Ethical Issues in Health Information Management
By David G. Curry, RN-C, MSN
According to Merriam Webster's Collegiate Dictionary, ethics is defined as "the discipline dealing with what is good and bad, and with moral duty and obligation" or "a set of moral principles or values." Those of us who deal with health care information relate to ethics not as our primary field, but rather as a set of accepted professional standards of conduct. In fact, the Association of Record Managers and Administrators Inc. (ARMA International) adopted a revised "Code of Professional Responsibility" in 1995. This code is discussed in detail in J.M. Pemberton's article in Record Management Quarterly.1
A detailed discussion of the ARMA Code is beyond the scope of this article, but several of the code's principles should be mentioned, as they are basic to the work of all those who handle information. The first is a social principle, which affirms the right to privacy of all individuals. We must protect the privacy of the individual while allowing those needing information to freely access that information. We achieve these contrary ends through appropriate policies and procedures.
The second principle is a professional one--to maintain the confidentiality of privileged information. This principle encompasses more than just individual privacy, but rather speaks to information as the property of the organization. Herein lies one of the basic conflicts of all health records--who owns an individual medical record?
Health information managers from hospitals to private offices know that the organization owns the record. But individuals, myself included, believe that the data in that record belong to the individual. Both views are essentially correct and seldom result in conflict. However, a recent example of such a conflict resulted when pharmacies sold the names of patients who had filled prescriptions for various medications to pharmaceutical companies.
Let's imagine that you have been prescribed statin X for your elevated cholesterol. The maker of statin X buys your name from your druggist and sends you a discount coupon for your next prescription and puts you on a mailing list for low-fat recipes. The druggist defends the action because that prescription information is part of his business property. The pharmaceutical company defends the practice because they are actually encouraging you to be more compliant with your medication and promoting your longevity. You argue that the prescription information is yours. Who is correct?
Let's complicate this example by adding the provider who wrote the prescription and the insurance company (including Medicare or the Veterans Administration) who paid for the prescription. Both the provider and the insurer have some claim to the information in that prescription. The pharmaceutical company could just as easily approach either of these groups to purchase the same information.
The conflict over ownership of this type of information is not a new problem. What is new is the ability to acquire and sell this information in a cost-effective way. Computers have made this possible. In the past, information was not such a liquid commodity. The provider, the druggist, the insurer and the drug company kept paper records, and searching and compiling a list of all patients taking statin X was impractical. Thus the ethics of selling such information was never an issue. Now it is--and one that needs the input of health information management (HIM) professionals to resolve.
Computers also create an access problem that, though possible with paper records, is much greater with electronic records. With a paper record, one must make copies or fax documents to share data with other members of the health care system, as the originals must be preserved at the site of origination. The existence of these copies creates problems that must be addressed under the principles of privacy and confidentiality, but these problems pale compared to what can happen with computers.
While a hospital will have tight control over the local users of its information system, the addition of remote connections opens a security leak. In a remote provider's office, the person accessing the hospital's database is not a hospital employee. While that person may have signed a confidentiality statement, the hospital has no way of policing offsite access and enforcing such an agreement. The hospital promotes offsite access for providers because those providers are the hospital's customers. Giving offsite access can become a competitive advantage in recruiting and retaining providers. Unfortunately, the HIM director's interests (and ethics) may be sacrificed for a business decision unless he or she is included in the decision-making process.
Computer and information technologists handle computers. They are expert in their field, but not necessarily knowledgeable about record management. Further, the knowledge explosion in their nascent field has created an ethical vacuum.2 This vacuum is further deepened by the tendency of experts to ignore or marginalize specialists outside of their discipline. This tendency can be overcome through the growing convergence that accompanies the rapid growth of technology.3 Here is where the end-users of medical information must join with the information managers. One place this is happening is in response to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HIPAA required that Congress pass legislation by August of this year that would clearly define the protections that Americans can expect for their private health information. Having missed the deadline, the duty falls to the Department of Health and Human Services (DHHS) to write regulations that will perform the same function. Those regulations should be issued by Spring 2000. The Joint Healthcare Information Technology Alliance (JHITA), which includes the American Health Information Management Association (AHIMA), has an excellent Web site with information both about the proposed regulations and their response to them at www.jhita.org.
So what can we expect in the future? On one hand, technology will improve our ability to monitor records and those accessing them. Patients will be able to authorize who can access their record, and HIM professionals will be able to enforce their wishes. The downside will be the continued trend toward larger health care systems, with the management of records becoming more complex. Managing records in a managed care environment will require balancing the privacy of the individual against the profit motive of the organizations. Patients and patient data could be bought and sold just as mortgages are bought and sold by banks. A medical record can become a source containing highly profitable material to an organization lacking professional ethics.4 And decisions about the use of data will become more embroiled in ethical issues as genetic data becomes part of the record.
In summary, the role of HIM professionals, whether they are managing paper-based or electronic records, will become more difficult as new technology and new data sources become available. Information managers and end users will have to work with consumers and technicians to find consensus on what constitutes a sound ethical foundation for managing health information in the 21st century.
1. Pemberton, JM. "Through a glass darkly": ethics and information technology. Records Management Quarterly. 32(1) p76 (9).
2. Laudon, KC. Ethical concepts and information technology. Communications of the ACM. 38(12) p33(7).
3. Pemberton, JM. Canadian information professionals sound the ALARM and ARMA and SAA reach out. Records Management Quarterly. 31(4) p62(4).
4. Davidson, JR, Davidson, T. Confidentiality and managed care: ethical and legal concerns. Health and Social Work. 21(3) p208(8).
David G. Curry is the owner of PrimeCare Consulting of Plattsburgh, NY, specializing in information systems solutions for health care organizations, and a doctoral student in Information Science at Rockefeller College, Albany, NY.