ETHICAL ISSUES IN HEALTH INFORMATION TECHNOLOGY
LDR 668 Politics, Policy & Ethics
By Lori Reau

HEALTH INFORMATION TECHNOLOGY
HIT (Health Information Technology)
The use of health information technology (HIT) is becoming increasingly important in medical providers’ efforts to support decision-making and to promote quality health care delivery (Fleming)

BASIC HEALTH INFORMATION TECHNOLOGIES
• Telehealth: Delivery of health-related services and information via telecommunications technologies, including both health care and education
• Electronic Medical Records: Computer-based patient records
• Electronic Clinical Support Systems: Computer-based knowledge management technologies that support the clinical decision-making process from diagnosis and investigation through treatment and recovery
• Online Health Care Resources: Web-based resources that market to health care consumers, as well as providers, linking to information and education about products, medical and dental services, alternative health care, hospitals, providers, employment, publications, and mental health
(Fleming)

PREVENTING ETHICS CONFLICTS WITH HEALTHCARE INFORMATION TECHNOLOGY
• Telehealth: Respect privacy and confidentiality; ensure adequate informed consent
• Electronic Medical Records: Ensure accuracy, accessibility and accountability by providers; seek information transferability between systems
• Electronic Clinical Support Systems: Ensure access and reliability of decision support systems for local sites, with support from tertiary care sites when needed
• Online Health Care Resources: Ensure accuracy and reliability of information being accessed; encourage careful scrutiny by those accessing such information
• Additional Protections: Establish policies and procedures to ensure consistency, generalization, and quality; develop informational material for providers and patients; provide community-wide education on health information technology
(Fleming)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system. The Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. (Centers for Medicare & Medicaid Services)

HIPAA PRIVACY RULE
• Gives patients more control over their health information
• Sets boundaries on the use and release of health records
• Establishes appropriate safeguards that the majority of healthcare providers and others must achieve to protect the privacy of health information
• Holds violators accountable with civil and criminal penalties that can be imposed if they violate patients' privacy rights
• Strikes a balance when public health responsibilities support disclosure of certain forms of data

HIPAA PRIVACY RULE
• Enables patients to make informed choices based on how individual health information may be used
• Enables patients to find out how their information may be used and what disclosures of their information have been made
• Generally limits release of information to the minimum reasonably needed for the purpose of the disclosure
• Generally gives patients the right to obtain a copy of their own health records and request corrections
• Empowers individuals to control certain uses and disclosures of their health information

HIPAA SECURITY RULE
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.

What Information is Protected?
Electronic Protected Health Information. The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI). The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (ePHI). The Security Rule does not apply to PHI transmitted orally or in writing. (Centers for Medicare & Medicaid Services)

SAFEGUARDS
Physical Safeguards
• Facility Access and Control
• Workstation and Device Security
Technical Safeguards
• Access Control
• Audit Controls
• Integrity Controls
• Transmission Security
Organizational Requirements
• Covered Entity Responsibilities
• Business Associate Contracts
Enforcement and Penalties for Noncompliance
• Compliance

HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (HITECH ACT)
This bill accomplishes four major goals that advance the use of health information technology (Health IT), such as electronic health records, by:
• Requiring the government to take a leadership role to develop standards by 2010 that allow for the nationwide electronic exchange and use of health information to improve quality and coordination of care.
• Investing $20 billion in health information technology infrastructure and Medicare and Medicaid incentives to encourage doctors and hospitals to use HIT to electronically exchange patients’ health information.
• Saving the government $10 billion, and generating additional savings throughout the health sector, through improvements in quality of care and care coordination, and reductions in medical errors and duplicative care.
• Strengthening Federal privacy and security law to protect identifiable health information from misuse as the health care sector increases use of Health IT.
(Committees on Energy and Commerce, Ways and Means, and Science and Technology, 2009)

HTTP://WWW.HIPAASURVIVALGUIDE.COM

TOP (REPORTED) PRIVACY BREACH CAUSES
• Theft
• Loss of electronic media or paper records containing protected health information
• Unauthorized access to protected health information, intentional or unintentional
• Human error
• Improper disposal
(Matre, 2012)

HITECH BREACH NOTIFICATION REQUIREMENTS
• Includes unauthorized uses and disclosures of “unsecured” PHI.
• Similar to breach disclosures of financial and credit card institutions.
• "Unsecured PHI" essentially means "unencrypted PHI".
• Patients are to be notified.
• If the breach number is greater than 500, the HHS must be notified.
• Under certain conditions the local media will also be notified.
• Notification must occur regardless of whether it is an internal or external breach.
(The HIPAA Survival Guide)

SECURITY HEADLINES
(Matre, 2012)

MEANINGFUL USE AND AMERICAN RECOVERY AND REINVESTMENT ACT 2009
“Two regulations have been released, one of which defines the “meaningful use” objectives that providers must meet to qualify for the bonus payments, and the other which identifies the technical capabilities required for certified EHR technology.
• Incentive Program for Electronic Health Records: Issued by the Centers for Medicare & Medicaid Services (CMS), this final rule defines the minimum requirements that providers must meet through their use of certified EHR technology in order to qualify for the payments.” (Glossary of EMR Requirements)

ARRA QUALIFYING PERIOD TIMELINE
• Latest qualifying period start date for Stage 1 is 7/3/13
• With this start date, the full year one payment can be obtained along with all payments as long as attestation is done for all
• The challenge is that a higher Stage level will need to be met in a shorter time period with a later initial qualifying period start date

BALANCING TECHNOLOGY REGULATION AND ETHICAL OBLIGATIONS TO PATIENTS
• Regulations only help to alleviate risk-benefit balance related ethical dilemmas by eliminating so-called unethical implications committed against the patient.
• The ethical obligations pertain to actions taken on patients’ behalf, to improve their health status and protect their personal information.
• The ethical dilemmas do not lie in the crimes; they arise when we have to decide if the benefits of implementing an IT system outweigh the risk of computer crimes which harm the patient.
• Unintended harms must be considered in pursuit of the intended good.
• Do no harm. Who gets to define harm in this technological arena?
(Ethical Dilemmas of Healthcare Delivery in the Information Technology Age, 2003)

BROADER ETHICS CONCERN
• That confidentiality may become less important, or more difficult to enforce, as health information technologies become more universally available and applied, particularly as human curiosity continues to promote behavior that derails even the most secure system.
• Breaches in confidentiality can be both visual and auditory. Such breaches may be quite innocent, such as when a passer-by inadvertently views or hears a provider’s videoconference interactions with patients.
• Other concerns include unauthorized viewing of patient images or clinic notes in an electronic database that is shared
• The digital divide, in which patients are particularly vulnerable to geographic, physical, cognitive, or economic barriers to health care services

ETHICS TRAINING AND EDUCATION
Elementary school
• Understand Moral “right” and “wrong”
• Understand privacy and safety
…Aristotle is deeply indebted to Plato’s moral philosophy, particularly Plato’s central insight that moral thinking must be integrated with our emotions and appetites, and that the preparation for such unity of character should begin with childhood education… (Stanford Encyclopedia of Philosophy, p.2).
(Martens)

ETHICS TRAINING AND EDUCATION
High School and College
• ‘Netiquette’, intellectual property rights, plagiarism, piracy and privacy.
• Information integrity, information confidentiality and information availability/non-availability, authentication, speed of computers: information that cannot be deleted once sent. (Martens)
• Psychological Distance or Anonymity does not excuse the immorality of an action or behavior.
• Criminal, Societal and Personal Repercussions
Workforce
• Regulation
• Non-compliance Penalties
• Yearly Updates and Acknowledgements
• Criminal, Societal and Personal Repercussions
(Rikowski, 2003).

CYBER LICENSING
• Professionals (physicians, psychologists, psychiatrists, and social workers) are licensed by their respective professional agencies and therefore required to follow a certain professional code of conduct established by their professional boards
• Many states already require licensure in their state before an out-of-state physician can electronically provide services to patients
• The provider would need to be licensed in the state where the patient was residing, severely limiting the practice of cyber medicine, e-psychiatry, or e-therapy
• Special training programs
• Establishment of an independent, international body to assess "cyber-docs," issue a special license to practice in cyberspace, and then monitor their practice

CONSUMER AND PATIENT
• Knowledge is power
• HIPAA Rights: to know, to privacy, to property, to confidentiality
• Understand access, safety and security
• Reliable online resources

CONSUMER AND PATIENT
Questions Patients Should Ask When Using Medical Web Sites/PHI Portals
• Who maintains the site?
• Is there an editorial board or listing of names and credentials of those responsible for preparing and reviewing the site’s content?
• Does the site link to other reliable sources of medical information?
• Does the site provide references to reliable sources?
• When was the site last updated?
• Has the site been reviewed for mistakes in grammar or spelling?
• Are informative graphics and multimedia files such as video or audio clips available?
• Is the site HIPAA/HITECH compliant?
• Is there a security or trustmark symbol?

CONSUMER AND PATIENT
Patients are uniquely empowered, because they are now able to access health information directly, without depending on physicians, clinics, and hospitals to select what they read and hear about health and health care. It must be the responsibility of each individual user, whether professional, public or private, to check the accuracy, reliability, and overall trustworthiness of information given on health-related Web sites, EMR or portals.
The ultimate responsibility of access to patient healthcare information lies with all of us. People are the consumer, the patient, the licensed professional who drives the ethical goodness, well-being and dignity of humankind.

HOW DO YOU KNOW YOUR INFORMATION IS PROTECTED?

THANK YOU

REFERENCES
Centers for Medicare & Medicaid Services. (n.d.). Retrieved April 2012, from CMS.gov: http://www.cms.gov/Regulations-and-Guidance/HIPAA-AdministrativeSimplification/HIPAAGenInfo/index.html
Committees on Energy and Commerce, Ways and Means, and Science and Technology. (2009, January 16). Retrieved April 2012
Ethical Dilemmas of Healthcare Delivery in the Information Technology Age. (2003). Singapore Med J, 44(3), 145-148.
Fleming, D. A. (n.d.). Ethics Conflicts in Rural Communities: Health Information Technology. Retrieved April 2012, from http://geiselmed.dartmouth.edu/cfm/resources/ethics/chapter-14.pdf
Glossary of EMR Requirements. (n.d.). Retrieved April 2012, from Greenway: http://www.meaningfuluse-emr.com/glossary/1#term7
The HIPAA Survival Guide. http://www.hipaasurvivalguide.com
Matre, K. (2012, May). I am a patient perspective data privacy in healthcare. HIMSS Virtual Conference.
Martens, B. (n.d.). Computer Ethics in Secondary and Teacher Training. Retrieved April 2012, from http://bibliotecavirtual.clacso.org.ar/ar/libros/raec/ethicomp5/docs/pdf_papers/43Martens,%20Bern.pdf
Rikowski, R. (2003). Teaching ethical issues in Information Technology: how and when. Retrieved April 2012, from http://www.libr.org/isc/issues/ISC23/B9a%20Ruth%20Rikowski.pdf