Informed consent and the security of the electronic health record (EHR): some policy considerations


International Journal of Medical Informatics (2004) 73, 229—234

Eike-Henner W. Kluge, Department of Philosophy, University of Victoria, P.O. Box 3050, Victoria, BC, Canada V8W 3P4

Keywords: Electronic health record; IMIA Code; Health Information Professionals

Summary: Various codes of ethics, and in particular the IMIA Code of Ethics for Health Information Professionals (HIPs), stipulate that the subject of an electronic health record (EHR) has a series of security rights with respect to her/his EHR, and that to some degree these rights center on the notion of informed consent. This paper examines the ethical basis of this position, outlines its implications for professionals, institutions and society in general, and identifies its limits. Further issues to be discussed include who carries the responsibility for informed consent, what form it should take, whether web-based EHRs present ethically unique problems, and the related security implications. © 2003 Elsevier Ireland Ltd. All rights reserved.

doi:10.1016/j.ijmedinf.2003.11.005

1. Introduction

It is generally recognized, and it is explicitly stated in the IMIA Code of Ethics for Health Information Professionals (HIPs) [1], that potential subjects of electronic health records (EHRs) should be made aware of the existence of any systems, programs or devices for collecting and/or communicating data about them, and that they have a right of informed consent to the actual construction of such records as well as to the use, storage, communication, manipulation and other processing of these records and of the data contained in them. Further, it is generally agreed that the subjects of EHRs have the right to know who is collecting, storing, accessing, communicating or processing the data, for what purpose this is being done, where the data will be kept, to whom they will be communicated and for what purpose, etc. Finally, it is accepted that subjects of EHRs (or their duly empowered representatives) have the right to examine these data and to have corrections entered [2–5].

As has been discussed elsewhere, this panoply of consent-oriented rights derives from the special relationship between EHRs and their subjects, and from the patient-analogue role that EHRs play in information- and decision-space [5]. The question arises precisely what the notion of informed consent entails for professional and institutional stakeholders, what it means with respect to security and, finally, where the limits (if any) are to be drawn. What follows attempts to clarify some of these issues. It will be suggested that while the consent-rights of subjects of EHRs are extensive, they are not unlimited and may be curtailed under certain circumstances; that a properly developed security architecture for health information systems (HIS) must contain protocols that protect the consent-rights of the subjects of EHRs under normal circumstances but allow an abbreviation of these rights for good and sufficient reasons; and that this architecture must also contain means for reassigning the consent-rights of the subjects of EHRs to duly authorized proxy decision-makers as and when the occasion demands. Finally, it will be suggested that the obligation to ensure that these measures are properly effectuated rests ultimately and primarily with those who are responsible for the establishment of the EHRs in the first instance, and derivatively devolves onto the relevant HIS and the professionals who function as agents of the originating party.

2. Informed consent as a security concern

However, before proceeding with these considerations, it is important to be clear about what the phrase "informed consent" means and in what sense informed consent is involved in security concerns.

2.1. Informed consent

As to the phrase itself, it is short for "informed, competent and voluntary consent". Each of these terms is susceptible of various interpretations. For instance, is someone "informed" if s/he has been given all the information that s/he has asked for (subjective standard of disclosure), or is the standard higher, such that s/he is informed only if s/he has been given all the information that the reasonable professional would convey (professional standard of disclosure)? Further, is merely conveying the relevant information sufficient to guarantee that the subject is informed (objective standard of comprehension), or does being informed require that the subject actually understands the information (subjective standard of comprehension)? Similarly, the notion of competence loses its initial clarity once it is realized that competence need not be an all-or-nothing affair: someone may be competent in one area, say finances or personal information, but not in another, say health care; or someone may be intermittently competent [6,7]. Finally, under what circumstances is a consent voluntary? Does the mere absence of physical force suffice, or should psychological pressure be taken into account? What about cultural determinants of volition, such as are encountered in societies that value men more than women, or in religious groups or ethnic collectivities that tend to exert a conditioning influence on their members [8]? The debate over what constitutes informed consent in health care has a long and convoluted history [9] that cannot be reproduced here. Suffice it to say that in modern ethical thinking informed, competent and voluntary consent is said to obtain when the patient has been given all the information that the objective reasonable person in the patient's position would want to know before making a choice; further, that the patient must have understood the information at a subjective level, must also have understood the likely consequences of any choice that s/he might make, and must have made the choice in an authentic fashion [8,10].

2.2. Informed consent and security

This brings up the question in what sense informed consent is involved in informatic security concerns. The answer can be found in the informatic version of the principle of autonomy and respect for persons, and in the nature and role of EHRs. The principle is to the effect that everyone has a fundamental right to self-determination that is limited only by unjust infringement of the rights of others. On the material plane, this translates into the patient's right of inviolability; in decision-making contexts, it expresses itself as the right of informed consent. The informatic version of the principle goes as follows [5]: "The electronic patient record should be treated never as a mere thing but always as a person-analogue in information and decision-space". In other words, by reason of their nature and role, access to EHRs is the electronic equivalent of material access to the person who is the subject of the EHR. In a manner of speaking, therefore, unauthorized access to an EHR may be likened to electronic voyeurism, whereas the alteration of an EHR without appropriate right or permission is similar to non-consensual interference with the body of the subject of the EHR; it therefore constitutes the electronic version of assault and battery. And just as patients may ethically grant access to their bodies to any individual of their choice, so the subjects of EHRs may grant others permission to access their records (their epistemic analogues), either on the basis of a contractual relationship or on the basis of a relationship that is fiduciary in nature. Still, in each instance the principle of autonomy and respect for persons entails that any such access must always be on the basis of informed consent.

Further, it follows that the subject of an EHR has a prima facie right to the integrity of the record and the right not to have the record altered without express and informed consent; that the subject has a prima facie right not to have the record used or employed in a way not previously agreed to by him/her; and a prima facie right not to have the record sold or otherwise disposed of without informed consent [1,5,11,12]. Finally, just as the material person has a dispositionary right over her or his body parts, so too, by parity of reasoning and with due alteration of detail, the subject of an EHR has a dispositionary right over any patient-specific information that is constitutive of the EHR [1,5]. All of these issues are matters of security, and all of them involve informed consent. Consequently, informed consent is a security concern in the context of EHRs, and any ethically defensible HIS must incorporate informed consent into its security protocols.

2.3. Informed consent and different kinds of patients

The preceding considerations assume a competent patient. Not all patients fall into that category. Some are incompetent, and even here there are several sub-categories, e.g., children, the congenitally incompetent, incompetent patients who previously were competent, etc. An ethical security structure will include tests for competence in its protocols and will engage appropriate substitute consent mechanisms in accordance with standard criteria for proxy or substitute decision-making.

Likewise, a patient's mode of entry into the health care system on a given occasion, and therefore a patient's engagement with the HIS, may present unique security problems. No special problems arise in so-called normal cases: the patient engages the health care system on a voluntary basis and the normal informed consent protocols apply. However, these protocols will be inappropriate for emergency patients who are cognitively or volitionally compromised, are unaccompanied by duly authorized proxy decision-makers and have no advance directive. In these cases, the standard medical approach is to provide treatment on the basis of presumed consent: one assumes that, unless there are clear and binding indications to the contrary, the patient would agree to the interventions that are professionally indicated and that the reasonable person in the patient's position would normally accept.

This has informatic implications. Since appropriate health care cannot be delivered without developing or accessing EHRs and sharing information with relevant stakeholders, the underlying assumption of presumed consent also extends to information processing in these cases. Consequently, an ethically structured security protocol must include routines that identify not only the competence status of patients but also their mode of entry, so that the relevant provisions can be engaged. As in all other cases of EHR processing, an audit trail should also be generated in these contexts. However, in contrast to standard situations, presumed-consent information processing should always be flagged for automatic review by an information control officer.

3. Abbreviation of standard consent-rights

The preceding may have given the impression that the security structures and protocols of an ethical HIS must treat the subject's informatic consent-rights as supreme. This is not the case. The general ethical principle of impossibility entails that health service providers and institutions cannot fulfil their obligations if they do not have access on a need-to-know basis to EHRs and to the data contained in them [5]. Consequently, the informatic version of this principle, the principle of legitimate infringement, entails that the consent-rights of EHR subjects are limited by the genuine informatic needs of the health care professionals (HCPs) who stand in a fiduciary relationship to them, and by their need to make appropriate modifications of the EHRs as the situation demands. Therefore, the consent protocols for providing health care must contain a clause that alerts patients to this limitation of their informatic rights, and it must inform them that unless this is accepted, the ability to provide health care may be severely limited or entirely abrogated [1,5].

A similar situation obtains on the institutional plane. Health services require planning and financing, and involve the coordinated efforts of many groups and individuals. The principle of legitimate infringement therefore also requires an attenuation of the normal EHR security barriers. However, the principle of information-privacy and disposition and the principle of openness require that the patient be alerted to this in the normal consent process that coincides with the patient's entry into the institutional setting. Moreover, the principle of the least intrusive alternative demands that when this right of infringement is claimed, it must be demonstrably necessary and must not exceed the least degree necessary to achieve the purpose that triggers the infringement in the first place.

The preceding attenuations of the consent-rights of subjects of EHRs involve informed consent not only because the subjects should be informed of the possible attenuation of their security rights, but also because they (or their duly empowered proxy decision-makers) may refuse the relevant health services in order to retain their security rights intact. However, subjects of EHRs are embedded in a social context, and the very existence of society requires health data for epidemiological, research and social planning purposes. Consequently, in keeping with the principle of legitimate infringement, the subject's fundamental right of control over the collection, storage, access, use, manipulation, communication and disposition of personal data is conditioned by the legitimate, appropriate and relevant data-needs of a free, responsible and democratic society, and by the equal and competing rights of other persons. Therefore, the data contained in an EHR may be accessed and processed without informed consent as long as the data are demonstrably necessary for the bona fide purposes just indicated, as long as the data are de-identified and used in a statistical form only, and as long as the individuals who access and process the data are duly accredited representatives of the authorized planning or research authorities. Finally, while it would be politic and psychologically beneficial to alert the subjects of EHRs to the possibility of such non-consensual data-processing, strictly speaking this is not necessary since, like the use of anaesthesia for surgery, it is a necessary concomitant of social existence and underlies the very possibility of health care. Consequently, as in the case of anaesthesia, no special consent is required in this situation.
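The consent logic of Sections 2.3 and 3 can be expressed as an access-control decision. The following Python sketch is an added illustration, not part of the paper (which contains no code) nor of any real HIS: it records explicit consent for competent patients and proxy consent for incompetent ones, grants presumed consent to unaccompanied emergency patients while flagging the access for review by an information control officer, enforces need-to-know per role as the least intrusive alternative, permits non-consensual secondary use only for de-identified, statistical data requested by an accredited party, and writes every decision to an audit trail. The role names, field names, data classes and sample patients below are assumptions constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Added example, not from the paper: a consent-gated access check for an EHR.
# Roles, field names and the sample data below are constructed for illustration.


class Competence(Enum):
    COMPETENT = "competent"
    INCOMPETENT = "incompetent"


class Entry(Enum):
    NORMAL = "normal"        # voluntary entry; the standard consent process applies
    EMERGENCY = "emergency"  # cognitively or volitionally compromised on arrival


class Purpose(Enum):
    CARE = "care"
    RESEARCH = "research"
    PLANNING = "planning"


# Need-to-know per role (assumed). The least intrusive alternative is enforced by
# refusing any request that touches fields outside the requester's role.
ROLE_FIELDS = {
    "attending": frozenset({"diagnoses", "medications", "allergies", "notes"}),
    "billing": frozenset({"procedure_codes", "insurer"}),
    "epidemiologist": frozenset({"diagnoses", "age_band", "region"}),
}


@dataclass(frozen=True)
class Patient:
    record_id: str
    competence: Competence
    entry: Entry
    consented_to: frozenset                  # requesters named in the recorded consent
    proxy: Optional[str] = None              # duly empowered proxy decision-maker, if any
    directive_refuses_sharing: bool = False  # binding advance directive to the contrary


@dataclass(frozen=True)
class Request:
    requester: str
    role: str
    purpose: Purpose
    fields: frozenset
    de_identified: bool = False
    statistical_only: bool = False
    accredited: bool = False  # accredited representative of a planning/research authority


@dataclass(frozen=True)
class Decision:
    allowed: bool
    basis: str
    flag_for_review: bool = False  # automatic review by an information control officer


AUDIT = []  # every decision, allowed or refused, is recorded here


def decide(patient: Patient, req: Request) -> Decision:
    """Evaluate a request against the patient's consent state and log the outcome."""
    d = _evaluate(patient, req)
    AUDIT.append({"record": patient.record_id, "requester": req.requester,
                  "purpose": req.purpose.value, "fields": sorted(req.fields),
                  "allowed": d.allowed, "basis": d.basis, "review": d.flag_for_review})
    return d


def _evaluate(p: Patient, r: Request) -> Decision:
    if not r.fields <= ROLE_FIELDS.get(r.role, frozenset()):
        return Decision(False, f"exceeds need-to-know for role {r.role}")
    if r.purpose is Purpose.CARE:
        if r.requester in p.consented_to:
            who = "proxy" if p.competence is Competence.INCOMPETENT else "subject"
            return Decision(True, f"informed consent recorded by {who}")
        if p.directive_refuses_sharing:
            return Decision(False, "advance directive refuses sharing")
        if (p.entry is Entry.EMERGENCY and p.competence is Competence.INCOMPETENT
                and p.proxy is None):
            # Presumed consent: allow the access, but flag it for review.
            return Decision(True, "presumed consent (unaccompanied emergency)", True)
        return Decision(False, "no consent on record; obtain it from subject or proxy")
    # Research or planning: access without consent only for de-identified,
    # statistical use by an accredited party (principle of legitimate infringement).
    if r.de_identified and r.statistical_only and r.accredited:
        return Decision(True, "legitimate infringement: de-identified statistical use")
    return Decision(False, "identifiable secondary use needs the subject's consent")


if __name__ == "__main__":
    er = Patient("R1", Competence.INCOMPETENT, Entry.EMERGENCY, frozenset())
    print(decide(er, Request("dr_a", "attending", Purpose.CARE, frozenset({"allergies"}))))
    for entry in AUDIT:
        print(entry)
```

The check is deliberately fail-closed: a request that is not covered by recorded consent, presumed consent or the de-identified research exception is refused, and the refusal is itself audited, so the information control officer sees attempts as well as grants.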

4. Who is responsible and how should it be achieved?

The preceding considerations prompt two questions: in cases where consent is mandated, who is responsible for obtaining this consent? And, when it is mandated, what form should it take? Since they are closely related, these questions will be dealt with together. In attempting an answer, informatics can once again draw on the ethics of informed consent from other health care sectors. It has long been the rule that the HCP who is responsible for carrying out a procedure has the responsibility of obtaining informed consent for that procedure. Translated to the informatic setting, this means that if the development or processing of an EHR is integral to the professional functioning of the HCP, then it falls to the HCP to obtain the informed consent [12]. It is also essential that in this informed consent process the HCP make it clear to the subject of the EHR that the informatic consent extends to all members of the health care team who are (or may reasonably be expected to be) involved in caring for the patient. On occasion, this may mean that explicit reference must be made to HCPs who are external consultants or otherwise not in immediate contact with the patient. It may also mean that the subject must be informed of the method by which the information will be shared, for example through telemedicine or over the Internet. In each case, the underlying reason is that the ability to access and process the EHR is integral to providing the health care in the first instance, and that consultation may be necessary to achieve the desired therapeutic aim. In other words, it is underwritten by the general ethical principle of impossibility. Consequently, as was mentioned above, it is essential that this consent be an integral but explicit part of the informed consent process that surrounds the delivery of health care in the first place, since the patient may decline to accept that care once the nature and extent of information disclosure and processing is made clear.

On the other hand, and by parity of reasoning, if access to the EHR is for research, epidemiological, administrative or other purposes, the obligation to obtain the consent lies with the researcher, epidemiologist, administrator or whoever seeks access to the EHR for bona fide purposes, or with their otherwise duly empowered representatives. Here, as elsewhere, the informed consent process requires disclosure of what is planned, for how long, by whom, for what purpose, within what limits, under what security conditions and with what oversight mechanisms to ensure that the relevant security conditions will in fact be maintained. Finally, it is essential that for research, administrative, planning or other purposes there be some guarantee to the subject of the EHR that the EHR will be accessed and used only for the stated bona fide purposes. In this connection, certification of the proposed undertaking by the institution's data control officer or by the institutional ethics committee would be appropriate, as would surveillance to ensure that the relevant guidelines are in fact being followed.

Further, there lies an independent ethical duty on the institutional HIPs to ensure that the informatic architectures and protocols are constructed so as to achieve these ends. The IMIA Code of Ethics for Health Information Professionals may serve as a guide in this regard. More technical assistance may be found in the reports of the SEISMED Consortium [13]. Finally, all parties who have a duty to obtain informed informatic consent also have a duty to advise the subjects of EHRs of the existence of the mechanisms that are designed to guarantee adherence to the stated security measures, and of any limitations that these measures might have. It is also essential that there be protocols to inform the subjects of EHRs (or their duly empowered proxy decision-makers) of any lapses in the security measures that might have occurred [14], and of the appeals mechanisms that have been established.

5. Consent for different technical domains

Modern health care delivery is a complex affair and EHRs play different roles in different settings. However, the factor that unifies them is the patient who migrates from one domain to another and whose EHR provides the epistemic tool that makes the delivery of health care possible. These different technical domains present different security problems, which in turn may call for distinct security architectures and protocols. This is not the place to detail why these architectures and protocols should have a unifying underlying logic. Suffice it to say that if this is not the case, then the operational frameworks in which the EHRs have to function may well be logically inconsistent, which will make it likely that the distinct HIS in which the EHRs are embedded will not mesh. This may have disastrous consequences for patients. However, even if different security architectures and protocols are mandated for different technical modalities, whether these be web-based approaches, smart cards, intranet usage, stand-alone systems, etc., this does not affect the logic of the consent process that should surround the development and processing of EHRs. The set of fundamental informatic patient rights is logically the same for all of these settings. Therefore, the logic of the informed consent process must be the same for all of these domains. The content of the processes may differ insofar as they may have to be adjusted to accommodate distinct material possibilities of security compromise. In other words, differences in operational execution should occur only in the contents of the fields that are demarcated by the categories of the rights themselves.

Further, it is important that this process alert the subjects of the EHRs (or their duly empowered proxies) to these informatic rights as well as to their limitations, that they be given all the information that the reasonable person in the subject's position would want to know before making a decision, and that they be allowed to make a competent and voluntary decision.

6. Conclusion

Informed consent is not a state: it is a process. As such, it must meet certain criteria. The least important of these is that a signature has been obtained. For, if the process is absent or faulty, the signature is ethically and legally worthless. The subjects of EHRs have a right to informed consent; consequently, the relevant professionals and institutions have a corresponding duty to ensure that this right is satisfied. However, like any right, even the right to informed consent has limits. An appropriately structured security architecture will recognize these limits. In order to ensure that the conditions that have just been outlined are in fact being met, it may be appropriate to establish a trusted and arm's-length certification authority whose role would be to ensure not only that the security structures and protocols of any HIS meet high-level policy requirements and more specific standards, but also that the informed consent protocols that are part of the HIS security environment satisfy the ethical standards that have been indicated. Indeed, the principle of fidelity entails that neither HIPs nor HCPs nor institutions can countenance anything less.

Acknowledgements

The preceding considerations were developed in response to a request of the General Council of IMIA at its meeting in Taipei, 4 October 2002.

References

[1] IMIA Code of Ethics for Health Information Professionals, 2002, http://www.imia.org.
[2] J.G. Anderson, K.W. Goodman, Ethics and Information Technology: A Case-based Approach to a Health Care System in Transition, Springer, Berlin, 2002.
[3] S. Callens, H. Nys, A health informatics deontology code, in: SEISMED Consortium (Ed.), Data Security for Health Care: User Guidelines, vol. II, IOS Press, Amsterdam, 1996.
[4] European Community Directive 95/46/EC, On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, OJ L281/31–50, 24 October 1995.
[5] E.-H.W. Kluge, The Ethics of Electronic Patient Records, Peter Lang, New York, 2001.
[6] M.A. Jones, Assessing the patient's competence to consent to medical treatment, Med. Law Int. 2 (2) (1996) 107–147.
[7] J.V.M. Welie, A patient decision making competence: outlines of a conceptual analysis, Med. Health Care Philos. 4 (2) (2001) 127–138.
[8] I. Hyun, A waiver of informed consent, cultural sensitivity, and the problem of unjust families and traditions, Hastings Center Rep. 32 (5) (2002) 14–22.
[9] R.R. Faden, T.L. Beauchamp, A History and Theory of Informed Consent, Oxford University Press, New York, 1986.
[10] H.J. Gert, Avoiding surprises: a model for informing patients, Hastings Center Rep. 32 (5) (2002) 23–32.
[11] S. Kokolakis, D. Gritzalis, S. Katsikas, A draft standard for high level security policies for health care establishments, in: B. Barber, et al. (Eds.), Security Standards for Health Information Systems, IOS Press, Amsterdam, 2002.
[12] G. Pangalos, A draft security medical database standard, in: B. Barber, et al. (Eds.), Security Standards for Health Information Systems, IOS Press, Amsterdam, 2002.
[13] SEISMED Consortium (Ed.), Data Security for Health Care: User Guidelines, vol. II, IOS Press, Amsterdam, 1996.
[14] B. Barber, F.-A. Allaert, E.-H.W. Kluge, Info-vigilance or safety in health information systems, in: V. Patel, R. Rogers, R. Haux (Eds.), Proceedings of the 10th World Congress on Medical Informatics, IOS Press, London, 2001, pp. 1229–1233.