Group Homework

Session 4
Chapters 7 & 10 Questions
Kluge Article
Padman Article

MMI 403-INTRODUCTION TO MEDICAL INFORMATICS

Group 2
Judi Binderman, MD
Suzi Birz
Nicki Cliffer
Deborah Michaelson
Candyce Thompson
 Chapters 7 & 10 Questions
How have some of the standards discussed in the
chapter (7) impacted policies and procedures on
the job for you or a colleague?

Some of the standards discussed in the chapter that have impacted the policies and
procedures on the job for the clinical staff where I work include nursing
terminologies from the North American Nursing Diagnosis Association (NANDA)
codes, the Nursing Interventions Classification (NIC) and the International Standards
Organization (ISO). These are some of the nursing organizations that have been
actively developing the standard coding systems for documenting and evaluating
nursing care. The Systematized Nomenclature of Medicine (SNOMED) has impacted
the policies and procedures also – it has evolved beyond an abstracting scheme to
become a comprehensive coding system. The Logical Observations, Identifiers,
Names and Codes (LOINC) originally created a naming system for tests and
observations and have extended to include non-laboratory observations such as
vital signs and electrocardiograms.

The International Classification of Disease (ICD), Current Procedure Terminology

(CPT), and Diagnosis-Related Groups (DRG) while clinical in intent have had a large
impact on the hospital and physician office billing policies and procedures.
Medicare, Medicaid and other payors require the use of these codes for
reimbursement to providers. The billing staff and information services used by
those staff support the entry of the codes. The systems have coded rules that
check the bills for each payor’s rules in advance of the electronic submission of the
bill.

The use of these codes for billing has in turn had an impact on the policies and
procedures related to physician documentation. For billing purposes, there are
specific rules related to the use of these codes. If the codes are not supported by
appropriate provider documentation, the bill is considered fraudulent. Health care
provider procedures are in place to require appropriate documentation. Audit
teams are in place to due scheduled and routine audit of the documentation to
ensure compliance with the federal and state billing rules and the policies and
procedures.

Of all of the standards discussed, the Health Insurance Portability and Accountability
Act (HIPAA) has had the most impact on the policies and procedures. There is a
huge concern regarding privacy and the standards for the electronic transmission of
patient’s information. HIPAA directly affects healthcare providers all across the

2
 nation. HIPAA has altered the way the healthcare sector does business and will
cause a culture change. Additionally, data-interchange standards have impacted the
policies and procedures for clinicians as well.

Provider and payor organizations have implemented privacy and security policies to
become and remain compliant with the Health Insurance and Portability
Accountability Act (HIPAA). These policies address administrative and clinical
activities of the organization. As with many federal and state regulations, non-
compliance can result in fines and imprisonment.

As a result, the procedure for first contact with a patient at the organization was
changed. Now, when a patient first arrives at the organization, s/he is provided the
organizations privacy policy, called the Notice of Privacy Practices. There is even a
procedure for the distribution. The brochure must be handed to the patient or
guardian, the patient must sign a document acknowledging receipt of the
document, and the acknowledgement must be filed, scanned or otherwise tracked
to provide an audit trail that the Notice was provided to the patient.

Another impact from HIPAA has to do with the sign-in procedure at any clinical area
– laboratory, physician office, ambulatory surgery desk, etc. Many of the
organization’s desk used to have sign-in sheets indicating the patient’s name and
sometimes the physician or procedure. HIPAA required that this procedure be
examined to ensure that only the minimum necessary information be present on
that sheet. This same concept applies to “calling for the patient”. For instance,
the organization does call the patient by name, but does not announce the
physician as that may be an indication of the patient’s medical condition.

Clinicians are impacted as well. When a surgeon arrives at the waiting room to
speak with the family, they all proceed to a private room to discuss the surgery and
condition of the patient. This procedure is required to protect the patient’s privacy
from the rest of the people in the waiting room.

When a clinician has lab results and receives voicemail, care must be taken as to
how much information can be left on the message. The physician’s office procedure
has been changed to secure permission from the patient to leave a message at one
number. This information is noted in the patient’s chart. This ensures that
information related to recent exams or labs is not left on a voicemail that can be
accessed by a spouse or other family member if the patient wants to be the first to
receive the information.

HIPAA and the electronic medical record (EMR) have a challenging relationship.
Limiting this discussion to one example, consider the employee with access to the
EMR and a friend waiting for results. Organizations have implemented strict policies
and procedures – with corrective action measures – for employees that, even with
the best of intentions – access the computer system and the medical information of
someone not under their care.

3
The need to interconnect health care applications and transmit data from one
system to another in a seamless manner has become critically important. However,
not all healthcare providers must comply with the privacy and security regulations.
The regulations make a distinction between those that use electronic transmission
of data and those that don't. There are no distinctions between sizes of healthcare
providers when it comes to HIPAA compliance. The only exception is that mental
health providers must follow special, more stringent rules.1 For example some
organizations purchased occlusive labels for the nurses to place over the patient
specific IV label before they discarded the empty IV bag so as to comply with HIPAA.

According to HIPAA standards, if your firm electronically transmits any patient

information to anyone else you fall under the HIPAA rules. It also states that if you
give the information to someone like a billing service or third party claims service
and they transmit it electronically, it is the same as if you did it. Medicaid and
Medicare require all claims to be submitted electronically. There are some
exceptions for a small provider of services or suppliers. HIPAA requires changes to
how an office operates. Even if you already have some privacy and security
measures in place, HIPAA requires that you document those policies and
procedures. And it requires that your employees be trained in the HIPAA law and the
policies and procedures of your office.

Another group of businesses that have a direct impact from HIPAA are Business
Associates of the covered entity. A Business Associate is an individual or entity that
receives protected health information (PHI) from a covered entity, such as a medical
practice, so that the business associate may perform services or functions, or assist
in the performance of services or functions, on behalf of the covered entity.2 HIPAA
mandates the covered entity require a Business Associate to sign a Business
Associate Agreement. This agreement includes parties that normally do not fall
under the definition of a covered entity into the HIPAA regulations. The agreement
requires the Business Associate to offer the same protection of the data as the
covered entity and it is a contract enforceable in court. If the Business Associate
does not sign the agreement or fails to protect the data, HIPAA requires the covered
entity to terminate relationship with the Business Associate.

What are examples of Business Associates?

• Lawyers
• Accountants
• Consultants
• Billing Companies
• Collection Agents
• Practice Managers
• Medical Transcription Service

2
 An employee of the covered entity or a member of the covered entity's own
workforce is not considered a business associate. Independent contractors are
Business Associates. Also, other health care providers to whom covered entities
disclose PHI for treatment purposes are considered business associates.

The public is also playing a major role is how some standards, such as HIPAA has
impacted policies and procedures on the job as well. As the public becomes more
HIPAA aware, they will expect if not demand privacy compliance. For example, if
you were to seek care from a medical provider and one says they are HIPAA
complaint and follow the guidelines, but the other does not and has no intention of
complying voluntarily, which one would you go to? Same applies to a firm like a
lawyer. Suppose you needed an attorney to represent you in a conversation that
included your personal medical history, which law firm would you use, one that is
HIPAA certified or one that is not?

The question remains how do we exchange health information, what is appropriate

to exchange and how do we maintain integrity as well as confidentiality.

References
1. HIPAAps Privacy & Security. Who is affected by HIPAA? Retrieved January,
2009, from www.hipaaps.com/whoIsAffected.html .

2. IBID.

3
What are ANSI, IEEE, HL7 and WHO? What are their
various roles in creating standards?

ANSI: Since 1918, the American National Standards Institute (ANSI) has been
coordinating the activities leading to United States voluntary standards systems.
ANSI facilitates the formation of standards in the United States by accrediting the
procedures of standards developing organizations (SDOs), government agencies,
consumer groups, companies, and others. These standards ensure consistency in
characteristics and performance of products, use of definitions and terms, and
product testing. ANSI accreditation signifies that the procedures used by standards
setting organizations meet the Institute's requirements for openness, balance,
consensus, and due process. ANSI promotes the use of U.S. standards
internationally, advocates U.S. policy and technical positions in international and
regional standards organizations and encourages the adoption of international
standards as national standards where appropriate.

IEEE: An international, non-profit organization that promotes advancement of

technology. The IEEE name was originally an acronym for the Institute of Electrical
and Electronics Engineers, Inc. Today, the organization's scope of interest
has expanded into so many related fields, that it is simply referred to by the letters
I-E-E-E (pronounced Eye-triple-E). It is a member of both ANSI & ISO and as such
performs its standards making and maintaining functions through the IEEE
Standards Association (IEEE-SA). IEEE-SA is the leading developer of global
standards affecting a wide range of industries including power and energy,
biomedical and healthcare, information technology, telecommunications,
transportation, nanotechnology, and information assurance. IEEE-SA has the same
commitment as ASNI to balance, openness, due process and consensus.Error:
Reference source not found

HL7: Health Level Seven is an accredited American National Standards Institute

(ANSI) Standards Developing Organization (SDO), operating in healthcare. Most
SDOs produce standards (sometimes called specifications or protocols) for a
particular healthcare domain such as pharmacy, medical devices, imaging or
insurance (claims processing) transactions. Health Level Seven’s domain is clinical
and administrative data. The organization develops specifications; the most widely
used being a messaging standard that enables healthcare applications to exchange
clinical and administrative data, thereby reducing or eliminating the need for
specific interface programming. HL7 educates the healthcare industry, policy
makers, and the general public concerning the benefits of healthcare information
standardization and HL7 specifically.

2
 One of the organization’s strategies is to develop a formal methodology to support
the creation of HL7 standards from the HL7 Reference Information Model (RIM). The
RIM is a large pictorial representation of clinical data (domains) and identifies the
life cycle of events that a message or groups of related messages will carry. It is a
shared model between all the domains and as such, is the model from which all
domains create their messages. The RIM represents the connections that exist
between the information carried in the fields of HL7 messages and is essential to
HL7’s ongoing mission of increasing precision and reducing implementation costs.

"Level Seven" refers to the highest level of the International Organization for
Standardization (ISO) communications model for Open Systems Interconnection
(OSI) – the application level. The application level addresses definition of the data
to be exchanged, the timing of the interchange, and the communication of certain
errors to the application. The seventh level supports such functions as security
checks, participant identification, availability checks, exchange mechanism
negotiations and, data exchange structuring.

WHO Drug Dictionary: A hierarchical international classification of drugs using

chemical and therapeutic groupings referred to as Anatomical-Therapeutic-
Chemical (ATC) classification. It is used by pharmaceutical companies, clinical
research organizations and drug regulatory authorities for identifying drug names,
their active ingredients and therapeutic use, in the course of their drug safety
surveillance. It translates a drug name to useful information, which is used for
coding and analysis of drug safety data both pre- and post- marketing.

The majority of entries refer to prescription-only products, but some are over-the-
counter (OTC) or pharmacist-dispensed. Biotech and blood products, diagnostic
substances and contrast media are also entered in the dictionary.

References
3. IEEE Standards Association. Frequently Asked Questions. Retrieved January,
2009, from http://standards.ieee.org/faqs/sa-faq.html#q1.
4. http://www.hl7.org/
5. WHO Drug Dictionary Enhanced, retrieved January 2009 from http://www.umc-
products.com/DynPage.aspx?id=2829
6. ANSI.org
7. Wikipedia, http://en.wikipedia.org/wiki/ANSI, accessed 1/28/09.
8. IEEE.org

Give an example of when social, legal or personal

ethics might come into conflict in the practice of
medicine. Consider at least 3 perspectives.

3
Physician assisted suicide (PAS) refers to the physician's act of providing
medication, a prescription, information, or other interventions to a patient with the
understanding that the patient intends to use them to commit suicide. PAS is legal
in the Netherlands, Belgium, and Switzerland. In the United States, PAS is legal only
in the State of Oregon.

Consider the case of a 67 year old patient with terminal lung cancer. This patient
has undergone multiple courses of chemotherapy and radiation without success. At
this point, all that can be offered is palliative care; death is inevitable. The patient
declines Hospice. The patient’s pain is not controlled, in spite of pain medication.
The patient asks the physician for a prescription for a large quantity of opioid pain
medication. The patient takes the prescription to the pharmacy. The pharmacist
contacts the physician to question the dosage, but is told “It is none of your
business.” The pharmacist refuses to fill the prescription and places a notation in
the computer system to alert other pharmacists of their suspicion.

The patient’s perspective: The patient believes in their fundamental right to

decide when and how to die. Autonomy means that individuals have the right to
pursue their own personal view of what kind of life is best, including when and how
to die. The pain and suffering a person feels during a disease, even with pain
relievers, can be incomprehensible to a person who has not gone through it. Even
without considering the physical pain, it is often difficult for patients to overcome
the emotional pain of losing their independence. The diminished quality of life is
worse than the inevitable death. The notation in the computer system violated
privacy.

The physician’s perspective: The trust in an established physician-patient

relationship dictates that patient well-being is primary. With terminal illness there
are two choices: let the disease run its course, or allow the inevitable death to come
sooner. The question is which one is of more benefit to the patient and acts in their
best interests. Extensive discussions about the patient’s interest in PAS were
conducted. Evaluation and treatment of physical and psychological symptoms
included psychiatric evaluation and anti-depressant medications. The patient was
competent to make decisions and had a Living Will outlining their wishes. I felt it
was in the best interest of the patient to allow and respect their autonomy.

The pharmacist’s perspective: The prescription did not serve a "legitimate

medical purpose" and therefore violated the Controlled Substances Act. It is my
right to not participate in morally, religiously, or ethically troubling therapies.
Further, I have a responsibility to my colleagues to share my knowledge of the
situation so that other pharmacists can act within the bounds of their conscience.

References:

2
 1. American Society of Health-System Pharmacists. ASHP statement on
pharmacist’s decision-making on assisted suicide. Am J Health-Syst. Pharm.1999;
56:1661–4.

2. Emanuel, EJ. Euthanasia. Historical, ethical, and empiric perspectives. Arch Intern
Med 1994; 154:1890

3. Fried, TR, Stein, MD, O'Sullivan, PS, et al. Limits of patient autonomy. Physician
attitudes and practices regarding life-sustaining treatments and euthanasia. Arch
Intern Med 1993; 153:722

4. Psychology, Public Policy & Law. June, 2000. v6, number 2. The entire issue is
devoted to articles on PAS including "A Continued Debate About Hastened Death" B.
Andrew; "Misconceived Sources of Opposition to Physician-Assisted Suicide" D.
Brock; "Requests of Physician-Assisted Death: Guidelines for Assessing Mental
Capacity and Impaired Judgment" J. Werth et al; "Factors to Consider Before
Participating in a Hastened Death: Issues for Medical Professionals" S. Jamison

5. "Assisted Suicide and the Inalienable Right to Life." Daniel Avila. Issues in Law &
Medicine. Fall 2000. v.16; n.2: p.111-141.

6. "Physician-assisted Suicide." Lois Snyder and Daniel P. Sulmasy. Annals of

Internal Medicine. August 7, 2001. v.135, number 3: p.209-216.

7. "A Moral Right to Physician-assisted Suicide." C. Wellman. American

Philosophical Quarterly. 2001. v.38, number 3: p.271-286.

8. "Desire for Physician-assisted Suicide: Requests for a Better Death?" Anthony L.

Back and Robert A. Pearlman. The Lancet. August 4, 2001. v.358, issue 9279:
p.344.

3
 Electronic Medical Records:
An Automatic Breach of Ethics?
Ethics and Confidentiality in the Age of Electronic Medical Records

Introduction
In the paper by E-H. W. Kluge, he states that the popular belief that data extraction
(secondary use of data) from Electronic Medical Records (EMR) requires a specific
informed consent is limited by four ethically-based arguments:

1. When use of the data without specific consent creates obstacles for
healthcare providers to carry out their mandates (presumably those of
patient care and population care)

2. When use of the data without specific consent prevents the creation and
maintenance of a health care system as a starting point

3. When use of data without specific consent seriously inhibits the ability for
equal and competing rights, and

4. When use of the data without specific consent makes bona fide research
impossible.i

Kluge walks through the logic behind each of these scenarios, and applies the
principles of ethics to support specific limitations that apply to use of secondary
data, and the lack of specific informed consent. He concludes with several possible
options to obtaining a somewhat global consent to information use to mitigate
violation of ethics in these situations.

Discussion
Perhaps the most meaningful moment in a young physician’s career is when he or
she takes the Hippocratic Oath (or the Oath of Maimonides), in which he pledges to
abide by a system of ethical statements developed primarily for the benefit of the
patient. As a member of this profession, a physician must recognize responsibility to
patients first and foremost, as well as to society, to other health professionals, and
to self.ii Of the 9 ‘codes’ outlined by these oaths and the American Medical
Association, (see Appendix A), the two that are most germane to the use of
secondary data contained in a medical record (paper OR electronic) are #5 [A
physician shall continue to study, apply, and advance scientific knowledge, maintain
a commitment to medical education, make relevant information available to
patients, colleagues, and the public, obtain consultation, and use the talents of
other health professionals when indicated] and # 7 [A physician shall recognize a

2
 responsibility to participate in activities contributing to the improvement of the
community and the betterment of public health].

Each of these obligations would comprise a compelling argument for a physician to

access secondary data about their patients to contribute to knowledge
advancement and continue to participate in activities (research) that contribute to
the community at large. As data about individual patients is collected in an
electronic medical record, scrubbed data (devoid of patient identifiers) becomes
useful in the collective to determine a variety of ‘answers’ to population-based
questions. The fact that patients are often asked to consent to collection of
information and use of that information to provide foundational research about
conditions existing in the population at large is a step in the right direction to
establishing informed consent. Because information is provided to insurers or third-
party payors to process claims and identify patients who are candidates for disease
or lifestyle management programs, with the proviso that general privacy will be
protected, most patients generally accept the use of their information in this
manner. Some offices and hospitals go so far as to indicate that they are active
participants in research, and that patient information, blinded by removal of
individual identification elements, will be provided to various researchers to further
knowledge of disease, population health, etc.

If one ascribes to the principle of autonomy, the right that all persons have to self-
determination, then patients should in general, be able to indicate which parties
have access to which pieces of information. And, in general practice, there are
some items which are specifically required to have direct consent for their
dissemination, such as HIV results. This can pose an obstacle to transitions in care,
for instance, when referring a patient to a specialist. If the patient requests that NO
information be provided, the new care provider must essentially start from scratch.
This principle is perhaps the most often over-ridden in cases when emergency care
must be provided, and records are ‘unlocked’ without specific consent. Similarly, if
a patient refuses use of secondary data, then any unusual or abnormal items in
his/her history, medical condition or current state of health are unavailable to be
utilized for aggregate knowledge.

If one subscribes to the principle of non-malfeasance, which ascertains that all have
the duty to prevent harm, this would apply to both physicians AND patients.
Physicians would want to utilize secondary data about their population to further
research knowledge to prevent future harm, and patients should also want to do
anything in their power to help prevent harm to others, in this case, by allowing
secondary data to be utilized for research purposes. The promise that must be
agreed to by both parties is that the use of the secondary information in and of
itself shall not bring harm to any individual who provided access to that information,
or was the ‘source’ of that information. This would bring into play many of the
HIPAA requirements for privacy protection and safeguarding of confidential
information.

3
The principle of equality states that all persons are equals, and have the right to be
treated as such. Medical research has indicated that many conditions act
differently depending on the patient’s socioeconomic status, race or environment.
This would preclude the idea that hypertension, for example, should be treated in
everyone the same way—in fact, hypertension is more prevalent in African-
American males, and is often more malignant and difficult to control in this
population. Thus, knowing more about a patient’s specific condition is important for
the best practices in treatment, and this ‘population-dependent’ knowledge only
continues to improve and expand through the use of secondary data from medical
records.

The final principle of ethics most germane to this discussion is that of beneficence-
everyone having a duty to advance to the good of others. Again, this would most
broadly argue that providing data to further research and best practices would be a
compelling argument to patients to allow such secondary data use.

Creating a satisfactory balance between these ethical principles and those of the
code of conduct imposed upon medical providers would seem to be a difficult task
when one then considers the tenets of HIPAA…the Health Insurance Portability and
Accountability Act. This act, passed in 1996, required the Department of Health and
Human Services (HHS) to establish national standards for electronic health care
transactions and national identifiers for providers, health plans, and employers. It
also addressed the security and privacy of health data.

Balancing confidentiality with need-to-know situations, privacy with research, and

trying to ‘provide the best care’ with ‘doing no harm’ provide foundations for
discussions and debates with any number of biases, depending on whether one
takes a legal approach, an ethical approach, a societal approach or a provider’s
approach. None of the traditional approaches seem to cover today’s world of
increasing electronics. “Computer and information ethics”, in the broadest sense of
this phrase, can be understood as that branch of applied ethics which studies and
analyzes such social and ethical impacts of information and communication
technology (ICT). In 1976, an ethics professor, Walter Maner, realized that the
addition of computers actually generated wholly new ethics problems that would
not have existed if computers had not been invented. He concluded that there
should be a new branch of applied ethics similar to already existing fields like
medical ethics and business ethics; and he decided to name the proposed new field
“computer ethics”. This proposed new field would study ethical problems
“aggravated, transformed or created by computer technology”.iii

As the health care industry adopts technology, the efficiency and effectiveness of
the nation's health care system will demand improved use of electronic data
interchange. iv As a result of increasing technological dependence, CMS (Center for
Medicare and Medicaid Services) has been authorized to enforce the security
standards, and has written new guideline documents to cover newer technologies,

2
 increasing use of mobile means to gather and distribute protected health
information, and maintaining adequate security measures for covered entities.

Not only are new technologies being utilized in healthcare; new roles of personnel
are being created. Perhaps the most integrally involved are the Healthcare
Informatics Professionals (HIPs). The International Medical Informatics Association,
established in 1989, has realized the multiple relationships that HIPs have with
data, healthcare providers and patients. As such, it has adopted a code of ethics
unique and specific to HIPs, encompassing the many facets of the role. See
Appendix B for this code. The various delineations under the category of ‘Duties to
Society’ include the HIPs duty to facilitate appropriate “collection, storage,
communication, use and manipulation of health care data that are necessary for the
planning and providing of health care services on a social scale.v The very next
tenet in that same section is the responsibility to ensure only appropriate data are
collected, the data is de-identified and rendered as anonymous as possible and that
only authorized personnel have access to relevant data. This would represent a
dramatic step forward to reconciling the need for gathering secondary data with
protecting the ethical rights of all parties involved.

We believe that the complexity of this entire topic will only continue to grow, as
methods and delivery models of health care and research continue to evolve, and
as technology assumes its place front and center. It is only with the continued
debate of the various approaches and points of view that the best compromise to
protect involved parties and advance knowledge can be reached.

3
Appendix A: AMA Code of Ethics
Preamble

The medical profession has long subscribed to a body of ethical statements

developed primarily for the benefit of the patient. As a member of this profession, a
physician must recognize responsibility to patients first and foremost, as well as to
society, to other health professionals, and to self. The following Principles adopted
by the American Medical Association are not laws, but standards of conduct which
define the essentials of honorable behavior for the physician.

Principles of medical ethics

I. A physician shall be dedicated to providing competent medical care, with

compassion and respect for human dignity and rights.

II. A physician shall uphold the standards of professionalism, be honest in all

professional interactions, and strive to report physicians deficient in
character or competence, or engaging in fraud or deception, to
appropriate entities.

III. A physician shall respect the law and also recognize a responsibility to
seek changes in those requirements which are contrary to the best
interests of the patient.

IV. A physician shall respect the rights of patients, colleagues, and other
health professionals, and shall safeguard patient confidences and privacy
within the constraints of the law.

V. A physician shall continue to study, apply, and advance scientific

knowledge, maintain a commitment to medical education, make relevant
information available to patients, colleagues, and the public, obtain
consultation, and use the talents of other health professionals when
indicated.

VI. A physician shall, in the provision of appropriate patient care, except in

emergencies, be free to choose whom to serve, with whom to associate,
and the environment in which to provide medical care.

VII. A physician shall recognize a responsibility to participate in activities

contributing to the improvement of the community and the betterment of
public health.

VIII. A physician shall, while caring for a patient, regard responsibility to the
patient as paramount.

IX. A physician shall support access to medical care for all people.

Adopted by the AMA's House of Delegates June 17, 2001.

2
 Appendix B: Excerpt from IMIA Code of Ethics for
Health Information Professionals

Rules of Ethical Conduct for HIPs

The rules of ethical conduct for HIPs can be broken down into six general rubrics,
each of which has various sub-sections. The general rubrics demarcate the different
domains of the ethical relationships that obtain between HIPs and specific
stakeholders; the sub-sections detail the specifics of these relationships.

A. Subject-centred duties
These are duties that derive from the relationship in which HIPs stand to the
subjects of the electronic records or to the subjects of the electronic
communications that are facilitated by the HIPs through their professional actions.

1. HIPs have a duty to ensure that the potential subjects of electronic records are
aware of the existence of systems, programs or devices whose purpose it is to
collect and/or communicate data about them.

2. HIPs have a duty to ensure that appropriate procedures are in place so that:

a. electronic records are established or communicated only with the

voluntary, competent and informed consent of the subjects of those records,
and
b. if an electronic record is established or communicated in contravention of
A.2.a, the need to establish or communicate such a record has been
demonstrated on independent ethical grounds to the subject of the record, in
good time and in an appropriate fashion.
3. HIPs have a duty to ensure that the subject of an electronic record is made aware
that
a. an electronic record has been established about her/him,
b. who has established the record and who continues to maintain it,
c. what is contained in the electronic record,
d. the purpose for which it is established,
e. the individuals, institutions or agencies who have access to it or to whom it
(or an identifiable part of it) may be communicated,
f. where the electronic record is maintained,
g. the length of time it will be maintained, and
h. the ultimate nature of its disposition.
4. HIPs have a duty to ensure that the subject of an electronic record is aware of the
origin of the data contained in the record.

3
5. HIPs have a duty to ensure that the subject of an electronic record is aware of
any rights that he or she may have with respect to

a. access, use and storage,

b. communication and manipulation,
c. quality and correction, and
d. disposition
of her or his electronic record and of the data contained in it.

6. HIPs have a duty to ensure that

a. electronic records are stored, accessed, used, manipulated or

communicated only for legitimate purposes;

b. there are appropriate protocols and mechanisms in place to monitor the

storage, accessing, use, manipulation or communication of electronic
records, or of the data contained in them, in accordance with section A.6.a;

c. there are appropriating protocols and mechanisms in place to act on the

basis of the information under section A.6.b as and when the occasion
demands;

d. the existence of these protocols and mechanisms is known to the subjects

of electronic records, and

e. there are appropriate means for subjects of electronic records to enquire

into and to engage the relevant review protocols and mechanisms.

7. HIPs have a duty to treat the duly empowered representatives of the subjects of
electronic records as though they had the same rights concerning the electronic
records as the subjects of the record themselves, and that the duly empowered
representatives (and, if appropriate, the subjects of the records themselves) are
aware of this fact.

8. HIPs have a duty to ensure that all electronic records are treated in a just, fair
and equitable fashion.

9. HIPs have a duty to ensure that appropriate measures are in place that may
reasonably be expected to safeguard the

a. security,
b. integrity,
c. material quality,
d. usability, and
e. accessibility of electronic records

2
 10. HIPs have a duty to ensure, insofar as this lies within their power, that an
electronic record or the data contained in it are used only

a. for the stated purposes for which the data were collected, or
b. for purposes that are otherwise ethically defensible.
11. HIPs have a duty to ensure that the subjects of electronic records or
communications are aware of possible breaches of the preceding duties and the
reason for them.

B. Duties towards HCPs

HCPs who care for patients depend on the technological skills of HIPs in the
fulfillment of their patient-centered obligations. Consequently, HIPs have an
obligation to assist these HCPs insofar as this is compatible with the HIPs’ primary
duty towards the subjects of the electronic records. Specifically, this means that

1. HIPs have a duty

a. to assist duly empowered HCPs who are engaged in patient care in having
appropriate, timely and secure access to relevant electronic records (or parts
of thereof), and to ensure the usability, integrity, and highest possible
technical quality of these records; and
b. to provide those informatic services that might be necessary for the HCPs
to carry out their mandate.
2. HIPs should keep HCPs informed of the status of the informatic services on which
the HCPs rely, and immediately advise them of any problems or difficulties that
might be associated or that could reasonably be expected to arise in connection
with these informatic services.

3. HIPs should advise the HCPs with whom they interact on a professional basis, or
for whom they provide professional services, of any circumstances that might
prejudice the objectivity of the advice they give or that might impair the nature or
quality of the services that they perform for the HCPs.

4. HIPs have a general duty to foster an environment that is conducive to the

maintenance of the highest possible ethical and material standards of data
collection, storage, management, communication and use by HCPs within the health
care setting.

5. HCPs who are directly involved in the construction of electronic records may have
an intellectual property right in certain formal features of these records.
Consequently, HIPs have a duty to safeguard

a. those formal features of the electronic record, or

b. those formal features of the data collection, retrieval, storage or usage
system in which the electronic record is embedded

3
in which the HCP has, or may reasonably be expected to have, an intellectual
property interest.

C. Duties towards institutions/employers

1. HIPs owe their employers and the institutions in which they work a duty of

a. competence,
b. diligence,
c. integrity, and
d. loyalty
2. HIPs have a duty to

a. foster an ethically sensitive security culture in the institutional setting in

which they practice their profession,
b. facilitate the planning and implementation of the best and most
appropriate data security measures possible for the institutional setting in
which they work,
c. implement and maintain the highest possible qualitative standards of data
collection, storage, retrieval, processing, accessing, communication and
utilization in all areas of their professional endeavor.
3. HIPs have a duty to ensure, to the best of their ability, that appropriate
structures are in place to evaluate the technical, legal and ethical acceptability of
the data-collection, storage, retrieval, processing, accessing, communication, and
utilization of data in the settings in which they carry out their work or with which
they are affiliated.

4. HIPs have a duty to alert, in good time and in a suitable manner, appropriately
placed decision-makers of the security- and quality-status of the data-generating,
storing, accessing, handling and communication systems, programs, devices or
procedures of the institution with which they are affiliated or of the employers for
whom they provide professional services.

5. HIPs should immediately inform the institutions with which they are affiliated or
the employers for whom they provide a professional service of any problems or
difficulties that could reasonably be expected to arise in connection with the
performance of their contractually stipulated services.

6. HIPs should immediately inform the institutions with which they are affiliated or
the employers for whom they provide a professional service of circumstances that
might prejudice the objectivity of the advice they give.

7. Except in emergencies, HIPs should only provide services in their areas of

competence; however, they should always be honest and forthright about their
education, experience or training.

2
 8. HIPs should only use suitable and ethically acquired or developed tools,
techniques or devices in the execution of their duties.

9. HIPs have a duty to assist in the development and provision of appropriate

informatics-oriented educational services in the institution which they are affiliated
or for the employer for whom they work.

D. Duties towards society

1. HIPs have a duty to facilitate the appropriate

a. collection,
b. storage,
c. communication,
d. use, and
e. manipulation
of health care data that are necessary for the planning and providing of health care
services on a social scale.

2. HIPs have a duty to ensure that

a. only data that are relevant to legitimate planning needs are collected;
b. the data that are collected are de-identified or rendered anonymous as
much as possible, in keeping with the legitimate aims of the collection;
c. the linkage of data bases can occur only for otherwise legitimate and
defensible reasons that do not violate the fundamental rights of the subjects
of the records; and
d. only duly authorized persons have access to the relevant data.
3. HIPs have a duty to educate the public about the various issues associated with
the nature, collection, storage and use of electronic health-data and to make
society aware of any problems, dangers, implications or limitations that might
reasonably be associated with the collection, storage, usage and manipulation of
socially relevant health data.

4. HIPs will refuse to participate in or support practices that violate human rights.

5. HIPs will be responsible in setting the fee for their services and in their demands
for working conditions, benefits, etc.

E. Self-regarding duties
HIPs have a duty to

1. recognize the limits of their competence,

2. consult when necessary or appropriate,

3
3. maintain competence,
4. take responsibility for all actions performed by them or under their control,
5. avoid conflict of interest,
6. give appropriate credit for work done, and
7. act with honesty, integrity and diligence.

F. Duties towards the profession

1. HIPs have a duty always to act in such a fashion as not to bring the profession
into disrepute.

2. HIPs have a duty to assist in the development of the highest possible standards
of professional competence, to ensure that these standards are publicly known, and
to see that they are applied in an impartial and transparent manner.

3. HIPs will refrain from impugning the reputation of colleagues but will report to the
appropriate authority any unprofessional conduct by a colleague.

4. HIPs have a duty to assist their colleagues in living up to the highest technical
and ethical standards of the profession.

5. HIPs have a duty to promote the understanding, appropriate utilization, and

ethical use of health information technologies, and to advance and further the
discipline of Health Informatics.

2
i
Informed Consent to the Secondary Use of EHRs: Informatic rights and their limitations,
E-H.W. Kluge, MEDINFO 2004, M. Fieschi et al. (Eds), Amsterdam: IOS Press, 2004.
ii
http://www.ama-assn.org/ama/pub/category/2512.html, “Principles of Medical
Ethics”, accessed 1/26/09.
iii
http://plato.stanford.edu/entries/ethics-computer/, accessed 1/26/09.
iv
http://www.cms.hhs.gov/HIPAAGenInfo/01_Overview.asp, accessed 1/26/09.
v
http://www.imia.org/ethics.lasso, accessed 1/26/09.

Privacy-Preserving Data Releases

for Health Report Generation
Padman Article Responses

What are the challenges of publishing data and yet

retaining privacy?
In their paper, Privacy-Preserving Data Releases for Health Report Generation, Boyens,
Kreshnan and Padman (2004a) discuss how to foster or promote privacy of data that has
been integrated and analyzed by mediators. The use of mediators provides a buffer
between the data sources and the organizations requesting the data analyses.

To meet the objectives of retaining data confidentiality, Boyens et al. illustrate two stages
of the mediator data-handling process. In data release 1, the mediator obtains the data in
a way that protects the identity of the individual (they obtain measures of central
tendency and dispersion). Data release 2 is the release of mediator-analyzed aggregated
data, usually in the form of a report, released in such a way that the individual’s, or the
organization’s confidentiality and privacy is preserved.

By avoiding the collection of raw data from the data owners, the data are less likely to be
subject to threats such as external attacks on the service provider’s database, malicious
attacks, data corruption due to incompetence, or the chance that due to changes of
ownership within the organization, the raw data may fall into competitors’ or other
inappropriate hands. To avoid these potential threats, Boyens et al. discuss encrypting
the data (which reduces the mediator’s ability to read and therefore analyze the data), or
de-identifying the data such that one can no longer link the data record to an individual
owner. This data-treatment would still permit the calculation of measures of central
tendency, but would not provide a means to evaluate how organizations rate or rank in
relation to each other. The third option mentioned is to give the data to a trusted third-
party mediator who uses the data to produce reports, but does not then store the data
long term.

Interval Inference Problem

The article authors describe a scenario during the second data release stage (reporting),
whereby even though individual data was not released, the aggregate data that was
released was detailed enough to provide enough information first to infer significant data
boundaries or limits. Additionally, using Non-Linear Programming, one could then
calculate the individual’s or an organization’s result-range (e.g. the range or interval
bounds in which the arithmetic average is likely to occur) with a surprising degree of
accuracy. Boyens et al. show how easily an organization’s privacy can be breached when
these analytical methodologies are used to conduct meta-analyses of published data.

Interval Inference refers to when “a database attacker is able to infer an accurate enough
interval when he or she may not infer an exact value of the sensitive attribute”. The
“interval” in question, is then referred to as the inference interval (Li et al., 2002). These
investigators use an ‘auditing approach’ to limit the capability of analyzing published
data in order to obtain sensitive or private information. “By auditing, all queries made by
each user are logged and checked for possible inference before the results of new
queries are released.”

Suggested Solutions
The first approach to reducing the risk of breaching data confidentiality is careful initial
treatment of the data to ensure record anonymization “preventing the re-identification of
real-world entities from a published table whose records represent individuals” where no
personal names, addresses, or birthdates appear in the data (Boyens et al., 204b). A
number of methods of reducing the capability of obtaining confidential information are
cited in Li et al. (2002). Some of these inference control options include controlling query
sets (restricting size, controlling overlap), suppressing query results, using different
sampling techniques, and additionally, adding variability (noise) to the source data.

To avoid the breach of privacy due to further analysis of reported data, organizations can
specify a maximum disclosure risk for each of the sensitive descriptive data cells in a
table displayed in the report (Boyens et al., 2004a). These criteria are set prior to data
release 1 when the data are given to the mediator for analysis. The maximum disclosure
risk criteria could include specific guidelines about the widths of the cell intervals,
(perhaps a specified numerical range around the true mean) or a specification of
minimum information entropy. In the event that the risk criteria are met (even within one
cell of the table showing the descriptive statistics); then the data containing the identified
risk criterion cannot be published. The method of assessing whether the data are subject
to a risk of disclosure is called “disclosure detection” or “disclosure audit” (Boyens et al.,
2004).

Li et al. (2002) caution that when auditing data, it is important to account for the impact
of boundary information and different types of data on interval-based inference which is
something that ‘audit experts’ do not do when they audit for exact inference. They note
that it is possible to audit interval-based inference, but it requires the use of complex
calculations to do so.

A second approach to reducing the risk of inadvertently disclosing confidential

information can be accomplished through data aggregation, however the more data are
bundled together (aggregated) the less useful they become for researchers who are
attempting to answer specific questions based on the data. Boyens et al. note that the
most useful information associated with data sets such as the arithmetic mean and the
standard deviation, can be too specific to publish because these measures can more
easily be used to calculate confidential information. They define this kind of information
as ‘high utility’ data. Instead, they suggest suppressing the information, making it of
‘lower utility’ for data snoopers to be of use when attempting to calculate sensitive
information from reported data.

The suppression of information would not add a biasing factor since it uniformly reduces
information. For example, instead of using the arithmetic mean in reporting, a rounded
mean would be reported (selecting a specific interval width that makes sense for the
data). Additionally, instead of reporting the standard deviations associated with the
arithmetic mean, a less specific measure of spread than a standard deviation (for
example, a range) would be reported. A range is based on two data points (max and min)
and so provides less information than does a standard deviation which is based on all the
data points. The authors note that it is important to reduce or suppress the data in a
manner that “limits disclosure with [the] least data utility loss possible”. They reference
an “audit and aggregate” algorithm that they developed which enables the comparison
between privacy and data utility tradeoffs for mediator analyzed data and data
warehouse collated data, model shown below (Boyens et al, 2004b).

In this model, data is audited on a continuous basis, and is iteratively aggregated and
suppressed if upon analysis; there is a significant risk of disclosure detection.
References
Claus Boyens, Ramayya Krishnan, and Rema Padman. (2004a). Privacy-Preserving Data
Releases for Health Report Generation. In MEDINFO 2004. M. Dieschi et al. (eds)
Amsterdam: IOS Press

Claus Boyens, Ramayya Krishnan, and Rema Padman. (2004b). On Privacy-Preserving

Access to Distributed Heterogeneous Healthcare Information. In Proceedings of the 37th
Hawaii International Conference on System Sciences.

http://www2.computer.org/plugins/dl/pdf/proceedings/hicss/2004/2056/06/205660135a.p
df?template=1&loginState=1&userData=anonymous-IP1233194125513 downloaded
1/27/09

Yingjiu Li, Lingyu Wang, X. Sean Wang, Sushil Jajodia. (2002). Auditing interval-based
inference. In Proceedings of the 14th Conference on Advanced Information Systems
Engineering (CAiSE’02).

http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.19.6139 downloaded 1/27/09