ETHICAL ISSUES IN HEALTH
INFORMATION TECHNOLOGY
LDR 668 Politics,
Policy & Ethics
By Lori Reau
HEALTH INFORMATION TECHNOLOGY

HIT (Health Information Technology)
 The
use of health information technology (HIT) is
becoming increasingly important in medical
providers’ efforts to support decision-making and to
promote quality health care delivery (Fleming)
BASIC HEALTH INFORMATION TECHNOLOGIES




Telehealth: Delivery of health-related services and information via
telecommunications technologies, including both health care and education
Electronic Medical Records: Computer-based patient records
Electronic Clinical Support Systems: Computer-based knowledge
management technologies that support the clinical decision-making process
from diagnosis and investigation through treatment and recovery
Online Health Care Resources: Web-based resources that market to health
care consumers, as well as providers, linking to information and education
about products, medical and dental services, alternative health care,
hospitals, providers, employment, publications, and mental health (Fleming)
PREVENTING ETHIC CONFLICTS WITH
HEALTHCARE INFORMATION TECHNOLOGY





Telehealth Respect privacy and confidentiality; ensure adequate informed
consent
Electronic Medical Records Ensure accuracy, accessibility and
accountability by providers; seek information transferability between
systems
Electronic Clinical Support Systems Ensure access and reliability of
decision support systems for local sites, with support from tertiary care
sites when needed
Online Health Care Resources Ensure accuracy and reliability of information
being accessed; encourage careful scrutiny by those accessing such
information
Additional Protections Establish policies and procedures to ensure
consistency, generalization, and quality; develop informational material for
providers and patients; provide community-wide education on health
information technology (Fleming)
HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT OF 1996


Title I of HIPAA protects health insurance coverage for workers
and their families when they change or lose their jobs.
Title II of HIPAA, known as the Administrative Simplification (AS)
provisions, requires the establishment of national standards for
electronic health care transactions and national identifiers for
providers, health insurance plans, and employers.


The Administration Simplification provisions also address the security
and privacy of health data. The standards are meant to improve the
efficiency and effectiveness of the nation's health care system by
encouraging the widespread use of electronic data interchange in the
U.S. health care system.
The Privacy Rule is balanced so that it permits the disclosure of
personal health information needed for patient care and other
important purposes.
(Centers for Medicare & Medicaid Services)
HIPAA PRIVACY RULE





Gives patients more control over their health information;
Sets boundaries on the use and release of health records;
Establishes appropriate safeguards that the majority of healthcare providers and others must achieve to protect the privacy of
health information;
Holds violators accountable with civil and criminal penalties
that can be imposed if they violate patients' privacy rights;
Strikes a balance when public health responsibilities support
disclosure of certain forms of data;
HIPPA PRIVACY RULE





Enables patients to make informed choices based on how
individual health information may be used;
Enables patients to find out how their information may be used
and what disclosures of their information have been made;
Generally limits release of information to the minimum
reasonably needed for the purpose of the disclosure;
Generally gives patients the right to obtain a copy of their own
health records and request corrections; and
Empowers individuals to control certain uses and disclosures of
their health information.
HIPPA SECURITY RULE
THE SECURITY RULE SPECIFIES A SERIES OF
ADMINISTRATIVE, PHYSICAL, AND TECHNICAL
SAFEGUARDS FOR COVERED ENTITIES TO USE TO ASSURE
THE CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY OF
ELECTRONIC PROTECTED HEALTH INFORMATION
What Information is Protected?
Electronic Protected Health Information. The HIPAA Privacy Rule
protects the privacy of individually identifiable health information,
called protected health information (PHI). The Security Rule protects a
subset of information covered by the Privacy Rule, which is all
individually identifiable health information a covered entity creates,
receives, maintains or transmits in electronic form. The Security Rule
calls this information “electronic protected health information” (ePHI).3 The Security Rule does not apply to PHI transmitted orally or in
writing. (Centers for Medicare & Medicaid Services)
SAFEGUARDS

Physical Safeguards



Technical Safeguards





Access Control
Audit Controls.
Integrity Controls.
Transmission Security.
Organizational Requirements



Facility Access and Control.
Workstation and Device Security.
Covered Entity Responsibilities.
Business Associate Contracts.
Enforcement and Penalties for Noncompliance

Compliance.
HEALTH INFORMATION TECHNOLOGY FOR
ECONOMIC AND CLINICAL HEALTH ACT (HITECH
ACT)
This bill accomplishes four major goals that advance the use of health
information technology (Health IT), such as electronic health records by:
 Requiring the government to take a leadership role to develop standards
by 2010 that allow for the nationwide electronic exchange and use of
health information to improve quality and coordination of care.
 Investing $20 billion in health information technology infrastructure and
Medicare and Medicaid incentives to encourage doctors and hospitals to
use HIT to electronically exchange patients’ health information.
 Saving the government $10 billion, and generating additional savings
throughout the health sector, through improvements in quality of care
and care coordination, and reductions in medical errors and duplicative
care.
 Strengthening Federal privacy and security law to protect identifiable
health information from misuse as the health care sector increases use
of Health IT.
(Committees on Energy and Commerce, Ways and Means, and Science and
Technology, 2009)
HTTP://WWW.HIPAASURVIVALGUIDE.COM
TOP (REPORTED) PRIVACY BREACH CAUSES
Theft
 Loss of electronic media or paper records
containing protected health information
 Unauthorized access to protected health
information-intentional or unintentional
 Human error
 Improper disposal
(Matre, 2012)

HITECH BREACH NOTIFICATION REQUIREMENTS







Includes unauthorized and disclosures uses of
“unsecured”PHI.
Similar to breach disclosures of financial and credit card
institutions.
"unsecured PHI" essentially means "unencrypted PHI
Patients are to be notified
If the breach number is greater than 500 the HHS must be
notified.
Under certain conditions the local media will also be notified.
Notification must occur regardless if it is an internal or
external breach.
(The HIPPA Survival Guide)
SECURITY HEADLINES
(Matre, 2012)
MEANINGFUL USE AND AMERICAN RECOVERY
AND REINVESTMENT ACT 2009


“Two regulations have been released, one of which defines the
“meaningful use” objectives that providers must meet to qualify
for the bonus payments, and the other which identifies the
technical capabilities required for certified EHR technology.
•Incentive Program for Electronic Health Records: Issued by
the Centers for Medicare & Medicaid Services (CMS), this final
rule defines the minimum requirements that providers must
meet through their use of certified EHR technology in order to
qualify for the payments.” (Glossary of EMR Requirements)
16
ARRA QUALIFYING PERIOD TIMELINE



Latest qualifying period start date for Stage 1 is 7/3/13
With this start date, the full year one payment can be
obtained along with all payments as long as attestation is
done for all
The challenge is that a higher Stage level will need to be met
in a shorter time period with a later initial qualifying period
start date
BALANCING TECHNOLOGY REGULATION
AND ETHICAL OBLIGATIONS TO PATIENTS





Regulations only help to alleviate risk-benefit balance related
ethical dilemmas by eliminating so called unethical implications
committed against the patient.
The ethical obligations pertain to actions taken on patients’
behalf, to improve their health status and protect their personal
information.
The ethical dilemmas do not lie in the crimes, they arise when we
have to decide if the benefits of implementing an IT system
outweigh the risk of computer crimes which harm the patient.
Unintended harms must be considered in pursuit of the intended
good. Do no harm.
Who gets to define harm in this technological arena?
(Ethical Dilemmas of Healthcare Delivery in the Information Technology Age, 2003)
BROADER ETHICS CONCERN




That confidentiality may become less important, or more difficult to
enforce, as health information technologies become more universally
available and applied, particularly as human curiosity continues to
promote behavior that derails even the most secure system.
Breaches in confidentiality can be both visual and auditory. Such
breeches may be quite innocent, such as when a passer-by
inadvertently views or hears a provider’s videoconference
interactions with patients.
Other concerns include unauthorized viewing of patient images or
clinic notes in an electronic database that is shared
The digital divide whereas patients are particularly vulnerable to
geographic, physical, cognitive, or economic barriers to health care
services
ETHICS TRAINING AND EDUCATION

Elementary school.
 Understand
Moral “right” and “wrong”
 Understand privacy and safety
…Aristotle is deeply indebted to Plato’s moral philosophy, particularly
Plato’s central insight that moral thinking must be integrated with
our emotions and appetites, and that the preparation for such unity
of character should begin with childhood education… (Stanford
Encyclopedia of Philosophy, p.2). (Martens)
ETHICS TRAINING AND EDUCATION

High School and College
‘netiquette’, intellectual property rights, plagiarism, piracy and
privacy. Information integrity, information confidentiality and
information availability/non-availability , authentication, speed of
computers- information that cannot be deleted once sent. (Martens)
 Psychological Distance or Anonymity does not excuse the immorality
of an action or behavior.
 Criminal, Societal and Personal Repercussions


Workforce
Regulation
 Non-compliance Penalties
 Yearly Updates and Acknowledgements
 Criminal, Societal and Personal Repercussions (Rikowski, 2003).

CYBER LICENSING


Professionals-physicians, psychologists, psychiatrists, and social
workers-are licensed by their respective professional agencies and
therefore required to follow a certain professional code of conduct
established by their professional boards
Many states already require licensure in their state before an out-ofstate physician can electronically provide services to patients



the provider would need to be licensed in the state the patient was
residing, severely limiting the practice of cyber medicine, e-psychiatry, or
e-therapy
Special training programs
Establishment of an independent, international body to assess
"cyber-docs," issue a special license to practice in cyberspace, and
then monitor their practice
CONSUMER AND PATIENT
Knowledge is power
 HIPAA
 Rights-to know, to privacy, to property, to
confidentiality
 Understand access, safety and security
 Reliable online resources

CONSUMER AND PATIENT
Questions Patients Should Ask When Using Medical Web Sites/PHI
Portals
 Who maintains the site?
 Is there an editorial board or listing of names and credentials of
those responsible for preparing and reviewing the site’s content?
 Does the site link to other reliable sources of medical information?
 Does the site provide references to reliable sources?
 When was the site last updated?
 Has the site been reviewed for mistakes in grammar or spelling?
 Are informative graphics and multimedia files such as video or audio
clips available?
 Is the site HIPAA/HITECH compliant?
 Is there a security or trustmark symbol?
CONSUMER AND PATIENT

Patients are uniquely empowered, because they are now able to
access health information directly, without depending on physicians,
clinics, and hospitals to select what they read and hear about health
and health care.

It must be the responsibility of each individual user, whether
professional, public or private, to check the accuracy, reliability, and
overall trustworthiness of information given on health-related Web
sites EMR or portals.

The ultimate responsibility of access to patient healthcare
information lies with all of us. People are the consumer, the patient,
the licensed professional who drives the ethical goodness, well-being
and dignity of humankind.
HOW DO YOU
KNOW YOUR
INFORMATION IS
PROTECTED?
THANK YOU
REFERENCES









Centers for Medicare & Medicaid Services. (n.d.). Retrieved April 2012, from CMS.gov:
http://www.cms.gov/Regulations-and-Guidance/HIPAA-AdministrativeSimplification/HIPAAGenInfo/index.html
Committees on Energy and Commerce, Ways and Means, and Science and Technology. (2009,
January 16). Retrieved April 2012
Ethical Dilemmas of Healthcare Delivery in the Information Technology Age. (2003). Singapore Med J ,
44(3), 145-148.
Fleming, D. A. (n.d.). Ethics Conflicts in Rural Communities: Health Information Technology. Retrieved
April 2012, from http://geiselmed.dartmouth.edu/cfm/resources/ethics/chapter-14.pdf
Glossary of EMR Requirements. (n.d.). Retrieved April 2012, from Greenway:
http://www.meaningfuluse-emr.com/glossary/1#term7
http://www.hipaasurvivalguide.com
Matre, K. (2012, May). I am a patient perspective data privacy in healthcare. HIMSS Virtual
Conference .
Martens, B. (n.d.). Computer Ethics in Secondary and Teacher Training. Retrieved April 2012, from
http://bibliotecavirtual.clacso.org.ar/ar/libros/raec/ethicomp5/docs/pdf_papers/43Martens,%20Be
rn.pdf
Rikowski, R. (2003). Teaching ethical issues in Information Technology: how and when. Retrieved
April 2012, from http://www.libr.org/isc/issues/ISC23/B9a%20Ruth%20Rikowski.pdf