    Neurodiagn J. 52:34-41, 2012 © ASET, Missouri

    Ethical Considerations in Internet Use of Electronic Protected Health Information

    Jacquelyn M. Polito, R. EEG T., RPSGT, RST, MHA

    Neurology Department
    South Shore Hospital

    Weymouth, Massachusetts

    ABSTRACT. Caregivers, patients, and their family members are increasingly reliant on social network websites for storing, communicating, and referencing medical information. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule seeks balance by protecting the privacy of patients' health information and assuring that this information is available to those who need it to provide health care. Though federal and state governments have created laws and policies to safeguard patient privacy and confidentiality, the laws are inadequate against the rapid and innovative use of electronic health websites. As Internet use broadens access to information, health professionals must be aware that this information is not always secure. We must identify and reflect on medical ethics issues and be accountable for maintaining privacy for the patient.

    KEY WORDS. Autonomy, beneficence, confidentiality, electronic health records, ethics, Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, Internet, medical information, nonmaleficence, online, patient privacy, protected health information, social network.

    INTRODUCTION

    The explosion of technological advances in Internet usage for storing, communicating, and referencing medical information has undeniably enhanced patient care and, concomitantly, created a slippery slope of ethical-legal considerations.

    Received: July 20, 2011. Accepted for publication: September 20, 2011.

    It is widely accepted that patients have the right to obtain and control their medical records, including who gets to see the records and to what extent. Key questions necessarily arise regarding who will be responsible for maintaining confidentiality, how will confidentiality be monitored, and who will be held accountable for breaches and to what degree. In addition, will caregivers be able to trust that records given to them by patients are up-to-date and complete, without crucial omissions or alterations that patients may not wish current or future caregivers to see? How will patients who are storing personal health records on websites built for that purpose be assured of privacy and confidentiality? How much patient information should be shared by caregivers on public social network websites?

    Physicians, technologists, and other healthcare professionals increasingly access the Internet to obtain the latest developments in disease management and to discuss treatment options with colleagues. How can they be sure of the integrity and security of the information obtained in this manner? Internet use broadens access to information and permits links and associations that are not always secure. Internet transmission of medical information can be retrieved, copied, and retransmitted by anyone with access and passwords. How will this access affect the level of trust between patient and caregiver, as well as safeguarding privacy?

    This paper will illuminate some of the ethical concerns arising with the dizzying increase in online access to and sharing of medical information and how these concerns have been addressed thus far. In fact, many of these concerns have yet to be brought before the court system (Weiss 2004). In many cases, new precedents have yet to be set with regards to conflict resolution arising from the expansion of Internet use for medical information.

    Conservative estimates are that there exist hundreds of thousands of World Wide Web sites that are used by 90% of physicians and 86% of adults with Internet access to obtain medical information. These websites vary widely in degrees of quality and accuracy (Harrison and Lee 2006). For example, one study compared information from 60 websites on childhood diarrhea to recommendations from the American Academy of Pediatrics and found that 80% of those sites contained inaccurate information. Furthermore, most medical health websites are sponsored by large drug and durable medical supply companies who pay large sums of money for endorsements (Anderson and Goodman 2002) creating opportunities for conflicts of interest.

    THE PRIVACY RULE

    The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. Title I of HIPAA protects health insurance coverage for workers who change or lose jobs. Title II requires the establishment of national safeguards for electronic healthcare transactions and creates provisions for the safety and privacy of health information. The HIPAA Privacy Rule, enacted in 2003, is further divided into several essential sections, including:

    • The Privacy section, which protects patients' privacy and provides patients access to their medical records.

    • The Security section, which includes:

        o An Administrative component, requiring formal documented practices, security measures to protect data, and policies and procedures to regulate the conduct of personnel in protecting data.

        o A Physical Safeguards component, protecting computer systems and network systems from physical intrusion and hazards.

        o A Technical Security Services component, regulating the safety and security of stored data on the network.

        o A Technical Security Mechanisms component, addressing how protected health information (PHI) is transmitted by encryption over a communication network such as the Internet (Pozgar 2007).

    HIPAA seeks to balance protecting the privacy of patients' health information and assuring that this information is available to those who need it to provide health care, payment for care, and for other important purposes (Office for Civil Rights 2011). Moreover, the Office for Civil Rights (OCR) specifies that "a central aspect of the Privacy Rule is the principle of 'minimum necessary' use and disclosure. A covered entity (such as medical facilities and their staff) must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request." The Rule does grant authorization to disclose health information with the individual's or a personal representative's written permission (Office for Civil Rights 2011).

    Additionally, there exist many other laws and regulations at both the state and federal level regarding the privacy and confidentiality of medical information. One of the most important of these is the Privacy Act of 1974, in which Congress mandates that "the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information" and that the right to privacy is an individual's Constitutional right (Klemens 2008).

    Indeed, the regulatory framework can be a seemingly chaotic tangle of laws and policies by local, state, and federal agencies. Several of the most important of these rule-making organizations include The Joint Commission, the Office of the Attorney General, the Centers for Medicare and Medicaid Services (CMS), and the Occupational Safety and Health Administration (OSHA) to name a few. All these layers of regulatory agencies impact legal decisions in the court systems and vice versa, as well as impacting how health providers deliver care. Moreover, technologists and healthcare providers must be knowledgeable of their own facility's policies and procedures with regards to privacy and security.

    With such ambiguous wording and layers of potentially confusing regulations, therein lies the capacity for different interpretations and misunderstandings among healthcare providers, patients, and their families. The following case example illustrates the need for greater clarification, education, and regulation regarding sharing health information electronically. Identifying information has been changed to protect participants' privacy.

    CASE REPORT

    In late 2009, Ms. R, a previously healthy, 49-year-old female, suffered a left hemispheric closed head trauma, resulting in coma. She was brought to one of the most highly-respected neurological intensive care units in the United States. While there, her family set up a journal on the hospital's sponsored website, similar to carepages.com, caringbridge.org, or mylifeline.org. Friends and family could post well-wishes and words of encouragement during the patient's recovery. After creating a user name and password once, a user can access any patient's established journal by typing in a patient's name.

    Ms. R was the charismatic manager of a popular venue where many famous performers have appeared. As word spread of her unfortunate condition, many people began accessing the site; in part, drawn by a fascination for journal entries made by several celebrities. In addition, there were several entries signed by a person identifying herself as Ms. R's nurse, with her first and last name, email address, credentials, and the name of the hospital.

    The nurse's stated purpose of these entries was to post updates on Ms. R's condition and included detailed references to course of treatment and neurological status. The nurse's notations also included that the patient was on a ventilator, responded to noxious stimulation, and showed signs of unilateral weakness. In one post, she encouraged anyone to come by during her shift and ask questions. She added that Ms. R's sibling had given her written permission to share "any information with everyone so please feel free to ask me anything."

    Did the sibling really know what she was giving away permission for and understand the potential ramifications of her decision? Perhaps her worry and loneliness over her sister's condition clouded her judgment. As a professional, should the nurse know better than to accept such permission and use it to invite the electronic world into Ms. R's hospital room? What policies does this hospital, or any hospital, have with regards to patient privacy and how much education and accountability is required of staff? Clearly, it is the responsibility of each of us as technologists, nurses, physicians, and other healthcare professionals to develop and comply with comprehensive patient privacy policies, especially with respect to the rapidly growing capabilities of Internet technology.

    Prior to Ms. R's hospitalization, she had secured money from investors to purchase her own venue. One of the investors expressed the desire to withdraw his investment. The investor's decision was based on the neurological deficits described by the nurse, one who is perceived to be close to the scene and trusted as having advanced medical knowledge. What are the consequences for Ms. R's future earning potential if her investors consider her a bad risk? What of potential insurers, since Ms. R was intending to change employment, who can and do access this type of information to screen for high-risk customers?

    ETHICS ANALYSIS

    Ethics can be defined as a subjective standard of behavior guided by moral values, in sharp contrast to law, which is an objective rule of conduct or action. Ethics addresses issues about "whether an action is good or bad, right or wrong, appropriate or inappropriate, praiseworthy or blameworthy" (Anderson and Goodman 2002). The nurse in the above example potentially did nothing wrong legally, but were her actions appropriate? In considering the general principles of the HIPAA rule, were the disclosures, albeit made with written permission from a family representative while Ms. R was incapable of speaking for herself, the "minimum necessary to provide health care, payment for care, and for other important purposes"? Should written permission grant carte blanche in sharing information?

    In Ms. R's case, one can propose that the harm of disclosure (loss of trust by her investors and possible inability to be insured by a new carrier of her choice if she becomes a business-owner) outweighs the benefit (words of encouragement for a comatose patient who cannot read them just yet).

    One of the most widely used frameworks for identifying and reflecting on medical ethics issues is The Four Principles Approach developed by authors Beauchamp and Childress (2001). These four principles are general guidelines for moral decision-making in health professions and are briefly outlined below:

    Respect for Autonomy

    Healthcare professionals must respect the decision-making capacities of autonomous persons, enabling them to make reasoned, informed choices. In the case of those of limited, compromised, or diminished autonomy, such as a child or comatose patient, respect should be given to what decisions would render the least risk of harm and the most likelihood of benefit (Beauchamp and Childress 2001). Had Ms. R been able to speak for herself, she may not have wished that such confidential information be posted for possible investors to know. Furthermore, consideration must be given to what the patient most likely would have chosen if decision-making capacity was not diminished, regardless of whether the health professionals or family members agree with it.

    Beneficence

    The healthcare professional should balance the benefits of treatment against the risks and costs. Beneficence "asserts the duty to help others further their important and legitimate interests" (Beauchamp and Childress 2001). While well wishes and expressions of concern may have offered great comfort to the family, posting detailed medical information on Ms. R's condition may have been detrimental to Ms. R's livelihood and should not have been included. Ms. R was, in fact, discharged from the hospital and began to resume her previous responsibilities.

    Nonmaleficence

    The healthcare professional should not harm the patient, where harm is defined as an adverse effect on a patient's interests. Invasive procedures such as surgery or simple needle sticks cause harm, and therefore, the benefit of the treatment must outweigh the harm. For example, putting a comparatively healthy patient without complicating co-morbidities at risk during a carotid endarterectomy would outweigh the risk of stroke and possible death from not removing artery-blocking plaque. Moreover, Beauchamp and Childress (2001) specify that the principle of nonmaleficence includes not "depriving others of the goods of life."

    Justice

    Benefits, risks, and costs should be distributed fairly and patients in similar positions should be treated in a similar manner. An injustice occurs when a benefit is denied for no valid reason or when a burden is placed unduly on any particular person or segment of society. Beauchamp and Childress (2001) reference examples throughout history of the inequality of the burdens of medical research falling on prisoners, the poor or the mentally incompetent, while the more affluent portion of society reaped the benefits. Two of the more heinous examples are the unwilling research subjects in Nazi concentration camps and the 1940s Tuskegee syphilis study, which used disadvantaged black men to track the untreated effects of the disease.

    THE DANGERS OF SOCIAL NETWORKING

    Social networking sites are gaining popularity at an astonishing rate. Of note, such social networking sites have recently been in the news for unprofessional comments made by medical students. A 2008 article cites online posts by medical students who breached patient confidentiality by describing medical situations in which the unnamed patient could be identified. In a poll of medical school administrators nationwide, 60% said they were aware of unprofessional postings and 13% of those postings contained breaches of patient confidentiality (Boyles 2008).

    Furthermore, the use of social networking for gathering the latest medical information, for consulting medical experts on difficult cases, and for offering medical opinions and advice has tripled. In one recent poll, nearly 86% of physicians have acknowledged using the Internet for such purposes (Derse 2010). Remarkably, many organizations that offer electronic health records, such as those by Google, Inc. (Google Health), Microsoft Corporation (HealthVault) and others, are not required to follow the rules of HIPAA (Wynia 2008). According to Internet Business Law Services (IBLS) Internet Law, "any companies running health care sites can amend or change their privacy policies at any time, without consent" (O'Connell 2008). Moreover, privacy laws vary from state to state; a fragmentation that would make legal resolutions difficult in an age of instant transference of medical information around the world.

    CONCLUSION

    Without doubt, electronic medical information has many important advantages. It can streamline patient care, cut costs, improve accuracy, prevent errors, keep caregivers informed in a quickly evolving field, and bring the latest, most specialized information to more rural areas. If physicians are relying increasingly on Internet consultations and since failure to consult is punishable by law, then not using the Internet could have legal and ethical consequences for caregivers. Federal and state governments have created laws and policies to safeguard patient privacy and confidentiality. Unfortunately, these are inadequate against the rapid and innovative use of electronic health websites. Despite nearly two decades of burgeoning Internet use, no online activities can be guaranteed absolute privacy. Clearly, these sites and their usage must be closely monitored, yet by whom and how? As technologists and healthcare professionals, we need to be ever mindful of safeguarding privacy, of the uncertain integrity of information received, and of emerging policies and laws with regard to Internet use of electronic protected health information with every patient, every time. Much work remains to be done by technology systems, policymakers, and healthcare organizations to ensure quality health care without compromising patients' fundamental rights.

    REFERENCES

    Anderson JG, Goodman KW. Ethics and Information Technology: A Case-Based Approach to a Health Care System in Transition. Secaucus, NJ: Springer-Verlag, Inc.; 2002.

    Beauchamp TL, Childress JF. Principles of Biomedical Ethics: Fifth edition. Oxford: Oxford University Press; 2001.

    Boyles S. Med students put unprofessional info online. 2009. WebMD Health News. On the Internet at: http://www.medscape.com/viewarticle/709406 Accessed February 2010.

    Derse AR. Social media consults may harbor dangers. Feb. 8, 2010. American Medical News. On the Internet at: http://www.ama-assn.org/amednews/2010/02/08/prca0208.htm Accessed February 2010.

    Klemens J. Ethical considerations of privacy and cyber-medical information. March 2008. On the Internet at: http://ezinearticles.com/?Ethical-Considerations-of-Privacy-and-Cyber-Medical-Information&id=1077289 Accessed February 2010.

    Harrison JP, Lee M. The role of e-Health in the changing health care environment. Nurs Econ 2006; 24:283-88.

    O'Connell K. Internet law - Internet medical records project not protected by federal privacy act. IBLS Internet Law - News Portal. March 2008. On the Internet at: http://www.ibls.com/internet_law_news_portal_view.aspx?id=2005&s=latestnews Accessed February 2010.

    Office for Civil Rights. The HIPAA privacy rule and electronic health information exchange in a networked environment. 2010. On the Internet at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/introduction.pdf Accessed March 2010.

    Office for Civil Rights. Health information privacy. 2011. On the Internet at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html Accessed July 2011.

    Pozgar GD. Legal Aspects of Health Care Administration: Tenth edition. Sudbury, MA: Jones and Bartlett Publishers; 2007.

    Weiss N. E-mail consultations: clinical, financial, legal, and ethical implications. Surg Neurol 2004; 61:455-59.

    Wynia MK. Electronic personal health records: should doctors worry? August 2008. On the Internet at: http://www.medscape.com/viewarticle/579181 Accessed February 2010.
