Privacy and Medical Record Information

Journal of the American Medical Informatics Association

Volume 1 Number 4 Jul / Aug 1994

GEORGE J. AGICH, PHD

I first want to commend ACMI for planning this debate and for stimulating discussion of this important question. I do not believe that Americans should be prepared to accept a loss of privacy in order to achieve a cost-effective, widely accessible, high-quality health care system in the United States, for a number of reasons. In the first place, it is unclear whether a cost-effective, widely accessible, high-quality health care system necessitates a medical record that would not be private in the relevant sense; nonetheless, it is reasonable to assume that some changes in the way medical information is recorded, stored, and used under health care reform will occur and that these changes will carry with them potential threats to privacy. The question is how to address the concerns for privacy.

It has been argued that because modern technology involves such an enormous increase in power, especially in terms of its far-reaching consequences, a fundamentally new sense of responsibility is required. This new sense of responsibility involves not only obligations to present individuals, individuals whom one knows through determinant social and moral relationships, but also obligations to individuals whom we do not know personally and who might not even exist yet. (The far-reaching implications of the electronic medical record extend to even the unborn and merge with developments under way in the Human Genome Project. Clearly, these are neither speculative nor merely theoretical worries.) This sense of responsibility also requires a careful and critical reflection on the consequences of the technology before and during, rather than after, its use.

Affiliation of the author: Department of Medical Humanities, Southern Illinois University, School of Medicine, Springfield, IL. Correspondence and reprints: George J. Agich, PhD, Department of Medical Humanities, Southern Illinois University, School of Medicine, P.O. Box 19230, Springfield, IL 62794-9230. Received for publication: 3/15/94; accepted for publication: 3/18/94.

Privacy is a basic right of individuals that is anchored in the fundamental principle of autonomy or self-determination. I can only assert this point rather than argue it. On its basis, however, privacy should not be treated as an element to be traded off for efficiency in running some future health care system; rather, it is not only a value that needs protection, but also a complex issue that needs rigorously critical analysis and discussion. I want to sound a cautionary note that unless issues of privacy are addressed early and in a thoughtful way, they are likely to come back to stymie development and implementation of what many of you have devoted your professional lives to achieving.

The issue of privacy of personal medical information involves two different, but equally important, components (the social and the technical) that need to be considered synergistically because the problem of privacy lies at the intersection of these domains, not solely in one or the other. I discuss the technical component first and more briefly because this component is quite familiar to this audience and because I know just enough about informatics to know that in the present company humility is probably the safest course.

The question is whether computerized medical records will simply magnify the opportunities for breaches of confidentiality and privacy in ways that we cannot control (a prospect that recommends resistance to development and implementation of computerized medical records) or whether, in the design of computerized medical information systems, the employment of encryption, security, and monitoring measures can either prevent or significantly diminish the risk posed so that the advantages will clearly outweigh any compromise of privacy that might occur. Whenever medical records are part of systems integrated into networks, the issue of privacy acquires a more complex twist. Wireless communication raises further problems.
The existence of hackers and others who might breach computer security systems is but one of the many problems that are part of the general concern over the security of computerized record systems and, as such, is a bit beyond our topic. The relevant point is that privacy concerns are thus allied with other concerns such as general system security and therefore need not be approached as a separate concern. I leave it to others on this panel and in the audience to address the issues of hardware and software design for privacy protection, but it seems to me that while the technical problems are difficult, they are not necessarily intractable. The important point is that privacy needs to be a central goal in the design of such systems. If it is not, then as a developer you expose yourself to a good deal of criticism.

The danger, however, is that the problem of privacy will be seen as a merely technical problem for which the fix can or, indeed, could only be technical. That is an approach that might be foisted on developers by administrators and others who want to confine the privacy worries to a technical domain for political and other reasons. My advice is that you should resist such efforts because the more significant dimension of this problem involves the social aspect.

The design of computing systems and software must necessarily take into account the human interface. How various kinds of personnel in the health care system use medical records is an important and essential feature of any satisfactory analysis of the problem of privacy. Identifying the needs and work style of each group of users, of course, has implications not only for the selection of hardware and software, but also for the question of access, security, and monitoring. For example, in one of our hospitals, any physician with a valid password can access any medical record whether or not he has any professional relationship with the patient in question. Such ready access is, of course, a boon to busy private practitioners who prefer no restrictions on their personal work styles, yet such a practice holds tremendous opportunities for mischief.
A merely technical fix, however, is likely to be insufficient because ingrained practice patterns and expectations run counter to it. Creating technical access barriers to clinical systems would not only frustrate the most important group of users, but would also create political problems that would obfuscate rather than clarify the various dimensions of the problem. The issue here is clearly one of human or social, not software, engineering.

1993 ACMI Debate

The worry that not only health care professionals but also insurers, employers, and others might peruse medical records without patient consent is magnified by the prospect of the computerized medical record, but it is not created by it. Insurers, in particular, now gain access to medical information with the blanket consents that patients give under the guise of releasing information for the purposes of reimbursement. Quality assurance similarly creates problems. These are clearly social problems; nevertheless, the expertise represented in ACMI could be put to good use by developing position papers and by helping legislators and policy makers to understand these issues more adequately.

One fear is that the issue of protecting the privacy of the medical record is likely to be touted by physicians who will predictably view any prospect of oversight of their individual medical decisions as an intrusion into their own professional autonomy. This is a further reason why attention to the social impediments to the computer-based medical record is necessary and why the examination of the social goals of access and use is essential.

In conclusion, I want to comment on the way that medical records in academic medical centers currently are and conceivably under health care reform should ideally be open for research purposes. Here, the issue is not simply one of securing Institutional Review Board (IRB) approval for individual studies, but also of designing systems that will facilitate socially approved kinds of access but store information in ways that will protect patient privacy (e.g., by stripping identifiers from records while retaining the core components of the chart or by creating secondary identifiers known only to medical records personnel). The designs of such systems do not usually, if ever, come under the review of IRBs nor do designers routinely seek the advice of hospital ethics committees or ethics consultants, though their collaborative involvement at the design stage might help to avoid many future problems.
The goals of fostering record review research and protecting privacy might actually merge if intelligent analysis of the problems and issues were undertaken early enough. As designers and consultants, it will be important for you to remember that the social aspect of privacy protection intersects with other social agendas and concerns and that an exclusively technical approach to these problems in medical informatics is likely to be quite inadequate.
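
One way to implement the record design mentioned in the conclusion (stripping identifiers while retaining the chart, with secondary identifiers known only to medical records personnel), including a check for identifiers that survive in free-text notes. This is an added example, not part of the original article; the field names, the HMAC-SHA-256 construction, the key, and the sample visits are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumed field names for direct identifiers; a real chart schema will differ.
DIRECT_IDENTIFIERS = ("name", "mrn", "address", "phone", "date_of_birth")

# Constructed sample data (not real patients, not a real key).
RECORDS_KEY = b"constructed-demo-key-held-by-records-office"
VISIT_1 = {"name": "Jane Example", "mrn": "MRN-000123",
           "address": "1 Sample Road", "phone": "555-0100",
           "date_of_birth": "1950-02-11", "diagnosis": "hypertension",
           "note": "BP 150/95, started lisinopril."}
VISIT_2 = dict(VISIT_1, diagnosis="hypertension, controlled",
               note="Mrs. Example reports no dizziness. BP 128/82.")


def secondary_id(mrn: str, key: bytes) -> str:
    """Keyed pseudonym: stable per patient, not derivable without the key."""
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def release_for_research(chart: dict, key: bytes, crosswalk: dict) -> dict:
    """Strip direct identifiers, keep clinical content, attach a secondary ID."""
    sid = secondary_id(chart["mrn"], key)
    crosswalk[sid] = chart["mrn"]  # re-identification table stays with records staff
    released = {k: v for k, v in chart.items() if k not in DIRECT_IDENTIFIERS}
    released["research_id"] = sid
    return released


def residual_identifiers(released: dict, chart: dict) -> list:
    """Return identifier fields whose values still appear in the released text."""
    text = " ".join(str(v) for v in released.values()).lower()
    hits = []
    for field in DIRECT_IDENTIFIERS:
        value = str(chart.get(field, "")).lower()
        # Match the whole value or any word of it (e.g. a surname in a note).
        tokens = [value] + [t for t in value.split() if len(t) > 3]
        if value and any(t in text for t in tokens):
            hits.append(field)
    return hits


if __name__ == "__main__":
    crosswalk = {}
    for visit in (VISIT_1, VISIT_2):
        out = release_for_research(visit, RECORDS_KEY, crosswalk)
        print(out["research_id"], residual_identifiers(out, visit))
```

Both visits receive the same `research_id`, so researchers can link a patient's records without learning who the patient is, while the second visit is flagged because the surname survives in the free-text note even after the structured fields are removed.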