The Health Care Information Directive: Preliminary Results of Key Informant and Focus Group Evaluation of its Feasibility and Utility

Health and the Information Highway Division, Health Canada 2003

Table of Contents

• Executive Summary
• 1. Introduction
• 2. Ethical Issues at Stake
• 3. Issues in Informed Consent
• 4. Elements of Informed Consent
• 5. Consent and Medical Records
• 6. Definitions of Consent Regarding Health Information
• 7. Exemptions from Consent
• 8. Recent Developments
• 9. The Health Care Information Directive
• 10. Method
• 11. Results
• 12. Discussion

Executive Summary

Evaluation of the Health Care Information Directive

Developments in information technology promise to revolutionize the delivery of health care, by providing access to data in a timely and efficient way. Information technology also raises several important concerns about confidentiality and privacy of health data. Recent legislative initiatives in Europe and North America threaten to make access to patient level data more difficult, and this may have substantial impact on research and health surveillance.

It is clear that innovative approaches to enhance individuals' power over health information are required. This report discusses the results of a study to assess the feasibility and utility of a health care information directive. The report consists of the following sections: In the introduction, background information about the state of knowledge and perceptions of Canadians about the protection of their personal health information are reviewed. This is followed by a discussion of the salient issues related to the balance between protecting personal privacy and the necessity for health information for the efficient operation of a complex health care system. The second section addresses the ethical issues involved in changes in legislation, and demonstrates the socially-beneficial uses of personal health information. The third section reviews the concept of informed consent, and delineates its important elements: competence, capacity, disclosure of information, understanding of information, 'voluntariness', and authorization. The fourth section outlines the relationship between consent and medical records. The fifth section presents definitions of consent regarding the use of health information drawn from the Canadian Medical Association, the Canadian Institutes of Health Information, and other sources. A discussion of authorization bias is also included.

Section 6 outlines legal concepts of exemption from consent, and notes the salient issues when consent can be waived. This is followed by a general discussion of principles, drawn from international literature, of ethically defensible and legally supportable health information practices. Section 7 discusses the Romanow and the Kirby Reports in relation to health information issues. Section 8 commences with a discussion of the Health Care Information Directive (HCID), and links the previous discussion to how the HCID may fit into the current debate about health information privacy. Section 9 introduces the evaluation aspects of this project, and outlines the method by which the information directive was evaluated. We used a mixed methods approach for data collection, consisting of an e-mail survey of key informants and focus group meetings. The e-mail survey elicited 26 responses. Four focus groups (with 28 participants in total) were conducted.

The results show the following: The Health Care Information Directive stimulated a wide range of responses, ranging from extremely enthusiastic to highly critical. Most key informants agreed that the issues were complex and important, and that a tool such as the HCID is a good idea. Most key informants and survey respondents were acutely aware of the many barriers related to the successful implementation of such a directive, and stressed the need for a substantial educational effort. Concrete suggestions for improving the current version of the HCID were offered; they included simplifying the language, clarifying and separating the types of data, and suggestions on how to administer the HCID and the type of educational intervention that should accompany it. The focus group participants showed a low level of understanding and knowledge of health information issues. There was general mistrust of any uses of their health information, and a lack of belief that a technique such as the Health Care Information Directive would adequately protect their privacy or enhance their autonomy. We recognize, as a result of this, that there is a divergence of opinion between the lay public and the experts with respect to the use of tools to enhance the security of their health information.

Key recommendations from the above comprise three major forms. One is that a revised Health Care Information Directive be created with a simplified layout, plain language, clear definitions, and improved instructions and explanations. This would be accompanied either by a guidebook or an interactive computer program which would use examples, in a user-friendly format, of how information is used. It is also recommended that this be piloted to see what formats are preferred. There may be a need for multiple types of directives. We also recommend the initiation of a broad public education campaign and the engagement of the public on issues of health information and privacy. This is consistent with the recent calls from the Canadian Institutes of Health Research (CIHR) for greater public engagement. We also recommend increased funding for privacy issues to pilot and assess which methods are best suited to the goal of increasing health information privacy.

1. Introduction

In the modern computer age, there is a justifiable sensitivity concerning the possession and use of personal data. Recent concerns expressed in the media about 'Big Brother' databases indicate a public unease with the extent to which sensitive individual data are available in computer databases.¹ There are many unanswered questions about how data are collected, collated, and linked, as well as concerns over data security and access.

Public opinion surveys have indicated that Canadians are concerned with the security of their health information, and would resist the use of data without consent. The Canadian Medical Association sponsored a national poll on the confidentiality of health data. The results of the poll indicated that confidentiality of health information was a high priority for Canadians: 77% either strongly agreed or somewhat agreed that they would allow their personal information to be released to researchers or to governments, but only with consent; 51% of those surveyed would not agree to the use of their health information, even when stripped of unique identifiers without consent. As Peter Vaughn, Secretary of the Canadian Medical Association, stated: "The issue of consent and confidentiality is of fundamental importance to Canadians."² A report released in Saskatchewan echoes these views: 99.3% of those surveyed agreed with the statement "Individuals should be informed about why information is being collected".³

While Canadians seem to be clear about the need to be informed about uses of their health information, there is no unanimity on preferences about how individuals should be informed, and how the consent process should take place. In the Saskatchewan survey, 62.9% of respondents agreed that "To receive informed consent, health professionals would need to provide details of every anticipated use of health information". However, 71.4 % of those surveyed also agreed with the statement "To receive informed consent, health professionals should not have to provide details of every anticipated use of personal health information on every occasion, but should be expected to make this information available on request and through pamphlets, brochures, and other convenient means". This ambivalent attitude poses difficulties for setting consent policies for the use of health information. There is a lack of clarity, both at the legal and ethical levels.

There are multiple potential uses of individual data, and a health care system cannot function efficiently without such data. To be sure, for a complex health care system to operate effectively, a balance must be struck between the protection of privacy and the need for the use of individual information. This sentiment is also captured in the Saskatchewan survey, as 91.4% of respondents indicated a level of agreement with the statement "It is important to balance the need to protect privacy with the need for the health system to collect information necessary to provide and evaluate services". The public wishes the highest quality treatment and health services. These ends cannot be achieved without the use of personal health information.

There are those who propose / argue / suggest that requiring explicit consent for the use of personal data would needlessly complicate program administration. Furthermore, the collection and use of such data is clearly in the public interest. Counter-arguments hold that any use of individual identifying data can occur only with the explicit consent of a competent adult. Not obtaining explicit consent would result in an abuse of a fundamental human right of a democracy, which should be vigorously protected.

A paradox looms: Canadians want high quality health care, and they want privacy. Both aims are laudable and serve each other, but only if properly understood. In jurisdictions of Europe and the United States, for example, privacy legislation has threatened to negate the benefits of research that leads to high quality care.

2. Ethical Issues at Stake

As noted above, recent changes in legislation in several jurisdictions around the world have resulted in increased privacy protection for individuals. In Europe, the United States, and in Canada, legislation has been passed or is contemplated that will make access to medical records more difficult for researchers. These changes have had profound effects on research and practice, particularly for epidemiology, population health, and public health.

The benefits of using health records for both research and program evaluation are well known. Gordis and Gold have discussed the medical discoveries derived from medical records research.⁴ In particular, the fields of cancer, cardiovascular disease, infectious diseases, and children's health have profited from large-scale epidemiologic studies. Lako has reviewed the legislation in Europe, and points out the obstacles for research and health service delivery posed by the new legislation. He argues that disclosure of patient information for large-scale research, without consent, should be seriously considered. It should take place only with the approval of an institutional review board, and strong security arrangements.⁵

Melton lists the following socially desirable aspects of medical-records studies, and argues that these benefits are in jeopardy by privacy legislation:⁶

• monitoring the health of the population
• identifying populations at high risk for disease
• determining the effectiveness of treatment
• quantifying prognosis
• assessing the usefulness of diagnostic tests and screening programs
• influencing policy through cost-effectiveness analysis
• supporting administrative functions
• monitoring the adequacy of care

It is important to note that this list includes aspects of data analysis not traditionally considered research but which relate to health policy, administration, and quality control. Given that there is no uniformly agreed-upon distinction between empirical research and audit, the programmatic aspects of data use should not be viewed as immune from consent issues.⁷

The argument for the social utility of health records usage has been advanced in editorials in major journals such as the British Medical Journal.⁸ The social utility argument is stated clearly by Gostin and Hodley:⁹

"Despite the importance of explicit informed consent in protecting patient autonomy, requiring such consent before allowing any personal health data to be obtained would discourage and even halt much socially valuable research. The cost and effort of obtaining previous approval for large scale statistical analysis that use data from tens of thousands of patients would be burdensome."

The literature is virtually silent in terms of the harms associated with the use of personal health data for registry and research purposes. Concerns about data falling into the hands of insurance companies or others have been expressed, but no documented reports were found in the literature. There may have been isolated incidents but, in general, health data is well protected.

3. Issues in Informed Consent

Informed consent is one of the central concepts in modern bioethics. It is no understatement to say that the topic is among the most researched and most discussed in bioethics. A simple MEDLINE or BIOETHICSLINE search will attest to this; however, the bulk of this commentary relates to research or clinical care.

3.1 Ethical Principles and Values

Consent is related to the principle of autonomy. The demand for informed consent expresses the value that humans are self-determining and self-regulating. It recognizes that individuals have domain and control over themselves, including information about them. Consent also demonstrates respect for persons as individuals and not as means to an end. It upholds the view that humans have intrinsic value. These values are historically rooted in western liberal democracies.

The doctrine of informed consent is of considerable historical importance. Consent rightly became the focus of ethical reflection in the aftermath of World War II, during which individuals were used for medical experimentation without regard for consent. This practice was universally condemned. As a consequence, the Nuremberg Code was established, providing the following core definition of consent:

"The voluntary consent of the human subject is absolutely essential. This means that the person should have the legal capacity to give consent; should be so situated as to be able to exercise free power of choice, without the intervention of any element of force, fraud, deceit, duress, overreaching or ulterior form of constraint or coercion; and should have sufficient knowledge and comprehension of the elements of the subject matter involved as to enable him to make an understanding and enlightened decision." (the Nuremberg Code, 1949).

4. Elements of Informed Consent

Informed consent consists of the following elements:

Competence / Capacity: Competency is a complex issue. In simple terms, competence refers to the ability to perform a task. It is related to the concept of capacity. In essence, the consenting individual must be able to reason about the foreseeable consequences or lack thereof that will result from his / her decision. Competency is also not a global ability, as people can be variably competent, depending on the circumstances.

Disclosure of Information: The disclosure of information is crucial from a legal standpoint. There must be a communication of information, to a reasonable level, that a person would require for decision making. This must include those facts or descriptions that a person would consider relevant in making the decision to accept or refuse an intervention. The disclosure of information is known to be very sensitive to framing effects.

Understanding of Information: The consenting individual must understand the information provided. A signature in and of itself does not indicate understanding. Some attempt must be made to ascertain that understanding has occurred.

Voluntariness: The decision to consent must be made independently of manipulative or coercive influences exerted by others. There can be no threats, deception or misrepresentation. It should be recognized that these influences can be quite subtle.

Authorization: Some token of the interaction, either verbal or written, is necessary to attest to the consent.

This model of consent prevails in clinical research and in clinical care, where invasive procedures may be performed or medications may be researched. In this domain, there is a real potential for physical harm to accrue directly to the person, as a result of participation. It is not immediately apparent that the same model is operational with regard to health information. The harms associated with the use of health information are not as immediate as the potential physical harms associated with research and clinical care.¹⁰ The harms associated with the use of health information relate to reputation, stigma, and potential economic consequences such as insurability and employability.

5. Consent and Medical Records

The Saskatchewan Report states the following principles:

"Information management in the health system should operate on the basis of informed consent. This means that individuals are informed of, and consent to, the intended uses of the information being gathered from them. This basic principle must be balanced with the need to provide prompt and efficient care and service for the individual. In other words, the need to inform an individual and receive consent for the use of information must not interfere with the provision of quality care - especially in critical situations. Individuals could be informed through:

• A detailed explanation at the time the information is gathered.
• The publication of information brochures.
• Publication of information policies and practices.
• Publication of annual reports.
• Legislation defining acceptable uses."

"Wherever possible, information should be gathered directly from the individual."

This statement recognizes that health information is collected for a variety of purposes, and incorporates a range of potential sensitivity. In general, health information falls under the following categories:

1. Registry Information: This category refers to the information required for the management of the health care system. It includes unique identifiers about the person for the purposes of accounting, etc. It is sensitive information, but required for many administrative functions of the health care system.
2. Personal Health Information: This refers to information about the health status, treatments, tests, etc., of a particular individual. This is the most sensitive data.
3. De-individualized Personal Information: This data is derived from individual data, and is stripped of unique identifiers.
4. Statistical and Aggregate Information: This is data compiled to indicate trends and volumes. It is the least personal and least sensitive type of health data.

6. Definitions of Consent Regarding Health Information

The CMA Health Information Privacy Code defines consent as follows:¹¹

"Consent means a patient's informed and voluntary agreement to confide or permit access to the collection, use, or disclosure of his or her health information for specific purposes. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the provider seeking consent. Implied consent arises where agreement may be reasonably inferred from the action or inaction of the individual and there is good reason to believe that the patient has knowledge relevant to this agreement and would give express consent were it sought."

The Canadian Institute for Health Information released a document entitled Privacy and Confidentiality of Health Information at the Canadian Institute for Health Information (CIHI), in which consent is defined as "Voluntary agreement with what is being done or proposed (express or implicit)". CIHI's policy on consent is as follows:

"The knowledge and consent of the individual or his / her guardian are requested for the collection, use or disclosure of personal data, except:

• where the collection, use or disclosure is permitted by law;
• where the data will be used or disclosed for research, policy formation, and / or statistical purposes; and
• the data will not be used in a way that might harm the individual concerned;
• the purpose cannot reasonably be accomplished unless the data are provided in person-identifiable form;
• processes are in place to safeguard the data and dispose of them in a prompt and secure fashion;
• individual identifiers are removed or destroyed at the earliest reasonable time; or
• where disclosure is to the person or organization that supplied the data to CIHI or, by agreement, to a relevant Minister of Health."

There is concern that requiring explicit consent for the use of medical records for research will lead to authorization bias. Differential bias as a result of incomplete ascertainment, secondary to authorization bias, may distort the actual data, and may lead to uninformed policy and clinical decisions. In Minnesota, a jurisdiction where stringent legislation has been passed, several such studies have examined the possibility of authorization bias.

Yawn et al. (1998) studied patients in an out-patient ambulatory care clinic.¹² They approached 16,000 patients: 90.6% granted authorization, 3.6% refused authorization; 4.5% were undecided, and 1.3% were not asked. Refusal rates were found to be higher in certain subgroups; among older women, and among those with mental health problems, trauma, and eye care. The authors concluded that there is a chance of selection bias.

Jacobsen and associates studied a sample of visitors to outpatient clinics.¹³ Of those visitors, 3.2% refused authorization; if non-response would be considered a refusal, the rate was 20.7%. Women were more likely to refuse than men, and younger people were more likely to refuse than older people. Those who lived at a more remote distance from the clinic were more likely to consent, and people with sensitive diagnoses were more likely to refuse. Jacobsen and associates concluded that there is a possible bias and a threat to clinical understanding that could result in a failure to adequately inform patients and the public.

McCarthy and colleagues examined the impact of the legislation in a health maintenance organization.¹⁴ They received only 26% approval for their study, which would not have required consent prior to the implementation of the legislation. The study posed minimal harms to participants. McCarthy and colleagues concluded that the legislation negatively influenced the ability to complete the study. In other words, efforts to protect patient privacy may come into conflict with the ability to provide timely health information that serves the public health.

These studies indicate that authorization bias is a potential threat to the collection and interpretation of data required to set health policy and inform clinical choice. The rate of authorization was higher in studies associated with the Mayo Clinic. This is understandable, given its reputation as a preeminent medical clinic. For the Mayo Clinic, the cost of obtaining consent was substantial, estimated at $1,000,000 U.S. for 214,000 patients.¹⁵ The cost of obtaining consent from everyone in Canada can be anticipated to be several times higher.

7. Exemptions from Consent

There are exemptions, some codified in law, to the need for explicit consent. In Canada, for example, the recently passed Bill C-6 contains the following exemptions:

Clause 7(1). An organization would be exempt from obtaining consent with respect to the collection of personal information only where:

1. the collection was clearly in the interests of the individual and consent could not be obtained in a timely way;
2. it was reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection was reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
3. the collection was solely for journalistic, artistic or literary purposes;
4. the information was publicly available and was specified by the regulations.

Clause 7(2)(c) and 7(3)(f). Conditions attached to the exemptions for statistical or scholarly study or research purposes. An exemption for the use of personal information for statistical or scholarly study or research purposes would be allowed only if all of the following conditions were met:

1. the purposes could not be achieved without using the information;
2. the information was used in a manner that would ensure its confidentiality;
3. it was impracticable to obtain consent;
4. the organization informed the Commissioner of the use before the information was used.

The salient findings on consent and the collection / use of personal health information from this review are:

• Personal health information is considered very sensitive, and its management is taken seriously by all jurisdictions.
• Issues of privacy and confidentiality are paramount.
• Focus on management of personal health information and on the development and assessment of appropriate safeguards outweighs consent process. Consent is considered important, however.
• The data should be collected directly.
• Consent requirement varies from none (if specific criteria are met) to detailed, initial consent for specific purposes.
• Importance of the right to withdraw consent at any time is also mentioned but is not present in all jurisdictions.
• Individuals should be informed about the specific handling and use of their personal health information.
• Consent for each handling of personal health information is not required. Initial and specific consent is deemed appropriate and sufficient.
• The transfer of personal health information via the Internet or through electronic networking may be considered a specific issue, and could prompt the need for additional consent.

The following general principles emerge from the analysis. These principles are ethically defensible and legally supportable.

Health information should adhere to fair information practices, and should:

• be fairly and lawfully processed
• be processed for limited purposes
• be adequate, relevant, and not excessive
• be accurate
• not be kept longer than necessary
• be processed in accordance with the data subject's rights, including subject's access to the data
• be secure
• not be transferred to countries without adequate protection¹⁶

Furthermore, in accordance with Hodges et al.,¹⁷ these general considerations should be observed:

1. Identifiable health information must be uniformly viewed as highly sensitive information. Its primary value does not derive from either research or commercial potential.
2. Privacy protection should be paramount.
3. Patients are entitled to know for what purpose identifiable information is being used, the length of time the information will be kept, where it will be stored, who has access to it.
4. Effective criminal and civil sanctions should be a consequence of breaches of privacy.
5. Health data should be disclosed according to the least intrusive disclosure principle: narrow in content, least identifiable, minimally sensitive, and to the fewest number of persons reasonable for the required purpose.

Consent should be tied to the type of health information under consideration for use. The requirement for consent varies according to the sensitivity of the information and the application for which it is intended. There are reciprocal relationships between the sensitivity of data and the need for explicit consent and stringent data protection. As identity and sensitivity increase, so does the need for consent, and the stringency of protection increases.

8. Recent Developments

Two major reports on the health care system have been released in the past year. Both the Kirby Report and the Romanow Report addressed issues relevant to the privacy of health information. The Senate Standing Committee on Social Affairs, Science, and Technology, in its final report entitled The Health of Canadians - The Federal Role, Vol. 6: Recommendations for Reform (the Kirby Report, October 2002) articulated the challenge as follows:

"The right to privacy and confidentiality of personal health information is a very important value for Canadians. Now more than ever, Canadians need reassurance that their privacy and confidentiality will be respected in this era of rapidly advancing technology. However, the quality of their health and health care is also a value that Canadians cherish very dearly. Health care providers, health care managers and health researchers need access to personal health information to improve the health of Canadians, strengthen health services, and sustain a high quality health care system. The present challenge for Canadians is to set acceptable limits around the right to privacy, on the one hand, and the need for access to information (by health care providers, managers, and researchers) on the other, to achieve an appropriate balance between them." (p. 230)

Roy J. Romanow, in his final report entitled Building on Values: The Future of Health Care in Canada (the Romanow Report, December 2002) wrote:

"Some might wonder why a chapter on information would figure so prominently and be placed at the beginning of a report on the future of Canada's health care system. The answer is that leading-edge information, technology assessment, and research are essential foundations for all of the reforms outlined in subsequent chapters of this report. Furthermore, health research - especially biomedical and scientific research - is an increasingly important component of Canada's knowledge economy and a source of high-skilled, well-paid employment for thousands of Canadians.... With better information management and technology in place, researchers can assess the impact and value of different treatments and approaches to delivering health care services in addition to developing and testing new discoveries and cures... . Researchers and policy-makers would have access to aggregate data compiled through the electronic health record system. These data could be extracted generically for health research purposes, without being linked to any individual electronic health record. The Commission understands that researchers would, in many cases, prefer to have access to 'person-oriented' health information to allow them to track certain illnesses or health-related factors over time. Only when there are sufficient safeguards in place and the system has demonstrated its ability to protect the privacy of individuals, should researchers have access to 'person-oriented' data." (pp. 75-76; 79)

9. The Health Care Information Directive

From the above discussion it is clear that innovative solutions are required in order to balance privacy protection and the public good in relation to health information. Clearly, in order for the process to be acceptable in a participatory democracy, individuals must have some say in how their information is accessed and used. It is also clear, however, that there currently exists no manner by which individuals can exercise control over all facets of their health information. The Health Care Information Directive (HCID) is intended to fill a gap between purely passive models (such as blanket consent and opt-out models) and fully participatory models (in which individuals must be contacted for each unique use of their health information, regardless of format).

The Health Care Information Directive (see Appendix 1) seeks to integrate sensitivity of data with ethical validity of use. It presents the permutations and combinations of sensitivity and usage in a matrix that forms a table similar to an advance directive. The goal of the HCID is to allow individuals to make informed choices regarding the use of their health information. Currently, models of consent for the use of health information derive from consent for clinical interventions. These models are discrete and time-limited. Health information, however, particularly those items stored in electronic databases, exists almost timelessly and has a multitude of uses. While it may be impossible to determine all possible uses in advance, it is possible for individuals to define the range of possible usages of their health information, and to specify the form of data acceptable to them. The row headings of the HCID move from 'most essential' to 'most discretionary' uses, based on Mullen and Lavery who state:

"To illustrate, the following uses of electronically stored patient data might be placed along a continuum to reflect ethical validity in access or use (acknowledging that the placement of these various interests is debated by different players), where the informing criterion is the proximity of the potential user to the data generator (patient) and their potential benefit/harm in the disclosure of information."¹⁸

The column headings illustrate the data types, from the most identifiable to the most anonymous. The matrix forms a range of options, from most sensitive to least sensitive types of data with most necessary to most discretionary uses of information. Individuals then can, as in advance directives, block out which uses and types of data they do not wish to contribute. They may also specify the range of issues for which they are willing to contribute data, but only with explicit, informed consent. There will be some areas that must be blocked out because no discretion is permitted; for example, for accounting purposes.

The HCID has face validity as it integrates the important elements of health information that have been discussed in the literature. From an ethical perspective, the directive increases patient autonomy, facilitates patient control over information, fosters openness and transparency, and respects several of the ethical principles articulated by Kluge.¹⁹

9.1 Evaluating the Health Care Information Directive

The overall aim of this study was to take the first steps in evaluating the Health Care Information Directive. Following the process outlined by Berry and Singer for Cancer Specific Advance Directives, we surveyed key informants representing various stakeholder groups, and we convened a series of focus groups with lay volunteers representing different demographic profiles within the consumer perspective.²⁰

The specific objectives of the evaluation were to explore the feasibility and utility of the HCID, and to solicit opinion as to what sorts of changes need to be made in format and presentation.

10. Method

As mentioned above, we employed a mixed-methods approach to data collection (e-mail survey and focus group meetings). The research was carried out in the Primary Care Research Unit at Sunnybrook & Women's College Health Sciences Centre in Toronto, Canada. The study received ethics approval from both the host institution and the University of Toronto.

10.1 E-mail Survey of Key Informants

In order to capitalize on the many efficiencies inherent in electronic survey methods, we chose to conduct an e-mail survey of key informants, in lieu of traditional face-to-face interviews. We utilized a modified Dillman²¹ approach, which consists of three separate contacts via electronic mail: a pre-notice message, the questionnaire survey with attached cover letter, and a reminder / thank you message.

The sampling frame for the e-mail survey comprised the participant lists from two recent workshops sponsored by the Canadian Institutes of Health Research (CIHR) on the theme of 'Privacy in Health Research'. The workshop participants included representatives of various stakeholder groups, including data managers / holders, data users, data regulators, public policy advisors, and bioethicists. Forty-five individuals were in attendance at the first of the two workshops, which was held in Toronto in June, 2000. Approximately 125 participants attended the November 2002 workshop held in Ottawa (it should be noted that there was considerable overlap on the lists of participants for the two workshops). In total, 128 individuals were invited to participate in our e-mail survey.

The pre-notice message (see Appendix 2) was sent in order to inform potential participants of the study, and to invite them to take part by completing the survey that would be e-mailed to them within the next two or three days. The second contact (see Appendix 3) included the survey questionnaire as well as a standard cover letter explaining both the purpose of the study and the various ways in which the participants could respond (i.e., e-mail, fax, or post). Potential participants were asked to read a short 4-page journal article (available free online) about the HCID before completing the attached questionnaire. The survey instrument itself was quite brief: there were four sections, each consisting of three open-ended questions. Finally, a reminder message (see Appendix 4), along with a replacement copy of the questionnaire were e-mailed to all non-respondents after 10 days. Respondents received a thank-you message from the Principal Investigator [REGU].

Twenty-six survey questionnaires were completed and returned. The great majority of participants (n = 22; 85%) responded via electronic mail; of the remainder, three responses were received by fax and one arrived through the post. The group of twenty-six respondents comprised twelve data users, four bioethicists, three data regulators, three public policy advisors, two data managers / holders, and one health informatics expert. One participant chose to remain anonymous.

Completed survey questionnaires (some responses were hand-written) were formatted using word processing software. Employing the techniques of content analysis,²² we coded all responses according to a pre-determined set of codes or variables of interest. These codes included utility, feasibility, benefits, burdens, etc. This process yielded a unit-by-variable matrix that allowed for substantive analysis.

10.2 Focus Group Meetings

We conducted a series of four focus group meetings with users of the health care system in Ontario, Canada. The meetings took place in a location convenient for the participants. We initially contacted potential participants by telephone, and then invited them via letters which included flyers describing general information about the project. We contacted four community agencies and one hospital that could have potential interest in the topic. One hospital and one agency - both of which run seniors groups - could not accommodate our time-line; however, we managed to recruit enough participants. The remaining offices displayed our flyers. We aimed to recruit people with a wide range of experiences in using the health care system, and we succeeded in getting members from cancer groups, seniors, advocates of the topic researched, recent immigrants, and a random group of users of the health care system. On average, the meetings lasted 90 - 110 minutes. With the written consent of participants, each session was audio-taped and transcribed verbatim. Names or places that could potentially identify the participants were removed in order to guarantee their privacy.

We developed a discussion guide (see Appendix 6), in order to address the main issues related to the Health Care Information Directive. Transcripts were read several times until the main themes emerged. These were then discussed until we felt confident that the six themes listed below represent the core ideas emphasized in the focus groups. We then searched for quotes that would represent clearly those ideas.

11. Results

In this section, we report the results of our evaluation of the Health Care Information Directive. For purposes of clarity, the e-mail survey and the focus group meetings are reported separately.

11.1 E-mail Survey of Key Informants

Responses to the e-mail survey of key-informant interviews are presented in the tables below. The row headings indicate the type of key informant, and the column headings identify the content area of the survey items. The responses are divided into two broad categories:

1) Content and Utility
2) Feasibility and Benefits / Burdens

The HCID stimulated a wide range of responses from the key informants, ranging from extremely enthusiastic to highly critical. While there was almost universal agreement that the issues involved are important and highly complex, and that the idea of a directive is a good one, it was recognized that the instrument, as it is currently constructed, is inadequate and not user friendly. There was almost unanimous agreement that a substantial educational component was required, and that attention to clarity, simplicity of language, and availability in different languages were important.

Several concrete and constructive suggestions were made as to how to improve the directive. These suggestions included: using tick boxes; shading out non-discretionary areas; rearranging the columns and rows; simplifying the language; and separating the types of usage of data. There was a sense that the directive should be filled out at a time when the patient is not vulnerable; i.e., suffering from an acute illness or otherwise stressed. A range of opinions were expressed as to who would be the best person to administer the directive (trained clerks, health care providers such as nurses or family physicians, or that it be self-administered). There was a clear sense that it may not be feasible to implement the HCID, as it is very complex and possibly too time- consuming.

Many respondents believed that a tool such as the HCID would increase patients' control over data and would thus empower them and enhance their autonomy. At the same time, it was recognized that this also raised the possibility of disempowerment and of creating a false sense of security.

Table 1 - Key Informant Data: Content and Utility

Table 1 - Key Informant Data: Content and Utility

Id	Area of Expertise	First Impression Of Hcid Matrix?	Clear to You?	Is Hcid SelfExplanatory?	How Useful In Practice?	Is The Layout User Friendly?	Suggestions & Improvements
KI01	Data User	very complicated & will be hard to explain will likely reduce participation greatly	yes	more explanation needed re def'n of various terms	as a framework for policies and procedures for data access	needs improvement	should define where consent is currently required establish consent protypes for these areas
KI02	Data User	clever way of informing people & extracting info at the level of comfort	yes	not really not sure	more info from people who otherwise would have declined respects individual preferences	colours might help	unsure
KI03	Data Holder/ Manager	good idea/good start requires more development	yes	more instruction needed, especially for terms some info used without consent	includes public in process begins to test different models	not particularly layout is too cryptic	title is confusing and should focus on information not on health care
KI04	Data User	very good I like the concept & grid format	yes	much more explanation needed	useful in discharge data & large studies	not user- friendly for seniors	more explanation would never work as a stand- alone document needs educational piece
KI05	Data Regulator	interesting concept much too simplistic	yes	not self- explanatory terms need def'ns costs & benefits need explaining	educating public provides means for public to exercise more control	no, all terms need defining more distinctions should be made among uses	response categories should be specified (e.g., I do not consent, ask for my consent, etc.) should indicate where consent is not required
KI06	Data Regulator	appropriate way to balance privacy and need for access to info	yes	I would prefer a more detailed discussion	could facilitate attainment of informed consent allows for more individual choice empowerment may promote higher level of consent allows staff to manage info	is user- friendly mechanism to answer questions is needed	none at this time
KI07	Data User	could be useful in some settings	yes	I understand it, but more instruction required for public	allow greater control to public prevents global answers of 'yes' or 'no' to access	reasonably needs to be clear whether you are opting in or opting out by checking box	an example of use in practice is required
KI08	Bioethics	conceptually, it is very appealing first practical tool I have seen to address these issues	yes	I get it, but requires high literacy level what about diff languages?	education: would help people to understand system could serve to give people more control of their info	literacy issues language issue	an accompanying education piece will be required for this
KI09	Data User	positive step in right direction	yes	may need more information for lay person	raises awareness of how PHI is used & need to balance personal privacy with public good	needs more elaboration of what column terms mean	group the rows by functions/ purpose
KI10	Bioethics	the idea is excellent I hope it becomes a widespread custom & healthcare professionals are trained to use it	it is clear enough for now	requires more explanation and instruction as it progresses	to obtain consent from informed individuals to enable research to go on without invading privacy	this will come through testing must assist people & reinforce idea that goal is to empower them	make a video using actual patients for people to take home & watch if not adequately resourced, it may fall into suspicion & be dismissed by patient support groups
KI11	Public Policy	a fruitful idea worth further exploration	yes	more definitions needed	an opportunity to educate people reinforces importance of info use for legitimate purposes gives control over own PHI reduces need to obtain consent on ad hoc basis	form appears easy to use- need better descriptions of terms on axes	I would add a separate line for community- based spiritual care providers which has been very controversial in my home province
KI12	Data User	a reasonable attempt to deal with a rapidly developing situation probably deserves a trial	yes	will require a good deal of education for patients and also for healthcare professionals	could be a useful tool for gaining permission to access records and for specifying when specific consent is required	might be some potential for confusion about the terms which need to be defined very carefully	the table is okay, but an appendix with clear & readily understandable definitions is needed
KI13	Data User	I like the idea/concept we need something like this in health services research	yes	not sure that it would be clear to public	not sure that it would change a thing in clinical practice since patients are generally asked about this in research, would level the playing field although I fear it would lead to less info being available	would depend on the user requires high literacy level lots of lingo	must revise wording and give examples provide way to ask questions what about issue of expiry date and how to revise over time?
KI14	Public Policy	column headings do not appear logical might be helpful to present a schema illustrating hypothetical version	yes	yes, but need definitions and more explanation some boxes must be pre- selected as no discretion is permitted	I am skeptical too complex for most people to deal with in a short space of time	should re- order column headings as some are just sub- categories of others	should add public health surveillance in the rows Inclusion in the schema of 'most necessary' to 'most discretionary' uses
KI15	Data User	I like the idea addresses a major issue in pro-active & thoughtful way that will raise lots of discussion	yes	it seems to be too complex for general use	might provide a means by which public acceptance of E.H.R. is increased If HCID increases buy- in & doesn't erode access due to refused consent then would be useful	it is very complex terms are at a PhD level rather than a Grade 8 level which is the target norm	fewer choices
KI16	Health Informatics	looks like a tool for facilitating discussion on issues of privacy doesn't appear to be a stand- alone form	yes	more explanation is needed for each of the uses patients wouldn't be able to understand this form without considerable help	matrix format is a good tool, but more explanation is needed on the form person who is administering the form would need to guide patient thru	I think that some type of 'yes' / 'no' check boxes might be helpful	there should be more explanation on the form including a preamble which mentions issues of expiry and renewal accompanying brochure written at a Grade 5 level
KI17	Data User	it's unworkable way too complicated	yes	well beyond the comprehension of average patient a lot more explanation is needed	if it was workable, it might make issue of consent more tractable as is, I suspect this tool wouldn't be useful	it is not user- friendly	I would suggest that this be tested with a group of users it could be embedded in broader public discussion of trade- offs between personal privacy & quality improvement
KI18	Data User	clearly presents the different possible uses of the data for researchers, the matrix is quite simple possibly too difficult to be understood by patients, esp. mentally handicapped/ illiterate	yes	no, you must better explain to patients what all the terms mean you could give an example based on data collected from pilot studies	to standardize procedures of Ethics Committees- enhance sensitivity of researchers patients will feel more respected by researchers	as it is, no	you have to insert a guide to define terms should give specific examples based on data collected from pilot studies
KI19	Data User	it appears to be a useful approach to consent	yes	language unsuitable for lay person table needs more work to make it comprehensible for lay person	would allow for a range of various options in consenting for use of PHI	general layout is OK def'ns need clarification	maybe use boxes rather than horizontal lines only
KI20	Data Holder/ Manager	I have some difficulty understanding how some types of info would be relevant for specific uses will be difficult to complete in knowledgeable manner	no	it must be more clear what types of info are relevant for each purpose (e.g., Aggregate info is clearly not relevant for patient care)	must emphasize that for research we typically want to use de- identified or aggregate info which will encourage consent	definitely will require intensive educational component to be practical	I would prefer separate forms for the various uses rather than lumping all uses on single form
KI21	Public Policy	an innovative approach topology is quite simple/ straightforward may miss some areas where PHI is used more info must be provided to allow for informed consent may be too general offers patients an opportunity to control use of their PHI	yes	satisfactory as a research tool explanations to be used with patients must be much more comprehensive use examples	could be used in various locations could be available in different formats such as paper or electronic	does not seem overly complicated- but instructions for health care profess'ls on how to implement will be needed a 'tick the box' format might work well	may be worthwhile to have a short definition section that is clear, concise and in plain language patients don't think of their PHI in the categories that are given across the top of matrix, but create their own categories so how will you handle this?
KI22	Data User	good in principle excessively complex	yes	considerable explanation needed for general audience	not useful	the layout is hostile	-
KI23	Data Regulator	provides framework to consider different levels of PHI	yes	yes	would show front-line workers the complexity of PHI & raise awareness of its use	I am not sure that I could improve the layout	-
KI24	Bioethics	I was enthusiastic but recognized that there are potential areas that will be problematic	mostly clear, except where choice is implied & there is none	it is self- explanatory is there scope for levels of acceptance, rather than a binary 'yes' or 'no' response?	could be highly useful to generate kind of blanket consent some data custodians would like to have preferable to get consent in advance to eliminate need to track people down	it is user- friendly as it is main improvement would be to add levels of agreement or conditional agreement	should separate the research use from registries as these are not identical and have different uses, liberties, and restrictions
KI25	Bioethics/ Data User	in principle, such a directive is a good idea the devil is in details & could end up being a very bad idea the idea has a long way to go; many issues the definitions of the terms are far too simplistic (even misleading) and need lots of work	I find it unclear and ambiguous	as presented, it is far from self- explanatory big missing part is the response options (e.g., 'I agree' or 'I agree that I will be contacted...')	a useful thing if it actually empowers people with respect to choices if too many boxes are non- discretionary, then could actually be disempowering	instructions are needed- headings are too broad (e.g., research and registries don't belong together) what does each category actually mean?	must explain the risks or potential harms to people potential for accompanying video or handouts to promote informed choice I sympathize with your challenge: it must be detailed but yet not too complex focus group testing is a good idea
KI26	Anonymous	nice concept, but too complicated for general use by the public	yes	depends on the purpose	will increase the autonomy of the very- educated regarding their PHI	no, it is not user- friendly still too primitive and will not be understood by general user	would suggest pilot testing

Table 2 - Key Informant Data: Feasibility and Benefits / Burdens

ID	Area of Expertise	How Feasibleis the HCID?	Who to Present?	When to Present?	Potential Benefits?	Potential Harms?	Does it Protect Privacy?
KI01	Data User	not feasible	should not be presented in current form	should not be presented in current form	as a policy and procedure framework	major work overhead leading to non- compliance by health providers major authorization bias patient confusion unintended impacts	we cannot afford to sacrifice major benefits of technology to fear of loss of control and the unknown which is seen as the main issue
KI02	Data User	requires more effort on behalf of either the interviewer or the respondent	a trained interviewer	when the patient is calm & alone	more information more informed public	complexity may turn people off	I don't know
KI03	Data Holder/ Manager	it will be challenging need to obtain authority from hospital to institute process administrative considerations also	should be a knowledgeable person who has ability & time to explain implications of not consenting	there aren't any good times to address this issue in hospital setting maybe in family docs office, but this also takes time	finally start to grapple with issue of consent	people not consenting due to poor presentation or biased staff could be terrible consequences for research & management of health care system	yes, as I see that your form gives patients the option, which is what consent is all about
KI04	Data User	I think we need to test it out to see if it's workable would need this type of evidence to convince others that it could be done	would depend on where you are using it (e.g., hospital admissions or ER)	at admission or for ER when usual follow-up is done what about proxy consent	possibility of having available a large database where consent has been given already	don't see any harms you would want to know who had not consented burdens on already busy staff feasibility study is necessary	one assumes the guardian for the HCID dataset will employ privacy safeguards for large databases
KI05	Data Regulator	it may be feasible, but it is not clear who or when HCID is completed not clear how the info on HCID could be tracked & applied across wide system	could be presented by Min of Health or primary care providers could present	could be presented at time of issuing or renewing health cards or at point of first contact best if only completed once & then used across entire system	it could be educational & allow more individual control over PHI if applied across whole system, it could save time & money	it could hamper some secondary uses of PHI that may be in the public interest (research) it could prove to be too burdensome to administer	yes, it has the potential to do so if above suggestions are taken into account
KI06	Data Regulator	implementing such a system will require time & effort it appears to be more feasible than current practices	it is not crucial to identify a specific individual or group to present it is more important that whoever does present HCID be informed & well- trained	as soon as possible since getting consent at the initial stages is much more efficient than trying to seek it later also would introduce a level of consistency	facilitating informed consent empowerment efficiency ability to balance competing interests help health care bodies comply with legislation	time & resources another level of bureaucracy for patients frustration for patients & staff	by providing patient with informed options & ability to choose, the HCID appears on surface to protect privacy patients must be assured of confidentiality when they choose not to consent to secondary uses of their PHI
KI07	Data User	custodians of large databases might find this too much trouble and simply bar access to info would be expensive to implement	the physician because he/she needs access to info more so than others	when joining a practice or a health plan	individual has say in how their PHI is used data users can indicate that they have approval to use the data	like any form of consent, individual may be reluctant to give approval, especially for secondary uses this would have negative affect on research & health planning	limits the use of a person's data to the manner that is approved although patient privacy & confidentiality can still be breached
KI08	Bioethics	a great idea if goal is to promote & protect individual privacy this might make HCID unattractive to those with other agendas	could be in a variety of settings as long as presenters are knowledgeable & have time	it would be preferable that these issues are addressed prior to major health crises	promoting individual privacy & freedom may actually promote certain uses of info if the education/trust issues are dealt with properly	mass confusion! consumption of health/health research resources possible disruption of important health / health research goals	potentially a very important step how do you propose to address issues arising when a person cannot provide consent (children or cognitively impaired)?
KI09	Data User	should be feasible, but the educational component may be time consuming- feasibility will also depend on whether or not the majority view dictates the final process if process is tailored to every person, can it be meaningful or practical?	should be presented by health care system (i.e., provincial or regional health authorities)	should be presented before people are in need of health care so it is not thrust upon them when they are vulnerable	indicates how info potentially flows allows info to be used for interests of society may provide comfort to patient to know PHI is being protected will permit research	may be viewed by cynics as a PR exercise trying to hide real threats to their privacy may generate a belief that privacy issues are now all solved large numbers of patients may opt out, without fully understanding the implications for research/ planning	no, it needs to be one of many strategies since no single solution will guarantee 100% protection strategies tailored to individual choices may be incredibly complex to implement & complexities increase room for errors
KI10	Bioethics	I think this is a feasible method of obtaining informed consent from empowered people but still a long way to go, a good first step it is an excellent approach	no question that patients must interact with professionals to complete this form only limited amount of this can be done via Internet	probably at a time when patient is not feeling vulnerable maybe need a staged approach, not all at once	I agree with the potential benefits stated by Upshur & Goel and cannot improve on their discussion	inadequate resources to fulfill the ethical- mandated implications of the concept this leads to invasions of privacy & annoyed public	I think it could do so the resource requirements (a video or brochure) will become more evident as project is implemented
KI11	Public Policy	I think it is worth doing a pilot study using the form to assess time it would take to explain to people, answer questions, & have them complete form	a hard question physicians' staff could be trained to present it special interest groups could offer it government could present with health card registrations	should be completed before it is needed (i.e., not at point of admission to hospital)	if it is considered to constitute informed consent, it will be a benefit if people have to be asked again at the time their data will actually be used, then there is no point in HCID if it is easily accessible to those requiring the consent, then it would be a benefit	it may not be recognized by certain jurisdictions as satisfying consent requirements it does not distinguish between types of PHI that may have varying levels of sensitivity such as sexual health	concerned that PHI with varying levels of sensitivity are not addressed in this form could use footnotes to deal with this on a case by case basis
KI12	Data User	depends entirely on implementation if properly implemented, it would be both feasible & useful critical for principle of informed consent to apply here what about issue of updates/ expiry?	this is most important question each health care facility should have a patient privacy advocate to work one on one with people	depends on whether it can be completed in stages/ sections if so, then first 3 sections could be completed at the first visit to doctor/hospital remaining sections must be presented when there is no pressure or crisis	it has potential to benefit certain kinds of research in terms of speeding up ethics reviews	if it is properly administered, the burden is primarily one of extra resources	it will do so only if adequately implemented according to principles of informed consent & through a third party consent should be required to be renewed periodically
KI13	Data User	tough to say whether feasible likely not feasible to educate entire adult population & collect consent what about non- respondents?	probably inappropriate to present during acute health event so after discharge is better	no time during regular visits to family doctor, so have to be outside of care encounter	need something like this in health services research	major barrier to health services research lack of access to data for entire population (e.g., deceased, those unable to consent, non- respondents, etc)	only if very transparent and easily understood by average person I'm not convinced there is a major problem regarding privacy issues
KI14	Public Policy	it's not very feasible as it requires too much info to produce a really informed choice because of this, it may bias patient toward minimal or non- disclosure	no comment	no comment	would like to see a new draft before commenting	bias toward minimal or non- disclosure must attempt to overcome implicit conservative bias of the schema	I would have to see the next draft must attempt to reach consensus on where the schema should be pre- blocked to indicate non- discretionary uses of PHI
KI15	Data User	I am uncertain it will not be easy, but then nor will any other approach despite this uncertainty, I am certain that this is a valuable line of enquiry	difficult since the same patient may fill it out differently at different times if we move to E.H.R., then a broad public approach will be needed	best presented when patient enrolls in the E.H.R.	clarity as to patient wishes	confusion HCID may diminish or enhance the authorization bias does it allow too much choice?	this question is unanswerable as privacy & confidentiality depend on how the data are managed, not on the consent form itself will HCID increase patients' belief that their privacy is being protected? A good research question
KI16	Health Informatics	this form could not be used in the healthcare system today a major public education campaign needed will take too much time for health professional or admitting clerk to explain to patients patient anxiety is also an issue	should be presented by the admitting clerk or health professional ideally, it should be presented by the person collecting PHI, but this is not likely to happen	should be presented at the beginning of the visit with a verbal confirmation at the conclusion of the visit	-	biggest harm is the creating concern about the ongoing use of PHI without consent an ongoing public education campaign must address this conundrum	there is adequate protection if it is for a specific time period only and not permanent the initiative should not have to be taken by the patient to withdraw consent
KI17	Data User	not feasible it is way too complicated for average patient or even a highly educated patient we have enough trouble getting informed consent for patient's clinical treatment and this is even harder	someone from administration who really understands the issues it would be too onerous, expensive, inappropriate to require care providers to present this	before the data are collected	if it was feasible, it might make the consent issues around PHI more tractable	massive confusion wasted time wasted expense	not sure, although I think this is a good attempt to get at a very serious problem what is really needed at this time in Canada is a broad public dialogue on this topic so people will understand the trade- offs involved
KI18	Data User	seems too complex, esp. in geriatrics and Psychiatry have to test it in several groups to produce a refined version should be applied with groups from different cultures	nurses and research assistants	when the research project is explained to them it will become a problem to ask them again later	respondents will feel respected by researchers more adequate management of personal info if everything is completed, the response rate may increase	is a risk when you raise some anxiety, an emotion experienced in anticipation of some specific pain or danger among patients it will require explanations and will make more complex/ difficult to get consent	in principal, it is an improvement to the level of protection and management of personal information
KI19	Data User	would depend on level on understanding of patients	not the doctor, a clinical nurse or someone not the primary caregiver	at routine visits, not in an acute setting the latter would not be an appropriate time for sober reaction	-	-	if properly used, it should- the concept is great in theory need a pilot project to get the language, forms, and process right before large scale implementation
KI20	Data Holder/ Manager	a form that refers to PHI for so many uses may lead patients to believe that all uses are equally valid	must be presented at first introduction to the health care system where it likely the info will be used	if it is to be presented every time patient has health care, then it will be very difficult to handle and data would be incomplete and of no use to researchers	at this point, I am not sure	confusion may instill belief that all uses of PHI are equally valid	I am not sure this type of approach is feasible, although it may be the only way to handle privacy the real problem is offering the patient a thorough explanation of the issues and ensure they understand
KI21	Public Policy	it is worth testing to determine its feasibility in a number of areas (location of presentation, format of presentation, etc)	in some cases, it may be appropriate to be presented by doctor/nurse in other cases, it may be more appropriate for administrative person	should be presented at the outset of medical treatment	if effective, could help manage PHI and issues of consent could be used in various formats (paper, electronic)	form may be too general to cover all situations tool must be tested with patients to ensure that they can understand it fully	in and of itself, the HCID cannot fully protect patient privacy/ confident. form can be used to simplify collection of patient preferences regarding their PHI privacy also relies on accountability, safeguards, access, compliance, etc.
KI22	Data User	it is not feasible	-	-	increased access of researchers to databases	people will consent without fully understanding issues	-
KI23	Data Regulator	I have reservations about how it can be used with patients would depend on how ill patient is & on the patient's relationship with the caregiver	I believe the first contact should be with the patient's doctor	this is a very difficult question should present before medical procedures take place this will be difficult if the procedure was not a success	would provide more power to the patients who in the end who feel that their PHI is being protected	results of research will be unreliable and of little use to society even though I am concerned about the protection of privacy, I am also concerned that health research may not be promoted by HCID	yes
KI24	Bioethics	a good start, but there are some problems with blanket consent in the long run and I'm not sure they've been addressed is blanket consent respectful of autonomy or can it assume too much?	good question that is not easy to answer ought to be a person that is knowledgeable about privacy & patient rightsand able to speak to the advantages as well as risks	not sure	having the blanket consent will be useful to researchers and registries will raise awareness about uses of PHI which may have further beneficial effects such as better security, more uptake in research	may create a false sense of security both for patients and those who use the data could generate complacency blanket consent could eliminate specific consent which may be more appropriate in some cases any breaches of patient's choices will result in loss of trust	the assumption could be too far sweeping I would want to be assured of restrictions on the use of such info even if blanket consent has been obtained it is the unforeseen uses and risks that most concern me
KI25	Bioethics/ Data User	hope it's workable once refined I fear that to satisfy people like me it would have to be so detailed & complex that it would become unworkable possibly a layered approach would be good (more info for those who want it)	someone independent whose goal is solely to help patients make informed choices in my view, family doctors would be best gov't should supply a billing code for 15min consult on privacy issues	I don't think it should be mandatory to complete, but rather presented with opportunity (e.g., family doc, notice from OHIP, etc.) there is no single perfect time, but should be no coercion to complete	if done well, will promote empowerment & shared decision making will protect privacy could also promote meaningful debate	no doubt it will be an administrative hassle and incur costs I anticipate that if people are indeed empowered some will choose not to consent to use of their PHI a worse potential harm would be that, owing to politics on this, would only be an illusion of empowerment but really a sham and a manipulation	consent is important for sure, but it is not the only 'gatekeeper' in addition, need for robust data protection measures & security plus in some contexts, the professionals' fiduciary duty may even trump the patient's consent
KI26	Anonymous	not very feasible	not ready to be presented	-	patient direction	bias in health research	not sure

11.2 Focus Group Meetings

Twenty-eight participants took part in the four focus groups:

Professionals Group:

• 8 participants - identified as PROF 1-8

Advocacy Group:

• 6 participants - identified as ADV 1-6
• Immigrants Group: 7 participants - identified as IMM 1-7
• Seniors Group: 7 participants - identified as SEN 1-7

Participants were between 29 to 76 years of age; 70% were women. Tables 3 and 4 present the characteristics of individual participants.

Table 3 - Age and Gender Profile of Focus Group Participants

	<30	30 - 39	40 - 49	50 - 59	60 - 69	> 70	Total
Male	1		3	4			8
Female	3	2	3	2	4	6	20
Total	4	2	6	6	4	6	28

Table 4 - Education Profile of Focus Group Participants

	<30	30 - 39	40 - 49	50 - 59	60 - 69	> 70	Total
Some High School						3	3
Completed High School	1		1		1	2	5
Some College / University						1	1
Completed College / University	1	1	4		1		7
Some Graduate Education			1	1			2
Completed Grad. Education	1	1		5	2	1	10
Total	3	2	6	6	4	7	28

We identified six themes that underlie the focus group discussions:

1. Knowledge and understanding
2. Control of access
3. Mistrust
4. Content and format
5. Implementation
6. Perceived need and utility

11.2.1 Knowledge and Understanding

We engaged participants in a discussion of the issues pertaining to health information and privacy. It was clear that the fundamental questions of who has access and who should have access to personal health information were entirely novel to immigrants to Canada. As indicated by one participant, this issue was not previously part of their mindset:

"I think the truth is, I don't know. I've never thought about that before, who has my information." (IMM5)

Even among some of the participants who were born and raised in Canada, basic aspects of health information were not clear, even though they assumed that they were:

A participant in the advocates group expressed a perception that the general population has limited knowledge regarding these issues:

"That's another thing. What do people know about what they can get access to, what they can ask for, and what they can expect? I think the majority of the population has no idea of what they can ask for and expect to get." (ADV4)

In addition to having a low level of understanding, many participants were of the belief that they have very little personal control over their own health information:

"We don't have any control." (IMM6)

11.2.2 Control of Access

Users demonstrated great concern about wide access to their information by all members of the medical field and beyond. They named insurance and pharmaceutical companies as major threats to their privacy:

"I mean, what if insurance companies eventually get a hold of information about you and an insurance company is able to say, 'You know what? This person's a high-risk person. This person could potentially have - or this person's genetic make-up dictates that this person's going to have cancer at a very early age, and we're going to be paying out a huge payment if this person croaks, so let's boost up those premiums.' That's the negative side to that kind of information being available." (PROF2)

"That's something I wanted to say... that somebody who works for an insurance company, or a pharmaceutical company, or a chemical company cannot access the information, even if the doctor working within that company can access it. That's what I really have the strongest objection to, is getting [information] outside of the medical society, or medical community, and into the outlying areas." (PROF4)

"Sharing information with drug companies -- we have no idea what happens in terms of that." (ADV4)

Several participants were concerned that their personal health information is not secure, and that a tool such as the Health Care Information Directive would not significantly increase the security of this information:

"So, I can't buy the concept of selective sharing of information because I don't believe that information can be kept distinct and shared selectively. It will spill, it will bleed, it will flow, so I'm distrustful of the whole thing. This just sets up more spilling, and more flowing, and if I get a form like this [the information directive], and I check off, then I validate the process, which I don't really trust." (PROF7)

This 'flow' - or 'leakage' - was a recurring issue of concern. While participants were skeptical that the proposed information directive would prevent this type of flow, it was seen as an important step forward in that regard:

"What's going to prevent any leaking from one of these into the other? I don't know if that's going to be possible. We still have to try it, though. We still have to try to put something in place as much as we can, knowing full well that it's - what, is it going to be 60 percent effective? I can't see it any more than 60 or 70 percent effective. There's always going to be somebody, or bodies of people, that are going to find information, or pay somebody off. I mean, our society might not be as corrupted as other societies, but we still have ways of doing it." (PROF5)

In order to prevent those potential threats, participants suggested that an ombudsman or some sort of monitoring system is needed, so as to avoid (or minimize) leakage, both inside and outside the system. Another idea was for a system which the users could access themselves, and which would allow them to monitor who has accessed their information and, specifically, what information was accessed:

"What I think could be interesting is if somebody accesses your information, you can see who is looking at your information. If some university researcher is looking for your information, then you can see that. So if anything happens in the future, you can see who has been using your information." (PROF1)

These mechanisms would provide users with some control, and might also serve to prevent abuse by other players. Another, similar strategy for the control of leakage could be to stratify the data in such a way that a given health care professional could access only the information he / she needed, but not everything in the patient's file:

"These people can have this level and these people can have this level, so that the physiotherapist needs certain x-rays and certain things, but they don't really need to know the exact details of certain medical conditions. The fact that you had an abortion is totally irrelevant to a physiotherapist. Somehow or other, the data needs to be stratified." (ADV1)

Concern was expressed regarding the wide access that health care professionals, including medical students, may have to PHI, and whether official confidentiality guidelines are followed:

"Well, after the person appeared, I guess there was a 'Do you mind?' but certainly no signing. My son has just recently been diagnosed, back from a trip [abroad] with some odd sort of thing, and he visited a tropical medicine doctor the day before yesterday, and a third person, a student at some level, was there. I don't know what they said to him, but it can happen not just in a research hospital, but it can happen wherever. I don't know. It's hard to know..." (ADV4)

At the same time, however, there was a clear recognition that those who need to use patient information should have access to the necessary information:

"Information should be accessible by health care providers and enabling the system to serve better." (ADV3)

Most participants also acknowledged the positive aspects of sharing information. A common example cited was that of community pharmacists:

"One is an independent and one of them is Shopper's Drug Mart, but they both seem to know. That had never occurred to me. It's good because say you went to two different doctors or just because you get one [prescription] from one pharmacy and you get one somewhere else, theoretically it could conflict." (PROF6)

"...or medication of some sort in a hurry, and you had no access to a doctor in this obscure place that you've gone to, if you went to a pharmacist, they could ding you long-distance, or ding into the system and into the computer and there would be everything about you, and they would know exactly what to give you..." (SEN6)

On the other hand, there was a consideration of limiting this access, in order to prevent health care professionals from potentially accessing all information (especially information of a sensitive nature) contained in the patient's chart:

"Obviously, you don't mind a physiotherapist knowing about your knee, but you may not want them to know about something else... I think you want only information going when it's necessary, not just handing someone the whole file and saying, 'Pull out what you need'." (PROF6)

The vast majority of participants expressed concern about accessibility to their personal health information:

"We've all heard stories where there's been stolen identities. How difficult is it for the victim to get his or her own identity back? Same idea. Where does it end? Where does it stop? Who's got what information? How am I going to protect myself?" (PROF3)

11.2.3 Mistrust

Issues related to trust were raised in each of the four groups. Participants of all ages and socioeconomic groups expressed feelings of mistrust in relation to the protection of their privacy and the security of their personal health information. For example, there was considerable mistrust towards pharmaceutical and insurance companies' agendas, as participants pointed out the access that these companies have to governments, hospital boards, and the heath care system itself, and the influence that they exert:

"Well, who's going to police this [the HCID]? What about the rights of the patient? Let's say I'm the patient. What kind of power do I have? Let's say this [HCID] was created next year. What power does the patient have to make sure any of this is happening? To me, a pharmaceutical company is way [emphasized] more powerful than the patient." (PROF2)

Participants also felt uneasy about the security of their PHI when being exchanged or transferred through the postal system or via the Internet. Others reported experiencing the disclosure or use of their personal health information in unexpected circumstances.

Another clear example of this mistrust is the following dialogue between two of the immigrants. They have been living in Canada for several years:

Previous personal experiences may also shape their beliefs and their understanding of sharing of personal health information. A few recalled that the Ministry of Citizenship and Immigration and the Public Health department have exchanged information about them:

"I know Immigration has something. I know that when I had to process my papers, they... had to get in touch with the health department, and they found out how was my health so they would allow me to come back. I didn't have to give them my consent. They just got the information they needed." (IMM3)

As described above, several participants have had negative experiences with government offices. These experiences are aggravated among those immigrants for whom language issues add another step to building their confidence in the system. Some participants expressed ambivalent thoughts on trusting the government and the health care system in particular:

"I think if they need, they are going to go for information. It doesn't matter if you say 'yes' or 'no'. By filling these forms out, and they follow whatever you say here, it would be good." (IMM2)

Finally, the quality of the physician-patient relationship appeared to colour participants' perspective on issues of consent and privacy. For one participant in particular, an exemplary relationship with the family doctor lessened the amount of concern regarding the privacy of PHI, thereby diminishing the value attached to the HCID:

"I don't know how what I think of it [the HCID], actually. I mean, I have this relationship with my doctor where I call my doctor, you know, I could call him tonight and leave a message, and they'll call me in the morning. If I need to get in in the morning, I will go in the morning, or take one of my children right away, any time. I don't even need my health card when I go, so I don't need this stuff [the directive or other such measures]." (PROF5)

11.2.4 Content and Format

In general, the focus group participants considered the HCID to be tedious and excessively complex:

"Maybe we've got too many columns...Trying to do too many different things at once." (SEN3)

Barriers such as these might promote inaccurate answers, as suggested in the following thoughts:

"I think people tend to say 'no' for things that are not clear. I would say 'yes' if I knew exactly what it means, but I don't know, so I don't want to take a chance." (IMM5)

Since the terms used were considered complex by lay people, participants suggested a few strategies such as creating boxes, giving examples, providing definitions, and using simpler language, so as to make the format more user-friendly.

Another strategy for reducing the workload for users, especially in difficult circumstances related to imminent health risk, was related to adopting a 'staged approach', in which users would fill out only the boxes necessary at the time; e.g., during hospitalization. Following is one such suggestion:

"They could have a properly trained person there. Do you want to discuss the implications of this with somebody? There's another desk, you sit down with somebody who leads you through it. I'd like to suggest that in fact, there may be a set of maybe no more than three or six boxes which somebody might be considering at the hospital." (ADV2)

As another way to address the length of the directive it was proposed that some boxes be 'not applicable' (shaded out), since the users would have no discretion (e.g., payment for fee-for-service, PHI for primary care providers). By the same token, there was an interesting debate about collapsing the third (de-identified data) and fourth (aggregate / statistical data) columns:

"Do those have to be two separate categories? Once the data is de-identified, once that's done, do most people care whether it's used for statistical purposes? I mean, are [columns] three and four that different for the average consumer?" (ADV4)

Regarding the list of primary care providers (physician, nurse, physiotherapist, etc.), participants were very firm in asking for a separate row in the HCID for each specific group involved in patient care. They also suggested the inclusion of translators and dentists.

Several participants in the advocacy group proposed that the order of the columns be inverted, so that it would progress from the least sensitive to the most sensitive information. With regard to the present ordering (from most to least sensitive), they believed that if one consents to providing access to the most sensitive information (i.e., personal health information), then one would not particularly care about releasing the other levels of information:

"With the reverse order -- from the least to most, rather than the most to least -- they might think more about it. If you want them to really think about each block, well, if I were doing this, once I made my mind up about the first block, I probably wouldn't ever think about next one." (ADV4)

This opinion was not unanimous, however, and several participants noted that the ordering should remain the same as it was originally presented:

"It might be the opposite. In other words, I'm prepared to have my information used in an aggregated sense, but I'm not prepared to have it used in a de-identified sense, because with de-identified it's still an individual set of characteristics." (ADV2)

"...because users should focus on what is really important...I want that to be the first thing people think about." (ADV1)

Participants expressed strong views regarding the type of model that should be utilized with respect to an information directive such as the HCID. While there clearly was some confusion around this issue, especially with the terminology, the vast majority appeared to favor an 'opt-in model' in which participants would have to give informed consent before their health information could be used or exchanged:

"I think the default should be 'no information'." (PROF6)

"I don't like this system [the opt-out model] because if you don't say anything, then you're in. I don't like this. I prefer if you don't say anything, somebody has to ask you 'yes' or 'no'." (PROF 8)

"I think it should be 'opt-in'." (PROF7)

11.2.5 Implementation

There was a strong debate with regard to whether paper or the Internet should be used for filling out the HCID. A few participants manifested clear concern about providing their PHI to be stored / made accessible via the Internet:

"Oh, I particularly prefer computer, but I know that there is a risk for stolen information. In that case, I guess paper is more secure than computer." (PROF8)

They were quite aware of the fallibility of the security systems for electronic files. Several participants suggested that health information at the 'aggregate' and / or 'de-identified' level could be available online, but not PHI.

One participant would prefer to see a questionnaire format instead of a table. Others mentioned the need to access a clerk, in a health clinic or via a help line, to clarify details on the HCID. Across groups, there was a split between filling out the HCID at the doctor's office or at the OHIP office at the time of renewal. This was also a preferred route for some participants in the seniors group who did not want to take the risk of using the mail:

"I prefer the doctor's [office]. I wouldn't fill it and send it back through the mail, no." (SEN7)

Members of the immigrants group indicated a preference for returning the form by mail rather than via the Internet, as it would allow them more time to think about the questions.

Regarding the issue of renewal, most participants would prefer to do it at any time or once a year. One participant expressed a belief that making changes at any time could become too onerous for the system.

11.2.6 Perceived Need and Utility

As one participant noted, the proposed HCID arrives in a society struggling with balancing personal privacy and the public good:

"I would say that there are two issues that concern me. One is the sort of 'Big Brother' that we're now beginning to perceive. In the name of security, there is an increased threat of information both being used and misused. And secondly, that human dignity is being lost." (ADV6)

"It's the classic debate between individual rights and the collective or society." (PROF2)

In the last couple of years, privacy has become more and more of a public issue, especially in the midst of several high-profile cases of breeches of privacy:

"These things like, 'Oh, gosh, we threw all those boxes of files out instead of shredding them. All of your medication information is now in the streets of Saskatchewan,' or whatever. I think there needs to be due diligence, due care. I think it is an issue." (ADV6)

One participant noted that the HCID may also serve a useful purpose as 'a sort of consciousness-raising' tool. Other impressions varied from 'it has some potential' to 'it is a great step forward'. Reactions were mixed in response to the question of whether the HCID will be successful in empowering individuals and increasing the amount of control over PHI:

"I guess the reality is our information will be shared, so we might as well get on the bandwagon with regulating it and controlling it... You can't stop it from being shared, so maybe you can influence how it will be shared." (PROF7)

"I'm very dubious as to whether this matrix will be useful because of the difficulty people will have filling it out. In spite of that, I think the idea has merit and principle. There's merit in what you're trying to do, but I don't think that this is going to succeed." (ADV5)

Despite the weaknesses and limitations of the present version of the directive, one participant neatly summarized the view of the majority of participants regarding the utility of the HCID (or a tool similar to it):

"Not having it allows total absence of control -- therefore it is a necessary evil." (ADV2)

12. Discussion

The findings of this evaluation highlight the complex nature of health information privacy and respect for personal autonomy. The concept of the HCID, though intended to enhance autonomy and choice, was not universally viewed by our key informants and focus group participants as achieving this goal. This reflects the inherent paradoxes involved in the collection, use, and disclosure of health information.²³ Many of the key informants were aware of the myriad difficulties associated with this process. The following two quotations reflect their assessment of the issues at hand: "I am not sure this type of approach is feasible, although it may be the only way to handle privacy" and "I sympathize with the challenge; it must be detailed, but not too complex."

Concerns were also expressed about how such a directive (which might cause, for example, an increase in authorization bias and the thwarting of legitimate public health goals or socially desirable ends) would affect the availability of data for research.

Clearly, the Health Care Information Directive will require a significant educational effort. The findings from the focus group meetings are suggestive of a low level of knowledge of PHI and its uses. This is consistent with recent reports.²⁴ It will be necessary to engage in public education and policy debate before such tools become feasible.

We believe that despite the reservations raised, it is possible to develop effective interactive tools that will allow consumers to express and document their own preferences for the use of health information. It may well be that no unique directive exists that would suffice for all purposes. Indeed, many key informants and focus group participants raised the possibility of employing a tiered approach or using multiple documents.

12.1 Recommendations and Future Directions

Based on the findings presented above, we are making recommendations in three broad areas: continued development of the Health Care Information Directive, public policy and education and, finally, directions for future research.

12.1.1 Development of the Health Care Information Directive

We recommend that a revised, more user-friendly HCID be produced. The revised version would feature a simplified layout, plain language, clear definitions, and significantly improved instructions and explanations. Better use of colour and graphics, in addition to the inclusion of more examples, would assist in making the directive easier to understand. The feasibility of an online version of the directive should be explored.

12.1.2 Public Policy and Educational Initiatives

We recommend the initiation of a broad public education campaign with respect to issues of privacy and informed consent. Preceding the implementation of any health information directive, significant efforts must be taken to inform citizens of the current uses of PHI, of the potential benefits and harms of consenting to secondary uses, and of the opportunities for public involvement in the process (echoing recent calls from organizations such as the CIHR for greater public engagement).

12.1.3 Future Research

We recommend that government funding agencies recognize the growing importance of privacy issues by dedicating significant funds to programs of research in this area. More specifically, there will be the need to pilot test any revised version of the HCID, both with lay persons and with professionals.

Appendix 1: The Health Care Information Directive

	Personal Health Information	Registration Information	De-identified Data	Aggregated Statistical
Patient care (access by caregivers, such as physicians, nurses, physiotherapists etc. next of kin, advocate, legal representatives)
Continuity of care between health care providers and administrative levels Reminders for follow-ups and screening tests etc
Payment (hospital / fee for service)
Administrative management (institutional and governmental / provincial)
Continuous quality improvement, peer review
Research Epidemiological study Disease registries
Hospital fund raising (mail-outs)
Deriving profit from data as a research product Marketing