act’s provisions were built on a set of five "fair information practices," first published in a Department of Health, Education and Welfare report (Advisory Committee on Automated Personal Data Systems, 1973). They are: (1) There must be no personal-data record-keeping systems whose existence is a secret; (2) there must be a way for individuals to find out what information about them is collected, and how it is used; (3) there must be a way for individuals to prevent information obtained for one purpose from being used for other purposes without consent; (4) there must be a way for individuals to correct or amend identifiable information about themselves; and (5) organizations creating, maintaining, using or disseminating identifiable personal information must assure the reliability of the data for its intended use, and must take reasonable precautions to prevent misuse. Similar enumerations can be found in 1970s declarations in Britain, Canada, France, Germany and Sweden, and in reports by the Council of Europe and the Organization for Economic Cooperation and Development (Flaherty, 1989; Bennett, 1992).

Following Bennett (1992), the various international renderings can be condensed into a generic four: (1) openness (that is, anti-secrecy), (2) access and correction (to/of information about oneself), (3) security (anti-access protections appropriate to the data in the system) and (4) minimalism (no more collection, use or disclosure of data than necessary to achieve the system’s goals). To these one can add an over-arching fifth principle that flows from democratic values: consent. Either individuals must consent to practices that apply to them, or society as a whole must consent, via a regime of data protection legislation and regulation that sets the rules that will apply to all.

Fair information details

Rendered as generalities, the principles are unexceptionable; the specifics are obviously a different matter. The principles of openness and access/correction are perhaps the least controversial. But even they are not without disagreement. Pro-secrecy arguments are commonly made to promote the public goals of law enforcement and national security. Some level of secrecy is also in the interests of private institutions, for whom the corporate data store has competitive value. In health care, secrecy is sometimes advocated to protect vulnerable patients (such as the mentally ill), innocent third parties (who may have contributed data on a patient, or are implicated by data the patient has provided), and on behalf of providers (who may come to fear making candid comments in a health record).

Security is harder still. "Appropriate" security controls require a clear sense of potential attackers and modes of attack, and of the abilities of various technologies to resist intrusions. They also require a consensus on the "value" of keeping the data secure. Empirical data sufficient to articulate a clear "threat model" is lacking for health care; so is agreement on the precise value of confidentiality in particular health settings. Security regimes also require a clear sense of the privileges appropriately accorded to various classes of users. It is precisely the demands for data made by large numbers of individuals, in large numbers of organizations not directly involved in the provision of care, that make health care data policy so difficult (National Research Council, 1997). Even inside care-providing institutions, large numbers of persons may need access to records. Balancing security provisions against easy access for appropriate uses is a challenge.

Minimalism is perhaps the hardest principle of the four. It requires a clear sense of appropriate goals, and of the link between data practices and the achievement of those goals, in order to judge what is truly "minimal." As discussed, the information systems goals for health care – for administration, clinical care, research and public health – are quite expansive and open-ended. Read broadly, they would "justify" systems of almost any scale and intrusiveness to achieve socially-valued ends.

Variations on consent

It is the conjunction of socially-valued ends set against individual risk that forms the core problem of information fairness, particularly in health care, and particularly in the United States. Individuals may value privacy for its own sake, being loath to have intimate details of their lives available to any and all comers. This is particularly true of the intimate details contained in a health record. More critically, in a society where personal information disclosures may have adverse consequences, such as loss of insurance or employment, privacy has a clear instrumental value. Beyond the narrow confines of clinical care, where an EMR system may improve the quality of care a patient receives, the benefits of health information technologies are society-wide, indeed inter-generational. While research and public health surveillance may benefit particular individuals in the long run, the link is tenuous, and not nearly as compelling in one’s decision calculus as the individual risks. Given the structure of risks and rewards, attempting to "opt out" – and "free ride" on the data contributions of others – is the only rational choice to make.

Modern western biomedical ethics is grounded on autonomy, and consequently elevates a model of individual consent. It is the standard for the clinical setting, where a competent adult is presumed to direct the course of his or her care. It is the standard for research, with informed consent to experimental participation expected for all but situations involving minimal risk to the subject (Beauchamp and Childress, 1994). Only public health, with an orientation toward the welfare of groups, consciously rejects the individualized model. Political philosophy affords a broader range of "social consent" models. In democratic models, a majority may consent for all. Depending on the issue, assent by a plurality (less than half) may be sufficient, or a "super-majority" (more than half) may be required, as for constitutional questions in the US system. While accidents of history may explain much of how issues are categorized and decided, the democratic principle is that the more important, onerous or burdensome a choice is for individuals, the more compelling it is to seek individual consent if it is practical to do so. Since data protection issues are relatively new ones, there is little social-historical guidance on how to categorize them in order to decide on an appropriate model of consent. And there is little empirical data on the risks and benefits actually visited upon individuals, from which to know the degree of "burden" implied by such choices.

Public opinion, public debate

In a 1993 survey focused on health information privacy, 41 percent of respondents were concerned that medical information might adversely affect their employment; 50 percent were concerned about the use of computer-based information systems; 60 percent objected to the sharing of personal health information (such as with pharmacists or direct marketers) without consent; 64 percent opposed the use of their health records for research without consent – even if the information did not identify them (Harris-Equifax, 1993). In the same survey, 7 percent reported not seeking medical or psychological treatment because they did not want to harm their "job prospects or life opportunities"; some 11 percent reported they did not file insurance claims in order to protect their privacy. In a more general privacy survey conducted two years later, almost 80 percent of respondents felt they had lost control over personal information about them collected in computerized systems; 74 percent were "very" or "somewhat" concerned with the negative effect on privacy of computerized medical systems (Equifax-Harris, 1995). Yet the same survey also confirmed a strong belief in the benefits of electronic information, implying some willingness to trade off risks to privacy.

Given the engineering and policy uncertainties, the terms of trade cannot be articulated with precision. But it is surely possible to have a general debate on the value of privacy and confidentiality, compared with the value of the clinical, research and public health improvements linked to information technology. Indeed, the National Research Council (1997) has recently added its voice to the call for "a national debate on these issues." Most health professionals are convinced of the benefits. Statistics like the above suggest a considerable educational burden for those who wish to convince the public that the benefits are worth the risks.
