The Responsibility of the Healthcare Industry in an Electronic Environment

In 1996, Congress adopted new rules that affected the entire healthcare industry and would change the way a patient's health information is handled. The Health Insurance Portability and Accountability Act (HIPAA) originally focused on enabling individuals to maintain their health insurance benefits when they changed jobs, even if they (or family members) had pre-existing medical conditions. HIPAA also created national standards to protect the privacy and security of a patient's protected health information. The privacy rule went into full effect in 2003 and according to a recent presentation by Cynergis Tek, a national information security firm, since that time "nearly 11,000 complaints have been filed to the federal government by patients and others" (2005, January).

Hospitals and healthcare entities are concerned with all aspects of HIPAA. However, most are mainly concerned with how to guarantee the privacy and security of an individual's protected health information (PHI). HIPAA creates significant obstacles when establishing written and electronic protocols concerning patient health information because the hospital and healthcare entities need to address the various audiences that may come in contact with, and potentially utilize, PHI.

When discussing HIPAA, it is important to understand exactly what is considered protected health information. Essentially, it is certain health information that identifies the individual and/or contains enough detailed information that the individuals can be identified. Identifiers related to protected health information include: information that relates to a person's physical or mental condition, the provision and/or payment of healthcare, general identify information (e.g., name, address, social security number, account numbers, etc.), is created or received by another entity and can be transferred through various mediums such as electronic, written or oral.

With the increased used of technology in the healthcare environment and employees having access to large amounts of confidential information, it is a challenge for hospitals and healthcare providers to guarantee a patient's total privacy. For the most part, employees handle health information is a secure, ethical manner, however there are those few who create potential vulnerabilities or use the information inappropriately (either intentionally or unintentionally). Take into account the following two occurrences, presented by Mac McMillan of Cynergis Tek (2005, January) that demonstrate how violations of protected health information can occur and the ethical aspects of access to patient health information and technology.

Occurrence 1 - Unauthorized Access
A nurse was reviewing the daily Emergency Room (ER) admissions as part of her routine job responsibilities. While reviewing the admissions, she noticed that her estranged son-in-law had been admitted to the ER. The nurse continued to track her son-in-law's progress throughout the day, genuinely interested in his well being. It was later discovered that the nurse accessed her son-in-law's health information inappropriately and she was sanctioned and received a two week suspension without pay as a result of her actions.

Occurrence 2 - Extortion
The University of California San Francisco Medical Center received a threat from Lubna Baloch, a Pakistani transcriptionist in Karachi, working for a contractor's subcontractor's subcontractor. Baloch learned that the hospital paid U.S. transcriptionists 18 cents per line, while she was paid only three cents per line. She threatened to release the hospital's files online unless she was paid money she believed she was owed. Baloch later withdrew the threat after the University of California San Francisco Medical Center met her demands and she received the funds.

Providers have taken great lengths to avoid incidences of negligence, health information misuse, theft and extortion. Efforts such as security awareness and training, business associate agreements, facility access controls and workstation security have all become the norm. At the Lourdes Health System, employees must complete annual HIPAA education and each year, employees must sign and comply with privacy agreements. There are two separate privacy agreements; one for employees who have computer access and one for employees who do not have computer access. Samples of the two agreements are included as addendums to this case study (Attachment A - non computer access and Attachment C - computer access). The purpose of the two distinct agreements is to raise awareness of the distinct challenges and opportunities for privacy violation that occur with the introduction of technology.

As Kaplan (2004) suggests, "Our new powers to affect the entire planet open up a new dimension of responsibility that was previously inconceivable. Accordingly, ethics must grow to encompass this new dimension" (p.228) HIPAA was implemented as a direct result of the increased use of technology to transport large amounts of data and to also respond to societal concerns, such as Internet activities, identify theft and general national security.

When protected health information and technology are combined, the question of technology and ethics becomes more evident. Kaplan (2004) notes: "All technologies raise implicit ethical questions. Anything humans make and do is subject to ethical evaluations about appropriate uses, aceptable consequences, and right or wrong actions and intentions" (p. 227).

HIPAA and the use of technology within the healthcare environment relates to the general concern raised in class during one of our earlier lectures - when writing for the electronic environment, what is the proper medium? Examples given in class of potential improper electronically based items included jury notices, legal documentation and birth certificates.

It seems as though the government and healthcare professionals fully support the use of technology and consider it to be a proper medium for delivering and administering healthcare. Not only is protected health information entered and utilized in an electronic environment, the healthcare industry is also moving in the direction of computerized physician order entry (CPOE) and electronic medical records (EMR). Healthcare is becoming more and more technologically based, which can help protect the patient's rights and safety, but also lead to future consequences.

According to an article published in the March 2003 edition of e-Ethics, "As more health providers move from paper files to the EMR, issues of confidentiality become more complex, in part because access by appropriate parties is so obviously essential." Adding to healthcare's challenges, "Will implementation of the privacy provisions of HIPAA adequately safeguard a patient's EMR" and "will the information technologies used by physicians, nurses, hospitals and emergency personnel provide sufficient access to a patient's medical record when treatment is urgently needed?" (But You're Not in the Computer! 2003).

With the advancement of such technological structures, the healthcare community needs to ask itself, just because we can make it, should we make it? Just because the world is becoming more and more technologically based, should we be moving towards total e-health?

Questions that come to mind after reading Laurence H. Tribe's article and the e-Ethics article are in line with the general concerns of technology as a whole. For EMR, what kinds of health information should be available to whom? What is considered appropriate access and what if your healthcare provider does not have the means or ability to comply with advanced technology? Is EMR, and electronic patient information in general, flexible enough to accommodate societal changes and differences in culture and religion?

Healthcare is at a point where technology is beginning to take over. One can also argue that technology in healthcare has been set up as an "ethics of care", claiming enhanced patient safety. At the Lourdes Health System, we have implemented enhanced technology that includes Pyxis, which supplies medication and supplies throughout the hospital; medication administration bar coding, which verifies the administration of various medications in an effort to reduce medication errors and adverse drug effects; and have most recently incorporated a 64-slice computed tomography (CT) scanner, which provides unprecedented improvements in image quality, resolution and speed. By incorporating these technologies, we have improved patient safety, but we have also created an industry that is becoming more and dominated by the use of robotics to complete tasks that were once done by humans. Even the introduction of the CT scanner was met with great opposition because the interventional cardiologists felt that the CT's noninvasive benefits would "put them out of business" because the CT had the ability to visualize the smallest details of blood vessels in the heart and blockages in coronary arteries have could now be diagnosed by the CT scanner.

Is technology becoming the substitute for patient care? Can we, as patients, totally trust the emergence of technology in the healthcare environment? Are we threatening a patient's privacy and does government still have a lot of work to do to ensure that our privacy is met and if violated, dealt with in a timely fashion?

We are all the most vulnerable when we are hospital patients and our personal health information is the most vulnerable when it is incorporated into an electronic community. "Advocates of the right of privacy have long recognized that the most serious threats to privacy stem from systemic flows of information throughout the healthcare industry." (Gostin, 1997)

Similar to the issues presented in Kaplan's book, healthcare is experiencing significant changes related to the transfer of electronic patient health information. I believe it is only time before more and more patients receive their direct patient care through avenues of telemedicine and individuals are carrying their entire health history on their cell phone or some other type of portable device. But we must have a better understanding of the environment we are in when dealing with technology and what changes need to occur within our current system (or if the system changes), because with these advances come a whole new set of ethical issues and responsibilities that will need to be addressed.

References
"But You're Not in the Computer!" (2003, March). E-Ethics, The Park Ridge Center for Health, Faith and Ethics. Retrieved February 20, 2006. from http://www.parkridgecenter.org/ethics_march03.html

Gostin, Lawrence, JD (1997) Healthcare Information and the Protection of Personal Privacy: Ethical and Legal Considerations. Annals of Internal Medicine, 127 (8, Part 2), 683-690. Retrieved February 20, 2006. from http://www.annals.org/cgi/content/full/127/8_Part2/683

Kaplan, David M. (Ed.). (2004) Readings in the Philosophy of Technology. Oxford UK: Rowman & Littlefield Publishers, Inc.

McMillan, Mac, Cynergis Tek. (2005, January 11) HIPAA Security Awareness for Leadership. Presented at the January Leadership Meeting at Our Lady of Lourdes Medical Center.