Frequently asked questions on privacy report
Initiated by the Institute for Ethics at the American Medical Association in 1997, Ethical Force is a broad-based effort to develop performance measures for ethics that will be useful throughout the health care system. It was founded on the belief that, because patients often enter the health care system while vulnerable and unable to protect their own interests effectively, high ethical standards must permeate the entire health care system. That is, every participant in health care must hold some shared fundamental ethical obligations. Moreover, if specific shared expectations for ethical action can be developed, then knowing how well each participant lives up to these shared expectations would be of tremendous value. Thus, the program aims to develop useable performance measures in specific domains of health care ethics, which can be applied to all participants in health care -- from hospitals and physicians to health plans, employer/purchasers, investors, and more.
Although the AMA's Institute for Ethics convened the Ethical Force Program®, and thus the AMA has been the program's primary (but not sole) financial sponsor, it is the Oversight Body that has the authority to direct the program, including selecting topic areas to address and developing and approving consensus reports. Each member of the Oversight Body has been free to share early drafts of the consensus document with their respective employers, as well as other experts and interested parties. This allowed for broad input into the recommendations. However, final votes on whether to include specific items in the document rested solely with the Oversight Body members. Voting was confidential, and at this time the document is not necessarily the official policy of any of the organizations from which Oversight Body members have been drawn.
Protecting the privacy of sensitive, patient-identifiable health information is the first ethical topic area that the Ethical Force Oversight Body has chosen to address. In making this selection, the Oversight Body considered the rapid evolution of health care informatics and the potential that these advances provided, both to better protect patient information and to allow rapid, massive, and possibly silent breaches of patient confidentiality. When these possibilities were assessed -- together with rising public concerns about health care privacy and the perception that there is a fundamental ethical obligation to carefully protect information given to health care providers in confidence and out of necessity -- the Oversight Body felt that protecting privacy was a clear example of an ethical obligation that must span the entire health care system.
Every individual or organization that has access to or uses identifiable health care information has that information because a patient entrusted the information to someone -- either to him or her or to someone with whom they are associated. Therefore, every individual or organization with access to this sensitive information is considered to be a "health information trustee." Being a health information trustee is a privileged position, which, like most privileges, entails special obligations. The Ethical Force recommendations are a specification of some of the ethical obligations of every health information trustee.
Using aggregate information, which cannot reasonably be traced back to individuals, is critical for many research, quality assurance, law enforcement, and other legitimate purposes. Fortunately, using this sort of information also does not generally pose a significant risk to individual privacy interests, and thus is not covered by the Ethical Force recommendations -- except insofar as there is a recommendation that deidentification protocols should be carefully defined and assessed by the health information trustees that use them.
The primary use of a patient's personal health information should be to better care for that patient. Indeed, patients assume that the information they give to physicians and other health practitioners will be used primarily, if not solely, for their direct benefit -- as they should. Thus, protecting confidential health information should do two things. First, it should allow patients to entrust sensitive information to their caregivers without fear that the information will be used to harm them in any way. Second, it should allow them to do so in the comfort that the information will be used as effectively as possible to help them avoid illness or get better if they are ill. For these reasons, consent to use and share information for the direct therapeutic benefit of a patient may generally be presumed when the patient presents for care. But by the same token, any use of information beyond this must require additional ethical justification.
When a claim is submitted for payment, or when a health plan is asked to cover a service, the patient is implicitly authorizing the insurer to access information needed to assess whether to pay the claim. However, if a patient pays out of pocket for a service, without requesting insurance reimbursement, then the patient should be allowed to decline any further circulation of information arising from this service, except as required by law (such as public health reporting requirements).
The HHS regulations are complex and there are many potential points of comparison. But it is most important to note that the Ethical Force process preceded the development of the federal regulations and that Ethical Force addresses privacy and confidentiality from the point of view of providing ethical guidance rather than a regulatory or legal framework. The Ethical Force Program® in general should be recognized as a collaborative effort to address areas of health care ethics that are not merely legal or regulatory issues -- the ethical issues that Ethical Force is addressing are important to promote and preserve the trust that must be at the heart of health care. Therefore, whether specific actions are legal according to state or federal rules was not directly relevant to the development of the consensus report, which addresses legitimate ethical -- and not simply legal -- expectations.
In brief, the Data Disclosure Board is proposed as a mechanism to ensure accountable oversight for those uses of identifiable information where full informed consent is not obtained. In some cases, such oversight already is in place using existing accountable committees. For instance, many research projects that use patient information already receive review by an Investigational Review Board (IRB) and do not require further review. But many non-research uses of such information, such as quality assurance and improvement projects, disease management programs, and public health tracking programs, may receive little or no accountable oversight today, despite the fact that they may involve collecting and using individually identifiable health information. Every such program or project should be reviewed at least periodically by an accountable committee, and documentation as to the committee's rationales for allowing any uses of information without consent, or with limited consent, should be maintained.
Individuals or small groups that wish to use patient-identifiable information for purposes other than direct patient care and billing -- such as for quality improvement projects, for marketing new services, or in non-IRB approved research projects -- should either obtain their patients' consent or use another organization's Data Disclosure Board for review (such as that of a health plan with which the individual or small group contracts). As with medical research on human subjects, there is discernable risk involved in using patients' health information in ways that the patients have not approved. To do so with no accountable oversight would not be prudent medical practice.
This is a difficult, and perhaps sometimes impossible, distinction to draw, since some marketing materials can provide valuable health information. Still, as the old saw goes, you'll know a commercial when you see one, and many are concerned that their health information may be used simply to pitch products. For this reason, any proposed use, whether ostensibly commercial or not, should receive the same accountable oversight by a Data Disclosure Board (or a similarly charged committee), which must document why it allowed the use to occur and what protections are in place (e.g., opt-in or opt-out provisions, notice provisions) to ensure that inappropriate disclosures or uses do not occur.