Will the loss of privacy due to the digitization of medical records overshadow research advances that take advantage of such records
Will the loss of privacy due to the digitization of medical records overshadow research advances that take advantage of such records?
Viewpoint: Yes, the loss of privacy due to the digitization of medical records has already had a negative impact on patient care, and necessary safeguards have not been enacted by the health-care industry.
Viewpoint: No, the loss of privacy due to the digitization of medical records is being minimized by new legislation, and the potential advances in patient care made possible by the digitization of medical records are enormous.
For many, the thought of large numbers of people—authorized or otherwise—having access to their personal medical records is an uncomfortable and worrying notion. It is, therefore, not surprising that the digitization of medical records, and their accumulation into enormous databases, is viewed with increasing alarm. There is strong public opposition against not just the improper use of such databases, but to their existence in the first place. However, supporters of digitization argue that online medical records are secure, allow for improved health care and better research, and reduce paperwork and costs. Medical researchers fear that the public resistance toward digital medical records could reduce the effectiveness of research, and potentially cost lives.
Any time a patient receives treatment from a health worker, whether it be a physician, dentist, chiropractor, or psychiatrist, medical records are created. These contain your medical history, such as any diseases you have had, the results of laboratory tests, prescribed medications, and may also contain information about your lifestyle, such as participation in high-risk sporting activities, whether you smoke, have used drugs, and other personal details. Until recently such records were only kept as paper documents, or as computer records for single institutions. However, with the advent of networking and the Internet, medical records can be collected from many sources into massive digital databases that are instantly available to a growing number of people.
The concept of patient privacy dates back to the fourth century b.c. and the Oath of Hippocrates, which made those who intended to be doctors swear that; "Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not be noised abroad, I will keep silence thereon, counting such things to be as sacred secrets." Today the concept of doctor-patient privilege remains a strong legal restraint and offers psychological reassurance. The purpose of such confidentiality is to allow patients to feel safe and completely open when discussing what may be very personal, embarrassing, or potentially dangerous personal details, in order to receive the most appropriate treatment. However, there are real concerns that the doctor-patient relationship is under threat from public fears over electronic medical records, and the growing numbers who have access to them. Many patients no longer feel comfortable revealing potentially damaging information which they fear will later be used inappropriately, and thereby may be hindering their own medical treatment.
In many ways, however, the confidentiality of medical records has been a myth for a number of years. Even before the widespread introduction of electronic databases, the number of organizations that could legally view your medical records was increasing. All the electronic revolution has done is increase the speed that such information can be sent and viewed.
With the introduction in many Western countries of "managed health care," such as that provided by a health maintenance organization (HMO) in the United States, many doctors are required to share a single patient's medical history. HMO patients agree to use a specific network of medical providers in order to receive a broader range of medical coverage, and so may see many doctors in a short space of time. As a result patient records are handled by many more people, not just doctors, but also administrative and accounts personnel.
In the interests of saving money, many doctors are now sending voice dictation of patients medical notes to other countries to be transcribed, India being the most popular destination. Compressed voice files are sent electronically, and rooms of typists sit with medical dictionaries and reference works, transcribing the personal medical details of British and American patients. Although such work has to be done by someone, the sending of medical details over telecommunication lines, as well as the potential for embarrassing or dangerous mistakes to enter medical records, makes many uneasy.
However, areas other than health care cause the most worry to the public. Health records are often used by potential employers, insurance companies, and drug manufacturing companies. Many people feel their careers have been destroyed by the release of information in their private medical files, and insurance premiums can soar, or be discounted, depending on a person's medical history. This legal access to medical records has civil rights organizations up in arms, as they believe that many of these actions are another form of discrimination.
However, the illegal or accidental access or release of private medical information receives the most media attention, and generates the widest public fears. Computer hacking is not generally well understood by most, and so is often demonized beyond its impact. Even though computer firewalls and safeguards are never invulnerable, there have been few serious breaches into medical databases by hackers. A more legitimate threat is the accidental release of files to the public, and a number of such releases have already occurred. The digital age has also sped up the rate at which mistakes can be made, and increased the volume of files that can be transferred inadvertently with the "press of a button."
The potential benefits of digitized medical records must be weighed up against the disadvantages. Proponents argue that electronic databases allow for improved care, are safer than paper documents (as access can be electronically fingerprinted and tracked), save time and money, and offer incalculable future benefits in the form of improved medical research. By enabling quick and accurate cross-referencing, electronic medical databases have already revolutionized research, allowing for large-scale studies of the effectiveness of, and problems associated with, particular treatments and medication. Also, the trend to digitization seems unstoppable, and any backward steps would be costly and potentially dangerous to patients.
However, opponents of digitized medical records argue that potential problems related to the weakening of doctor-patient confidentiality outweighs the possible benefits. There are also the questions of who owns the medical records, and whether such information should be sold or transferred between companies. The lack of clear legislation, growing public fears, and the media attention on breaches of security mean that the issue is likely to be hotly debated for many years.
—DAVID TULLOCH
Viewpoint: Yes, the loss of privacy due to the digitization of medical records has already had a negative impact on patient care, and necessary safeguards have not been enacted by the health-care industry.
When a patient deals with his or her doctor, it is naturally expected that anything discussed will remain between the two of them. That expectation has been around for a long time.Indeed, the Oath of Hippocrates, which dates back to the fourth century b.c. clearly states that patient information should be treated as "sacred secrets," making the unwarranted disclosure of such information a serious professional and moral infraction. After all, how many people would talk freely with their doctors if they knew that what they said would be shared with other parties? Clearly, such knowledge would inhibit the free flow of information, especially with regard to sensitive medical cases. However, before the electronic age, privacy issues seemed controllable by legislation and the physical environment, and the availability of medical information given to third parties for research purposes seemed more limited and somehow less threatening. Medical records were safely stored in file cabinets or on microfiche and destroyed after a suitable period of time. Medical research was conducted, but it was carried out within the confines of the physical environment.
It's a New World
With the advent of computer technology and the digitization of medical records, things radically changed. Privacy can no longer be relied upon as it was once. Thanks to computers and databases, even the most intimate details of one's medical history are only a few keystrokes away and the number of people with access to them has also increased.
Researchers argue that the availability of medical records is of paramount importance, especially with regard to long-term research projects. The benefits of this research, they claim, could greatly improve medical treatment and could allow researchers to track certain diseases over time. Drug companies could, for example, use the information for drug research and to gauge the performance of the drugs they manufacture. Proponents of digitization also say that large databases reduce paperwork and organize information. This may be true, but at what cost to patient privacy?
In an ideal world, only researchers would have access to a patient's confidential records and patients would not only be able to control how the information was used, but decide whether it should be used at all. However, in our not-so-ideal world, as soon as information is added to a database, it can be accessed by virtually anyone. Even encrypted databases have been shown to be vulnerable in the event of high employee turnover and employee carelessness. And even when mechanisms are put in place to protect patient confidentiality, the threat of hackers who, despite the possible penalties, seem to be challenged by the idea of breaking into an encrypted system is always with us. Confidentiality has become only a pleasant memory, much like doctors who make house calls. In a world where information is a commodity, many people are eager to acquire as much information as they can get, and not always for altruistic reasons. Personal information is regularly sold to the highest bidder, sometimes without the permission of the people involved. Many consumers, including pharmaceutical companies, health-care providers, government agencies, and insurance companies, are eager to acquire medical information. What they do with that information is not always to the benefit of the subject.
In fact, some research is carried out simply for the sake of knowledge, and has no real application. Researchers might argue that the laws governing the protection of human subjects are so complex and bureaucratic that the implementation of medical research for practical purposes (or otherwise) have become needlessly difficult. However, laws governing the protection of human subjects are strict for a reason—to protect patient privacy—and many people are concerned that they are not uniform or strict enough. When it comes to what information can be shared without the patient's consent, not every state has the same set of laws.
The Issue of Consent
Asking a subject to take place in the study seems more agreeable than digitizing medical records and using them without the patient's consent. Informed consent seems essential, given that digitalization could open up the opportunity for abuse. In a 1993 Lou Harris Poll, 85% of the people polled believed that protecting the confidentiality of medical records is absolutely essential in health-care reform. In the same poll, 64% of the respondents said they do not want medical researchers to use their records for studies, even if they are never identified personally, unless researchers first get their consent. Furthermore, 96% believed that federal legislation should designate all personal medical information as sensitive and impose penalties for unauthorized disclosure. However, this is easier said than done. Alderman and Kennedy, authors of The Right to Privacy are quick to point out that technology is fast and the law is slow. Plus, the laws vary from state to state and do not apply to all situations. Alderman and Kennedy report that there simply is not a comprehensive body of law established to deal with all the privacy concerns arising in the digital age.
Informed consent has been a hot topic for years, and the insistence on it from the general public is growing. The results of a recent Gallup survey on medical privacy sponsored by the Institute for Health Freedom showed that individuals overwhelmingly believe that their medical information should not be given out without their permission and that consent is a right they are entitled to. Statistically, 92% oppose nonconsensual access by the government and 67% by researchers. The highest opposition was noted with regard to the hotly debated topic of genetic testing, with 9 out of 10 adults insisting that medical and governmental researchers should first obtain permission before studying their genetic information. It seems abundantly clear that a lose of privacy is not a price the public is willing to pay in exchange for the benefits of medical research, regardless of how important the research may be.
Long-Term Ramifications
To complicate matters, not all patients who give their consent truly understand the long-term implications of allowing their medical records to be utilized for research purposes. After all, your medical information can include everything from physical health to sexual behavior to feelings expressed during psychotherapy. Many worry that information from medical records could effect their admission to college, credit, employment, and insurance. For example, what if the company doing the research is a hospital, but the department interested in the data (and the one using it) is really a managed-care department interested in limiting long-term insurance liability. What effect could that information have on the subject's ability to obtain insurance, or even employment, in certain circumstances? Some worry that the negative effects could be far too great and that the risks simply do not outweigh the possible benefits that could be gained, benefits in some cases that have more to do with corporate financial gain than health-related research.
Take, for example, the well-publicized case in 1995 involving Merck & Co., a pharmaceutical company, and Medco, a division of Merck, which concerned 17 states. Medical information regarding patient prescriptions was obtained, and Medco-employed pharmacists, without identifying the corporate connection between the two firms, called physicians and encouraged them to change prescriptions, with Merck often benefiting from the switch. The settlement involved a variety of measures including restitution, and Medco's agreement to advise consumers of their rights and to what extent confidential information would be used. To assume that information is safely stored, regardless of who originally requested it, is to make a very unwise assumption. In fact, privacy advocates worry that some patients will avoid seeking medical attention or filling necessary prescriptions rather than risk their personal privacy.
Because long-term research studies track patients over time, patients with illnesses that carry a stigma may never feel free of their disease. In the case of a curable, sexually transmitted disease, for example, the patient may want to consider the disease a thing of the past. That will be nearly impossible to do if his or her medical records are permanently stored in some database. Also, doesn't this open the door for discrimination if the information were to fall into the wrong hands? What if information brokers were to sell personal information to employers or rental agents, for example? It could certainly effect employment or housing opportunities.
Control of the Information
Not all information that is computerized is disclosed on purpose. Take for example the unfortunate situation that was reported by Robert O'Harrow Jr. of the Washington Post involving the pharmaceutical company, Eli Lilly & Co. Eli Lilly, the makers of Prozac, an antidepressant prescribed to treat depression, bulimia, and obsessive-compulsive disorder, had begun a daily e-mail program that reminded patients to take their medicine. These people had signed up for the service on the company website, but they had not consented to what ultimately happened. When Eli Lilly discontinued the program, they sent out messages to all the people on the list. However, rather than get a private e-mail from the company, each recipient received the names and e-mail addresses of every other recipient. Everyone who received the message was then in possession of the addresses of hundreds of Prozac users. Although Eli Lilly was highly apologetic, the damage was already done. Who knows what future repercussions the dissemination of that information will pose to those patients? Once the information was disclosed, it could hardly be taken back. After information has been digitized; mistakes are sometimes made, and the cost to personal privacy may overshadow the benefit of the research or program.
Indeed, this main theme is often echoed throughout the privacy versus health research debate. People fear that employers might have access to private medical information that could be used to deny them job advancement or future employment. They also fear that the failure to safeguard their medical information could result in their being identified as a "high insurance risk," which could affect their ability to obtain insurance. Assurances from researchers who point to internal review boards (IRBs) as a mechanism to maintain privacy and integrity are not comforting. This was clearly reiterated by Bernice Steinhardt and her team in a 1999 United States General Accounting Office report, which stated that while reviews made by IRBs may help protect the privacy of subjects and maintain confidentiality of data used for research, privacy advocates and others argue that any use or disclosure of an individual's medical information should require the individual's informed consent. Furthermore, it is unclear how effective IRBs actually are in protecting privacy, with or without consent. Steinhardt's report discloseed that several examples of breaches of confidentiality had been reported to the Office for the Protection from Research Risks at the National Institutes of Health.
Proponents for using computerized medical records in research argue that it is easy to remove or code personal identifiers, such as a patient's name or social security number, so that researchers cannot see them. However, this "de-identification" process is not a true protection against human error or abuse. Mistakes happen every day. What if someone fails to delete sensitive information unintentionally? What if someone thinks the information is blinded from the recipient, but later finds out the data appeared in more than one place and was not deleted from every computer field? What if the de-identification methods used were faulty, or if the employee hired to maintain the database did not care about doing a good job? Data entry clerks are paid per entry. Are they taking their time and worrying about accuracy, or are they hurrying in order to meet quotas? Not all workers take pride in doing a good job, and once the information is disclosed, the damage is done and an apology is of little use. It is also overly optimistic to assume that everyone in charge of storing data is sensitive to privacy issues. Greed is a powerful thing, and if cutting corners saves or earns money, there will always be someone willing to sacrifice privacy for monetary gain. Again, the rules and penalties regarding informed consent vary depending on the state and situation. Therefore, the warm and fuzzy blanket of protection some argue is provided by informed consent is moth-eaten at best.
Conclusion
Such harmful invasions of personal privacy could, in fact, overshadow any benefits gained by using digitized medical information for research. Until appropriate and secure safeguards are put in place to assure patient confidentiality, there will always be an unacceptable risk to personal privacy. With the new kinds of research now being conducted, including genetic research, and the sophisticated computerized studies that utilize various medical databases, it seems unlikely that a uniform solution to the problem of privacy assurance is anywhere in sight. Given the mishaps that have already taken place, medical privacy should not be taken for granted, it should be protected in spite of the possible benefits to research the digitalization of medical records might provide.
—LEE ANN PARADISE
Viewpoint: No, the loss of privacy due to the digitization of medical records is being minimized by new legislation, and the potential advances in patient care made possible by the digitization of medical records are enormous.
Barbara Kirchheimer, news editor at Modern Healthcare, a weekly newsmagazine for health-care executives, says in "Public Fears Enter Into Equation," that the benefits gleaned by the health-care community through access to electronic patient records far surpass any additional steps that community must take to protect patient privacy. Kirchheimer also quotes Stephen Savas, health-care analyst at the New York investment firm Goldman, Sachs & Company, as saying: "The reality is that [the patient record] is probably more safe in digital form than it is in paper form … because it's not actually hard to track anyone who accesses the information." The trade-off for digitized records, says Savas, is improved health care.
"In the future, electronic records will be the norm," writes Norman M. Bradburn, a professor emeritus at the Harris Graduate School of Public Policy Studies at the University of Chicago, in the introduction to his paper "Medical Privacy and Research." Technological changes in data storage mean that researchers and the health-care community as a whole must address the issue of patient privacy and legitimate access to medical records. In the first section of Privacy and Health Research, William W. Lowrance, an international consultant in health policy, says: "The policy and technical challenges are to devise improved ways for preserving individuals' informational privacy, while at the same time preserving justified research access to personal data in order to gain health benefits for society."
The Changing Concept of Confidentiality
Bradburn notes that the high value individuals and society place on being healthy are "very strong motives and have led to an almost insatiable demand for health care services." He believes an important component in the privacy issue surrounding those services is the concept of the "norm of confidentiality." In this norm, he says, a person seeking medical treatment gives up the right to privacy—gives up the right to withhold information from their physician. If the patient withholds information, the physician is unable to treat effectively.
The next "norm of confidentiality" is the situation outside the closed doors of the physician's office. Although this norm remains in full force, changes in the health-care industry precipitated by managed care have forced changes. Managed-care companies require medical histories before authorizing payment of medical fees. Therefore, physicians must disclose patient information to insurers if patients expect insurance companies to pay for their medical treatment. According to Bradburn, the confidentiality issue must now extend to those records and the people accessing them, as they are now part of the doctor/patient relationship. Therefore, training such personnel in confidentiality requirements and imposing sanctions when confidentiality is violated are imperative. However, Bradburn stresses the importance of setting confidentiality limits that restrict the use of records in a manner harmful to the individual, while allowing access that will protect and improve public health.
Privacy Issues
The trend from paper to digital records has heightened anxiety about privacy. Patients wonder: Will confidential information escape from the computer in my doctor's office? If so, to where and to whom; and how will it be used or, more drastically, will it be misused or abused? The public is generally aware of horror stories about the misuse and abuse of confidential information. The author of "Health Records and Computer Security," quotes Dr. Ted Cooper, national director of confidentiality and privacy at Kaiser Permanente (one of the largest HMOs in California), as saying: "There are a lot of problems in the way medical information is handled. But currently the breaches that happen have very little to do with computers and more to do with the people that handle them." The article notes that, although the issue of digitized records and privacy is being discussed, debated, and addressed by hoards of individuals, institutions, and government agencies, paper records are a greater concern than digitized information. "Any person in a white coat in a hospital environment can walk up to a medical chart and have a look," says Jeff Blair, vice president of the Medical Records Institute.
Is the Issue One of Privacy, or Paranoia?
Barbara Kirchheimer points out that a report by the Robert E. Nolan Company questions whether there is truly a "crisis" where privacy issues are concerned, and that, while concerns are legitimate, breaches of privacy are rare. After researching the issue, Blue Cross and Blue Shield Association found fewer than two complaints per 100,000 Americans that pertained to violations of privacy.
Robert Gellman, a member of the advisory committee that reviews regulations in the Health Insurance Portability and Accountability Act (HIPAA) first proposed in 1996, disputes the very premise of personal information privacy, pointing out that the word "confidential" has virtually no meaning for any form of personal records. This includes an individual's banking records or student records which are routinely disclosed to any number of entities with or without the consent—or even the knowledge—of the individual involved.
Medical records are viewed by dozens of people, including personnel handling third-party insurance claims, hospital personnel, public health authorities, medical researchers, government agencies, cost-containment managers, licensing and accreditation organizations, coroners, and many other entities. "Medical records aren't confidential; they haven't been confidential for decades," says, Gellman. He states that, of all the different types of records maintained on individuals, medical records are probably the most widely accessed. "Computer records, network records are not inherently evil. It depends on what you do with them," he says.
Protecting Personal Information
Gellman, also a privacy and information policy consultant based in Washington, D.C., and former chief counsel to the House of Representatives subcommittee on Information, Justice, Transportation, and Agriculture, believes that no progress will be made if the objective is solely to protect the "sanctity" of records. "We have too many decisions that require the sharing of records to act like we can preserve the illusion of confidentiality. We need to be more honest with the public. We need to lower expectations."
Gellman also says that technology is a two-edged sword, making it easier to exploit records for profitable purposes such as creating marketing lists but, at the same time, making it more difficult to access confidential information without authorization. De-identification of records, for example, is easily facilitated by computers. Rules have long been in place that govern the need for physicians and institutions to obtain "informed consent" from patients participating in research that does require personally identifiable information. And electronic records can be "sliced and diced," as Gellman puts it, to remove identifying information such as name, address, birth date, and Social Security number, so that end-users such as researchers receive information that contains only the medical data needed for that research.
Privacy concerns have created a burgeoning industry focused on technological ways to protect information. While these are essential, a 1997 report by the Computer Science and Telecommunications Board concludes that protection is best accomplished by a combination of technical and organizational measures. Technical measures can protect information from outside "hackers" and even trusted "inside" employees. Firewalls, audit trails that record and analyze all access to digitized records, access controls, data encryption, passwords, and the like, are all readily available. They limit unauthorized access, yet allow access by authorized personnel to large data sources for essential purposes such as treatment procedures and medical research. Organizational security methods include adequately training personnel in the importance of confidentiality, implementing policies and procedures dictating who has access to information and how to restrict that access, and imposing heavy penalties for breaching confidentiality. The HIPAA has determined that inappropriate breeches of privacy are punishable by 10 years in prison and up to $250,000 in fines—a significant deterrent.
In a letter to the U.S. Department of Health and Human Services (HHS) written on behalf of 93,100 members of the American Academy of Family Physicians, board chair Bruce Bagley, M.D., writes: "Only in a setting of trust can a patient share the private feelings and personal history that enable a physician to comprehend fully, diagnose logically, and treat properly….The Academy supports the development and use of electronic medical records because, under proper procedural constraints, these offer an opportunity for greater protection of the patient confidentiality than paper records."
Research and Records
Medical research, and therefore individual and public health, benefits immensely from digitized patient information. In just one example, one physician will see only a small number of patients with a particular disease or disorder; however, cumulatively, hundreds of physicians will see thousands of patients with that particular disease or disorder. Accessing those thousands of records, and abstracting the medical information from them, is highly labor intensive and expensive when they are in paper form, requires extensive training and supervision of the abstractors, and is prone to error. When that information is accessible from a computerized central data bank such as clinical data registries, fewer errors are likely; coordinated studies by researchers make possible large clinical trials, retrospective studies, and evaluation of different types of treatment possible; along with reducing costs.
In his article "Rx for Medical Privacy," Noah Robischon gives an example of how researchers' access to a database of individual health records might speed the discovery of drug-related disorders such as that caused by DES, a hormone originally prescribed to pregnant women to help prevent miscarriage. "It took researchers 20 years," writes Robischon, "to track down afflicted patients and learn that DES caused a rare form of vaginal cancer in the daughters of women who took the drug. If everyone's record were in a database, the discovery would have come much more quickly."
Even though all sectors of the heath-care industry agree to the concept of patient information privacy, most sectors, as well as the HHS, agree protection must not interfere with a patient's access to, or quality of, health-care delivery. "How Research Using Medical Records Helps Improve Your Medical Care," an article published on-line by the Mayo Clinic, states, "Many people do not realize that one of the most important aids to medical process has been the medical record…. Without research that used medical records, medical care could not have advanced as far as it has."
The U.S. Government Enacts Regulations
Both state and federal governments have, over the decades, enacted laws to address the privacy issue. The HIPAA introduced significant reforms to the health insurance industry, including "Standards of Privacy of Individually Identifiable Health Information." This rule, generally known as the Privacy Rule, was enacted in 2001. It is the first comprehensive effort to govern the privacy of health information, and dictates under what circumstances protected health information may be disclosed by covered entities (entities governed by the rule) for the purpose of research. Covered entities include health insurance companies, health-care clearing houses, and health-care providers who conduct electronic transactions for financial and administrative purposes.
A major concern for researchers and public health entities has been the potential for national privacy policies to hinder research. The HIPAA, however, provides procedures through which researchers and other affected parties can apply for adjustments to the rule. In an overview explaining the rule and its implications, the HSS Office for Civil Rights (OCR) says: "We can and will issue proposed modifications to correct any unintended negative effects of the Privacy Rule on health care quality or access to such care." The overview also expresses the belief that, instead of hindering medical research, the rule will enhance it by helping patients and health plan members feel more comfortable participating in research knowing their information has much greater protection than before.
David Kirby, head of information security for Duke University Medical Center, agrees. In an article in The Scientist by Katherine Uraneck, Kirby is quoted as saying: "People won't participate [in research] unless they are convinced that you will do well with this issue of privacy … it's something that we need to do well."
In "Privacy in Medical Research: How the Informed Consent Requirement Will Change Under HIPAA," Jackie Huchenski, a partner with the law firm Moses & Singer LLP, and Linda Abdel-Malek, an associate in their Health Care Group, conclude by saying: "The amount of research being conducted should not decrease as a result of the Privacy Rule, however, since the Privacy Rule adds administrative obligations that are somewhat minimal for federally funded research and broader for nonfederally funded research."
As Norman M.Bradburn says, individuals and society place a high value on being healthy. Health-care services require records, and records are quickly becoming digitized. In "Hot Topics—Health and Privacy," Linda Tilman quotes Peter Squire, chief privacy counselor of the U.S. Office of Management and Budget, as saying: "Records save lives. We want [consolidated medical information] but with better privacy." And Squires is optimistic this can occur.
—MARIE L. THOMPSON
Further Reading
Alderman, Ellen, and Caroline Kennedy. The Right to Privacy. New York: Alfred A. Knopf, 1995.
Beauchamp, Tom L., and James F. Childress. Principles of Biomedical Ethics. 3rd ed. New York: Oxford University Press, 1989.
Gellman, Robert. "The Myth of Patient Confidentiality." <http://lists.essential.org/medprivacy/msg00449.html>.
Health and Human Services. Office for Civil Rights. "Standards for Privacy of Individually Identifiable Health Information." <http://www.hhs.gov/ocr/hipaa/finalmaster.html>.
"Health Records and Computer Security."<http://webmd.lycos.com/content/article/1691.50035>.
"How Research Using Medical Records Helps Improve Your Medical Care."<http://www.mayo.edu/records/Medauth.html>.
Huchenski, Jackie, and Linda Abdel-Malek. "Privacy in Medical Research: How the Informed Consent Requirement Will Change Under HIPAA." <http://www.mosessinger.com/resources/priv_medres.shtml>
Institute for Health Freedom. "Gallup Survey Finds Americans' Concern About Medical Privacy Runs Deep." <http://www.forhealthfreedom.org/Publications/Privacy/RunsDeep.html>.
Kirchheimer, Barbara. "Public Fears Enter Into Equation." Modern Healthcare. <http://www.modernhealthcare.com/article.php3?refid=61>.
Levine, Robert J. Ethics and Regulation of Clinical Research. 2nd ed. Baltimore, MD: Urban and Schwarzenberg, 1986.
Lowrance, William W. Privacy and Health Research: A Report to the United States Secretary of Health and Human Services. Washington, DC: United States Department of Health and Human Services, 1997.
National Research Council. Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure. Computer Science and Telecommunications Board. For the Record: Protecting Electronic Health Information. Washington, DC: National Academy Press, 1997.
O'Harrow, Robert Jr. "Prozac Maker Reveals Patient E-Mail Addresses." Washington Post (July 4, 2001).
Robischon, Noah. "Rx for Medical Privacy."<http://www.cnn.com/TECH/9709/03/netly.news/>.
Steinhardt, Bernice. Medical Records Privacy: Access Needed for Health Research, But Oversight of Privacy Protections Is Limited. Washington, DC: United States General Accounting Office, 1999.
Tilman, Linda. "Hot Topics—Health Privacy."Computers, Freedom, and Privacy Conference 2000. <http://cfp2000.org/news/student_reports/health-tilman.html>.
Uraneck, Katherine. "New Federal Privacy Rules Stump Researchers." The Scientist 15, no. 18. (September 17, 2001): 33.
U.S. Congress, Houses of Representatives Committee on Government Operations. Health Security Act Report. H. R. Rept. 103.
U.S. National Institutes of Health. Office for Protection from Research Risks. Protecting Human Research Subjects: Institutional Review Board Guidebook. Bethesda, MD: U.S. National Institutes of Health, 1993.
U.S. National Institutes of Health. Office of Human Subjects Research. Guidelines. Preface. Washington, DC: U.S. National Institutes of Health, 1995.
Westin, Alan F. Computers, Heath Records, and Citizens Rights. National Bureau of Standards Monograph. Washington, DC: U.S. Government Printing Office, 1976.
KEY TERMS
DATA ENCRYPTION:
To convert information into a unique code that can be read only once it is deciphered.
DE-IDENTIFIED PATIENT INFORMATION:
Removal of all personal information that could trace medical information back to a specific individual.
INFOBROKERS:
People who illegally obtain and sell information on individuals that is stored in government data banks.
INFORMED CONSENT:
Agreement of a person (or legally authorized representative) to serve as a research subject, in full knowledge of all anticipated risks and benefits of the experiment.
NORM:
Authoritative standard, a model; a pattern or trait taken to be typical in the behavior of a social group.
PROTECTED HEALTH INFORMATION:
All medical records and other individually identifiable health information.
PUBLIC HEALTH:
Any medical issue that affects the health of many people.