The Networking of Health Information: Handbook for the Management of Ethical and Social Questions (2004 project report, Knowledge Development and Exchange Applied Research Initiative, Health Canada)

Diane L. Demers
François Fournier
Marc Lemire
Pierrot Péladeau
Marie-Claude Prémont
David J. Roy

Centre de bioéthique
Institut de recherches cliniques de Montréal
110 avenue des Pins Ouest
Montreal, Quebec H2W 1R7

Telephone : (514) 987-5617
Fax : (514) 987-5695
E-mail : pierrot_peladeau@ircm.qc.ca

Official Archive : 1^er quarter
National Library of Quebec
National Library of Canada
Printed in Canada

Acknowledgements

Many people have participated in the production of this manual. Our most sincere thanks go to Mme Mary Gribbon, who conceived the initial handbook. Also Mmes Denise Brouillard, Marie Pelchat, France Thibault et M.M. Reginald Blanchard, Andre Garon, Stephen Lafferty, Rene Rouleau et Guy Talbot who, with the kind knowledge of their respectives organizations, Droits et Recours Laurentides, le Regroupement intersectoriel des organismes communautaires de Montréal, l'Association des archivists médicales de Québec, SOGIQUE Inc., le Collge des médecins du Québec, Purkinje Inc., la Régie régionale de la santé et des services sociaux de Montreal-Centre and the Centre universitaitre de Santé McGill, contributed to the same handbook by their invaluable comments,. We also wish to thank Mme Mary Hirtle, lawyer, as well as MM. Jean-Guy Lacroix of the University of Quebec at Montreal, Claude Sicotte of the University of Montreal and Fabien de Lorenzi of the Univerity of Sherbrooke for their valued comments on the manuscript.

We would equally like to express our gratitude to Mme Electa Baril for her administrative support during the length of the project and the work on the language revisions which were carried out in concert with M. Jacques Beauchamp; Mme Christiane Desroches for conceiving the graphics and working on the format; Mme Emmanuelle Marceau et M. Thierry Hurlimann for the documentary research; et Mme Carole Marcotte for the standardization of the reference and footnotes.

A large number of people contributed to our thinking and drafting of this project, especially their participation in the studies and in the activities outlined in Un manual ancré dans l'experimentation et le savoir de l'Introduction générale or by their comments on the first versions. We also especially thank the heads of the projects of information health networks who encouraged us to produce the tools on the social, legal and ethical questions that they encounter; key personnel in the Quebec health system as well as those experts both within and outside Quebec who participated, respectively, at the focus groups and at the Delphi enquiry on the challenges which emerged with the development of the health network.

We particularly want to acknowledge Mme Charlotte Thibault, consultant, et M. Raymond Grenier, Head Professional at the Faculty of Nursing Science at the Univerty of Montreal, who with great expertise, have respectively conducted the focus groups and the Delphi enquiry. We also thank Mmes Anne-Marie Savard, Marie-Eve Bouthillier et Suzan Lebel who assisted in organizing these events; Mme. Beatrice Godard, who conducted the interviews with the nurses and patients having lived with a networking experience; and Mmes Marie-Chantale Poisson et Helene Cade who transcribed the interviews and discussions.

Finally, we thank M. Rejean Laprise who participated in the development of this project and Mme Robyn Tamblyn of the Department of Medicine of McGill University who, in opening the door on their clinical health and information experience, were able to offer a very privileged point of observation on the networking of health information.

The design, writing and production of this handbook were made possible with the financial assistance of Health Canada in the framework the Knowledge Development and Exchange Applied Research Initiative (Proposal number : RICS #G36BDP1-0055).

The Authors

Diane L. Demers
Ll.D., professor at the Départment de sciences juridiques, Faculté de science politique et de droit, Université du Québec à Montréal, Montreal, Quebec

François Fournier
M.A. Political Science, Ph.D. Sociology, Professional researcher at the Centre for Bioethics, Clinical Research Institute of Montreal (IRCM), Montreal, Quebec

Marc Lemire
Ph.D. Political Science, Professional Researcher at the Centre for Bioethics, Clinical Research Institute of Montreal (IRCM), Montreal, Quebec

Pierrot Péladeau
Legal officer and specialist in the social assessment of personal information systems; scientific coordinator, Centre for Bioethics, Clinical Research Institute of Montreal (IRCM); associate researcher, CEFRIO
(Centre francophone d'informatisation des organisations), Montreal, Quebec

Marie-Claude Prémont
Bachelor of Applied Sciences, LL.L, Ph.D. Law, professor at the Faculty of Law, McGill University, Montreal, Quebec

David J. Roy
O.C., O.Q., LL.D. (H.C.), S.T.L, Ph.L., Dr. Theol.; Director, Centre for Bioethics (IRCM); Chercheur titulaire, Faculté de médecine, Université de Montréal, Montreal, Quebec

General Introduction

Networking Potentials and Risks

Although still in an embryonic stage, health information networking¹ is increasingly the topic of discussions and public policies and is manifested in a growing number of proposals and experiments. The computerization process and placing of information on networks is, moreover, a significant feature of the transformations of the healthcare systems in progress in Quebec, in Canada, and elsewhere in the world. These technological applications have great potential but the potential risks are also great.

Complex ethical and social issues

Numerous decision-makers are already showing their confusion in the face of the complexity of the ethical and social issues raised by the change; most of them, in fact, are ill-equipped to appropriately identify and manage these types of issues. For example, the only matters they perceive as problematic are those dealing with the protection of personal information and computer security; however, this type of approach leads to the neglect of numerous other questions that may become the source of problems and conflicts capable of compromising the implementation or success of a networking project.

Overall objective of this handbook

This handbook has been developed to promote the identification, assessment and prevention of the ethical and social problems of health information networking. The objective is not only to raise awareness of the promoters and other stakeholders in the change to the great diversity of the issues, but to support them by providing the knowledge and tools that will enable them to avoid the pitfalls most likely to be encountered. Moreover, ethical assessment must not be the private preserve of ethics experts alone; it has to be everyone's concern!

Anticipate, identify and avoid the pitfalls

Various networking applications...

There are multiple types of potential applications derived from health information networking, in particular: electronic patient records, population registers and, indirectly, telehealth tools when the production, processing and communication of health information on patients is made necessary by telehealth.

...affecting many activities

Placing health information on a network can have an impact on most core activities in the healthcare system, namely, clinical, administrative, research and training activities as well as the development of professional practices, public health and public education. It can be understood, then, that as it expands, health information networking will take on a strategic aspect in the daily life of numerous stakeholders in the healthcare system.

Complicated tools in complex relationships...

It is impossible to know all the implications of networking in advance, but the contention as a result of various research, is that networking will profoundly change a significant number of practices, responsibilities, relationships and standards. Transformations will also mark the communication, coordination, decision-making, supervision and control structures. Even if their goals are modest or they handle rudimentary information, technological tools are part of complex social realities; consequently, the complexity becomes more pronounced with every technological application, weaving new relationships among a growing number of stakeholders in the healthcare system.

...that are first of all social

In short, beyond the implementation of technologies, this is about individuals, groups and populations. This is what gives the decisions made in these matters an immediate social, indeed political, significance; and this is what signals as well, the degree to which technological plans must absolutely be discussed locally, regionally or nationally, depending on the scope of the plans, before proceeding to their implementation.

The importance of a well-planned technological choice

Numerous possibilities

There is a multitude of possible configurations with regard to networking. Nevertheless, a number of plans or policies are presented as if there are no possible alternatives with the exception of the status quo or a few options that would not be of much interest. If you believe this, there will only be one real solution: the one designed or ordered by its promoters, which is always presented as the best. If that were true, ethical assessment would be of less benefit since it would be limited to understanding the positive and negative effects of the only solution put forward with a view to optimizing the former and mitigating the latter. However, no single solution is "naturally" a must.

Numerous choices to make

Even the design of the simplest networking application demands hundreds of decisions, requires choosing among several thousand available options, whether with regard to hardware, software, programming, modes of communication, data definition, access and use of data, or ergonomic organization. Furthermore, the range of tools and systems endlessly expands, information processing capability can be driven in a thousand ways, the results of this processing can be communicated in various ways and there are more ways than ever to connect the tools and the systems.

Different social relationships

Beyond the physical organization, the same network can integrate and apply very different operating rules. These rules can deal with, among other things, record content; conservation principles, access and dissemination principles; rules for information use as well as users' rights and obligations. Accordingly, it is possible to design different networks that will allow, impose, forbid or cause very dissimilar social and institutional relationships in comparison to one another. Each will propose its own way of ordering the complex world of health services and organizing the relationships among the system's multiple stakeholders.

Subjective objectives and interests

A technology choice is, then, anything but neutral, even if it wraps itself in the virtues of rationality and expertise. In fact, well before the design of projects until well after they are implemented, stakeholders defend a vision, directions and priorities which prove to be preferences that are not necessarily technological but cultural, economic or political, with the result that certain networking choices may not give the corresponding priority to a social need or, in any event, to a need that has been socially identified and is shared by all the stakeholders affected. This is why it is important to include assessment mechanisms from the initial phase of the project; they allow exchange not only on the identification of needs, but also on the ultimate aims of the networking plan.

Maintaining a critical outlook

Our fascination with technology can make us lose all critical sense: in fact, we like to believe from time to time that this or that innovation is, in itself, the solution to our problems. However, it must never be forgotten that technology is only as meaningful and relevant as it is well designed and tailored, based on actual needs, and that stakeholders in the environment find it useable and appropriate.

The global approach to ethical assessment

With regard to networking applications, we have already written that the possibilities are many; they are not all equal nor are they all equally desirable. This is where ethical assessment plays an irreplaceable role. By establishing as criteria the solutions' social, economic, environmental, organizational and operational relevance and validity, as well as their consistency with the society's fundamental values, ethical assessment encourages us to examine what can be done, allowed, tolerated or forbidden among all the scientific and technological possibilities. Initially, a number of decisions regarding networking may seem innocuous from an ethical point of view; but, as this work shows, to the contrary, a number of decisions involve and raise substantial issues such as the distribution of power, the sharing out of benefits and stakeholders' control. Ethical assessment -- and herein lies one of its strengths -- does not overlook any of these questions and seeks to render them transparent, including the motives and interests of the promoters, as well as the change process and its impact on the stakeholders in the environment. In short, ethical assessment encourages the examination of the proposed technological solution from every angle before, during and after its implementation.

Why this handbook?

Specific objectives of this manual

A combination of approaches

This handbook is located at the intersection of four main approaches, each targeting in its own way the prevention and management of ethical and social problems similar to those encountered in the networking of health information:

The participatory approach consists in having different partners, particularly the users of the computer applications, participate in the various stages of an automation project. The social assessment of the technologies examines the relevance and of a technology or a technology plan and whether it is sound from a social point of view. Bioethics looks into the imperative, permissible, tolerable or unacceptable nature of technologies, practices and policies in the area of health. Finally, the complex of problems surrounding computers and freedoms focuses attention on the various possible impacts of computerization projects on individuals, indeed, on entire populations, and their rights.

A handbook anchored in experimentation and knowledge

To our knowledge, there is no document comparable to this one dealing globally with the real or anticipated ethical and social problems connected with health information networking projects. The decision to produce this handbook was made as the result of interviews with 21 persons in charge of 15 health information networking projects in Quebec who said they were ill-equipped to: personally identify the ethical and social questions raised by their projects; convince the decision-makers and users of the importance of the questions which they themselves identified; prevent or, failing that, to manage the problems that these questions could cause.

Thus, the team led or participated in various additional studies on the questions likely to emerge from an extensive networking of health information. These included:

The reflections, explanations and the courses of action for the solutions presented in this handbook were also driven by other studies and activities in which the research team or some of its members, took part. Thus, for example:

The work of a multidisciplinary...team

If the group of activities mentioned in the box on page 7 entitled "A Handbook Anchored in Experimentation and Knowledge" have powerfully contributed to the creation and structure of the handbook's subject matter, its conception equally benefited from the team members' multidisciplinary expertise in philosophy, ethics, computer science, law, political science and sociology.

Each chapter was first commented on and discussed individually or in a group, by the team members. Then, an outside expert was called upon for one chapter or another to perfect and optimize the content; we in fact wished to ensure that the handbook was assessed by individuals with the appropriate training and areas of expertise. Finally, an advisory committee made up of representatives of the manual's targeted user groups met at the beginning and end of the writing process: first, their expectations were recorded and then it was ascertained whether the handbook for identifying ethical and social questions really met the needs of the different user groups targeted and if the handbook was easily used by them.

An easy-to-use handbook intended for a broad audience

For non-specialists

This handbook is designed to be easily used by all the stakeholders in networking projects; therefore, espectially by ethics, law, sociology and computer science non-specialists. Obviously, it can be used in various ways, but since its role is to drive reflection for the planning, implementation and decision-making related to health information networking projects, it is strongly advised to read and use this handbook from the beginning of the process, that is to say, starting with the needs analysis and design stage. Using the handbook in this way will make it a more effective tool for the prevention of blunders and slips in the networking process.

For all stakeholders involved

Finally, the handbook is intended, first and foremost, for the various stakeholders and partners involved in networking projects: applications developers, healthcare system users and subject-groups of population files, nurses, physicians, pharmacists and other health professionals, administrators, medical archivists, network managers, regulatory agencies, hardware suppliers and computer service providers and other health information users and specialists.

The handbook's two main parts

Initiation to networking ethics

The first part is a general introduction to networking and the ethics of health information networking. The networking situation in Quebec is fully described; we seek to go beyond appearances to identify the potential changes hidden in the networking process; we describe its dynamics in the present legal context, then indicate the principles and values at stake in the ethical analysis of networking.

Probing the key dimensions

The second part is very different and identifies about ten key dimensions to take into consideration in the design and implementation of every health information networking project, or risk running into major difficulties, indeed, a total failure. This part opens with a text that gives an overall picture of the major ethical and social issues raised by health information networking. Each of the following chapters then deals with a particular main issue.

Part 1 - Introduction to Networking Ethics

Introduction

Health information networking has many dimensions: Hardware, informational, legal, organizational, social, political, etc. The field of ethical assessment exploration is vast and draws attention to numerous questions from various angles. Appearances aside, networking is a complex process that must be correctly defined in order for the issues to be grasped; ethical assessment's contribution is precisely to reveal the nature of these issues.

The objective of this first part of the handbook is to introduce the reader to the networking world from legal, sociological, computer science and ethical perspectives. Reading this part is a prerequisite to a good understanding of the various themes addressed in the second part of the handbook; indeed, in the first part the concepts and constructs used throughout the handbook are explained, as well as the multi-dimensional context in which health information networking is spreading in Quebec.

For the inexperienced and the experienced alike, the chapters forming this first part will cause reflection and encourage practices that are predicated on a common knowledge base. Here is the content of Part I:

Chapter 1

Chapter 1 (Health information networking) is an introduction to the why and how of health information networking in addition to painting a realistic picture of the situation in Quebec. In particular, it is explained that the transformations in progress in the health system stimulate a demand for greater networking; its various possible functions and ultimate aims - administrative, clinical, public health and research - are closely examined.

Chapter 2

Chapter 2 (The social relationships established through networking) sets out to explain that the networking of information, contrary to what one may believe or hear from time to time, is not a purely technical operation with purely technical consequences. Networking projects or applications involve the organization and reorganization of social relationships between the health system stakeholders and these changes must not escape ethical assessment.

Chapter 3

Chapter 3 (The adaptation of standardized and computerized applications to particular, concrete situations) The main question of adapting networking projects or applications to the needs and the particular realities of their use is often obscured by our collective fascination with technology; this chapter tackles the question head-on. Analysis of this adaptation must also be part of an ethical assessment process.

Chapter 4

Chapter 4 (The legal dimension of networking) examines the current Quebec health information law and addresses the transformations of this law in the context of networking. Networking, in fact, turns the current circulation of information model upside down, especially because it shifts the loci of responsibility and control.

Chapter 5

Finally, the purpose of chapter 5 (Networking as the subject of ethical evaluation) is to specify the reasons why ethical analysis and assessment are needed now, and will continue to be needed, in health information networking. The ethics concepts that are used in the handbook will be described as well as the ethical assessment modalities for networking.

Chapter 1 - Health Information Networking

Summary Chapter 1

Health information

Not only about the patient

Health Information

Information generated in the health care and social services sector. In this handbook, we will focus on information generated on the delivery of health services.

Health information generated in the context of health care delivery is on the whole more complex and diversified than it would appear at first glance. The patient's medical record naturally comes to mind. This is made up of notes added by physicians and other health professionals who take into account facts, make observations, measurements or diagnoses pertaining to the patient's state of health. Analysis of this information gives indications which greatly go beyond the single particular patient and includes other individuals, places, resources and rules governing these individuals' behaviour.

The patient and those close to him or her...

Information placed in the patient's medical record of course concerns the patient's physical, mental or psychological health. This information can also provide information on those close to the patient, directly (immediate family, individuals to contact, friends, family history) or indirectly (genetic information that can also apply to blood relatives). The intimate nature of health information, the context of confidence and trust in which the patient transmits this information or allows it to be generated, and the possibilities for discriminatory or stigmatizing use, require uninterrupted protection of its confidential nature.

...and other individuals as well...

Health information also tells us about other practitioners (physician, pharmacist, nurse, attendant) and organizational levels of care (general hospital, family medicine groups (GMF), RAMQ) involved in providing health care as care dispensers, researchers, volunteers and all administrative functions connected to providing care (insurer, administrator).

Events, places, resources, management

Health information also refers to events or activities that involve the individual (birth, disability, illness, death), that can explain his or her condition (accident, exposure to a pathogenic agent, lay-off, incident affecting a loved one), that describe an action performed by the health professional (an examination, test, operation, prescription) or which report a decision pertaining to the patient (confirmation of insurance, elegibility for a service or care program).

This information also locates these individuals and events in space (address, institution, ward, room) and describe material or human resources used (equipment, expenditures, supplies, referrals to a specialist).

Health information also takes into account the rules and mechanisms that govern the use of resources for providing care (care or research protocols, individual care plans, monitoring, insurance scheme, technical standards for use of medical technologies or clinical practice).

Formats and support

Health information can take various forms (series of alphabetic and digital characters, images, charts, audio recordings) and be supported in various formats (computer memory, on-screen displays, film, electronic or radio signals, paper).

Between computerization and networking

What are the phenomena contemplated by computerization in the health area and what is the link between computerization and the networking of health information? How does health information networking appear across the Quebec health system and what are the uses or functions carried out? These are the main questions this chapter attempts to answer.

The act of organizing a set of activities with a view to the introduction and implementation of data technology and disciplines in information processing.

No networking without computerization

Computerization and networking health information are two operations that are intimately connected. Placing information on a computerized network first of all requires that this information be coded for availability in digital format. Inversely, computerization is of greater interest in a context of integrating the various elements of a system that are likely to communicate in this way with each other on a regular basis.

Neologism that expresses placing on a network; the sharing and use of information belonging to a field of activities (health, the legal system) between the participating individuals and agencies.

Computerization calls for standardization...

The first phase of computerization then is often standardization of the information, which accordingly, calls for the standardization of practices. Indeed, automated information processing requires that the stakeholders conform to standardized definitions that have meanings and consequences that are the same for all users of shared information.

...and organization

Networking requires that the information be organized, implies the connection of computer equipment to a telecommunications network and the pooling of computer applications among the individuals and agencies who are part of the network. A network's feasibility and viability furthermore require administrative, social, legal and ethical conditions that support the transmission or dissemination of this information among participants.

Where is the health sector?

Example of a sector in which computerization was relatively fast

Computerization has advanced at different paces depending on the sector. We know, for example, that the banking sector is one of the first major sectors to have completely computerized its clients' financial information. There are two main reasons for the banks' early move in this direction. The first deals with the banks' bureaucratic corporate structure and the compulsory relationships that they must maintain among themselves to complete the service operations and clearings required by the colossal number of transactions, not only among the various branches of the same bank but also between the different banks.

The second reason has to do with the very nature of banking information and the relative ease with which it is possible to digitize information that is fundamentally quantitative and objective. Moreover, management of this information comes under simple mathematical operations (addition, subtraction, calculation of percentages). In short, an urgent, unequivocal need together with the simplicity of converting the required operations into computerized formats, not to mention the enormous increases in productivity, explain the relative speed with which the banking sector completed its computerization.

Uneven progress

The health sector presents a totally different situation. Some even feel that it is one of the last information-intensive sectors to be conquered by computerization. To explain the very uneven rate of digitization across the health system, administrative activities must be separated from clinical activities. In fact, most of the activities pertaining to the administration of health insurance schemes are highly digitized, while the digitization of clinical activity data is only at an embryonic or experimental stage of development.

Payment management

The activities in which computerization has made the greatest progress have been in the administration of the health care system, particularly the area of payment of fees to health professionals like physicians and pharmacists. The centralization of payments at the Régie de l'assurance maladie du Québec (RAMQ), the relatively small number of transactions and the objective and accountable nature of the information in question explain why physicians' requests for payment and the fees paid to the pharmacist for every drug prescription have been performed electronically for a number of years already. Since April 1, 1996, the RAMQ receives electronic billing not only from physicians paid on a per fee basis, but also billing from physicians on salary or set honorarium, contracts or hourly rates of pay.

Insurance scheme administration

Vast computerized data banks for the administration of the different public insurance schemes are also in place, like the bank of all the insured persons in the public scheme and the bank of health professionals registered with the scheme. Other important data banks support management of the schemes, like the Med-Echo data bank which sets out all the services dispensed by the network of hospitals, in the form of a list of diagnoses and treatments.

Prescription drug insurance

Quebec's pharmacies have completed the computerization of drug purchase records. Quebec's compulsory drug insurance scheme that came into effect in January 1997 also brought about the implementation of an interactive communication network between the RAMQ and some 1500 pharmacies in Quebec. A number of private group insurers are also part of a communication network with the pharmacies for the transmission of direct reimbursement claims to the client. These national networks for the management of insurance schemes in the health sector, while interactive, are most often hubs of information, forwarding data in particular to a central receiver, like the RAMQ or the private insurer. The physician or pharmacist cannot, on the other hand, gain access to the information provided by other information originators.

The medical record

Computerization is however, much less advanced in the clinical field. This is particularly the case for the patient medical record, despite the pressing nature of the needs and the magnitude of the expected benefits. Even the large general hospitals have made relatively little progress in this regard despite the significant sums granted, as shown by the Canadian program for the development of the electronic patient record. Hospitals' level of computerization is almost diametrically opposed to that of the banks.

Extensive preparatory work must first be completed. A solution must be found for integrating information produced by multiple professional categories working in separate specializations and who provide a significant number of services to patients whose conditions and needs are so varied that every situation becomes unique.

A number of software programs for keeping medical records are currently developed and tested but none will be able to be universally prescribed. Professional needs are too different from one specialization to another or between the specialist and the generalist, not to mention the requirements imposed by under-serviced populations or local practice conditions. Even within a single institution, the many systems must be compatible and communicate with each other. Patient record networking requires adoption of standardized language and the definition of uniform data collection standards for professionals as a whole.

The difficult standardization of practices.

The research and attempts at standardization of medical data to be entered in an electronic patient record have made significant progress in Europe, the United States and Canada. However, these gains are still far from adequate to enable electronic patient records to be adopted on a large scale. Even among a group of professionals trained at the same schools and practicing in similar environments, it remains difficult to reach consensus on the standards for medical data input in actual daily practice. Some data is objective, frequently produced through observation or measurement instruments, like the patient's body temperature or blood pressure; but others are more subjective or stem from communication with the patient, like data on history and living conditions. This information lends itself less readily to standardization. There is also the fear that coding will cause a loss or reduction of meaning when standardizing clinical information. Add the difficulty of clinical rounds and information processing that appropriately meets the health professional's use requirements to these difficulties. What will be the compulsory or optional order of health information in clinical rounds, hierarchy or chronology? How will the lapse of certain information be managed? The answer to these questions goes beyond the simple use of a computerized modification instrument to the practice of medicine.

Computerization of measurements

A computer program that enables problems in a particular application domain to be solved with the assistance of a knowledge base established on the basis of human expertise. An expert system is basically made up of a knowledge base, a fact base and a mechanism that allows conclusions to be drawn. Expert systems are used particularly in medicine to support diagnoses, in insurance for risk calculation, and in equipment repair to identify a failure and suggest a solution.

These observations explain why the greatest advances in digitizing clinical information have been in essentially translating data based on measurement, like laboratory analysis results, measurement or imaging equipment like X-ray machines or scanners, as well as the resulting reports or diagnoses.

Expert systems

Computerization understood as the automation of processes is also open to significant developments in the area of health, especially through knowledge bases or expert systems. In the area of health insurance scheme administration, computerization already enables health professionals' usual or exceptional practices profiles to be monitored. Computer systems enable physicians whose professional practice deviates from the mean or prescribed standard to be identified, either by type or number of medical interventions or drug prescriptions.

In the clinical field, besides the knowledge bases that warn of harmful drug interactions likely to occur, some standardized care protocol monitoring systems have also been developed and tested.

From paper transmission to computerized networking

The limitations of paper support

Information generated within the health system was traditionally supported on paper. The advent of the photocopier provided a relatively easy means to transmit a copy of a record (or a part thereof) from point A to point B by messenger, mail or fax. There is still, however, a time lapse, whether long or short, between the request for information and when it is received. But most of all, they do not offer any simple means to rapidly provide information about the existence and location of health information regarding an individual. The compilation of data distributed in scattered records requires a significant amount of work. The archive systems where the records are manually indexed attempt to somehow to close this gap.

Networking's potential

The digitization of information now opens the door to networking health information on a large scale. Through digitization of various records collected within the health system, we are able to go from point to point transmission logic to a shared logic, in which every network participant becomes simultaneously both potential sender and receiver of all this information. In a single step, the requesting party can find out about the existence of a piece of information, find out where it is located and request communication and finally, obtain a copy. The requesting party can also on this basis, produce new information that will, in turn become accessible to the other network participants.

The confidentiality standard

The potential for communication offered by computerization is considerably restricted by strict confidentiality standards due to the sensitive nature of this information. Health information networking of is faced with a personal information protection model designed in another era. The restructuring of how care and services are organized brings the protection model into question today. We will return to this set of problems in Chapter 4.

Understanding networking conditions

The legal, social, administrative and ethical conditions that authorized or encouraged the networking of clinical information accordingly remain confused today. Requirements that are often contradictory or inappropriate are not reconciled and slow down implementation. This handbook aims to take a few steps towards a better understanding and management of these health information networking conditions.

Networking and health system reform

A need to share

The development of health care practices and the successive reforms of the public health system, particularly since the 1990s, increase the demand for sharing a patient's health information among different health workers. Networking patients' health information is presented as a solution to this need to share.

A more collective practice

In the era when a physician worked alone in a clinic or on the road, and the patient almost always consulted the same family doctor over long periods of time, the need to transmit the record to other health professionals was rather limited.

A work team

The advent of the public hospitalization and health insurance scheme systematized the collective practice of medicine. Sharing a patient record is allowed within the same clinic or institution by all the health professionals caring for the patient. The progressive specialization of the practice of medicine and of institutions also increases the number and frequency of requests to share a patient's health information among health professionals working in various places that are occasionally separated by great distances.

Information is more scattered

By the same token, patients themselves have become more mobile and less faithful than in the past. Besides moving house, people move more for work or leisure. As well, patients more often shop around for their health professionals. The system itself encourages infidelity by adjusting the consultation request to the availability of professionals (notices in the media, local community health centre health watch referrals). A patient's medical history is thus scattered among multiple records, it is difficult to obtain an inventory of the records and it is hard to locate them and rapidly access their content.

Restructuring

The merging of health institutions (especially among large university hospitals and regional health centres) has also increased the need for sharing records among the different providers who participate in the care plan of the same patient. The need to share patient information among care institutions, the home and the various government or social economics organizations participating in the same care plan have also been placed on the agenda by the shift to ambulatory care and the implementation of integrated care networks. The implementation of Family Medicine Groups (FMG), affiliated medical centres (CMA) or other similar networks requires the networking of patient records among private clinics and public agencies as well as with other institutions to ensure ongoing patient management in accordance with the responsibilities vested in each.

Inter-institutional programs

The inauguration of programs targeted by health problem in which responsibility for treatment is distributed among a number of organizations also increases the needs for networking health information. For example, the new Centre hospitalier ambulatoire régional de Laval (CHARL) is the management hub of 13 ambulatory care and service programs like geriatrics, the respiratory system, paediatrics, oncology and diabetes. Patients registered in any one of these programs is able to call on the services of a number of individuals attached to various agencies (hospitals, LCHS (Local Community Health Centre), specialized institutions). The entire project is based on a common information network (SI-PRSA, which stands for Système d'information de la programmation régionale des soins ambulatories) [translation : Regional Ambulatory Care Programming Information], which ensures the availability of information throughout the institutions visited by the patient.

Inter-sector programs

Other care programs can also overlap the public health network. This is the case, for example, for the McGill University Health Centre brain injury monitoring program (MUHC) which involves a number of health institutions (MUHS, LCHS, Rehabilitation centre), but also the donor agency (Société d'assurance automobile du Québec[SAAQ]), police services that intervene on the scene of an accident and community agencies that participate in the individual's reintegration.

Results-based management

The objective of the reform begun in 1991 in the Quebec public health network was to modify the distribution of power and responsibilities as well as to put the brakes on the growth in public spending. The commitment to rationalization was translated into the gradual introduction of new management methods: results-based management. Broadly based on performance and outcome indicators, this management calls for the development and implementation of computer and networking systems for producing and communicating the necessary data to closely monitor institutions' activities and their patients' situations. Results-based management is based on increased administrative accountability which can be translated into incentives for success (fiscal manoeuvrability for institutions, promotions or bonuses for individuals) or sanctions in the case of failure (budget cuts, trusteeship). Enactment of the law on public administration in 2000 extended results-based management to the Ministère de la santé et des services sociaux du Québec (Quebec Ministry of Health and Social Services) and other government agencies (RAMQ, CSST). Consequently, the health care system as a whole is thus subject to the rules of results-based management. This increases all the more the need for reliable data on institutions' performance and populations' state of health produced by government agencies and independent organizations (Conseil de la santé et du bien-être, Canadian Institute for Health Information) or the world of research.

In short, the modification of medical practice over the course of recent decades and the reforms in the organization of health care through the Quebec public health scheme are factors that create a need for sharing health information, for which networking is proposed as a solution.

Thus, despite the challenges and difficulties, the various components of the health sector are firmly committed in the implementation of health information networking.

Networking's functions

Networking can serve various functions. This handbook will examine five functions: administrative, clinical, public health, research and self-care. The same network can simultaneously fulfill more than one function.

Multi-level management

The administrative function revolves around good administrative operation of the health system. It targets certain procedures that are related to the administration of health care insurance schemes and is accordingly, intimately linked to the system's structure and management. Administrative management's level of complexity is reflected in the type of networking implemented.

The administrative function brings together a variety of procedures that can go from the identification of the patient or health professional to the control of health expenditures and planning of resource allocation within the health system, not to mention proof of eligibility for different insurance schemes, the management of institutions and the management of payments and reimbursements.

The administrative function of networking can therefore show up at various levels and take distinct forms that are intimately linked with the insurance schemes' funding structure and their implementation.

Example 1

Payment of physicians' fees

Physicians' requisitions for payment to the Régie de l'assurance maladie du Québec are an eloquent example of the computerization and networking process for administrative purposes. The digitization of data used for the calculation of fees serves as the departure point for the physician's automated request for payment. The physician submits his or her request for payment in electronic format to the Régie de l'assurance maladie du Québec which allows it to be processed by computer, from the calculation of fees claimed and verification of the request, to the issuing of a cheque or automatic deposit order in an account at the physician's financial institution. To ensure the correct operation of this objective, the RAMQ had to create a series of data banks, one of which on all the professionals able to request payment for eligible treatments or services, a bank of all the insured persons for whom the professional may request payment and another data bank on all the treatments covered with their codes and the fee schedule.

More advanced networking could enable the RAMQ to exercise even tighter control over expenditures. This was, incidentally, one of the applications planned in the smart card project (see Example 4).

Example 2

Payment for prescription drugs in the framework of the drug insurance scheme: a network between the RAMQ and Quebec's pharmacies

Quebec has experimented with different drug reimbursement schemes over the course of recent decades. Until July 1996, only seniors and the poor, in income security programs, received public drug insurance administered by the RAMQ. On January 1, 1997 the Prescription Drug Insurance scheme went into effect, that requires all Quebec residents be covered by drug insurance, shared between the public sector (managed by the RAMQ) and private insurers.

Implementation of prescription drug insurance schemes was a deciding motivator for inaugurating networks for the communication of the information necessary for the management of the insurance schemes. Certain private insurers currently participate in networks for transmitting patient claims for prescription drugs purchased.

For its part, the RAMQ, had to implement a network enabling it to be online with all the pharmacies in Quebec, to calculate in real time the amount of the patient's contribution and the amount covered, so that payment was made directly to the pharmacy (and not in the form of a reimbursement to the patient as is the case for private insurers), so to better meet the needs of insured individuals who are often in precarious financial situations.

Implementation of the network was entrusted to Bell (and their partners). The information on the drug purchase transactions is forwarded from the pharmacist's computer to the Régie which processes it and returns it to the pharmacist.

The administrative function can also go beyond the simple management of an insurance program. It can serve to assess the performance of an institution or program or to implement a reform to the funding structure or delivery of care.

Example 3

CIFINO

CIFINO (Collecte d'Information Financière et Opérationnelle [translation : Financial and Operational Data Collection]) is a web application used in health institutions in the Quebec public health network. Developed at the request of the Ministère de la Santé et des services sociaux (MSSS), this technology enables the different institutions to process and transmit their accounting data (financial and operational data) to their regional boards and the MSSS. It especially supports the authorities in the implementation of the Loi sur l'équilibre budgétaire du réseau public de la santé et des services sociaux, [translation: Public health and social services network balanced budget law], the anti-deficit law enacted in June 2000.

Example 4

Remote patient eligibility verification by RAMQ

In December 2001, the Québec Minister of Health and Social Services tabled for consultation draft legislation for the Loi sur la carte santé du Québec [translation: Québec health card act], pertaining to the implementation throughout Québec of computerized networked applications supported by the use of two types of microprocessor cards. Many of these applications are administrative. The first card would replace the current health card and the other would be delivered to health professionals, network application managers, etc.

Section 2 of the draft legislation specified that the systems planned were supposed to modernize public insurance schemes' (health, hospitalization and prescription drug)management mechanisms, as well as to support the organization of front-line services, the implementation of integrated care and service networks and the implementation of service corridors between organizations. Accordingly, this networking plan was part of a funding and service organization structure reform plan.

One of the applications in particular would allow remote verification by the RAMQ of a patient's eligibility for a required service. Like the banks which electronically pre-authorize a transaction by debit or credit card, the draft legislation made provision not only for confirmation to the health professional regarding the patient's health insurance coverage but would also enable the RAMQ to authorize or refuse reimbursement for some specific services. The system made provision for rules imposing certain quotas based on the patient's state of health or other criteria. The system would accordingly be able to allow refusal of a procedure on the basis of quotas already being filled or the patient's state of health being such that the procedure would be deemed unnecessary. Networking of this type no longer simply allows proceeding to elaborate administrative controls but also opens the way to an in-depth modification of the very nature of the insurance plan.

Rapid access to clinical information

One can contend that the administrative function is connected to the clinical function. Delays in admission to hospital caused by a patient's difficulty in showing eligibility or by the obligation to fill out administrative forms, could accordingly shift management of admissions to clinical staff. At the same time, clinical networking applications perform a clearly separate task, clearly aimed at better medical management of the patient and improvement in the quality of care offered. Clinical applications most often seek better accessibility to the patient's clinical information (medical or drug record information, results of tests or procedures) and more appropriate or effective use of information. Clinical networking applications of can vary according to the requirements of the discipline or specialization of the various users and their field (emergency, specialized medical surveillance, home care).

Health information networking can also have a public health function, whether to monitor the population's state of health, detect the emergence of public health problems, organize a targeted preventive intervention or a solution for at-risk individuals or groups like for the promotion and monitoring of prophylactic measures (tracking compulsory immunization, preventive examinations in the framework of programs fighting certain illnesses, e.g. prostate and breast cancer) or in the context of the assessment and monitoring of general public health policies.

Example 5

Surveillance in real time

The SPHINX project (Spatial Public Health Information Network Exchange) addresses the development of a network for the electronic exchange of information for health surveillance. Developed by the Alberta Ministry of Health in collaboration with Health Canada, this type of networking could potentially be extended to the rest of Canada. We know that identifying the pathway for the entry of a specific symptom can sometimes take months. The anticipated system will allow information to be rapidly collected, processed and disseminated to health professionals, enable diagnostics to be performed and decisions to be made in a meaningful timeframe. A system like SPHINX targets development of the capability to perform surveillance in real time of public health problems that may arise. Instead of being limited to producing analyses and recommendations after events, public health authorities would be able to promptly perform checks on the sources of the problem (like water quality, contamination of food products), issue warnings to the population regarding the use of these products and to health professions for interpretation of the symptoms and management of the patients affected.

The terrorist attacks of September 11, 2001, the Walkerton tragedy and the SARS outbreaks have made implementation of surveillance networks top priority, as shown by the development of the Canadian Network for Public Health Intelligence. The CNPHI is interdisciplinary and inter-agency (public health authorities, Canadian Food Inspection Agency, police forces) and includes all levels of government. The CNPHI network's objective is to improve biological threat detection and response capability. This network is based on the integration of surveillance data, epidemiological data, laboratory results and more.

Health information networking can also serve research purposes and the production of highly diverse types of knowledge. For example:

Towards new forms of research

Computerization and health information networking offer researchers, managers and those in charge of public health unprecedented access to clinical and administrative data that could enable the health of populations, the effectiveness of treatments and services, and health policies to be tracked and improved. These developments open the door to original clinical and epidemiological research.

Research infrastructures

Research benefits from administrative and clinical networks in the public health sector. The world of research is also attempting to develop its own networks in cooperation with institutions and researchers that are geographically scattered, often across continents. The scientific communities participate despite themselves in fierce competition for public and private research grants, and to pick up lucrative research contracts from commercial companies where the pharmaceutical industry is at the forefront. A number of research networks are thus in development; some are entirely governmental, others are being developed by public and private sector partnerships and others still by companies that are essentially commercial and private. This is the case, for example, of the networks developed by IMS Health, a business established in a hundred or so countries that specializes in data collection and strategic health surveillance. The firm accordingly uses one of its networks to collect information from pharmacies in Québec pertaining to drugs purchased by patients. IMS Health processes this information to produce analyses and reports pertaining to prescription drugs; the reports are sold to the pharmaceutical industry, public health organizations, researchers and professional bodies.

Example 6

The EPSEBE Project - (Entrepôt pour la promotion de la santé de l'enfant et son bien-être)[translation : Repository for the promotion of child health and well-being]

Some systems are implemented allowing developments that are taking shape in this way: The mother who registers her child's birth with the Registrar of Civil Status triggers a process that transforms her child, herself and her family into biomedical and social research subjects for hundreds of researchers. The electronic transmission of the statement of birth to the RAMQ could cause the same. Researchers could process these data in various ways to answer multiple questions regarding medical, environmental and social factors affecting the child's health and well-being following the matching of data drawn from other sectors, such as the Ministry of Revenue or the Ministry of Education.

A general public application

Other general public networking applications are also being developed to support the ability of individuals, families or groups (patients with the same illness, workers subjected to the same contaminants or work conditions, individuals playing a same high-risk sport) to make decisions and take realistic steps to stay in good health or cope with an illness or disability.

The patient as a producer of health information

Patients are not only the recipients of information (production of personalized instruction sheets for the best and safest use of drugs prescribed), but are also the primary users of the applications (self-administration of a questionnaire to measure one's risks) and even producers of clinical information used by professional workers (self-collection followed by transmission of certain health information from home).

This function brings together on an individual scale a combination of the four functions previously described. This enables the patient to: monitor his or her state of health, identify personal needs in this regard in order to take better charge of his or her health and well-being and, receive the appropriate care or make use of the necessary services.

Health information storage formats

To this point, we have dealt with the computerization and networking of information so it can be shared among organizations and users, and some of the various functions performed by networking. Health information networking also assumes that the information is first appropriately stored and organized.

The distinction needs to be made here between the physical storage methods (paper records, databank disks, repositories of data banks) and the management agreements or rules that submit a body of information to common standards (records, files). Networking opens the door to new combinations of physical storage methods and management agreements making way for unprecedented features.

Records

The record is a concept

Record

A record is defined as a clustering of information or documents pertaining to a subject or an individual.

The word "record" spontaneously evokes an image of a physical object made up of a certain number of pages containing information and inserts in a file folder identified with an individual. Even when it is stored in paper format, the record may be split among more than one physical object so that when someone asks to have access to his or her record, it may be necessary to request information from more than one place. We understand, then, that records are more a concept than a physical thing. A record corresponds to a convention, a legal guideline or an agreement between parties, depending on the case.

A record may accordingly take various configurations and present multiple contents. The records made up of information on a patient or health professional (physician, pharmacist, nurse...) are those that particularly interest us in this handbook.

The patient's clinical record

In this section, we are going to spend some time on the patient record (that is, the clinical record, as opposed to an administrative record like those kept by the RAMQ). The patient record is a clustering of health information regarding a patient, organized and kept by an individual (a physician, a pharmacist) or an organization (hospital, pharmacy, private clinic). The patient record may take on a specific legal meaning when, for example, the Health Services and Social Services Act (Loi sur les services de santé et les services sociaux [LSSSS]) requires all institutions to keep a record on every user who receives services. This record's minimum content is prescribed by regulation.

A number of clinical records for one patient

It immediately becomes obvious that one patient usually has a number of records containing health information concerning him or her: one or more hospital records, private clinic records, a prescription drug record at each of the pharmacies where he or she has done business (or through a drugstore chain's network), a physiotherapy treatment record.

The current legal framework only recognizes the existence of a single type of record: the record that is prescribed by regulation and requires every institution or physician to keep a record on the patient that is seen. This record will be referred to here as the complete record.

Networking and the implementation of new record formats.

Moreover, national and international experiments in health information networking suggest that other record formats ought to be set up to better meet the requirements of networking and the specific needs it targets. We propose here a patient record framework with five main types of record: the complete record, the emergency record, the at-a-glance/reminder record[aide-mémoire], the index or pointer record [dossier index ou pointeur] and the specialized medical case record.

Called into question

A patient's complete record would be formed, in principle, by clustering all his or her health records distributed across the health network. This object does not physically exist, however; it remains virtual. On the other hand, it is considered acceptable to qualify as "complete", the record of a single institution that clusters all of the information gathered by the institution's staff on a single patient. Networking challenges this definition by opening the door to the convergence of all of a patient's clinical records.

A patient's emergency record clusters information that is useful or vital in an emergency situation. Even if its outline is still not clear, a consensus is taking shape with regard to the inclusion of certain information, like blood type, drug allergies (like penicillin), pre-existing chronic illnesses (diabetes), heart conditions and the prescription of certain drugs. Occasionally, two types of emergency records are identified: the vital emergency record and the timely emergency record, which clusters a broader sample of relevant information than the basic survival emergency record.

It is easier to agree on a limited amount of information.

The emergency record is a favourite in discussions regarding patient health information networking and comes up often as the first candidate in a networking program; there are three main reasons for this. First of all, the type of information transmitted by an emergency record can, in many cases, prove to be less sensitive than information likely to be contained in the patient's complete medical record. Second, the benefits of vital information that is quickly available for a patient in an emergency situation, who may be unconscious, seems less open to objections with regard to the tangible nature of the potential benefits for the patient and the objectives pursued. Finally, the relative ease with which this limited and more or less objective information is standardized and formatted promotes its computerization.

Consensus regarding the acceptability of networking emergency records accordingly seems easier to reach.

The patient is master of his or her own file

The concept of an at-a-glance/reminder record stems from meeting two objectives. First of all, by definition, this type of record is in no way intended to be exhaustive but rather a summary of information that appears to be the most significant or relevant for better medical management. Second, the concept focuses on the primary role given to the patient who maintains control over the nature and content of the information shared when faced with pressure to place information on the network. The content of the at-a-glance/reminder record gives the patient primary responsibility and control over his or her own record. The reminder function first of all serves the patient, who decides one-by-one the items of information for which he would like some support for his memory lapses. It is, therefore, the patient who oversees the creation of this record through his or her consent to the inclusion of the different information that is gathered there.

Example 7

The Rimouski experimenti

The first microprocessor card experiment in Québec made possible the testing of the at-a-glance/reminder record concept for the patient in the Rimouski region over a two-year period from 1993 to 1995. Patients who agreed to participate in the project were given a microprocessor card which acted as the receptacle for a summary of his or her medical record to remind him about appointments with health professionals. The patient him or herself was primarily responsible for construction of the summary record and was free at all times to present the card, or not, to the professional authorized to receive it. The patient was also free to accept or refuse the inclusion of certain information in his or her record. The main principle of the experiment was, then, the patient's willingness, which could be expressed at three levels of consent: joining the project (and the right to withdraw at any time); presentation of the card; and the choice with regard to what data would be included in the record summary. The patient's summary record or at-a-glance/reminder, is a concept developed to respect the patient's freedom to have his health information placed in a network in a particular format. Criticism has nonetheless been expressed with regard to the reminder record's reliability, calling into question its benefit, particularly by the medical establishment participating in the experiment. A definitive answer to these questions was not possible due to the experiment's time and geographic limitations.

A record pointing towards the patient's records.

The needs and discussions with regard to health information networking gave way to the emergence of another concept - that of the index or pointer record which, while containing no patient health information itself, enables certain patient records to be identified and provides instructions on how to obtain them. This type of record is also an answer to certain risks created by networking. First, access to the pointer record does not allow access to information contained in the records the pointer record indicates without further control. Second, the pointer record is consistent with the promotion of decentralization and keeping health information in multiple sources, as opposed for example, to a design that promotes the centralization of data and the creation of vast data banks clustering all patient records.

A monitoring record for a chronic serious illness

The specialized record is associated with certain chronic serious illnesses that require significant complex medical monitoring. The specialized record can, for example, enable the patient on dialysis or who is diabetic to enter monitoring data about his or her illness him- or herself, as was shown in certain microprocessor card experiments in Europe.

Data banks

The data bank is an organized clustering of computerized information, normally created according to a common content denominator, for a particular ultimate purpose to which other uses may be added.

The data bank can also take various forms and meet multiple objectives depending on the main functions described in the previous section. Even if a data bank is set up to meet a specific need, it is not unusual for it to be used for other purposes as well. For example, a data bank designed to administer an insurance scheme is also used for planning public policy or research.

Besides the applications pertaining to the clinical function, we propose three types of data bank:

The Ministry of Health and Social Services has created data banks to support the Ministry's mission regarding the provision of health care. The Med-Echo data bank comes to mind, for example, which clusters clinical and administrative data on hospitalization. There is also the I-CLSC data bank which clusters data on CLSC services and users.

The RAMQ manages its own data banks

In Québec, the RAMQ occupies a central position as guardian of a number of large data banks. The main reason has to do with its primary responsibility regarding the management of certain insurance schemes in the health sector (health, drug, dental and optical insurance schemes), and for which the data banks were created. Content of the data banks ties into one or the other of these contents:

Example 8

The FIPA management data bank

The RAMQ keeps a data bank regarding all individuals eligible for coverage under Québec's health insurance scheme: FIPA, which stands for file of insured individuals [fichier des personnes assurées]. The data pertaining to everyone registered from 1976 to date and individuals deceased since 1991 are kept in the bank. The following information on nearly 9 million individuals (2 million of which are deceased) is kept: health insurance number (NAM), last name, first name, address, date of birth, date of death, postal code, sex, mother and father's names, common-law partner (indicateur de conjoint de fait.)

The RAMQ manages the MSSS data bank and others

The RAMQ is also a depositary and manager of data banks which the MSSS, a regional scheme, an institution or other may entrust to it by agreement (following an amendment to the Loi sur la Régie de l'assurance maladie du Québec [Translation: Quebec Health Insurance Scheme Act], enacted in 1999).

Example 9

The RAMQ is a data depositary and data bank manager.

Through an agreement signed in 1999, MSSS entrusted the RAMQ with the storage and management of four identifying public health data banks: MED-ECHO, "Tumeurs"[tumors], "Hygiène mentale" [mental health], personnes hospitalisées-DRG" [hospitalized individuals - DRG]. The reasons for this transfer are set out in the understanding itself and read as follows:

[translation] "WHEREAS the significant modifications to the health and social services system have brought about major changes to the layout of structures and that as a result, the stovepiping of information systems precludes analyses of the consumption and dispensing of care with a view to documenting episodes of care and developing indicators on the various aspects of health in Québec;

WHEREAS in order to mitigate these situations, the Minister wishes to centralize the information by depositing public health data with the Régie and entrusting the management of this data to the Régie;"

Serving other purposes

The data banks for managing health insurance programs can in turn also serve the purpose of planning and monitoring the public policies which underlie them or furthermore, serve the purpose of research, often by combining these data with other data banks.

Set up specific data banks for monitoring

There are, moreover, a number of specialized data banks that have been created specifically to ensure that certain targeted health problems are monitored, from the public health policy perspective. For example, the mental health data bank, which includes data on the long stay beneficiaries in psychiatric facilities; the tumour registry, which clusters information on cancer and the individuals with malignant tumours treated in institutions; the data bank on the Centres jeunesse [translation: youth centres] clientele pertaining to users of the Loi sur la protection de la jeunesse [translation: Youth Protection Act].

Warehouse or Megafile

The term "warehouse" is a metaphor which designates a megafile (clustering of files or data banks). In actual fact, a warehouse is an automated environment that allows the joint use or the connection of various data banks that are physically centralized in the same place or distributed to a number of places.

The main advantage of the warehouse rests in the joint utilization of a number of data banks whether for research, producing longitudinal studies or for administrative purposes, by allowing verification with the cross-referencing of information between data banks.

A clustering of vastly different data banks

Most warehouses of clinical, administrative, research or public health data are still in the planning or design phase. The RAMQ has already created a single computerized environment for the management of a number of data banks it holds or looks after for others. Certain projects funded by large research support agencies, are currently at the design stage for implementing connections between these data banks and others that have been created by services that are outside the health sector (like civil status data banks, school data banks, the Institut de la Statistique du Québec data bank). The main objective in creating these megafiles, or data warehouses, is to increase the scope, range and competitiveness of clinical and population studies in health.

Example 10

The IRIS-Q Megafile

The acronym stands for "Infostructure de recherche intégrée en santé au Québec " [Integrated health research infrastructure in Québec". Creation of a data warehouse is the core of the project.

"[translation] Four or five years from now, researchers will have access to a formidable data bank containing non identifying information on patients from four major university hospital centres. And it will be possible to connect this information to the Régie de l'assurance-médicale du Québec's main data banks, to the MED-ECHO registry, to the Société d'assurance-automobile du Québec's data and even to Santé Québec's investigation data.

Experts from Québec are currently working on the creation of this mega-databank in the framework of a project entitled IRIS-Q.(...) the IRIS-Q consortium is made up of representatives from the four university hospital centres, the Ministry of Health and Social Services, the RAMQ, the FRSQ and the regional boards of Montréal, Québec and Sherbrooke.

(...) Researchers will accordingly be able to more easily and, especially, more quickly conduct multi-centre clinical or epidemiological research. For example, they will be able to combine the university hospital centre records with records from laboratories and pharmaceutical services to monitor a cohort of patients to whom physicians have prescribed a new molecule for treating hypertension. (...)

The IRIS-Q project also creates numerous possibilities for public health research. The hospitalization data (MED-ECHO), tumour register, birth register and the trauma register data bases may be added to the four main RAMQ data bases that already exist, i.e. pharmaceutical services, medical services, beneficiary demographic information and physicians' demographic information. (...)"

Conclusion

Networking health information is already on the road to becoming reality in Québec's health system, at different paces across numerous jurisdictions and for various functions from the administration of insurance schemes to medical management, public policy planning and public health, not to mention medical research and the general public self-care function. The networking experiments and projects do not all have the same public visibility. Very few projects cause public discussion. The vast majority of networking projects are planned without the general public's knowledge and without consultation outside the circle of partners directly involved.

The RAMQ microprocessor card pilot project had the advantage of immediately creating discussion, steering committees, surveillance committees, assessment reports, and so on, until the public hearings in the parliamentary committee held during the winter of 2002, which looked into the plan for the microprocessor card's nation-wide networking applications. This work enabled a vast range of health network and civil society stakeholders to express their points of view on these networking applications.

However, other types of networking are in operation or the planning stage, without those mainly affected having really been able to speak about the plan or, sometimes, without even having been informed. Think, for example, about the transmission of physicians' prescription profiles by pharmacies, or about the creation of vast data bank warehouses to improve the competitiveness and the nature of medical research practiced in Québec.

This chapter's objective was to give an overview of the nature and meaning of the types of networking contemplated, in order to better determine in the following chapters, the multiple dimensions of ethical assessment they ought to undergo.

Chapter 2 - Relationships between individuals and organizations established through networking

Summary

Information as the material support of a relationship between individuals and organizations

Networking² involves the manipulation of physical objects, called information, by human beings and machines within the network itself, as well as around it.

Information is a material object...

Information is, in fact, a physical object. Of course, its physical nature is not always immediately perceived by the senses. For example, information no longer only takes the form of notes that are handwritten or printed on the pages of a medical record. From now on, it will increasingly be found in the form of magnetic alignments on a tape or floppy disk, in microscopic perforations in a film making up a compact disc, in open and closed microprocessor circuits, in the flow of electrons through a copper wire or in photon emissions from a radio antenna, laser beam or projector. The fact remains that information cannot exist without material support, whatever that might be. It is information's material property that enables it to be created, stored, moved about in space, copied, transformed, used to produce new information, or potentially, destroyed.

...used to support knowledge

Above all, this material object has the special feature of being organized for the purpose of supporting knowledge. This knowledge can be ordinary information (e.g. a clinical note, a billing item, a scientific finding), the representation of another object or reality (e.g. a photograph, an x-ray, an electrocardiogram), or can be an instruction (e.g. a section in a regulation to be applied, a software command).

Individuals can establish relationships among themselves using information

Therefore, when we speak of information, we are generally referring to an artificial object, an artifact. This object exists only because human beings created it (or commanded a machine to create it) in order to communicate through time or space with themselves or others. This manipulation of information is how individuals or groups of individuals establish certain types of relationships among themselves. This is especially obvious when the information manipulated is about other people.

Relationships representing a fraction or all of the relationships experienced between certain stakeholders

In certain circumstances, these relationships established through information represent only a fraction of the relationships experienced by the stakeholders. This would be the case, for example, for the multiple relationships that a resident patient has with a residential and long-term care centre (CHSLD), its staff and volunteers. On the other hand, relationships created almost exclusively through information are increasingly common between certain stakeholders. This is especially the case for researchers who only come into contact with their human research subjects through the research data that they have on their subjects. This is often the case in certain bureaucratic relationships as well. The individual often has no other existence for the organization except as an historic compilation of information and transactions appearing in company files; and vice versa, the organization is not a reality for the individual except through the written exchanges with it. This is the case, for example, in routine relationships which are carried out essentially in the form of letters, forms and minibills between the RAMQ and a majority of its insured members.

Relationships established through information have an impact on the relationships between stakeholders

However, the computerization of the public health sector and its networking will naturally increase the amount of information in the relationships among stakeholders. And, even when a relationship is for the most part not supported by information, the presence of information has no less an impact on the types of interactions between stakeholders, if only through the unique power of the written word in human relationships.³ This creates unprecedented sets of problems then, as in the case of a number of independent community health groups invited by their regional managers to computerize their operations, or to participate in individualized service plans for their members, in cooperation with other institutions or health professionals. These groups then have to ask themselves, for example, what levels of professionalism and standardization of their practices are possible without compromising their primary mission? This question immediately gives rise to questions about the nature of their relationships: through this new information that they will be manipulating, will these groups have relationships with "members" ? "clients" ? "patients" ? "Canadians" ? We will see further on, a case in which some health professionals can feel trapped in a type of relationship that they do not want with their patients because of a particular kind of information provided by a networking application. (Example: a network for the prevention of illegal access to prescription drugs).
In this manual, we are more specifically interested in the relationships established through information networking that deal with patients and health workers.

Example 11

An individual goes to hospital

Claude can be considered simply as a sick person seeking care or comfort care, but when the admissions clerk asks for Claude's health insurance card, a process is set in motion defining Claude as an insured person with regard to certain health care providers (the hospital and certain physicians) who will receive from an insurer (the Régie de l'assurance maladie du Québec - RAMQ) payment for medical care provided. The information entered on the health insurance card, on the billing forms and as a result, in the insured person's RAMQ record, serves insurance purposes. They create a relationship between the physical persons and legal entities playing defined social roles: insurer, insured individual, health care provider.

Let's suppose that immediately after Claude is admitted, a nurse gives Claude information on a clinical research project regarding a new medication. Claude agrees to participate in this project. The nurse asks him, then, to read and complete a consent form for his participation as well as another form for the collection of certain sociodemographic, family and medical data to support the research. Here, the information gathered defines Claude as a human research subject in relation to a research team. The information entered on the forms and other clinical information gathered at a later time by the researchers clearly serves an ultimate research goal and supports this particular relationship.

Then finally, members of the hospital's medical staff open Claude's clinical record for information about the observations, diagnoses, decisions and treatments entered and to add some new notes. This is where Claude, in the relationship supported by this information, finally acquires his status as a patient in the care relationships that involve a number of health professionals at this hospital and possibly others: physicians, nurses, technicians and archivists. Claude's medical record is what supports the informational dimension of these relationships.

Networking as the organization of relationships between individuals and organizations

Longevity of the relationship supported by information

In Example 11 on the preceding page, the different relationships are presented consecutively. Claude alternately plays the part of the insured individual, the research subject and the patient. In reality, the different relationships supported by separate information occur simultaneously and for as long as the information continues to exist. Claude may well heave a sigh of relief upon leaving the hospital, thinking he may finally be able to do other things. Claude nevertheless remains an insured individual, a research subject and a patient. The RAMQ, the hospital, its staff and researchers will still continue to manipulate and use Claude's information, and, consequently, maintain their respective roles with respect to Claude. These mutual relationships will continue for as long as the information is manipulated for these purposes. And beyond these purposes, the knowledge related to these past relationships will remain accessible and manipulable for as long as the information continues to exist.

Transformation of the supported relationship

Relationships supported by information can change. Take the case of researchers who regularly obtain copies of Claude's clinical and insurance record information for their research. This new information no longer supports the original relationships (or purposes), which dealt with insurance and health care. The information now supports a research relationship (or purpose) between research subject and researchers, to which Claude had previously consented.

Example of the transformation from patient to a charity fundraising target

The effect of replacing one relationship with another is clearly more flagrant when it is involuntary on the part of one of the parties in the relationship. For example, let's imagine that, without his knowledge, Claude's name, addresses and telephone numbers are sent to the hospital's charitable foundation, which collects and manages donations to fund certain types of equipment or activities for the institution. This communication of information changes Claude's status. Once a patient, he now also becomes a prospective donor; in other words, a new target for the foundation's canvassing activities. The information in the foundation's possession will be used by a fundraiser to contact Claude and ask him to become a donor. This is how information created for one type of relationship (or purpose) can be used to establish a very different relationship.

Networking enables one type of information to be used in a number of different relationships.

The specific goal of networking is to allow information produced by a person within the framework of a particular relationship between specific stakeholders, to be used immediately or in the future, by other stakeholders.

The ultimate purpose of the new use can remain similar or as a continuation of the one that was in place when the information was initially produced. For example, when copies of information generated in the context of the relationship between a pharmacist and a patient for the dispensing of drugs are used to inform another pharmacist who receives the same patient for a new prescription.

The new use can also serve a very different purpose. This would be the case when copies of certain types of information generated by these same pharmacists are used by an insurer, researchers, administrators, a professional order, a police force, or others.

Networking applications support and govern relationships

Networking applications allow, demand or forbid different individuals and organizations certain types of access to certain information for certain uses. In doing so, these applications support and govern more or less diverse relationships between these stakeholders. The manipulations of information created in this way generate new knowledge, findings or decisions, that are capable of affecting the stakeholders and the relationships among them.

Networking that creates relationships among physical persons and legal entities (moral persons)

A socio-ethical assessment must examine the relationships that are established between stakeholders

If health information networking is a form of organizing certain relationships between individuals (physical persons) and legal entities (moral persons), then an ethical assessment of a networking application or project must include a detailed examination of this entity as well as of its implications and consequences for the stakeholders who are directly affected, for those who are indirectly affected, as well as for society as a whole.

Pitfalls of the examination of relationships between stakeholders

However, a similar examination of the organization of the relationships between stakeholders can represent a considerable challenge. The networks and the technical tools available are increasingly vast and complicated. The stakeholders involved and the ultimate aims simultaneously served are also increasingly numerous and varied; and the interactions established between these stakeholders and aims are increasingly complex. The exact nature of these interactions can easily constitute vastly different perceptions between the parties involved. This can even cause controversy. First of all, speeches and impressions can easily overtake the facts. The basis of the problems encountered or disagreements expressed becomes difficultto identify and interpret, complicating the search for solutions.

Networking establishes relationships between stakeholders

On the other hand, the material nature of networking facilitates the determination of the exact nature of the relationships supported and orchestrated in this way. For, to be exact, these interactions are created through the manipulation of informational objects by physical tools which obey a programming code, made concrete as well in its written form (program lines, printed circuits). All of these elements are producible and verifiable. It becomes possible to reconstruct the life of information, the processes through which it can or must pass, in the context of the networking activities or applications being considered.

Dimensions of the relationships created among stakeholders revealed by networking

The answers to these questions constitute a solid base upon which an ethical assessment can be seriously undertaken.

Computer science clarifies social practices

As we see in the previous and following chapters, computer technology requires that the targeted social practices be clarified and formalized. By so doing, computer technology acts as a powerful tool for creating certain relationships between the stakeholders involved. It thus becomes possible to clearly document changes that relationships undergo with the introduction or modification of a networking application, just as it becomes possible to directly compare official speeches with actual practices. This is how the non-governmental organization, California HealthCare Foundation, easily located the web sites on health education that did not respect their confidentiality agreement regarding personal information entered by the Internet users who had consulted it. A simple reading of the instructions entered in the programming code of these sites' web pages showed those which instantly relayed this personal information through the Internet to commercial businesses.⁴

Knowledge of the relationships supported by computer technology is verifiable

Thus, the relationship supported by information includes a material dimension which makes it verifiable or provable (see Example 12 on the next page).
The analysis of information manipulations enables the accuracy or truth of a statement relating to the existence and nature of an interaction between specific stakeholders to be confirmed or invalidated.

Example 12

A network for preventing illegal access to prescription drugs

An information network about patients managed by a group of health professionals

The verifiable nature of relationships between individuals and organizations, as formalized by computer technology (see the previous section of this chapter) can be illustrated by the following real-life case concerning a system for the detection and prevention of attempts to illegally obtain prescription drugs.⁵ This system focused on information on potential attempts to obtain certain types of drugs through the use of fake prescriptions or identities. If these indicators proved that a real attempt had been made to obtain drugs illegally, a warning was sent out to all health professionals who were part of that particular network. The warning identified the suspect, the type of drugs sought and the method used to fraudulently obtain it.

An old controversy, also including the very nature of the implementation of networking

A technological upgrading project of the roughly 15 year-old system including an expansion of its use to new classes of drugs, had revived an old debate about its ethical legitimacy among the members of the network who were operating it. The differences appeared all the more insolvable because the professionals using the system could not even manage to agree on its exact nature and use, the moreso because its nature and use had not been documented.

This group of professionals consequently commissioned a detailed analysis to better understand the problems and accordingly, better define topics of disagreement to be resolved. In other words, the objective was to produce a description of the system that was sufficiently detailed, precise, and objective to be recognized by all the interested parties, whatever side they were on. The resulting picture was so revealing that even a person whose only job for ten years had been operating the system stated that he had learned some new facts on how it worked. For example, the implementation of rules allowing health professionals to close patient records that had been inactive for a certain amount of time systematically led to the premature elimination of warnings which were, in fact, still in effect.

This analysis, however, primarily identified an internal contradiction as the definitive source of the controversy. Officially, the system dealt with information about patients, and sent out warnings about patients. However, a vast portion of the processing of this information followed the administrative logic of proof in criminal law, rather than that of medical diagnosis. Health professionals, of course, fed the system through clinical records about patients. However, the warnings they received no longer had to do with patients, but rather with persons suspected of having broken the law. This made a number of professionals uncomfortable, since they neither considered themselves, nor wanted to be, crime prevention agents.

Clarification of relationships prior to the assessment and proposal for a solution

The system sometimes used professional health logic, and at other times, police logic, without satisfying either. This demonstrable interference between two very different, indeed incompatible, types of logic, not only pointed out the main source of the controversy; it also explained why the system could not send out a warning in the cases of drugs acquired completely legally for suicide attempts: the core of the system excluded any health considerations and applied only the principles of criminal law.

This is how analysis of relationships with an effective support tool enables possible solutions to the debate to be outlined. Here, one of the solutions considered was to reorganize and redeploy the system based on logic that was primarily medical. Not only could this solve one problem in the inter-network conflict, but it could also help to strengthen the role of health professionals with respect to the problematic use of prescription drugs, indeed, even helping them to save lives that would not otherwise have been saved. All of this while fully preserving their ability to detect and prevent illegal access to prescription drugs.

Conclusion

Information speaks about itself and about those who use it

Health information does not just bear knowledge about ideas, concepts, realities or external facts. In practice, information also contains knowledge about its own genesis and the manipulation it undergoes, as well as information about who created, and who uses it. Moreover, every operation for the manipulation of information which creates new information always creates an opportunity to produce information on the operation itself. For example, the entry of a single new piece of information in a patient's electronic record could be accompanied by the creation of several other elements specifying who made the entry, on what grounds (in relation to this patient), when and under what circumstances.

Understanding the relationships before the assessment and proposal of a solution

Health information is therefore revealing about the specific relationships that are established between specific stakeholders. The material processes on which networking is based pave the way to an understanding of these relationships in multiple social dimensions, whether they are organizational, political, economic, legal or ethical. This understanding, in turn, contributes to the identification of dozens of questions that the manipulations of information can raise, and clears the way for the prevention of, the solution of, or should a solution not be found, the management of, potential problems.

An essential understanding in a networked world

Today, such understanding is more important than ever when the lives of both people and organizations are becoming increasingly dependent on the proper operation of information networks and systems, which are ever more costly, complicated and extensive. However, it is now possible to base this useful knowledge on objective observations pertaining to the manipulation of informational objects that organize all the relationships that weave in and about the health care system.

Chapter 3 - Adapting standardized and automated applications to particular concrete situations

Summary

Health: An abundance of particular practices

The challenges of diversity

The public health service sector is marked by a great diversity of practices. This situation is in contrast to the relative uniformity observed in other major sectors such as banking, insurance or utilities. This diversity raises appreciable challenges with regard to computerized networking. Challenges often have an ethical dimension.

Networking piecemeal activities

In the banking sector, clients expect that procedures will be relatively similar, regardless of the branch or even the institution they go to. The transactions they perform through automated teller machines are, moreover, practically identical, regardless of the place on the planet where they're performed. Networking connects work units by creating similar, indeed identical, activities. In the public health sector, to the contrary, individuals do not expect to have the same experiences at an isolated village dispensary, a large university hospital, a psychiatrist's office, a physical rehabilitation centre or youth centre. To the contrary, networking is accordingly called upon to connect work units linking vastly different activities, fulfilling distinct functions (see Chapter 1, The Networking of Health Information). In principle, all these activities share the same ultimate purpose, that is, "health". But this term already unites separate objectives: the promotion of physical, mental and social health; care and support services to the sick and individuals in difficulty; and prevention. That being said, despite their differences, these different objectives as well as the multiple activities and functions which contribute to them often prove to be complementary, particularly when they concern the same individual, populations or sets of problems; whence the interest in networking them.

Numerous tasks

The diversity of practices appears even greater when we go from the level of differences between institutions to that of the tasks performed by their respective staffs. For example, the same professional may in the same week, perform dozens of vastly different tasks of a clinical, administrative, educational, scientific or community nature. However, the same institution will house a roughly similar set of jobs, specialties and number of practical areas, each of them involving the completion of different specific tasks or portions of tasks shared with others. Consequently, daily life of a single institution may require the performance of thousands of tasks that are very different from one another with consideration to their nature, ultimate objectives, the type of stakeholders involved and the information to be manipulated.

Diversity of situations

Finally, this diversity increases even more when we leave the task level to arrive at the transactional level of each of the actions in fact established because the specific situation of every individual, each population, every institution, and every set of problems often presents details that require just as many suitable adaptations. Even if they appear to be tiny, these adaptations can make a big difference for the individuals involved. And what is true in the short term is even more so over the duration, because the situations change and each in its own way.

Objective and subjective differences

Consequently, one of the traits of public health sector practices consists in their subjection to a broad variety of conditions and objective constraints, on the one hand, and to an equally significant diversity in the expectations and subjective needs on the other.

Computerized networks: A standardized universe

Standardization of terms

To the contrary, networking is not possible unless practices and languages are standardized (see Chapter 1, The Networking of Health Information).

Information cannot be successfully shared among numerous institutions for the most diverse purposes without standardized terminology. In fact, everyone must use the same terms to designate the same things, or at least know what they exactly mean in specific contexts. Otherwise, counterproductive confusion - indeed, dangerous confusion - is likely to occur.

Standardized practices

That which is necessary for networked information is also necessary for the practices that the information describes or supports. The pooling of computer applications requires that the specific format and content of the networked portion of an activity (the act of requesting a medical test) be more or less standardized. In other words, various ways of performing the same activity will be replaced with a single basic model, used everywhere, if possible. Independently of networking, standardization often enables an activity to be simplified and output to be optimized with regard to the goals sought. And certain standards that establish the model to be followed can also underlie the means to measure and control this output. Therefore, when we dream of networking an activity, its standardization becomes mandatory because it is necessary to ensure that the computerized portion of the activity is compatible with all the other activities with which it will become interrelated. For instance, the various elements making up a computerized request for a medical test must be compatible with the computerized streams from other activities such as patient test administration, production of the results, communication of the results and their subsequent uses by various stakeholders such as the other professionals looking after the same patients, the public health authorities to whom certain results must be sent, the patients themselves (see Example 13 below Standardization of the test request).

Example 13

Standardization of the test request

In concrete terms, programmer analysts analyze an activity in order to reduce it to a series of tasks or type functions dealing with information that is also typical. For instance, a test request may be separated into various elements of standard tasks, such as: the identification of the professional requesting the test; the identification of the patient involved; the description of the test or tests requested; the name of the institution or unit requested to perform the test, if applicable; the signature of the professional requesting the test; transmission of the request.

Each of the previously identified elements will then be detailed. For example, the description of the element "Identification of requesting physician" will specify what information must be manipulated: physician's first and last names, licence number, specialization, place of practice, address where test results are to be sent.

Once these elements have been defined in the smallest detail, the programmer analysts can program them into one or more computer applications. Here, an application enabling a medical test to be requested can go look for the identification of the physician which has already been established by work station; it can look for the identification of the patient in his or her medical record; offer a physician a pre-established list of tests from which to choose and, if applicable, a pre-established list of parameters to specify for each of the tests requested; etc. In this way, an activity which could appear to the physician to be a simple and quick action, has been separated into numerous typical abstract elements. Its computerization has required that these elements be reconstructed as a series of more or less complicated procedures. And its networking has made the execution of this activity interdependent on other computerized procedures performed elsewhere in time or space in the framework of other similar or complementary activities.

Reduction implies elimination

However, it is never the entire activity that is managed in this way by the programmer analysts. Far from it! They must ignore the aspects that do not necessarily involve the manipulation of information or that prove to be more informal, discretionary or too variable depending on the circumstances. For example, during the drafting of a test request, a physician can more or less explain to the patient why he or she wants this test or tests, why it will be performed at this or that place, etc. If this explanation is given, the reasons stated may vary according to the nature of the case. The level of detail provided will differ depending on personality, the patient's need for information or the need to convince the patient to undergo necessary or unpleasant procedures. The physician may also wish to offer further explanations to the patient, such as the least busy times or the most practical order for undergoing different tests having to be done in different places. In the public health sector, there are often numerous activities with too many variables. But whether they are essential or simply useful, these elements are typically.non standardizable. Programmer analysts generally avoid implementing them. These elements accordingly are seldom or never computerized and networked or if they are, it is only locally or transactionally by the user him- or herself.

Reduction and standardization require appropriate choices

Thus, every computer application project intended to operate in a network will be faced with this tension between meeting a diversity of situations and needs on the one hand, and the reduction of situations into a defined number of elements of standardized information and procedures, on the other. This unavoidable dilemma can only be resolved by a detailed analysis of the practical realities as well as of the various options available - in short, through the choice of appropriate solutions according to various criteria, including considerations of an ethical nature. Even when networking applications are modest or only deal with a limited amount of information, their inclusion within frequently complex social realities must be achieved, the more so because beyond the elegance or innovativeness of these tools, ultimately, the question is frequently one of human lives. The manipulation of health information intervenes in peoples' lives and draws on precious resources. The challenge for network designers is to think technology in terms of the social and not the reverse.

Two facets of the same challenge.

From the ethical point of view, two facets of this tension between diversity and standardization especially interest us in this chapter. The first is the adaptation of options in light of particular realities. The second is the automatic regulation of situations due to computerization. These are the two manifestations of the same dilemma, that is, the challenge of designing an appropriate connection between computers and humans. We will separate them, however, for demonstration purposes.

Adaptation to particular realities

Sidestepping reality

The primary criterion of all ethical assessment of a networking application is whether or not the application is suitable for the actual needs. Unfortunately, it must be observed that the identification of these needs and the appropriate response to them still frequently causes a large number of networking projects to stumble. Cooper (1999) identifies a number of pitfalls awaiting designers here.

Technology can hide reality

First of all, the complexity and unavoidable nature of the technical constraints and requirements can easily divert designers' attention from the realities and demands outside the world of programming. This is all the more true when the organization that orders the application has not invested enough in the analysis of their needs and the realities. In many cases, solutions are invented and marketed, independently of specific needs, by designers who are completely outside the area of activity. There is then the risk that either the promises or the elegance of the solution offered are what will structure the needs analysis rather than the needs analysis giving direction to the search for a solution.

Reality can be reduced to an abstraction

Even when designers focus on the users' and other involved stakeholders' demands, they often only manage to think about needs abstractly, on the basis of the needs of the machines creating their tool (see Example 14 on the following page The abstract patient...) However, the designers are not the only ones to automatically think about reality in purely abstract terms. The administrators, legal officers and other technocrats who support them, often also fall into the same trap, as can even the practitioners and members of the populations affected.

Example 14

The abstract patient...and the failure of an application project

One of the typical networking applications for which there is convincing proof of the benefits as much for individuals' health as for the health system, is the creation of a complete patient drug profile. By enabling physicians or pharmacists to obtain a complete list of the drugs prescribed to a patient by various prescribers, it is possible to avoid a large number of cases of over-medication or harmful, even deadly, drug interactions for patients. It goes the without saying that a similar drug profile is one of the clinical applications integrated into the Quebec microprocessor health card project.⁶

Nevertheless, during the public study of the plan, the proposed tool proved to be unusable in too many critical cases. As a matter of fact, the creation and updating of this profile required the patient to present his or her microprocessor patient card to the physician each time he or she wrote a prescription and to the pharmacist each time a prescription was filled. This could only work to the extent that the patients were able to get around. However, family members often go pick up patients' medications or the pharmacies deliver them to the patent's home. It also occurs that physicians prescribe, renew, change or cancel a prescription outside the patient's immediate presence. In these cases, the proposed tool would not allow access to the proposed profile in order to read it or update it, much less to manage the patient's medication.

How did that happen? Clearly, the designers wanted to give patients a great deal of control over the creation of their drug profile and the access to it. With this solution, the patient's presence was accordingly compulsory so that consent could be given for access by presenting the patient's microprocessor card to the professional. However, these designers seem to have forgotten that many patients, especially those simultaneously taking a number of drugs are.sick! The system met the needs of the abstractly defined "patient", "physician" and "pharmacist" in a single hypothetical situation: that in which the "patient" automatically goes in person to another professional. Fortunately, public discussion was able to prevent the deployment of a tool that was as unsuitable as it was costly and consequently, unacceptable. However, it would have been less wasteful had the designers had a realistic picture from the outset of the diversity of situations in which drugs are prescribed and dispensed, and designed their tool accordingly.

The meaning of information depends on context...

Therefore, the pitfalls that await the development of an entirely new application remain the same ones that await networking of practices or applications that already exist and function nevertheless well. Here, one of the risks is that of confusing previously existing information with reality itself; that is, losing sight of the circumstantial nature of information production. Information presents a specific relationship between the stakeholders playing particular roles in particular contexts and at particular moments (see Chapter 2, The relationships between individuals and organizations established through networking). This information rarely has universal value and must consequently be manipulated with caution when it is used in a different context from the one that existed when the information was first produced.

...and the stakeholders' intentions

Moreover, it must be remembered that the stakeholders of the relationships supported by the information determine as well in good part, the meaning of the information exchanged. As stakeholders, they want a given relationship or use of a computer application to meet their particular interests or objectives of the moment. They consequently produce information - or cause it to be produced - accordingly. Therefore, it is not only individual situations that may differ greatly and develop differently, as we have already seen. The very definition of the stakeholders' respective interests or objectives can change and evolve just as much. In fact, every individual stakeholder - a patient, for example - can try to achieve different but coherent objectives from the perspective of his or her own situation or interests. Such being the case, the information generated as a result can appear difficult, indeed impossible, to reconcile (see Example 15, Networking patients' addresses). Whence, once again, the need to undertake every networking exercise with caution.

Example 15

Networking patients' addresses

As for networking the various patient records, couldn't a number of procedures be simplified by automation? For example, couldn't a patient's change of address be done in all his or her records with a single updating operation? Isn't this a matter of relatively simple and objective information? And wouldn't automated service of this type make life easier for patients and institutions?

Once again, the diversity of individual situations must not be underestimated. All these records may contain the same field entitled "address" under a patient's name, but their content may not have the same value or meaning. In fact, the same patient may have a number of different "addresses", all simultaneously valid.

One address may be a discretionary choice. Canadians have the freedom to live where they prefer. A child can easily have two residences in two different regions. One may be a main address and the other, secondary, where he or she often spends weekends and most summer and winter holidays. Or the respective address of each parent in shared custody situations. That said, illnesses and injuries do not always give warnings and often can't wait. Medical attention is sought as close by as possible. Clinical and institutional records of both regions may have, respectively, one address or the other.

An address may also be imposed by law. A court can place a child in a foster home or facility having a different address from the previous ones. The health insurance card renewal is normally sent to the mother's address, regardless of whether or not she has custody of the child. The legal residence of an adult under curatorship is his or her curator's, regardless of his or her true residence address. So, certain administrative bodies of the public health network may have addresses that are different from those appearing in institutional records.

A person may quite legally elect through a fiction of law a residence for the purpose of his or her civil rights. This would be the case of Quebec residents whose place of residence changes often (students, travelling salespersons, seasonal workers, homeless) or who, though temporarily living outside the province, nonetheless maintain a fixed address in Quebec. Or patients who "take up physical residence" with a parent located in the area of a renowned health institution for a particular treatment or where a certain psychiatrist practices.

So, the good idea to computerize changes of address requires not only bearing in mind the complexity of the various relationships that individuals may establish in the same geographic space, but also the users' needs. In fact, the institution performing a clinical function does not necessarily need the same address as the body performing an administrative task or as the public health authority who wishes to check a health problem in his or her territory, or the researcher who wishes to understand the links between health and physical or social environment.

For the patient, the quality of the management of their addresses has implications regarding their freedom of movement, choice of residence, choice of institutions or health professionals as well as that of controlling the possibilities of interference in their privacy. For the various professionals and organizations in the health sector, the implications pertain to the quality of the information necessary for carrying out their respective duties. This does not make the idea of computerized change of address impossible. It requires, however, that the principle of caution be applied (see Chapter 7) in consideration especially of the inevitable ethical, social and legal dimensions.

The automatic regulation of practices

Activities described by standards

A large portion of health activities to be computerized are already defined and more or less framed in detail by law, regulations, professional practice standards, scientific or technical jargon and administrative or funding rules. So many sources of abstract categories that it is tempting to take them as they are in designing a new networking application, particularly as the computerization and networking of health activities also enables a number of these standards to be very effectively implemented with their support, indeed, assurance.

Meaningful implementation of standards

In fact, computer science enables certain standards to be implemented. Let's imagine rules like:

Once written into programs or technical instruments, machines can easily implement similar rules. In this case, they ensure a systematic and universal implementation of the rules. Every situation or individual presenting identical or equivalent information will normally receive the same treatment or the same finding. On the other hand, a machine can remain indifferent to the meaning of processed information or the concrete effects of functions performed.

Example 16

Computerized verification of insurance coverage

In Example 4 presented in Chapter 1, we refer to an RAMQ remote verification project for elegibility of insured persons. Taking into account the volume of transactions at issue, an electronic preauthorization reimbursement system for a specific health service is only possible if it is computerized. In practice, this means that every minute a computer would preauthorize, or not, reimbursement of hundreds of different services to as many patients.

This implies that the computer has pre-established criteria for authorizing or refusing payment (e.g.: access quotas for certain tests or examinations depending on the patient's age and condition). This is far cry from the preauthorized banking transaction based on a single criterion like: is there enough credit left in this account? Here, establishing criteria is already a significant challenge, considering the diversity of situations in which particular services can be medically required.

However, even if a consensus is achieved on such criteria, it is practically impossible to predict all possible cases or to prevent decisions being made on the basis of incorrect information. Considering the frequently vital issues of access to health services, this means that human beings would have to be available from now on, seven days a week, 24 hours a day, to receive and promptly deal with requests for review of refusals of authorization made by the computer, submitted by professionals or patients.

It is, then, possible to entrust implementation of numerous rules to the machine. However, the stakeholders involved must also be expected to adjust their behaviour accordingly. In the United States, for example, the implementation of "managed care" has led a large number of patients and health providers to "play" a bit with the presentation of symptoms and diagnoses in order to have access to treatments that otherwise would not be available based on the rules in effect. These effects can in turn produce other effects, like reduced confidence in the reliability of the content of medical records or the increase in administrative controls.

Two categories of questions are added to the pitfalls called to mind previously in this chapter.

Automation or no?

First of all, what portion of an activity can be entrusted to machines? Many routine decisions and operations can be give to machines. It is always a case of determining which ones. And what are the risks or effects? Under what conditions? Once again, it remains impossible to answer these questions without adequate understanding of the diversity of situations likely to be encountered or experienced.

Flexibility or no?

Secondly, to what extent do the systems in place today link users, decision-makers and other stakeholders in the future? Let's assume that the government invests a few hundred million dollars in a smart card system that gives the patient a certain level of control over the circulation of health information involving him or her. How much will it cost to change these control standards at a later time? Is it only a matter of re-writing a few hundred lines of programming? Or changing all the terminals in the health institutions and re-issuing new microprocessor cards to millions of patients and health care providers? One option is not in and of itself preferable to another. Great flexibility and great rigidity both have their advantages and disadvantages. It may be reassuring for patients that a high level of control over their information can not be taken away from them except at great expense, probably following public discussion. Inversely, the inability to economically adapt to new ways of providing health services could be counterproductive, indeed deplorable, from the perspective of the health of populations or public funds. In every case, it must be recognized that changing the standards written into the networking instruments can be as easy as amending a few words in the text of the statutory instrument or as difficult as replacing an infrastructure such as a network of aqueducts or highways. The choices made today will determine, then, those that can be made in the future.

Example 17

Compulsory, but not automatic, notification

Certain poisonings, infections or specific illnesses can constitute a threat, not only for the individual involved but for an entire population. The Public Health Act (Loi sur la santé public), particularly requires physicians to notify health authorities of cases they encounter. The list of these compulsory illnesses as well as the notification content, format and timeframes are specified in detail by regulation.

It would be tempting for an electronic patient record designer to completely automate notification of these illnesses. From the time given diagnoses or test results are confirmed, or a given set of symptoms is entered into the record, the application would automatically generate and transmit the appropriate required notification with the statutory text. In fact, if this is a legal obligation, why not simplify its implementation for the physicians bound to it? None the less, complete automation would be a serious mistake, even if public health authorities agree.

It is preferable that the application automatically generate the notification but leave the decision to send it and determination of the definitive content entirely up to the physician. Validity of the content is certainly a question. For example, cases in which the demographic or geographic information in the patient's record is not relevant for the health authorities. But more important, there are also all those situations in which a physician may deem that less information should be given than requested or, to the contrary, that other information or comments should be added, or that the notification should be temporarily delayed, indeed not sent at all. Because this obligation to notify cannot be isolated from the other obligations, duties and constraints that a health professional must assume. For example, a physician may consider delaying the notification for a short while in order to avoid prematurely breaking off a relationship with a frightened patient. Since machines are currently incapable of navigating many professionals' daily contingencies and dilemmas, their management is better left to the professionals.

Conclusion

Documenting the details

Generally, the developers of computer applications very carefully document the conceptual and technical dimensions of their project. In the public health sector, it is just as essential to properly understand the great variability of the practice contexts and individual situations a networking application will probably face. This is necessary, not only for designing a suitable application but also to enable all interested parties to discuss in an enlightened and intelligent manner, its ethical dimensions in particular. This documentation of the concrete realities should occur from the earliest development phases of a new networking application and continue, even once the application is in routine use.

Reconciling the abstract universal and the concrete particular

A number of means or strategies previously used by developers can be adapted for this purpose: analyses of existing processes, field investigations, design through objectives, ergonomic analyses, participatory design methods, pilot projects, gradual implementation, etc. What is important is to be able to customize the planned use of the networking application beyond the abstract design model necessary for it to be designed. For example, the "patient" must cease to be a mere abstract conceptual entity. The patient must become these different men, women and children with names, who experience a specific situation in a given environment or community, who have a history, particular interests and who are trying to achieve more or less specific objectives (Cooper, 1999). Because networked information does not just deal with subjects, but with stakeholders in networked practices. Consequently, user cases must also cease to be nothing more than typical situations. We must be able to make them correspond, or not, to the diversity of user scenarios in concrete situations and contexts.

Cooper, Alan. The Inmates Are Running the Asylum, Why High-Tech Products Drive Us Crazy and How to Restore the Sanity. Sams Publishing: Indianapolis, 1999.

Chapter 4 - The Legal Dimension of Networking

Summary

Health Information at the Centre of a Complex Model of Legal Relationships

A substantial, diverse and complex legislative framework

Accountablity

(Source: Translation of entry from Grand Dictionnaire Terminologique) Legal or moral obligation of the incumbent of a position to carry out a task and to answer to the competent authority for its execution and use of the resources belonging to the community, in accordance with established criteria to which the individual has agreed. Management principle establishing accountability, the obligation to achieve results, and acceptance of responsibility for resulting problems. In the area of computer science, it refers to a principle whereby breaches or attempts to breach the information system are attributed solely to the entity responsible for the system.]

The legislative framework for health information is substantial, diverse and complex. From the protection of human rights, guaranteed in the Charters and the Quebec Civil Code, to laws applicable more specifically to public health management, to the organization of the health network or professional organizations, as well as access to information and privacy of personal information legislation, it can be observed that all these laws share a common logic in the matter of information management. This logic advocates the individual responsibility and accountability of physical persons and legal entities with regard to the protection of health information. In other words, it is a proactive responsibility. Thus, any individual authorized to access information by virtue of his or her job must be accountable for this access to the higher authority, the empowering authority and potentially to the individual concerned. Any error made in managing this information is punishable by disciplinary, professional or even criminal sanctions. Finally, the individual to whom the information pertains may take legal action if he or she experiences a quantifiable loss.

In the area of health, the basic principles that underlie this accountability are the protection of privacy guaranteed by the right to professional secrecy and the obligation to maintain confidentiality of health information.

Accountablity (continued)

Explanation: This could be the responsibility of an employee at any level in the hierarchy, or equally of the Minister before Parliament. The French term imputabilité is sometimes used in Canada as the translation for "accountability", in the sense of "responsibility". In French, the term imputabilité refers rather to the possibility of considering an error or contravention as attributable to a given person. Imputability is a concept of "proactive" responsibility. Every "imputable" individual answers to a higher authority, in turn responsible to the person or entity (the minister/National Assembly) empowering them. The sanction for failure is different from that for breach of responsibility. Responsibility gives rise to disciplinary measures, action by professional associations and criminal charges. Only when the question of accountability is raised by the patient is there civil responsibility, which can give rise to payment of damages and interest when the error results in loss.

Professional secrecy

Express Consent

Express consent given orally, in writing or by means of a gesture. The express consent to the disclosure of information and to placing it in a network is generally given in writing, either on paper or electronically, or by the use of an electronic identity card.

Implied Consent

This consent is inferred from the voluntary actions of the patient such as requesting the care of a doctor at his or her clinic.

The right of a patient to professional secrecy is entrenched in the Quebec Charter of Human Rights and Freedoms and the ensuing obligation for professionals (doctors, nurses, social workers, psychologists, technicians, etc.) is found in the codes of conduct and legislation governing the professions involved. By virtue of the patient's right and these professional obligations, it is the responsibility of the patient to relieve the professional of the obligation by providing express or implied consent. Professional secrecy may also be lifted by provision of law.

The obligation of confidentiality

Two laws govern two complementary aspects of the obligation to maintain confidentiality: the confidentiality of personal information is compulsory under the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information while the Health Services and Social Services Act imposes the obligation to maintain confidentiality of the patient's entire record. This obligation of confidentiality is much more than just protection of the patient's personal or identifying information. All information contained in the record is covered whether it concerns the patient, a third party or others involved (see Example 22 on page 86).

Section 28 of the Health Services and Social Services Act states that Sections 17 to 27, on confidentiality and the patient's record, apply notwithstanding the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information. Thus, health services must abide by the provisions governing them. Only in the absence of a specific rule do the provisions of the Access to Information Act apply.

Everyone is responsible for the information

Anyone working in health services (including clergy and volunteers) is personally responsible for the management of information he or she produces, stores or obtains as a result of a request. This responsibility results from the role or the tasks assigned.

Health information at the core of a link between multiple relationships

Whether the role results from direct intervention in patient care, administration of health services, protection of public health, scientific research or monitoring of professional conduct, we are forced to note that there is an important link between health information and a large number of individuals, organizations and authorities that come into contact with one another while pursuing distinct legislative purposes. For example:

the coherent and concerted management of services; payment of fees and honorariums; controlling costs; health watch; risk management; monitoring of professional practices; investigation of death; and so forth.

Protection of information: a guiding principle

The diversity of the end purposes and the legislative authorization of access are of little consequence; the same principle of protection of information prevails at all times. This principle underlies a broad range of general or specific objectives connected with the public health field established by the legislative framework.

Example 18

The reliability of professional practices and the security of care

Take the case of Claude who, after a work-related accident, had many tests and surgery at the regional hospital, followed by professional rehabilitation at another institution. Because of the nature of his case, Claude's record is accessible to many individuals other than the team providing care (CSST, CLSC, professional groups, etc.). The overall acute care is provided by a team of professionals (physicians, surgeons, nurses, medical and radiology technicians, etc.) who are accountable to their respective professional associations for the quality of their actions.

Thus, Claude's record could be one that is reviewed by the College of Physicians in order to verify the competency of the orthopedic specialist who performed the surgery and whether or not the operation conforms to recognized practices. This type of review by a professional examination committee studying patient records of the professional under review is authorized by legislation governing professions (Code of Ethics, Medical Act) together with the Health Services and Social Services Act. The objective of these laws, and particularly the review, is to protect the public.

This example shows a very minute portion of the complex chain of professional relationships involved in health information. We will illustrate other points with Claude as an example later in this handbook.

Health Information circulates but in a controlled manner

Information is accessible with an authorized request

Health information is currently accessible with a request authorized by the patient or by provision of the law. However, the information remains the responsibility and under the control of those who produce it or retain it in accordance with the law. These rules serve to protect the patient's right to protection of his or her integrity, privacy as well as the right to professional secrecy.

Circulation of information by provision of law

Only by provision of law, namely the Access to Information Act, does information circulate without the prior consent of the patient. This law establishes the rules for the flow of information among organizations responsible for managing and administering public services.

Information remains under the control of the custodian

On the one hand, the law authorizes access to information required by the mission of the agencies (see the example of Claude and the CSST) and recognizes the accountability of individuals with respect to action taken to transmit or receive this information. On the other hand, the law sets out the obligations of agencies storing information with respect to management of the information (person responsible; rules for retention; terms of access; etc.).

Information under the control of professionals

The Code of ethics and laws governing professions also impose a set of rules for retaining records. These rules have the same intent as the Access to Information Act and apply to the professionals as well as their staff at their offices or private clinics. The professionals are responsible for managing the information they retain.

The combination of these norms leads to the general conclusion that the prevailing logic in the current legislative model for the circulation of health information is one of protection of the patient and his or her rights. This protection is ensured by the responsibility imposed on organizations to establish a system for the management, control and supervision of information and for the individual accountability of anyone who produces or keeps information.

Example 19

Legal authorization for access: a right restricted to specific information

To continue with the example of Claude, we note that processing of his claim under the Industrial Accidents and Occupational Disease Act, authorizes the CSST official to access all the information pertaining to his accident. However, assuming that Claude had a previous medical record, the officer cannot justify access to this part of Claude's health information and, consequently, the institution or the professional will have to refuse transmission of the data.

Health information accessible to those who establish their right to access

Access to information authorized by the patient

Access to health information is based on the express or implied consent of the patient or by provision of specific legislation. Patient consent generally takes the form of express consent, that is a written hard or electronic copy of the consent. However, when requesting care or services, there is implied consent by reason of the patient's action. To provide the care or services needed, the professional or the organization must access the information.

Access to information by provision of law

Access may also be authorized by law. In this case, the required information must be accessed in order to ensure application of the law in question. This is the case in particular for the Quebec Health Insurance Act, which covers payment for services rendered. In order for a payment to be made, the institution must forward information justifying payment from the patient's record to the appropriate official.

The current legislative model is designed such that without patient consent, only those individuals who can justify their right to access by a legislative provision may share or obtain the specific information required.

Access restricted to identifiable individuals

Legal authorization for accessing information is determined by the individual's position and his or her mandate. This access is limited and personalized and the applicant is accountable for it. Consequently, the professional or organization holding the information must make it accessible to the legally entitled individual, following verification of that person's right to obtain the information.

Access upon verification of authorization

The accountability rule applies to all requests for access. The individual who holds the information is responsible for protecting it from illegal access. It is up to the individual to verify the access right and to control the information transmitted. The laws require everyone with legal authorization to provide the required identification to the holder of the information, who is required to verify this identity as well as the previously mentioned legal authorization.

Current legislative framework accordingly sets limits on the circulation of information by restricting the communication to the specific, exact content necessary for achieving ultimate goals of the law in question.

Example 20

Legal access authorization: a right controlled by the manager

The example of Claude and his CSST claim will illustrate how the protection of information works.

Let's suppose that Claude has a single health record, located at the regional general hospital; this record includes the entirety of information pertaining to care and services he received before the work-related accident. Let's assume that over the course of the years preceding his work-related accident Claude had an appendectomy and cosmetic surgery to his lower jaw. His record contains the information on care and services pertaining to all of these procedures, as well as those connected to his work-related injury.

When the CSST officer makes a request for access to Claude's health information, or, more commonly, when he requests access to his "records", the medical archivist will see that he is only sent the information prescribed by law, that is, the information related to care or services pertaining to the work accident. In doing so, he or she is in compliance with the Health Services and Social Services Act, the Access to Information Act and the Work Accident and Professional Illness Act. In his or her capacity as the person in charge of health record management in institutions, he or she fulfills the institution's obligations but also the obligations placed on professionals governed by professional code.

In short, the current legislative model allows the circulation of health information. However, this circulation must be done under the control and surveillance of each of the individuals and each agency responsible for the information and with the strictest respect for the applicant's authorization, per piece, whether this authorization comes from the patient personally or the law. Furthermore, it must be noted that at no time is information made "accessible" in its entirety to any applicant; applicants will only receive the information authorized.

Networking of information modifies the foundations of the legal framework

Information management through right of access to the network

Health information networking is a profound change in the locus of accountability. We are witnessing the transition from the transmission of information upon request and under the control of the responsible authority, to access control by the individual accessing the information. In other words, once it is on the network, information becomes accessible, without a specific request nor particular authorization, to everyone having an access right to the network.

This means that the locus of responsibility has shifted and that both the patient's and information manager's control of the flow of information is lessened due to the almost exponential number of individuals capable of access.

Changes created by networking

We have seen that in the present context, transmission is done upon request, per piece, and under the control of the authority responsible for the information. Networking produces three fundamental changes.

First of all, control of the flow of information shifts from the individual who is custodian of the information to the individual having authorized access to the network. At the same time, the patient is likely to see the extent of his control reduced in proportion to the multiplication of the clearances granted by the system.

Second, authorizations for the communication of information are not prescribed and checked one at a time, but set rather, according to pre-established network rules.

Finally, placing information on the network creates unprecedented increases in pressure for use by secondary users. We will return to each of these points.

The very principle of networking information is to give access at all times to the individuals who use the system as a work tool, enabling them to obtain the information they need, or store the information they produce, if any. At the same time, networking allows the search for information. For example, when a patient goes to a professional for the first time, the professional can consult the network system to see if there is a record for this patient and obtain the contents.

This simply assumes that the system recognizes the professional or any other member of the administrative staff authorized to use the system. Access to the information is subject to pre-established rules when a network is implemented. Simply put, these rules cover the means to authenticate the request for access to the network, that is, verification of the applicant's identity and access code and the information that the individual may access. The rules are established on the basis of a policy that determines who may have access to what and under what conditions.

A networking system can present different levels of access and various means of circumscribing the content accessible. A few pilot projects in the health network have explored this channel by associating access rights to professional qualification. Access that was restricted - to a set length of time or to content that was related to the nature of the treatment (medical, nursing, drugs) - has also been tried.

Moreover, and in general, it can be observed that the projects tried in Quebec to date attempted to maintain a certain amount of control by the patient over the circulation of information by making access to the network or the circulation of information subject to the patient's direct or implied consent. In these projects, access remained under the control of the information custodian, who did not make the information accessible to the professional except on the basis of action by the patient (electronic signature, introduction of his or her card). In short, these projects explored networking in compliance with current rules; they had mixed results.

To date, none of these projects included granting secondary access to information, whether CSST, SAAQ, an insurer or a professional group. This creates the need to examine the scope and range of proposed networking. Should networking projects be designed with secondary access rights? If so, what are the limits of this type of network? And what are the possible accountability rules?

Control instruments to be developed

Another point: the current type of management allows implementation of centralized instruments for the control and monitoring of information, under local (e.g.: Archive services) or provincial (e.g.: RAMQ) responsibility and localized, that is, located in a specific place (generally a government institution or agency). However, in the case of networking, the premises where control and monitoring of data inputting, processing, saving and storage are likely to be decentralized, scattered and multiplied almost infinitely, posing a considerable problem to those who are, or will be, obligated to ensure the protection of this information. One may wonder who is going to grant access rights and on the basis of which rules. In other words, the more extensive the network, the more difficult it becomes to identify who is in charge of information management.

Example 21

Legal access authorization: the applicant's and manager's accountability

Once again referring to Claude's case and offering the hypothesis that the CSST officer accessed "his computerized record" to process his claim, we could wonder about the informational content this officer will access. There is no longer a medical archivist to sort the information and remove information predating the work-related accident. Will the system deliver the entire medical record to the officer? If so, how will the information predating the accident influence the officer's decision?

In the example as presented, we may believe that there would be little or no impact, considering the absence of links between this information and the accident but if his record took into account monitoring for recurring depression, would it go differently?

The Work Accident and Professional Illness Act makes provisions for the injured worker's medical record to be accessible to the employer. Accordingly, there is reason to wonder which record becomes accessible to the employer. Does the CSST officer access the network medical record through networking? And even if the officer transfers information from the network to his or her own record, how can one ensure that the information is limited to the accident?

Networking takes us from access upon substantiated request to pre-authorized access

We have seen that the passage from how information circulates currently - on request - to how it circulates with networking, carries with it a nearly exponential broadening of the content accessible as well as the number of individuals or agents capable of accessing it. It must be noted that we are not speaking of categories of people but in fact of individuals.

Information management through access rights

One of the special features of networking is that of collectivizing, so to speak, the management of information; that is, placing control of the means of access to information in the hands of the individuals authorized by the system. This control is acknowledged by virtue of their professions, duties or mandate and the role they are called upon to play in patient care or services. We must remember that this is a significant change in comparison to the current situation in which the collection and processing, just like the sharing or circulation, of information was managed instead by the institution or agency in the context of care and services provided to the patient.

Access is personalized and individualized

The current rules insist that only the individuals directly involved in the treatment or involved in the management of these patient services may gather, process or have access to information. In other words, just being a physician, pharmacist, nurse, manager, etc., does not give access to a patient's information but rather the fact that these individuals have a role to play in the care or services to be provided to the patient. Access to information is not the right of the professional, manager or officer of the agency involved, but an obligation directly related to the professional practice or management task required by health services.

Access through authentication

Everyone with an access right to the network by virtue of his or her work will potentially have the power to look into all the information there simply because he or she possesses authentication recognized by the networking system and has the knowledge and instructions necessary to arrive at the information.

Access rules to be developed

Current uses of local computerization systems show that it is difficult to ensure that access rules (by personalized code or key) are respected at all times. There are relatively frequent instances in which individuals working in a team borrow or use another's code or key for accessing a health record. These situations generally occur due to a forgotten code or key or to speed up the access process, the system being active and the record already open.

Removing control from the patient

Moreover, networking information removes all the patient's knowledge of and control over who has access to the information concerning him or her, and over what happens to this information.

Various research projects involving access and the communication of health information have shed light on the difficulties of designing a network according to the current model's parameters, particularly with regard to patient consent. Certain experiments (Rimouski, Laval) have attempted specifically to restrict access to a single patient record at a time by requiring use of the patient's card for access. However, the main difficulties encountered deal with the fact that the sicker or needier a patient is, (distance from the management premises, difficulty getting around, difficulty understanding), the more difficult it is to use the technical means proposed for enabling him or her to give express consent.

In short, the patient's place in controlling the flow of information through networking still remains to be defined.

Increased interest for secondary users

To this point, we have addressed the clinical and administrative users of information gathered for these purposes. The current legislative framework also allows secondary users for research and public health purposes. This type of access is governed by the general rule of patient consent or, when that is not possible, access may be authorized by the Director of professional services of the institution involved or by the Quebec Access to Information Commission (Commission d'accès à l'information). This authorization is framed by specific rules under section 125 of the Access to Information and Privacy Act. In short, access for research purposes is possible within a very specific context.

Networking pilot projects and the creation of vast data banks have sparked the interest of researchers and public health agents. It is becoming possible to simply and reliably access a significant volume of information taken from a large number of individuals.

Removal of information pertaining to an individual that would allow that individual to be identified.

We also note that information per se is what interests researchers in epidemiology or other areas. All things considered, these researchers are more concerned with collected data than with the clinical aspect of a particular patient's treatment. In fact, researchers are more interested in redacted information content to which it must be possible at the same time to connect the subject's sociological data.

The expressions "identifying information" and "redacted information" are part of the accepted terminology in the protection of personal information standards area. Information is considered identifying when it allows an individual to be identified. It is not necessary that the person's name be present for information to be considered identifying. For example, an excerpt from a medical record from which the individual's name has been removed, leaving only the health insurance number (NAM) remains identifying since it is possible to identify the individual through his or her NAM.

Here are some current examples of records containing identifying information in the health area:

Non-identifying information

Health information is non-identifying if it is not possible to identify the individual involved. It can accordingly be non-identifying with regard to the patient but remain identifying with regard to the health professional. Health information may be redacted to a particular area in the network and not to another. Depending on the controls and management rules implemented throughout the network, information kept in an identifying format in one data bank may be automatically redacted when it goes through a certain access portal towards a destination. It is generally through technology that this result is produced.

This consequently opens the door to various projects for the storage of health information for research. Some of these projects presented in Chapter 1 even anticipate storage in data warehouses that would be open to every authorized researcher. Beyond the possible discussions on the nature or objectives targeted by these projects, the worrisome issue of the existence of indissociable links between the information and the patient remains unresolved. Whatever the technology used to render information non-identifying, traces of the information's origin always remain.

Identifying information about personal relationships

It must not be forgotten that health information or identifying information can also involve other individuals who are not part of the immediate relationship between the patient and the health professional. This information may, for example, tell us about certain of the patient's family members; this is especially the case for information pertaining to genetics.

Identifying information about the professional relationship

Health information can also involve more than one individual at the same time: the patient and health professional who collects the information. Information placed in a medical record tells us not only about the state of the patient's health but informs us at the same time about the professional who records it. We know, for example, that this professional was with the patient at a given time, that the professional made a certain observation and performed certain professional procedures or made records.

Example 22

Networking and changes in responsibilities

The circulation of information through networking is very widespread in the pharmaceutical sector today. Everything leads one to believe that the security of the information processed in this way is acquired by virtue, in particular, of pharmacists' professional obligations and that there is a high level of protective measures. In the normal order of things, only authorized individuals have access to this information even if the patient, or even the physician who wrote the prescription, is totally unaware of the information.

None the less, we are currently witnessing a legal challenge in Canada as a result of the fact that information collected by various pharmacists was redacted and then transferred to companies that were interested in the profile of the doctors as prescription writers. Thus, it can be observed that even having recourse to redacted information pertaining to a patient, the circulation of information may disclose information, especially on the professionals or third parties involved, which may prove to be problematic. Current legislative provisions ensure the protection of the targeted individual; however, this protection was conceived within the context of circulation that was controlled by the custodian.

Security is not synonymous with accountability

This example brings to light the fact that a system's security measures are not synonymous with controlling the circulation of information by the patient or the professional. This example also illustrates that although a portion of security involves the protection of the patient and his or her rights, this does not include reporting to the patient, any more than to the professional involved, what happens to the information. Before the growing interest of marketing specialists for all information gathering systems, it is appropriate to wonder about the rules for the protection of information gathered in this way. Finally, this example demonstrates that the technology for removing identifying information does not guarantee that certain links are broken between the information placed in circulation and the individuals it concerns, whether the information was produced by these individuals or they are the source.

Conclusion

Every networking project brings with it, then, the search for a new model of legislative framework based on effective accountability of information custodians as well as on the accountability of the individuals who will access it. We must also look into new tools for control and monitoring by the patient, as the targeted individual and by health professionals, as the primary producers of this information.

An examination to be donee

There is, accordingly, a case for the examination of how networking's characteristics and special features are likely to affect:

Choices to be made

This examination ought to encourage reflection about the choices to be made for creating the framework for the processing, storage, circulation, access, and the communication of information with regard to the primary goal of this information, which is to meet the patient's needs while lending itself to other specific ultimate goals such as public health and research.

Finally, before exploring possible courses of action, it appears essential to determine what must be preserved from the current model pertaining to patient rights and the rights of agents producing the information, as well as to the obligations of information managers. The effects and consequences of the implementation of networking on the rights of these individuals must be done in cooperation with them since they are the most important ones involved.

Chapter 5 - Networking as the subject of Ethical Assessment

Summary

Analysis and assessment of an ethical nature

By the word framework, we mean a set of interrelated basic concepts to answer, now, two intimately related questions. How do we know we are facing an ethical problem or issue in the context of networking health information, and what is the nature of the ethical issue to be analyzed and resolved?

An ethical framework is a set of ideas, concepts and considerations that act as reference points for carrying out an ethical analysis and assessment.

The objective of this chapter is to clarify the main reasons why the use of information and communication technologies for creating electronic information networks needs analysis and assessment of an ethical nature. This clarification requires first that an ethical framework be developed in order to proceed to the ethical analysis and assessment of any electronic network.

Our objective is not to perform an ethical analysis and assessment of a typical project dealing with electronic health information networking. The goal of this chapter is, rather, to identify networks' main characteristics to determine the ethical issues raised by the design, creation and use of electronic health information networks that will overlap ethical questions and issues.

Anticipate in order to avoid mistakes

It is possible to anticipate ethical problems, their issues and difficulties. Moreover, if ethical analysis is practiced from the beginning and is part of the design of an electronic information network, it is possible to avoid disastrous and irreparable mistakes. This chapter will accordingly focus attention on the most significant or most common ethical pitfalls that can arise in a networking project.

An exercise that is simultaneously essential and difficult

The ethical analysis and assessment of an emerging technology such as the electronic health information network are at the same time both essential and difficult when this technology is complex not only from a scientific point of view but also from an administrative and ethical perspective. Thus, attention to the indicators of the ethical complexity will minimize the probability of falling into the worst of ethical pitfalls; that is, not anticipating the major ethical problems of health information networking.

Towards an ethical framework

Where and how an electronic health information network creates one or more reference points on the ethical framework can be identified and specified through the use of an ethical framework. This overlap can have a positive implication in that it can expand and support one or another of the key concepts, principles or values of the ethical framework. This overlap can also be negative in that the operation of the electronic network may challenge, threaten or contradict one or more of the concepts, principles or values that are important or essential from an ethical point of view.

Three aspects of ethics

In as much as this chapter is not an ethics handbook, we are going to restrict ourselves to three aspects of ethics that will suffice to construct a framework for ethical analysis and assessment. These three aspects are: the foundations of ethics, the levels of ethics, and the domains of ethics.

The foundations of ethics

Ethics: discernment on what is fair, necessary, permissible, tolerable, bad or what must be forbidden.

The first group of ideas involves the foundations of ethics. Ethics, as understood in this handbook, concerns human choices, decisions, policies and actions. Ethics consists in forming an opinion about what is fair, necessary, permissible or tolerable, on what is bad and finally, on what is bad to the point of being forbidden. The foundations of ethics involve the very source of these ethical discernments. The origin of this source is not from books and codes but in fact from each individual. Ethics emerges from the interaction, the growth and development of awareness of oneself and others - from people who communicate and interact with one another. Consequently, ethics is adulterated at its very source when some individuals or groups of individuals are excluded from this communication.

If the foundations of ethics are understood in this sense, then one must inform these individuals, groups or populations precisely and completely about every topic requiring a decision, a choice and the exercise of responsibility. By refusing to share this information, or even worse, by adulterating or falsifying this information, we remove ourselves and others from a responsible decision and action. This rejection is the equivalent of manipulating others and repression of their development.

There is a corollary to this concept of the foundations of ethics: every individual involved in the creation and use of electronic health information networks must encourage the ethical analysis and particularly the ethical assessment of this technology. Individuals with experience in ethical analysis can be a great help in promoting the appropriate ethical assessment of an emerging technology. However, ethical assessment is not the private reserve of experts in ethics or other separate domains.

The principle of democracy is a stakeholder in the foundations of ethics. The advance and safeguarding of democracy require that information and knowledge having an impact on the common good flow freely and are discussed openly. Obstructions to the creation, communication, and discussion surrounding information and knowledge tend to promote the concentration of power and authority.

Levels of ethics

Ethics serves as a guide for resolving questions and conflicts raised by applications of science and technology. The main point of the discussion specifically involves the multiple uses made of information and communication technologies in the organization of electronic health information networks. Science and technology, including information and communication technologies, enable people, professionals and societies to do things that have never been done before but it is not always true to contend that we must do something just because we now can.

The two fundamental questions of ethics facing science and technology

The task of ethics in this context, consists in bringing together people with different training and backgrounds to work together to resolve two fundamental questions:

First, what must we do, what must we allow, what can we tolerate and what must we forbid among all the new applications that science and technology make possible with human beings?

Second, how can we determine what is compulsory, what is permissible, what is tolerable and what must be forbidden when new powers enable us to do things as never before?

The answer to these two fundamental questions, which recur with every new scientific or technological advance, requires reflection and deliberation taking place on three different but interrelated levels.

The three levels of ethics

Practical ethics

Practical ethics seeks to formulate opinions, decisions and policies dealing with particular courses of actions. The immediacy of action in present life is at the basis of practical ethics and this job requires that full attention be given to the unique nature of specific electronic networking projects; to the possible consequences of these projects on the numerous individuals and institutions involved in the network; to the spin-off effects of the networking project on the health system as a whole.

Normative ethics

Normative ethics develops the principles, standards, guidelines and procedures necessary for channelling behaviour that does not veer too much from the values deemed essential to the identity of a community or society. The principles and standards that are at the basis of practical ethics act somewhat as attractors. In the theory of complexity, attractors are states or trajectories towards which dynamic systems converge and around which they will potentially settle. Ethics is a dynamic system that operates through particular decisions which may converge towards a set of standards. The principles and their related standards can be articulated in the theoretical experiences preceding every new guideline. These "theoretical" standards can, nonetheless, not coincide with the factual standards that emerge from a set of practical judgements set down in actual situations. Tension can arise between the theoretical standards and the practical standards that operate in reality as attractors in practical ethics.

Horizon ethics

Horizon ethics deals with the beliefs, perceptions and generally, the uncontested assumptions which form the foundation of principles, standards and choices of values.

The concept of "horizon" represents the line where the sky and earth seem to meet. By analogy, a horizon represents, then, a boundary, a demarcation line, not only of vision and perception but also of knowledge, understanding, deliberation, anticipation and approval about what is important or, what is less so, in every area of life and the activities related to it. The breadth and extent of a horizon, whether an individual's or that shared by a community, vary in proportion to the nobility of the points of view adopted by individuals and communities. In general, activities governed by noble points of view encourage progress while less noble points of view follow a downward curve.

Possible tension between the three levels of ethics

Just as tension can exist between normative ethics and practical ethics, there can also be tension between normative ethics, practical ethics and horizon ethics. New developments, especially if they are revolutionary, can show us that these uncontested assumptions perceived as irrefutable standards and practices, must again be called into question and perhaps even rejected. Individual or community behaviours, as shown by a number of practical decisions, can at this point depart from the principles and standards, becoming incompatible with the beliefs established by a group, profession or society. When confronted with crises of this type, it is essential to re-examine the relationships between practical, normative and horizon ethics.

The domains of ethics

The three levels of ethics dealing with the two fundamental questions raised by technoscientific projects in the health systems, are addressed repeatedly by individuals working in quite separate disciplines and in interdisciplinarity with others. In ethics, this produces separate but interrelated domains. Within each domain, a certain doctrine gradually evolves as the individuals working in their discipline manage to formulate answers to new, often difficult, ethical questions. When an ethical question overlaps different domains of ethics, it is possible for the answers to this question developed in one particular domain, to be very different and occasionally even the opposite of answers developed in one or more other domains of ethics (see Example 23). The idea according to which all ethical analysis ought to consider all the facets of an ethical problem is correct. However, in practice, it is very difficult to carry out the ethical analysis with the depth and historical perspective to lead to the exhaustive understanding of all the dimensions of the problem at hand. That is why ethics must necessarily be a process of interdisciplinary and intercultural deliberation.

Example 23

Illustration of a difference in the ways of solving an ethical problem

The practice of euthanasia is a good illustration of how various domains of ethics can differ in the ways of solving a specific ethical problem. A number of individuals contend that euthanasia goes against the fundamental mission of medicine (professional ethics) while some physicians are of the opinion that euthanasia is justifiable in cases in which pain is intolerable (clinical ethics). The problem of euthanasia has produced a number of opposing reactions going from tolerance to criminalization in different societies (public ethics).

The five domains of ethics

Health information networking has an impact on nearly every individual and discipline operating in health institutions and is felt through the health system as a whole. The ethical analysis and assessment of an electronic network must accordingly focus attention on the way in which ethical questions raised are perceived in at least five domains of ethics related to health care. We will now outline the main characteristics of these five domains.

1. Professional ethics

Professional ethics refers to the set of obligations and responsibilities associated with the practice of a profession. Professions such as medicine and nursing also have a social dimension, namely that of dispensing services that are highly valued in society to meet very important needs (health and life) that are shared by the entire society.

Five major dimensions of professional ethics

Medicine's professional ethics, or medical ethics, includes five major interrelated dimensions or elements: an ethos or central mission, a values system, a normative set of responsibilities, a set of practical maxims that determine what is good or bad behaviour in specific situations, and an open-ended corpus of doctrine on how specific ethical problems in the practice of medicine on the whole should be resolved.

The implementation of an electronic health information network will have numerous repercussions on medicine's professional ethics. As the practice of medicine in our times requires specialist physicians and other health professionals to cooperate with each other, by integrating a scattered set of information on sick individuals, an electronic network will be able to strengthen the basic values of the medical profession which sets out to offer high quality medical services with a minimum of medical errors. However, because some of this information related to health, such as information on mental health or infectious diseases, can be highly sensitive from a social, personal, family of professional point of view, physicians could feel that an electronic network endangers their professional ethical commitment, which is to protect their patents' privacy and the confidentiality of their relationship with their patients. In other words, an electronic network could also create new dilemmas in professional ethics by virtue of the new possibilities of actions or interventions offered to physicians.

2. Institutional ethics

Institutions such as hospitals and health centres, hold fast to fundamental concepts with regard to their own mission, the value systems that guide them in carrying out this mission, and the separate styles or approaches to the management of delicate ethical problems. Although they are all engaged in caring for the ill, hospitals and health centres may exhibit very different and even divergent styles or approaches to institutional ethics. Some health institutions may develop customs that are completely different with regard to the way certain recurring ethical problems are solved. For example, some hospitals could traditionally use aggressive technologies for prolonging life while others may place more emphasis on the objectives of palliative care.

Institutions and professional ethics: possible divergences

Health information networking is relatively new and it is possible at the beginning at least, that different hospitals and health centres adopt completely different ethical positions with regard to, for example, patient consent or the protection of confidentiality. The institutions involved in these electronic networks may not all share the same institutional ethics. For example, hospitals which place greater emphasis on research may have justifiable reasons, taking into account their research mission, for simplifying consent procedures for sharing electronic data on patients, particularly redacted information, among medical specializations and health centres. Other hospitals whose primary mission is not research but who are about to join an electronic network, may be inclined to place greater emphasis on the protection of consent and confidentiality. As an increasingly significant amount of data on the sick is integrated and shared through electronic channels among various health institutions, this institutional ethical diversity can create major cooperation and management problems.

3. Clinical ethics

Clinical ethics involves the decisions to be made in caring for the sick. Clinical ethics must resolve the uncertainties, the conflicting values and dilemmas which appear when the physician and his or her team together with other health professionals, treat the sick person, whether at the bedside, in the operating room, in intensive care or in a long-term care facility.

The patient: the reference point for clinical ethics

Clinical ethics requires that the patient and his or her well-being be at the centre of concerns leading to practical decisions. The patient's clinical progress, which is also assessed according the relationships with his or her family and others, life plans and personal interests, are at the core of the elements that must be balanced by the care team, which then acts according to the patient's particular standards which are added to those imposed by professional ethics.

Four basic characteristics of the relationships between health professionals and patients

Clinical ethics can only be fully implemented if the care team demonstrates humanity, autonomy, insight and trustworthiness.

Humanity means that the decisions made with regard to an individual must be made on the basis of the individual's own situation and not on the basis of his or her belonging to a group or category of patients. A relationships that promotes patient autonomy is distinguished by the absence of abuse, force or any inclination to use the patient as a resource for achieving an objective that is foreign to him or her. The requirement of insight reminds us that the patent's consent must not be limited to the green light needed by clinicians or researchers to pursue their work. The patient has the right to be well and honestly informed and to be cared for by competent professionals. Trustworthiness means that the patient's legitimate expectations must be honoured.

These four dimensions of the bon fide clinical relationship have a material impact on the way in which patient consent is expressed and on the way in which personal information must be protected when health information is networked. Individuals who are sick must never become simply data for research or administrative purposes. Clinical ethics dictates that the patient not be reduced to a mere source of data.

4. Research ethics

Health professionals' ethical obligation to offer patients the best treatments available cannot be separated from the clinical requirements that treatments be necessarily focused on meaningful information. There is tension between these two interdependent responsibilities: 1) the compassionate dispensing of care focused on the person, and 2) dispensing treatments that are scientifically reasonable and proven. This tension is intrinsic to medicine and health care and at certain times reflects the tension existing between research ethics and clinical ethics.

Even if we readily admit that patients must not be seen as mere sources of data for the pursuit of clinical, epidemiological or other types of research, we can also acknowledge that these numerous types of research, which are essential to the improvement of care, would be impossible without patients' cooperation with researchers.

Networking information can profoundly change health research

Health information networking can profoundly change the many ways in which health-related research is carried out. While research subjects were accustomed to either giving or withholding consent to participation in clinical, epidemiological or behavioural studies of limited duration, electronic networks will make it possible to share a vast amount of data on individuals, turning them into practically permanent research subjects. This would remain true even if the data were stored and used in an anonymous (or redacted) form. Whereas people were accustomed to giving or withholding consent to participation in a research project, through networking they could now find themselves in an ongoing research process. Research ethics will have to quickly and completely change in order to face these emerging large-scale problems.

5. Public ethics

Social ethics and public ethics focus on the protection and improvement of the collective well-being within a society. The collective good includes a number of interrelated values. One of these, the most general, involves society's order as a whole.

The internal shifting of the order of values are a primary concern of public ethics.

Increasingly widespread implementation of health information networking, including in a form that integrates other types of information on citizens, could cause a certain number of conflicts of values within the health system itself or between the health system and the economy. Health information networking implemented to improve the quality of care and access could in time serve other purposes, like monitoring the performance of professionals and institutions. Quality of care, access to care and the effectiveness of professions and institutions are values of the utmost importance within a health system. However, the order of values can shift, for example, from equitable access to care towards improved effectiveness and cost reduction, depending on the use made of networking and the goals pursued. These shifts in the order of health system values and the conflicts caused, are a main concern of public ethics.

Social Ethics

Social ethics involves the decisions on that which is necessary, allowed, tolerable or completely unacceptable in social policies whose role is to correct, stabilize or advance society as a whole.

Public Ethics

Public ethics has a narrower scope and focuses instead on the order of the specific institutions in a society. The term "institution" here does not refer to buildings which house a social function but the function itself and the organization between individuals, the professions, needs, activities and resources without which the function itself would collapse. In this sense, education, the media, the family, science, the economy, the health system and various professions such as medicine and law are social institutions.

Health information networking and ethics

It is now necessary to make a list of a certain number of areas in which health information networking strengthens or compromises ethical values, responsibilities and requirements. These areas are the early signs indicating where electronic networks will need ethical monitoring, analysis and assessment.

Health information networking: the ethical pitfalls to be avoided

To conclude this chapter, we are going to borrow the image from orienteering exercises.

Orienteering is a sport in which the participants navigate their way between control points on a route, which has been set in advance on a specially drawn map. On the terrain, coloured markers are placed at points corresponding to those targeted on the map. A compass is used to find the way to the pre-set points and the winner is the participant who took the least amount of time to complete the course while punching a card at every control point in numerical order.

Ethical Pitfalls

Ethical pitfalls are generally unexpected and unimagined difficulties or dangers that cause errors with regard to ethical behaviour in the planning, design, introduction and implementation of information networking in the health system. Even with the best of intentions, it is possible to fall into one or more of these traps, consequently creating high costs and serious difficulties for the professionals, the institutions and society as a whole.

The following pitfalls must be avoided at all costs and accordingly merit special attention:

Conclusion: Ethics and its complexity

Ethics is relatively simple when the consequences of actions can be predicted with sufficient clarity and precision. But the complexity increases when the consequences of actions cannot be controlled and the consequences remain obscure or unpredictable. It can occur as well that actions or programs begun according to a set of specific objectives later finds itself connected to a new set of objectives that are very different from those initially anticipated because they are dependant on new political, economic or socio-ethical ideas which become predominant at a time in a society's history. Ethics for complexity requires ongoing vigilance to anticipate and prevent a program of action that was adopted with the most praiseworthy intentions, with high social objectives, from moving radically move away from both the initial objectives and the values that guided it.

Part 2 - Ethical and Social Questions to Anticipate and Assess

Introduction

Objective

The objective of the second part of this handbook is first of all, to address the most compelling and crucial ethical and social issues from among all the issues related to health information networking.

Providing some tools

This part of the manual has a practical vision. As a matter of fact, from Chapter 7 to Chapter 14, eight sets of problems are set out detailing the ethical and social issues. Each chapter includes a list of questions on various levels, that can be applied to every health networking project. These questions are designed for use by all stakeholders and spectators in health information networking. They are likewise working tools to be used for the ethical and social assessment of such projects. They have been drawn up in order to prevent not only the pitfalls that are already known but also the unprecedented problems that are likely to emerge. At the end of every chapter, you will find the bibliographic references used for writing the chapter, then in the Annex, under the title "Suggested Resources", the reader will be able to refer to a list of documents (monographs, articles) and references (Web sites, institutional standards, etc.) that we consider helpful for finding out more on the various sets of problems addressed.

Choosing the sets of problems

The choice of the eight sets of problems dealt with here is based on studies carried out by the handbook team members⁷. The results of these studies indicate particularly, that in the eyes of the experts and the stakeholders directly concerned, the most directly political or socio-political considerations (such as modification of the power structure, social control over the health system stakeholders, the issues regarding allocation of resources, etc.) occupy a place that is as important as the questions related to respect of privacy and security. In choosing the sets of problems, we decided to take into account the concerns expressed with regard to information technologies' enormous potential to modify and regulate a number of procedures that are currently used in the health system.

Ethical assessment: a necessity

We saw in the previous chapter (see Chapter 5, Networking as the object of ethical assessment) why it is so important, particularly due to its technological, social and political complexity, to grasp health information networking through socio-ethical analysis. We put this analysis into practice in the second part of the handbook. Moreover, ethical assessment cannot just be confined to "specialists": certain networking projects have so many consequences and ramifications that they have much in common with actual "social projects" requiring broader in-depth discussion.

An assessment based on values and principles

Ethical assessment goes significantly beyond the framework of a technology assessment. This is critical reflection that is based on values, principles and rights that are commonly recognized and accepted in our democratic societies. In this spirit, various studies, including ours, and certain public discussions that have taken place in recent years, flag these points: the importance of collective control over technological changes; the necessity to upgrade participation and reflection in the decision-making process; maintaining the integrity of the public health system; the quality of health services and care; the controlled production, manipulation and circulation of health information; finally, the ongoing assessment of automation in health. The sets of problems contained in this part are accordingly dealt with on the basis of these values.

Chapter 6

Chapter 6 (Table of the main socio-ethical questions) suggests an inventory by category of the main ethical and social questions raised by health information networking. The inventory is made up of 28 considerations that are broadly defined and clustered into four categories, that are simultaneously separate and indissociable: considerations of guidance, of society, of networking operationalization and questions of change management.

The eight chapters that follow involve matters that, among the 29, we consider high on the agenda to be dealt with from both an ethical and social perspective.

Chapter 7

Chapter 7 (Equity in the allocation and management of precious resources) particularly asks the question whether the benefits of health networking projects justify the significant amounts of resources devoted to them, a question that is all the more essential because the available resources in health are few. We will examine here the reasons why managers in the health system invest in this type of project and the questions that these investments raise, particularly in a context in which a number of these projects end in failure.

Chapter 8

Chapter 8 (The role of industry and business strategies) describes the place of the development of local industry and employment issues, which is often a deciding factor, as well as business considerations in decisions regarding the development or purchase of health networking applications. We will explain by way of examples, the different industrial and business logics present and how they can enter into conflict with the mission and logics specific to the health system and its institutions. No ethical assessment of a networking project can neglect to take these factors into consideration.

Chapter 9

Thus, Chapter 9 (Participation in the decision-making process) addresses the theme of participation by the stakeholders in the development and implementation of health information networking projects. The broadest possible participation is set out as both an ethical and operational requirement for the success of this type of project. From this perspective and using concrete examples, we will illustrate the basic pitfalls to be avoided at the time a networking project is begun.

Chapter 10

Chapter 10 (The changes in relationships) explains that networking allows not only the circulation of information but also causes significant changes in the proximal relationships between the stakeholders involved in the production and management of information in the context of networking. The ethical assessment of networking projects must explore these changes. Here the review involves the transformations in (a) the inter-organizational relationships, that is, the inter-institutional relationships or the relationships between institutions and agencies, private or public, (b) inter-professional relationships, and (c) the patient's relationships with professionals, institutions and agencies.

Chapter 11

Chapter 11 (Human and social vulnerabilities) proposes looking beyond the question of the security of the tools and information to focus the attention of ethical and social assessment on the security of human beings and the relationships they have with each other. Four themes are addressed: protection of the environment and human health; the risks resulting from malfunctions in network operation; the vulnerability of particular populations and organizations; the risks arising from the very management of security.

Chapter 12

The objective of Chapter 12 (Pressures on consent and accessibility) is a review of the three related and indissociable facets of the protection of patients' privacy in the context of information management in the context of networking. The analysis developed here describes the diverse forms these pressures can take between two fundamental ethical poles, namely the principle of beneficence (or absence of maleficence) and the principle of respect for individual autonomy in the dynamics between protection of information, free and informed consent and access to information.

Chapter 13

Chapter 13 (Management of the secondary uses of health information) outlines the unprecedented possibilities presented by computerization and networking regarding the use of health information. It is becoming increasingly easy to transmit or to transform this information so that it can be used for one or more purposes that are very different from those for which it was initially collected or produced. This phenomenon of secondary use of health information, which is becoming more frequent with the multiplication of networked data bases, generates significant ethical dilemmas, not only for the individual whose information is used but also for society as a whole.

Chapter 14

Chapter 14 (The political transformation of the health system through technology) demonstrates that the design, implementation and management of a health information network do not just come under the area of technology, as a network of this type is also a political system that places its stamp on the health system. We maintain and illustrate here that the ethical assessment of health information networking projects must analyze the links that are woven between the implementation of automated systems and the short and long term transformation aims of the political aspect of the health system; technical solutions must serve political objectives that are appropriately stated and discussed and must not be used to impose ultimate aims that are unintentional or hidden.

Chapter 6 - Table of the main socio-ethical questions

Overview

This chapter paints a picture of the main socio-ethical questions raised by health information networking. It offers a more direct and systematic introduction than currently exists to this complex universe in which multiple significant issues overlap, are blended with, or opposite to each other.

The socio-ethical considerations cannot be completely and exactly set out with all the expected nuances in this single chapter. The objective, then, is not to make a complete inventory of them but to identify from among all the considerations, those which seem to be the most meaningful due to their degree and recurrence in time or in the variety of the networking process. Eight questions are, on the other hand, discussed more fully in Chapters 7 to 14, which are specially devoted to them. These questions will be identified in this chapter with an asterisk (*).

As the result of an inventory created through research and various experiments in the area (see the detail in the Introduction of the handbook), 29 components have been taken up. They have been divided into four separate categories which refer likewise to the main sets of indissociable considerations of all networking processes, namely:

It must be remembered that these considerations are almost all interrelated in one way or another, and if one of them is more identified with one of the four categories raised, it could also fit into other categories. Finally, the fact that the issues are expressed differently must also be considered, that is, they are manifested according to their own situation and degree based on the type of project or type of policy, as well as the context of the networking process.

A) Guidance Considerations

1. Political guidance

The networking of health information speaks on several fronts to the different public authorities given the responsibility to define and see to the implementation of policies, regulations and various laws that involve the public health sector and the whole of the population. Moreover, as it is capable of creating profound changes in certain practices, responsibilities, relationships and standards within the health system, and its applications eventually involve everyone, technological networking requires the responsible authorities to be willing and able to determine a vision, directions, a plan and the means to act on the basis of the long-term collective interest, rather than on the basis of a special interest or short-term interest.

However, health information networking involves all types of initiatives that are undertaken at various levels (local, regional, national, indeed, international), by different stakeholders in the public sector as well as in the private sector. Accordingly, they are not all accountable in the same way to government authorities and the population. And they do not all share the same goals and interests in the context of networking (see point 5 on this topic: Reconciliation and prioritization of multiple interests and expectations).

This situation creates constant tension in the dynamics between the stakeholders and the decision-making processes. This makes high level political guidance that is effective and capable of transcending special goals and interests for the collective good even more important. One of the challenges is to ensure this type of guidance while avoiding short-circuiting local and regional developments that are deemed beneficial and desirable for the communities involved.

2. Networking process guidance

Health information networking is a vast process of change called upon to follow paths and dynamics that are at once both complex and unpredictable. The outcome of this socio-technological process is largely undefined by virtue of the dimensions that are not only material and informational but also organizational, legal and especially political, social and human. In this context, guidance of the networking process is a considerable challenge. It involves the management of changes and contingencies that cannot always be foreseen.

Proper guidance of the networking process requires on the part of those in charge of projects, policies or teams, the ability to anticipate, analyse and steer in order to see that the planned activities are correctly brought to fruition but also in order to take care of the many surprises that can occur during the process.

The surprises can be of various types, such as cost over-runs, a delay in the delivery of applications, requirements or constraints coming from the arrival or departure of partners, a hostile reaction on the part of certain individuals or categories of individuals, a lack of interest or commitment on the part of targeted individuals, if not the partners. Therefore, it would appear necessary to do a rapid risk analysis which takes into account not only the factors that are likely to have an impact on the immediate operational success of the networking but that will also allow anticipation, based on an ethical assessment, of the factors likely to intervene in the implementation and operation of the networking applications (see point 3: Guidance for the Implementation and operation of networking applications)

Proper guidance of the networking process also consists in the ability to appropriately manage the development of practices, responsibilities, relationships and standards involved in the health system, in a way that is in agreement with the society's fundamental values. If every project, like every policy, is only a tiny part of the vast process of networking, it is through each of the projects or policies that it is possible to contemplate an influence that is both prudent and effective over the course of the change.

3. Guidance for the Implementation and operation of networking applications

As soon as a networking application is designed and developed, those in charge must ensure its implementation and daily operation. A number of the questions that are asked in the early stages of the process remain crucial but the attention of those in charge tends to turn too quickly towards exclusively technical and practical matters: how the application works, the users' skills, utilization rate, error frequency, etc.

While none of the above aspects is negligible, the issues of guidance when implementing and operating applications are very often even more essential. This is how it is when one is dealing with the new application's abilities to fulfill the users' actual needs, expectations and objectives; the ability of those in charge to react quickly to problems encountered by the users; the ability of those in charge to constantly anticipate the development of the social environment and obstacles of all kinds, including the socio-ethical pitfalls; the ability to monitor and ensure effective control over access, processing of and use of networked health information; and, the ability to get an application to evolve without betraying the initial commitments made to the partners, monitoring agencies and the public in general. Some of these issues are discussed in greater depth elsewhere in this chapter or in the handbook.

4. Partnership and stakeholder participation (* Chapter 9)

The complexity and social focus of the transformations anticipated with the networking of health information requires acuity of judgement and a sense of caution throughout the decision-making process. However, countless decisions are made at different times in networking and involve aspects that are as varied as the objectives, plans, funding, design, users, partnership, etc. As change brings a plurality of questions which assume vast knowledge so they can be answered, change also requires the input of a variety of stakeholders and a variety of expertise, the only way to adequately address all the aspects.

The input of the stakeholders directly affected by the change, including that of health professionals and representatives of populations affected, is also a major asset in promoting the social acceptability and benefits of networking. By bringing together the individuals and groups directly affected, especially those who have a specific knowledge of the realities of the environment, it is possible to contribute not only to making technologies more suitable, but also to a better connection with practical realities, indeed, a development that is more socially beneficial.

However, the participation of affected stakeholders is especially an ethical imperative based on a democratic principle: the right of every individual to know and have his or her say in the decisions that directly involve him or her, especially when they will have to bear the costs and impacts of networking.

In all cases, the challenge for those in charge will be to manage to equip themselves with effective participation mechanisms that will ensure the balance of powers, interests and knowledge and that will allow informed choices to be made that are suitable and applicable with regard to the stakeholders who are affected in various ways.

5. Reconciliation and prioritization of multiple interests and expectations

Multiple institutional and social stakeholders are engaged in the networking process, which poses the difficulty of reconciling assorted interests and expectations, which are at times in direct opposition to one another.

Indeed, nurses, physicians, public health specialists, researchers, technological consultants, software manufacturers, public and private insurers, pharmaceutical industries, funding agencies, administrators, managers and patients all have their own vision of networking and do not expect the same benefits. The differences in point of view are observed not only between such stakeholders as distinct as the nurse and the software manufacturer but also between stakeholders in the same field such as the practice of medicine: general practitioner or specialist, urban or rural. The differences in point of view can involve very different considerations, general and specific alike, particularly the ultimate aims of networking, of applications, development priorities, allocation of resources, the planning of activities, distribution of tasks or responsibilities, accounting, the design of applications, interface configuration and the content of data entry documents.

In broader terms, these are the forms of partnership and funding that can pose problems or at least raise questions. For example, funding agencies have their requirements regarding both budgets and schedules that can quickly lead to painful decisions for those in charge of a project: rushing or speeding up certain work, forcing the implementation of an application that is not completely finished, adjusting the project to satisfy a partnership with private enterprise imposed by the funding agency, etc.

One of the issues related to partnerships deals with possible conflicts of interests, roles or responsibility that can appear at different levels and times in the decision-making process or the action. The ability to reconcile and prioritize multiple interests and expectations is a constant challenge for those in charge of networking projects and policies.

6. Allocation and management of precious resources (* Chapter 7)

The resources extended to health care and more generally to the health system seem increasingly scarce or at least, limited. The allocation of these resources for the development of networking technologies poses significant questions, indeed, critical questions, pertaining to the amount, circumstances and the likelihood of benefit that can come of it. By definition, the benefits of health information networking ought to be in connection with the objectives of public health and good. However, the motivations can be different depending on the authorities and stakeholders involved.

The challenge for the decision-makers is to be able to anticipate and gage the probable benefits as well as to prevent counter-productive effects on health and society brought about by resource allocation decisions. A fair distribution of development, implementation, operating and maintenance costs must also be established by the various stakeholders as well as a fair distribution of the benefits, being careful not to alter the nature of the different organizations' primary mission.

7. Accountability and control of stakeholders

The coordination and accountability of the various stakeholders engaged in guiding the networking process as well as in the implementation of the technical applications makes setting up accountability and control mechanisms necessary. The credibility of the process and the public's confidence in the project take preference and priority. Without these mechanisms, there is a great risk of deviations occurring related, for example, to the lack of commitment, to failure to respect agreements, to breach of contract, to violation of the confidentiality of certain information or the irregular use of protected information. One of the difficulties for those in charge of policies and planning is accordingly to ensure the legal and moral accountability of all the stakeholders involved in the short, medium and long term, including the stakeholders providing guidance.

One of the solutions to this problem is to rely on control or monitoring mechanisms that are as independent as possible from the interested stakeholders when guidance is involved. But specific mechanisms are required based on the nature of the actions to be monitored. These particularly have to do with directions and ultimate goals that are determined at the outset, partnership agreements, manipulation of information, access to tools and information, and use of this information.

The challenge is to succeed in bringing about enough of a consensus among those in charge not only on the importance of accountability and control mechanisms but also on the form that they must take and the effective power that must be granted to them.

8. Industry and business strategies (* Chapter 8)

The decisions regarding resource allocation in networking are based on different considerations that are not necessarily all related to the primary mission pertaining to the health of populations. Government decisions, for example, also serve other government missions, particularly regarding the economy and employment. The development of the information technologies and communications sector is at the core of all industrial policies, which can create conflicts when the time comes to choose a technology, an application or a supplier for the health sector. A certain technology may be favoured in order to encourage a local supplier even if it is not an ideal answer to the community's needs.

Public health institutions occasionally develop new technological products themselves and try to maximize the returns on these investments through marketing strategies. One of the challenges is to succeed in maximizing the returns on these investments without compromising the institutions' primary mission.

Moreover, the industrial sector must also make strategic choices in order to ensure its own growth and be able to potentially expand towards the important U.S. market. These strategic choices govern numerous decisions, which can among other things lead to the design of networking applications to meet, first of all, regulatory requirements in the United States, for example, for consent or protection of personal information.

The pitfall then, is to unduly subject networking decisions to industry pressures and strategies. In the face of all industry pressures and strategies, all those in charge of projects or policies must be brought back to this unavoidable criterion by which the success of health information networking is judged: its suitability for the community's needs and realities.

9. Political transformation of the health system (* Chapter 14)

Information networking allows meaningful changes to be supported, driven and managed in the health system. Implementation of high-performance information technologies is often presented as a condition for implementing new generation policies, like program-based or results-based management.

However, a fixation on the technical dimension often leads stakeholders to neglect discussions on the impact of the development of these technologies on the very structure of the health system, the organization of powers and their approaches to governance.

Networking cannot be designed without taking into account the evolution of the health system or considering the impact of this technological development on the development of public policies. On the other hand, the link between these policies and the implementation of networking applications is not always well studied or understood. Issues like those raised by the creation of integrated networks of health care and health services, such as the implementation of standardized care protocols, the rationing of care, and public-private partnerships often remain in the shadow.

By placing technical discussions in the foreground, as is generally the case, it is easy to lose sight of a fundamental principle of democracy: every political transformation of the health system, like the process of creating networks, requires going through the agreed upon democratic mechanisms. The first mechanisms to consider are discussion and participation but also, in the present context, socio-ethical assessment enabling the project's or policy's objectives and ultimate goals to be studied.

10. The connection between politics and technology

The design, implementation and management of networking applications in the health system do not come under a strictly technical undertaking. Behind every information system a political system is revealed, that is, an organization of power among individuals. An information system in part determines the respective distribution of rights, duties, powers, resources, etc. to the various individuals and imposes, through this, its imprint on the health system itself.

One of the pitfalls, then is to leave the task of defining the information system up to the technical experts. The temptation is, in fact, very great to entrust networking application solutions to technical staff or consultants on the simple basis of a broad and fuzzy description of the needs and objectives. This recipe is the equivalent of giving them the power to determine networking application policy.

Inversely, the insidious use of a technical process to promote the realization of a political project, the acceptance of which by public opinion is otherwise difficult, poses a problem that is just as serious on the socio-ethical level.

While considering this problem, it is of fundamental importance to ensure that the technical solutions serve legitimate political objectives and not the reverse. The challenge is to integrate the political with the technical, to give back to the political decision-makers their just place in the political transformation of the health system - a transformation that involves all of society and intervenes in the relationships of power within the health system (This theme is also developed in Chapter 14: The political transformation of the health system).

11. Time constraints

Every change takes place in time. In the context of a networking project or policy, time quickly becomes a constraint. This constraint is generally dictated by other sources of constraint, often budgetary but also occasionally, strategic and political. Beyond planning difficulties related to the different activities that are necessary for completing the project, the risk is to get there by greatly reducing the requirements - technical and socio-ethical alike - in order to meet a timetable that is unrealistic from the outset or that has become so as the project progresses.

The challenge consists in finding the balance between the constraints of the timetable and the requirements for a product meeting criteria of technical, social and ethical quality. One of these criteria remains the suitability of the networking applications to the actual needs and concrete realities of stakeholders and their intended uses (see point 24 on this topic: Social suitability of technological development). Unsuitable management of the time constraints can lead to bypassing the correct identification of needs and realities as well as the participation of the involved stakeholders in the design and development of the application.

12. Concrete integration of ethical and social considerations

If the anticipation and identification of the socio-ethical issues is a crucial phase in every networking process, it is because it must lead to their actual recognition when policies or projects are defined, or when designing the applications and ensuring their implementation and proper operation. The concrete integration of these considerations is a challenge at all times, because they do not fit in automatically, nor naturally, in the practical and strategic considerations of the experts in charge of a large number of structuring decisions pertaining to networking.

The challenge consists more specifically in integrating these considerations together with considerations of technical and scientific soundness, effectiveness, costs and benefits - from the moment the work begins. In this sense, the considerations must take into account the contributions of assessment committees, ethics committees and monitoring committees that are well placed to anticipate and identify the most important issues. One of the pitfalls would be to only settle questions of protection of personal information, consent and security when the issues are so much greater and complex, as shown in this handbook.

B) Questions with a Social Focus

13. Management of a public asset

Health information networking comes under a collective project before being led to collective goals. On the one hand, its realization and management involve recourse to so-called public resources belonging to the government or its institutions. On the other, networking assumes the implementation of databases made up of information on populations and individuals generated by a great diversity of stakeholders, much of this information coming from the public sector which by definition is accountable to the government or its institutions. Finally, access to this information will result in multiple uses, benefiting the public sector as much as the private and will involve various health system activities, respectively the clinical and administrative areas, as well as public health, research and self-care. This information and the knowledge it enables to be produced will profoundly structure public debates on all questions pertaining to the health of populations and of the health system.

In this way, then, the management of networking and health information cannot be looked at like the management of a business falling within the private sector, even if a large portion of the information processed is of a personal nature or is kept by private organizations. Rather, this matter must be considered like the management of a public asset which assumes a set of parameters based on democratic principles such as transparency, participation, accessibility and the sharing of benefits.

A set of actions or predispositions accordingly follow from these principles such as acknowledging the rights of individuals and communities, adequate information, training in informatics culture, training in citizenship and democracy in an information society, and the implementation of fair conditions for access to information and how it is handled.

14. Public health surveillance

The public health sector is likely to draw numerous advantages from health information networking. Thus, networking will allow the effective implementation of systems and procedures to better monitor the state of the population's health, to detect emerging health problems, to organize a targeted prevention or solution intervention, or to assess and ensure the monitoring of general policies pertaining to public health. Furthermore, networking could allow research to be conducted the scale, scope and precision of which would be impossible to achieve without access to a significant volume of information and its comparison based on different databanks, occasionally coming under areas other than health or other countries or territories. Networking should also allow surveillance and prevention of infectious diseases (like the human variant of Creutzfeldt-Jakob Disease), pandemics (like influenza), even bioterrorism, and do so much more effectively thanks to the interconnection on an international scale of different systems operating in more or less real time.

However, these possibilities imply numerous adjustments or changes first, like the harmonisation of legislation between the different territories or the implementation of a guidance structure that ensures clear authority, a procedure for accounting to the public and clarification of the roles and responsibilities between the multiple stakeholders involved, who are both government and non-government communities.

At the same time, numerous risks appear or are quite simply intensified by technological developments. The requirements of inter-network standardization could allow a limited number of stakeholders (particularly the dominant countries) to impose standards or practices that are unsuitable for situations and national or regional priorities pertaining to public health. Another risk would be creating confusion among public health and other objectives like the fight against terrorism or economic competition. Already, public health and homeland security authorities in the States are putting in place new information exchange systems to improve their respective abilities to respond. Finally, there is also the possibility that population sub-groups, that will now be easier to identify and monitor through tracking the information they leave, will be subjected to stigmatization, discrimination or increased marginalization or, disproportionately quarantined (see point 15 on this topic: Stigmatization of individuals and populations). In certain cases, an entire territory could be the subject of a world alert in the face of an epidemic outbreak as was the case for Toronto with the recent SARS episode. In situations such as these, the possibility of unfair treatment or even the appearance alone of unfair treatment, could encourage certain governments to withhold crucial information that could have an unfavourable impact on them.

Taking into account the potentials for disorganization and political, economic and social pressure following from the production, circulation and use of information that can result in setting off alerts and interventions, public health networks must be meticulously assessed in a socio-ethical context.

15. Stigmatization of individuals and populations

Health information networking greatly increases the possibilities of surveillance: organizations, populations and individuals can all be subject to it. While not new, it is now likely to grow in significance and effectiveness, particularly due to technical possibilities and the increasing willingness on the part of authorities to use it as means of controlling resources and behaviours.

Despite the positive spin-offs that can ensue, for example regarding accountability or public health, certain risks exist. One of them is related to the possible forms of excessive monitoring, stigmatization, discrimination and exclusion of categories of individuals and populations. These practices that go against the rights, values and principles of a free and democratic society can result from applications that are clinical, administrative and related to public health alike, or even research. Indeed, networking can allow the categories of individuals and populations likely to present a risk to be identified more fairly, whether with regard to individual or public health, insurability or levels of service consumption. Conversely, the fact that situations are less easily detectable or are in a blind spot in information systems could penalize certain groups deserving attention or particular treatments.

In short, the increase in the abilities to produce and process information can strengthen certain relationships of power or create new conflicts. The first challenge is accordingly to develop critical knowledge of the power of information and how this power is exercised, particularly in the control and forms of social regulation it enables to be implemented.

16. Human and social vulnerabilities (* Chapter 111)

The manipulation of personal information automatically poses the questions of the security of information, automated systems and telecommunications networks. The concept of security is that which receives the most attention. However, from a socio-ethical point of view, it is human beings and their relationships with each other and institutions that should be protected. Indeed, the human and social dimension appears beyond the strictly technical aspect of security. The issue being less the protection of systems in the face of risks of an environmental or human nature than the protection of human beings and their environment in the face of the systems on which they are increasingly dependant.

In the face of this increased dependence, the least malfunction, the least inability to meet a need or the smallest error is likely to translate into problems which will be felt directly by the patient who is receiving care, by the institutions and their staff who must perform their duties and fulfill requests, by researchers who need information, etc.

The challenge is to review vulnerability, and not from the technical aspect but from the social aspect: the vulnerability of human beings and their relationships with each other and with institutions.

17. Secondary uses of health information (* Chapter 13)

The purpose of health information networking is to increase the opportunities for secondary use of the information, that is, taking the information that is collected or produced for one purpose and using it for another completely different purpose.

In the case of personal information, this use is far from being self-evident as it puts at risk fundamental principles like the confidentiality of personal information, the relationship of trust between the patient, the professional and the institution, and the respect of human rights and freedoms.

Personal information can be used to produce statistical data, information or indicators about phenomena or populations. It can thus be used to produce knowledge, debate questions or make decisions that, in the end, can have an impact on the very individuals the information involved in the first place. A classic example is the transformation of personal information into actuarial data creating risk profiles on the basis of which an insurer accepts or rejects coverage for health services.

There are also legal boundaries for secondary use of health information in as much as it is personal. However, technological advancements in progress are so considerable that they upset and call these boundaries into question. Ethical discussions concerning the use of health information in its non-identifying or impersonal form are in their earliest stages.

18. Use of genetic information databases

One of the directions in which networking is developing is in the creation, management and operation of databases that contain human specimens or personal information of a genetic or biological nature (DNA, cells or tissue), namely, genetic information databanks. It can be predicted that sooner or later, these databases will be networked with other databases of health information, medical records or other health records, for example. Research infrastructures in place in different environments rightly aim to facilitate the use of different sources of information stored for multiple research purposes, certain of which not yet being determined.

However, a number of genetic information databases currently in place partially escape the obligation of accountability and control to which other databanks of health information are subject, like universities and hospitals. This situation must be considered by every stakeholder having a role in the networking of information, as it can have repercussions that go beyond the community the genetic information databases involve per se. Significant ethical questions are being asked regarding, among other things, the legitimacy of the databases in existence and their regulation.

The challenge of those in charge of networking is to consider the specific nature and various, particular implications of the use of information drawn from genetic information databases in the context of health information networking.

19. Intellectual property

Health information networking and the creation of databases and data warehouses will involve an increasingly large number of stakeholders, all the while exponentially increasing the role played by some of them to date. This will also allow new forms of data to be created by virtue of access, processing and overlapping of information offered by networking, which moreover multiplies the potential secondary users of the information.

These new information forms and new computerized data processing are used to produce or process information that may be protected under the heading of intellectual property, whether it has to do with copyright, trade secrets, patents or more. These legal mechanisms are accordingly likely to give rise to a certain form of appropriation of information and applications that were first produced in public plans and that can be used to the exclusive benefit of special interests.

Networking connected to the outsourcing of services to the private sector or to the implementation of public-private partnerships, places even more emphasis on the risk of seeing intellectual property being translated into a greater impossibility for public health agencies, the government and civil society to have access to health data with a view to promoting objectives of public interest. Health information networking can then involve the balance between business or industry objectives and public health objectives and the healthy management of the public health scheme (this subject is addressed in Chapter 8: The role of industrial and business strategies).

C) Networking Operationalization Considerations

20. Identification of individuals

Connecting information scattered in various records on a single individual requires the use of personal identifiers. The available options are quite numerous, (from personal identification number to retinal scan), as are their respective ethical implications.

Thus, recourse to the health insurance number as a universal patient number would be efficient and inexpensive but would offer a very low level of security for individuals as it is widely disseminated elsewhere besides in the health sector. Vice-versa, the use of specific identifiers for every record or the absence of all identifiers could offer greater security, indeed, total control over access if, for example, the patient and a trusted third party are the only ones to have the key to all the identifiers. However, this proves to be costly and complex to manage, especially for access without consent for administrative or research purposes.

The choices in this area can be of a long term structuring nature, particularly with regard to the functioning of networks, applicable legal protection plans, human and social vulnerabilities and the exercise of individuals' basic rights and freedoms.

21. Quality of information

The success of health information networking is largely dependent on the quality of the information found there. It cannot be assumed, however, that the information contained in the databases is exact, complete and relevant. Taking into account the vast number of sources, the contexts and ultimate purposes of the collection or production of information, the lack of uniform rules for inputting data and the amount of processing it has subsequently undergone, networked health information can easily be shown to be incomplete, inexact or irrelevant.

Furthermore, errors can be caused during inputting, transmission or manipulation of information. Problems of integrity of data arising from risks of theft and sabotage or failure of information and equipment, must also be managed. The problems can be especially serious when they have to do with personal information required for decisions of a medical or therapeutic nature.

In these situation, but also in numerous others, problems related to quality are such that they require the introduction of, or at least the improvement of, the mechanisms for controlling information and those who have access to it. The main challenge is to ensure that health information that is made available by current and future databanks is exact and complete, as much for secondary uses and beyond as for primary uses.

22. Retention of Information

Networking databases of information on the scale of the health system involves profound transformations in designing the way the collected information is stored or archived. Various versions or derivatives of the same information could now be successively or simultaneously kept and controlled by a number of separate professionals, institutions and agencies. This change poses a challenge especially for determining whether this information should be updated or not, if it should be completely or partially updated, who should be responsible for doing it, how to do it and under what conditions.

The possibilities for retaining indefinite quantities of information over an indefinite period of time, that can extend over a number of generations, demands a critical awareness not only of the power this information has, but also of the mechanisms, procedures or protocols in place to ensure control over the medium-, long- and very long-term.

Moreover, objective difficulties can occur in the maintenance of digitized records over long periods due to the rapid development (or obsolescence) of information management software, the diversity of information status (active, semi-active or archive) or again, of the segregation of information that is out of date. There are many problems anticipated that require careful assessment of information retention.

23. The confidentiality-access-consent triangle (* Chapter 12)

Networking of personal health information shifts the locus of surveillance and control and increases the problems locating and correcting errors. It makes information separation and retention operations more complex, changes the focus of consent for the communication and use of this information and, especially, distances the patient from control of information about him or her.

The challenge consists, on the one hand, in appropriately considering the questions of protection of personal information and consent and on the other, fostering the accessibility of information that is as reliable and useful as possible. This prerequisite particularly asks how is truly informed consent produced even in a context of uncertainty and complexity.

In any case, it is necessary to explore the different avenues likely to protect or preserve basic patient rights or subsume practices without involving the essentials of these rights.

24. Social suitability of technological development

From the moment in which it is put into operation, every networking application is faced with the particular multiform and complex realities of the public health sector. For its successful integration with the social realities that are known to be multiple, delicate and changing, a networking application must be able to respond to a diversity of situations and needs, which are those of the stakeholders it is intended for.

A problem of suitability of the technical tool to the realities of the environment can hypothetically produce a series of consequences, for example: errors or failures in creating records, failed processing of information, an inappropriate decision or outcome, an incorrect or incomplete follow-up, dissatisfaction or disinterest on the part of the users, and a waste of resources. In other words, a large portion of the success of health information networking can be challenged.

The challenge that appears from the outset of a project is to ensure the social suitability of the networking application, which implies having to think nearly simultaneously about the technical challenges to the physical, psychological, cultural and social realties of the environment.

25. Security and flexibility requirements

One of the difficult balances to strike is between the requirements for networking to be flexible and the need for security, aiming to ensure, among other things, the integrity of the data and preserve its confidentiality. In the context of health information networking, it is necessary to upgrade the availability of information along with its integrity, accountability and confidentiality.

The challenge is to meet security requirements without going overboard with rigidity and locking up the tools, which would be contrary to needs and to the possibilities of networking applications' adaptability and flexibility. The challenge is also to contemplate appropriate levels of security depending on the sensitivity and degree of confidentiality of the health information without falling into a police-like surveillance mentality.

D. Change Management Considerations

26. Planning and management of the reorganization arising from networking

There are numerous impacts to be anticipated about the networking of health information, whether regarding practices, responsibilities, relationships or standards. Proper guidance of the change process, as we said earlier, requires the ability to appropriately plan and manage this reorganization.

The challenge is to anticipate networking's effects on the existing structure of tasks, decisions, coordination, control and surveillance. The issues connected to the organization of work and the practice of professions also need to be integrated into this guidance (review points 2 and 3 to further extend this).

27. Change in the relationships (* Chapter 10)

A set of laws, rules, understandings and professional obligations set out the individual and organizational responsibilities that govern the relationships among the different stakeholders in the system, including the patients. However, numerous relationships will be transformed or affected by information networking: inter-organizational relationships, inter-professional relationships and the relationships of the patient with professionals, institutions and agencies.

Furthermore, networking puts professional practices on display, and exposes the resulting professional decisions and actions to the scrutiny of guidance procedures, peers and the general population. Therefore, the professional loses a part of the privilege over information generated during consultation with a patient by recording this data for the benefit of a greater number of stakeholders. While bringing many advantages, these changes are also likely to involve evolution towards agreed upon professional practices that are very different from those that are known today.

The challenge is to anticipate the transformations to the relationships between stakeholders and institutions brought about or accompanied by health information networking. The challenge is also to consider the full extent of the related cultural and organizational changes.

28. Confidence of the public, users and control agencies

Confidence of the public, the users and control agencies is essential for the success of every networking project or policy. It contributes to providing those in charge with leeway to go forward but it is never acquired in advance. In numerous occasions, we can observe the fragility of the confidence linking the public in general and the authorities in particular.

The confidence the public shows in the context of networking is based among other things, on the quality of the information received on the objectives and implications of the different projects or policies, as well as on the assurance of seeing the establishment of an actual democratization of access possibilities and legitimate uses of resources in information, suitable control and surveillance mechanisms of the latter, including credible individual consent mechanisms and collective participation in decisions. For the users, confidence can be acquired through suitable information, appropriate applications from the point of view of needs and use objectives, a real opportunity to have an influence on their development, and through real coaching over the course of the change. For the different authorities in charge, in particular control agencies, the establishment of a rapport of confidence goes through the assurance that the appropriate mechanisms for accountability, participation in decision-making, security and protection of personal information, consent as well as monitoring of the uses of the information and networking applications will be put in place.

In all cases, the challenge is to establish a climate of trust as much with regard to a project or specific policy as to the phenomenon of health information networking in general. The challenge is also to consider both perceptions and actions in different discussions and decisions.

29. Training in networking practices and culture

Health information networking both creates and requires a particular culture for its different users and for the other stakeholders concerned. This culture is rooted in new structures of coordination and communication between the interested parties, in the new ways of thinking and working, and of course, in a new relationship with information and how it is processed.

This culture has less need for familiarization with the functioning of particular applications than for an understanding of the growing role of information and communications in the organization of real life. Every networking project or policy should accordingly give great attention to training and the development of this culture. Computer and networking training, which is intimately connected to the process of approval of the tools used, particularly their social and ethical dimensions, constitutes a factor of success.

One of the challenges is to ensure that all the stakeholders involved with the networking project - especially the designers, operators and users - share at least a common base of knowledge, language and culture to be able to really discuss together.

Conclusion

The purpose of this chapter was to offer an overview of the socio-ethical considerations we felt are the most important by virtue of the number and frequency in time or in the variety of procedures. It is necessarily incomplete and the questions it raises are only alluded to. The purpose of the following chapters is in fact to probe the questions we consider to be especially high on the agenda.

Chapter 7 - Equity in the Allocation and Management of Precious Resources

Overview

This chapter addresses four questions regarding the allocation of precious resources to develop projects for the use of information technologies in the health system.

In partial answer to these questions, this chapter provides a set of reflections on precious resources devoted to any project for the introduction of information technologies in the health system.

The distribution and management of precious resources, particularly those earmarked for the sick, suffering or dying, challenges and even opposes the fundamental values by which societies, professionals and individuals define themselves. The issues addressed in this chapter are some of the crucial ethical questions raised by investments of precious resources and information technologies in health care.

In Search of the Right Balance

Scarce or, at the very least, limited resources

A society must always find the right balance between the allocation of resources to health care and to other assets, services and needs that are just as important for order, stability, and the development and prosperity of this society. Resources allocated to health care will always be scarce or, at the very least, limited.

For a few years now, governments, ministries of health, as well as health managers have devoted precious resources to develop projects based mainly on the introduction and use of information and communications technologies.

From an ethical point of view, it is crucial that we question the allocation of these resources and specifically examine if the amounts allocated are in proportion to the extent and the probability of the benefits to be reaped by the patients and the health system as extolled by the proponents of these projects.

The Underlying Reasons for Investment of Limited Resources in Health Care Information Technology

In various countries, particularly rich and developed countries, the governments, ministries of health and administrators of health care institutions allocate significant amounts of precious resources - such as time, money and professional services - to develop and implement a large number of projects for networking health systems and institutions.

Major investments

Since 1997, the federal government of Canada has provided approximately $1.5 billion to 15 programs or funding projects in order to subsidize 153 health-related information technology projects. These projects fall into seven categories (see box on next page) ranging from developing electronic files to implementing telehealth projects.

Types of Information Technology Projects in the Health Sector

Electronic health database

A collection of health information on a patient, stored electronically. Term interchangeable with electronic medical record and electronic or computerized patient record.

E-learning

Use of information and communications technologies to provide health professionals with opportunities to take continuing education courses.

Applied Health Informatics

Combination of computer science, information sciences and health sciences to assist in the management and processing of data in support of delivery of health care.

Health Information

Use of information technologies to provide the public with access to reliable information to enable them to care for themselves.

Privacy of Health Information

Projects that attempt to develop policies, procedures and systems to prevent any unauthorized disclosure or misuse of health information.

Telehealth

Use of information and communications technologies to deliver services, expertise, and information remotely.

Electronic Networking of Health Institutions and Data Banks

Application of information and communications technologies to establish electronic links between health institutions, physicians at clinics and laboratories in order to facilitate the transfer and integration of data required to provide care.

Use of information and communications technologies to create electronic networks of health data banks, thus promoting the collection and integration of data required for research in clinical, epidemiological, public health and health services settings.

Among health information technology projects initiated, a certain number have as their objective the implementation of networks among health institutions, laboratories and data banks such as health insurance, pharmaceutical data bases and clinical data storage centres.

Availability creates demand

We would be deceiving ourselves to believe that society could meet all financial needs and all requests made of a health system when health technologies, knowledge and services available are continually evolving. It is important to note that any new health product or technology will find a buyer as availability creates demand. Health services needs are constantly reassessed and expanded on the basis of the resources available, the new technologies, new treatments and services [Office of Health Economics; M.I. Roemer, 1961].

Why are significant amounts of these precious resources allocated to developing and implementing networking projects? How do we explain the fact that these investments are made even when the health systems and their institutions are struggling with drastic budget cuts; when there is a shortage of modern diagnostic and therapeutic equipment; when there is an insufficient number of intensive care and long-term care beds; when access to leading-edge care in regions remains inequitable; and when there is a shortage of qualified staff in various specialties?

The answer to these questions is complex and is based on the vision and objectives underlying investments of precious resources in health information and communications technologies projects.

The promise of solutions for many shortcomings

It has been said that information and communications technologies make it possible to develop many projects, which, individually and in conjunction with others, could eliminate shortcomings in delivery and quality of care, access to health care and reduce the cost of health care.

Providing an adequate description of the multiple objectives covered by this vision and the interconnection between these objectives falls outside the scope and purpose of this chapter. Nevertheless, it is definitely expected that the computerization of patient records and their networking will provide all the information required wherever the patient receives care and sufficient details to diagnose and treat the health condition [Tierney, 2001; Espinosa, 1998].

Should this situation ever materialize, it promises to greatly reduce the time and money spent on retrieving important information dispersed throughout a number of records, in various locations where the patient previously received care. In addition, it has been estimated that doctors spend one-third of their time recording, retrieving or integrating clinical information and that the cost of managing this data represents one-third of a hospital's budget [Weiner et al., 2003].

The underlying reasons for the considerable investments made are summarized in a document prepared by the Institute of Medicine (U.S.A.) stating that new investments in information systems are the best means of improving the safety, quality and effectiveness of care in a health system. While recognizing that improving safety, quality of care and health research as well as the effectiveness of prevention are all worthwhile objectives, we must also consider the possibility, especially in the context of a discussion of precious resources, that the motivation for implementing and using networking and health information technologies is that these innovations foster the economic survival of both public and private institutions [Simpson, 1996]. Industry pressure and the belief in the power of technology also influence the decision to make investments in information networking projects.

Precious resources Applied to Health Information Technologies: Questions Raised

The researchers who participated in a Delphi survey conducted by the Center for Bioethics of the Clinical Research Institute of Montreal in 2000 and 2001, identified 9 categories of ethical and social problems pertaining to projects on information and communications technologies in the health system. The main theme of the survey was Health Information Networking Projects [Péladeau et al., unpublished].

Hypotheses and questions about allocation of resources to information technology

One of the categories dealt with the possible relationships between the allocation of precious resources and information technologies in health systems. We have summarized these observations in a format using hypotheses (H) and questions (Q).

Within the Quebec health system there is an imbalance of information between health administration (ministry, regional boards, managers) and the individual citizen.

Could the growing use of information technology to create increasingly complex links between health institutions and health data banks lead to greater inequality of access in order to acquire these precious resources?

The imbalance in sharing specific information found in the health system usually results in a serious imbalance in determining and controlling the allocation and management of precious resources.

Does the increasingly widespread use of health information technologies further weaken the democratic process prevailing in the allocation and fair distribution of precious resources?

Health information networking will undoubtedly increase the volume of integrated data required to strengthen and develop the management and allocation of precious resources based on performance criteria. However, health resources will be provided in those areas where objectives previously set by managers have been met. This form of management deserves its own discussion and raises specific concerns regarding the allocation of precious resources.

Could the increase in health information networking - resulting in a very high concentration of information in the hands of relatively few decision-makers - lead to a distribution of resources that would not be based on the true needs of the sick and the health system but would be based rather on the attainment of specific professional and institutional outcomes associated with pre-established performance criteria?

Conflicts of interest and responsibility may surface when managers at various levels of the health network become involved in the information technologies industry.

Does the financial attraction of some information technology projects distract managers from their main responsibility of meeting the fundamental and urgent health needs of the population and encourage risky and disproportionate investments in the information technologies industry?

Health information technology projects tend to translate into both very high setup costs and significant operating expenditures. When these projects fail, before or after they are introduced into hospitals or the health system overall, there is waste and irreparable loss of scarce health resources.

Have expensive information technology projects designed to be implemented in institutions or the health system failed? Have the causes for the failure been identified? What can be done to minimize the associated risks of failure and waste of health resources?

Failure of Health Information Technology Projects Wasting Precious resources

A number of health information technology projects - including applications pertaining to electronic patient records, the health information system or expert systems and health information networks - have failed in the past fifteen years. There is a wide gap between the hopes elicited by information technologies and their ability to improve the quality of clinical care, research and management of institutions or the system in general.

Four types of failure

In recent years innovations in health care information technologies have had four types of failures.

The total failure of an informatics project occurs when, after having invested considerable amounts in the development of an application, it is never put into practice or it is abandoned after the launch. The partial failure of an information technology initiative occurs when it does not meet a sufficient number of the objectives for which it was designed or when the results of its introduction are too expensive for the institution and disrupt its operation. Some innovations, although they meet with success in their implementation, are eventually put aside or are inadequately used. This is a sustainability failure can be attributable to a lack of continuity in funding or incompatibility between the technological innovation and the culture of the host institution. Some of these innovative projects pass the pilot project stage successfully but do not pass the test of implementation in a health institution. This is deemed a replication failure since the results of the pilot project cannot be replicated on the scale of normal operations. [Hecks, Mundy and Salazar, 1999].

The observation that "several health institutions have spent astronomical amounts of money and frustrated an incredible number of people in the unsuccessful effort to implement information technology systems" [Paré and Elam, 1998] warrants reflection in an effort to determine the reasons for these failures which are rarely due to a single factor.

A Case Study

The purpose of the Limpopo project was to implement a computerized and integrated system for health data at hospitals in the Limpopo province, South Africa. This project, one of the largest health informatics projects in all of Africa, clearly demonstrates the various factors that can result in the failure of a project [Littlejohns, Wyatt, Garvican, 2003].

The objective of this health sector computerization project was to design an electronic network of 42 health institutions in the Limpopo province and the central server of the Information Technologies Operations Centre of the Health and Welfare Ministry. The Centre was to store on its server a central patient record and clinical data from 42 hospitals in an effort to improve hospital management and the requirements of epidemiology research. This integrated health information system was designed to improve delivery of care to the sick, and improve performance and efficiency of hospital management.

The causes of failure observed

The Limpopo project was a failure from the time the computerized system was implemented. From the beginning, the process was affected by the lack of appropriate premises for the computer service and by power failures, as well as technical design flaws in the computer system which included too many functions, and by a lack of organization during the implementation process such that delays caused serious dissatisfaction among staff.

After the system was installed in 24 hospitals, it was noted that it was not producing the anticipated results and modifications were made. These modifications did not significantly improve system results and the system had to be abandoned. The Limpopo integrated computer health system is one example of a total failure that wasted precious resources totalling approximately US$22 million, or 2.5% of the health and welfare budget of the Limpopo province.

An evaluation report on the Limpopo project concluded that this example clearly illustrates the various reasons for failure that were also experienced in other countries and identifies a certain number of factors that led to the failure of the Limpopo project.

Factors leading to the failure of health information technology systems

Although a detailed discussion of the causes of failure is beyond the scope of this chapter, we will revisit factors at the root of these failures in the section on precious resources and questions that should be asked before implementing information technologies in health institutions.

The Gap Between Design and Reality: A General Cause of Failure

The collapse of the Limpopo project is a good example of the most general and encompassing cause of failure when implementing a networking project: the gap or incompatibility between the design of the system and the social and institutional reality of the implementing body.

These gaps occur along one or more of the following seven dimensions on which the failure or success of the networking projects rest.

Health Information System

The design of a project well-founded in reality: A success story

The home-based health information network Computer Links was designed to allow patients, individually or as a group, to communicate with one another and to provide them with access to an electronic encyclopaedia on HIV and AIDS [Brennan and Ripich, 1994].

It was a resounding success and is a good example of the perfect harmonization (according to the 7 dimensions) between the concept of this innovation and the reality for which the network was designed.

The flexibility of access to the various sources of information in this network enabled the AIDS patients to satisfy their true need for information (Information).The computer technology adopted was simple and did not exceed the abilities and the means of the users (Technology). Information was obtained from the network with methods similar to those previously used by the patients (Processes). The network helped AIDS sufferers to attain the objectives that were important to them: to interact with other individuals in the same position and to obtain the information they were seeking on their illness (Objectives and Values). Management of the network only required one nurse on a half-time basis and demanded very little new knowledge. The network design was suitable for the part-time staff having limited computer skills (Human resources and skills, Management and structure). In addition, this network was accessible 24 hours per day to AIDS patients receiving at-home care. Finally, the equipment only cost US$350 per patient. The design of this network matched the needs of the AIDS patients and was in line with the limited financial resources available (Other resources). [Heeks, Mundy, Salazar, 1999].

Design in conflict with reality: an example of failure

In the United Kingdom, a pilot project for the introduction of an expert system for computerized coloscopy failed and had to be abandoned because of the incompatibility between the design of the system and the actual working environment at the hospital where it was introduced. There proved to be incompatibility in all seven dimensions listed previously.

First, the expert system was designed to provide statistics about coloscopy. However, there had not been a request from the Coloscopy Unit for such data (Information). Second, the expert system was technically very sophisticated and required an energy infrastructure that exceeded the technical capabilities of the hospital (Technology). Third, automation of the decision-making process by the expert system conflicted with the value system of the doctors and their more human approach to decision-making (Processes, Objectives and Values). Fourth, the expert system was technically difficult to use. It required computer expertise that the hospital did not have and considerable amounts of time. Moreover, it was expensive to operate (Human resources and skills, Other resources) [Hecks, Mundy, Salazar, 1999].

It is true that certain networking projects fulfill their promises and make changes that improve the provision of services to the sick, the way of conducting health research and managing hospitals and health systems. However, no information technology can implement itself. Very complex working environments must be prepared for the changes resulting from the networking. The design and implementation of projects must connect with the culture of the implementing organization. Any project that does not adapt the technology to the institution and the social realities is destined to fail from the outset and will only result in the waste of scarce health resources.

Questions For Evaluating the Promises of Networking

Some ethical markers

The amount of scarce health resources allocated to develop and implement various networking applications should be proportional to the benefits and improvements anticipated and the probability that these improvements will materialize and will be sustained. Second, from an ethical point of view, it is crucial that precious resources be allocated and managed with the objective of promoting health care for the good of all individuals in the society. The allocation of resources must also seek to maintain equity between the various regions of a province and country and between the various professional health institutions in these regions. It is unfair, from an ethical standpoint, for the distribution of scarce health resources to information technologies to be carried out in such a way that certain individuals, professions or institutions reap the most money, information and power to the detriment of others.

Questions leading to answers can be crucial to the success or failure of a project

Any networking project must be scrutinized and assessed from an ethical as well as technical standpoint. This chapter discusses the meticulous ethical review of a fair distribution of precious resources to networking and their responsible management. This ethical review requires that we ask the following questions cognizant of the fact that the answers may foster or place the projects at risk.

Questions to ask

Conclusion

The allocation and management of precious resources, especially resources intended for the care of the sick, dying and those in pain, can challenge our fundamental values and even place them in conflict. These basic values are how societies, professions and individuals define themselves. It is true that some expensive projects can fail for technological reasons or due to weaknesses in the infrastructure required for the project's viability. However, it is also true that some health information technology projects fail because a number of stakeholders involved in the design, implementation and use of these systems have very different expectations that often conflict with one another. The situation is even more serious when the failure of an expensive project is rooted in the use of networking to promote hidden interests or objectives, or when it worsens inequities in the distribution of resources or information, or when failure is caused by power struggles within the health system. The failure of expensive networking projects initiated with the promise of benefits for all threatens to damage every level of the relationship of confidence, which is a central value the entire health system rests on.

References

Assadi B. Information and Communications Technologies in the Canadian Health System: An Analysis of Federally-Funded ICT-Related Projects. Ottawa: Office of Health and the Information Highway Information Management and Connectivity Branch, 2003. Information contained in the text box is a modified version of the definitions by B. Assadi (p.13).

Espinosa, AL. Availability of health data: requirements and solutions. International Journal of Medical Informatics 1998; 49: 97-104.

Heeks R, Mundy D, Salazar A. Why Health Care Information Systems Succeed or Fail, Paper No. 9. Information Systems for Public Sector Management. Working Paper Series. Manchester, UK: Institute for Development, Policy and Management, 1999: 1-25.

Littlejohns P, Wyatt JC, Garvican L. Evaluating computerized health information systems: hard lessons still to be learnt. British Medical Journal 2003; 326: 860-863.

Office of Health Economics (London). Special Report: Precious resources in Health Care. Millbank Memorial Quarterly 1979: 265-287.

Paré G, Elam JJ. Introducing information technology in the clinical setting. Lessons learned in a trauma center. International Journal of Technology Assessment in Health Care 1998; 14(2): 331-343.

Péladeau P, Demers D, Prémont MC, Roy DJ. Étude empirique des problèmes éthiques, légaux et sociaux découlant du reseautage de l'information sur les medicaments d'ordonnance. Étude 3. L'Enquête Delphi. Unpublished manuscript.

Roemer MI. Bed supply and utilization: a national experiment. Hospitals: Journal of the American Hospital Association1961; 35:35-42.

Simpson RL. Ethics and privacy in a technologically driven health care network. Nursing Administration Quarterly 1996; 21(1): 81-84.

Tierney WM. Improving clinical decisions and outcomes with information: a review. International Journal of Medical Informatics 2001; 62: 1-9.

Weiner M et al. Using information technology to improve the health care of older adults. Annals of Internal Medecine 2003; 139(5): 430-436.

Chapter 8 - Industry and Business Strategies

Overview

In Quebec and in Canada, the basics of computerization and networking of health information are still to come. The needs for equipment, software, telecommunications services and consultant services are considerable while the resources available to meet them remain limited. Similar needs exist more or less everywhere on the planet. In strictly business terms, there is demand and potentially lucrative markets for anyone knowing how to fulfill it.

In a world dominated by business and money, it is difficult to ignore these realities. Thus, an institution that has developed an in-house application, occasionally at great expense, can see an opportunity to generate some income to at least amortize their investment by marketing it. As well, public powers-that-be legitimately wonder about the appropriateness of using public investments to leverage the growth of local industries and jobs. A number of them, more or less openly, expect the various ministries and public agencies to take these concerns into account in decisions pertaining to computerization and networking in their sector. Thus, those in charge and other decision-makers for computerization or networking projects, small or large, run into questioning or choices that include a business or industry component, because even if these individuals do not have similar concerns or objectives, the providers of equipment and services, their employees and sales representatives certainly do and do not hesitate to express them.

It is already painstaking to reconcile professional, public administrative and democratic guidance reasoning, as well as the respect of human rights and freedoms, in the organization of care and services to the ill and individuals in difficulty, in the promotion of health and prevention of illness⁸. This reconciliation only becomes more complex when adding the arguments of business and industry pertaining to the equipment, software, consulting services and health information itself. Pressures arise where these different forms of logic push on towards diverging - indeed, incompatible - conclusions.

The socialization of business benefits

Public organizations and institutions in the health sector develop technological innovations, expertise and information in-house that can present either certain or hypothetical business potential. Here are three examples.

An example of a marketable networked application

For its own needs, a hospital may develop or had developed an in-house application for managing its patients' menus. On the basis of the content of medical records and the help of dieticians, a networked tool of this nature enables the food service to prepare personalized meals based on every patient's nutritional needs, any intolerances or food allergies, restrictions or needs of a personal, cultural or religious nature and the subsequent phases of their treatments, as well as the changes in their state of health. Other institutions probably need a similar system and accordingly could be interested in the solution that has been developed. Shouldn't the hospital offer them its application and thus obtain a return on its investment?

An example of marketable expertise

The shareable patient record experiment in Rimouski was the first to use microprocessor card technology on a small-scale population in the American hemisphere⁹. As a partner in the project, the Régie d'assurance maladie du Québec (RAMQ) thus acquired unique expertise potentially having great commercial value. Indeed, numerous economic and technological observers predict a great future for the microprocessor card, especially in banking sectors, personal identification and access security for premises and computer systems. Shouldn't the RAMQ find a way to offer its expertise so that potential profits return to the public health system (see Example No. 24, The microprocessor card: A business partnership that is too close, later in this chapter)?

An example of marketable information

Certain information marketers get statistical data from pharmacies on drug prescriptions filled or from clinics on the frequency with which certain illnesses appear. These data enable them to produce statistical reports and analyses that are sold to various users, particularly drug manufacturers and marketers¹⁰. However, health information networks under construction thanks to public funding are going to allow statistical data to be collected that is infinitely more exact, exhaustive and up-to-date. Shouldn't the government that is funding these new networks and a majority of the medical treatments try itself to sell these statistics to business clients?

Public expenditures, public benefits?

The set of problems described here is that of "socialization" of a business potential and accordingly, of potential profits. Public expenditures in health have generated a product for which a clientele exists that is willing to pay in order to take advantage of it. Shouldn't this potential for income first benefit the same public sector that has such a need for resources? Probably yes, if we only consider the monetary aspect. A more global economic and social analysis can, however, lead to a different answer (see What reasoning for what market? below). In every case, implementing this principle raises basic questions, some of which are of an ethical nature.

Business partnerships

Barring exceptions, an institution or other public health organization does not have either the mission or the expertise required for marketing a product. Furthermore, it would not be easy for this agency to allocate a portion of public funds, received for health, to operating expenses or venture capital for even the most promising business venture. The agency that decides to go down this road will have to realistically consider going into partnership with a private enterprise or a government marketing agency.

However, there is no set formula for business partnerships ensuring an optimum risk/benefit ratio that is at the same time ethically acceptable. Thus, the pure and simple sale of the product or marketing rights can offer a certain profit to the agency in exchange for minimal levels of risk and administrative involvement on its part. However, this solution can result in the privatization of not only significant potential profits, but also of the control over a technology intended to serve the public. On the other hand, too much involvement on the part of the agency can result not only in financial risk that is too great, or excessive involvement of its staff in an activity that is outside its fundamental mission; it can also encourage the agency to become engaged itself in promoting the use of its product, independently of the actual situations or needs of potential public users (see the following example). Determining the best formula for business partnerships must, then, take into account numerous non-financial factors, such as the product's future and its uses, impacts of the partnership on the agency and its mission and on the perception by third parties.

Example 24

The microprocessor card: A business partnership that is too close

One of the factors that probably contributed to the inadequate design of the clinical application of the Quebec Health Card Project¹¹ and accordingly to the project's failure in this regard, lies in the nature of the relationships between the RAMQ and the firm Motus Technologies, inc. The RAMQ's mission not being of a business nature, they were probably right to transfer a portion of their expertise in use of microprocessor cards to a private commercial enterprise supported by venture capital investors. In theory, the RAMQ limited its risks to the expertise transferred but assured the Quebec government a share in the potential profits if the demand for the microprocessor card applications finally managed to take off.

However, its financial interests and especially the very close ties maintained between the RAMQ (and through it, Quebec government powers) and Motus would have eventually served all interested parties, including the Quebec health system, which lost still undetermined millions in the Quebec Health Card Project's failure. The weight of the interests and links is clearly evident upon reading the government decree authorizing the project's implementation. The decree discusses on a number of pages the government industrial strategy that saw this project intended for the Quebec health system (7 million users) as a springboard to the international marketing of a solution developed by Motus.

However, this implementation began without any relevant studies regarding the communication securization solution proposed by Motus in light of the needs and constraints of different contexts of medical practice. The RAMQ and the government found themselves in conflicting roles. For a time, they behaved less like clients seeking a better solution for institutions, professionals and patients than like promoters interested in a predetermined solution which they owned. This confusion of roles would explain, at least in part, their obstinate determination to support this solution despite the accumulation of signs showing that it was unsuitable in practice, particularly over the course of the Laval showcase project in 1999-2001 and during consultations that preceded tabling of the draft legislation in December 2001. Only when the design flaws of the proposed clinical application became publicly obvious did the government finally abandon it and definitively distanced itself from Motus.

Industry and employment growth

The response to needs versus jobs

Sooner or later, networking decision-makers are confronted with the potential impact of their decisions on the growth of local industries and jobs. In theory, the needs of the health system are ahead of these considerations. Decision-makers can, nonetheless help local businesses by clearly identifying their current needs and how they are likely to evolve. It is then up to the local entrepreneurs to organize themselves to offer answers that are at least as good as those of their competitors. In practice, however, nothing is ever that simple. Thus, when the Ministère de la Santé et des Services sociaux du Québec [Quebec ministry of health and social services] decided to buy computers for the entire LCSC network, it had to resist strong political pressure because certain conditions of the purchasing plan (especially the basic requirement for technical support seven days a week, 24 hours per day) automatically favoured the large foreign suppliers to the detriment of local suppliers. It was the equipment suppliers who eventually had to make the adjustment.

Respect of individuals versus jobs

Even the legal and ethical protection system can be challenged for industrial and labour considerations. Thus, in 2000, the Commission d'accès à l'information (CAI) had undertaken a review of authorization previously granted to the information agency, IMS of Canada Ltd., to obtain personal information on the prescriptions for drugs filled by pharmacists without consent of the physicians involved. The CAI was probably going to come to the conclusion that IMS did not fulfill one of the conditions set by the law for authorizing communication without consent for research purposes. The firm undertook steps with the members of the Quebec National Assembly and the Quebec government emphasizing keeping roughly a hundred jobs in Montreal and about $15 million in investments in a support activity for the marketing of pharmaceutical products. These steps resulted in the enactment of a bill in December 2001 that introduced a long amendment whose purpose was specifically to legalize and frame IMS's supply of information. It can be argued that the conditions that were finally placed by the CAI in 2002 on this private network offer protection of the rights of the individuals concerned that are at least equivalent to, if not greater than, the initial provision of the law¹². The fact remains that a gap in the protection plan eventually opened for considerations that were basically industrial.

Which logic for which market?

Requirements of the target market

In the first section of this chapter, The socialization of business benefits, we called to mind the scenario of an innovation initially developed in response to a well-defined local need, that proved subsequently to be a success and was then offered to other potential users. However, in a good number of cases, further marketing is contemplated from the first stages of a product's development. This is especially true for commercial developers. In America, the bulk of financially sound demand is still concentrated in the United States, particularly in private institutions and universities. Quebec and Canadian markets are still timid and remain limited in comparison. This is why a number of Canadian developers of electronic networked record systems currently design their applications making the needs of the U.S. market a priority, resulting in the importance of billing functions, pre-authorization for medical treatment based on insurance coverage or the administrative constraints of managed care, and management of patient consent to the communication of information about them in accordance with U.S. law. Canadian institutions are accordingly often confronted with either the offer of products that are suited to a different context from theirs, or with partners who develop custom solutions for them but always with the U.S. market in mind.

"World" or "world class" technologies

In fact, two main market logics square off against each other, more or less. The first tries to fulfill a highly profitable demand of a few big highly developed countries for the latest high tech products. This is particularly the case in the United States, where for a care institution, having the latest cutting edge technology is also a selling feature to attract a clientele in a highly competitive market. Those who share this reasoning often say they want to develop "world class" innovations, read satisfying for the institutions and professionals serving a world elite. The second line of reasoning tries to meet the needs of public health systems - whose resources are necessarily limited - in the most appropriate, economical and sustainable way possible. For lack of another name, we can call this second approach a truly "world" approach as it is more likely to be exportable to a large number of countries in the world, despite the unprofitablity of a clearly smaller demand.

The distinction is not necessarily established according to types or lines of technologies (high-tech versus low-tech, for example). Indeed, applications using all the latest technological innovations may well be those that prove to be the most appropriate, economical and suitable to the pursuit of lasting development. The distinction, rather, must first be made between the reasoning of the target markets: who are the clients and what are their needs?

This consideration is particularly relevant in Quebec and Canada. Our health care and service systems are public while the markets in which we are developing are literally dominated by the composite health system in the United States. This is not only for technology markets but also markets for highly skilled jobs, in medicine and computer science alike. Developers and buyers of networking applications in Quebec and Canada are necessarily subject to the constant conflict between these two logics.

Proprietary or open technologies

To the conflict between "world" and "world class" technology, the conflict must be added between two approaches regarding the management and use of intellectual property rights on innovations. The dominant approach is called "proprietary". Typically, the application is specific to the firm that developed it and does not necessarily follow a standard that enables it to be replaced with another firm's application. This specificity is protected by complete exclusivity in the exercise of intellectual property rights (the obligation to obtain user licences) and the impossibility for purchasers and users to access the programming source code. Accordingly, users cannot check the details of the application's operation for themselves and are as a result, completely dependent on the supplier, including for the correction of bugs, updates or adaptation of the application to their specific needs. In addition to the economic and ethical considerations raised by this approach that maximizes profits, the dependence created makes the users vulnerable to the wishes, as well as to any potential bankruptcy or business re-direction, of the supplier.

The alternative approach is called "open architecture" or "free". In the most elaborate implementation, the provider allows the users to examine the source code, to improve or adapt it to their needs and to offer the improvements to the other users. This cooperative type of application development does not in any way bar the opportunity for providers and users to sell their products at a profit. However, it corrects the dependency on a single provider. In fact, a number of providers, commercial and non-profit, can compete against one another to offer applications and technical support. The "open architecture" approach is particularly well-suited to parallel development and experimentation by different institutions of different applications that, ultimately, will have to function compatibly and in a network. This approach also enables an application to be shared among various institutions - without charge, for example, for institutions in developing countries or in exchange for improvements that the beneficiaries can introduce themselves.

Conclusion

All projects for the development or acquisition of networking applications are faced sooner or later with one or more of the considerations raised in this chapter. These considerations are organized around two issues in particular. The first is the precedence of the search for suitable and lasting responses to the actual needs of the health system and the population based on the often legitimate considerations regarding industry and business development. The second is the search for fair access to existing technological solutions.

Questions to ask

Chapter 9 - Participation in the decision-making process

Overview

The decision-making process in the context of health information networking takes on a crucial importance in the objective of promoting the social acceptability and benefit of projects and policies. Numerous specialists agree that by involving the individuals and groups concerned, it is possible to contribute not only to a better enactment of technologies but also to a more suitable connection with the practical realities in the community, indeed, a growth that is more socially beneficial. Beyond every utilitarian argument, there is another reason why involving the stakeholders involved is an ethical imperative: the obligation to assume the costs, the benefits, the implications and impacts of the key decisions gives one at the least, the right to know and, more fundamentally, the right to have one's say.

The bet on the social acceptability and social benefit of health information networking

Perceptions of problems and needs vary

Every networking initiative naturally arises from the desire and work of the stakeholders that are especially interested and motivated. However, all the individuals and groups concerned rarely share in equal measures the perception of the problems and needs to which this initiative must respond. To ensure the success of networking, it is not enough that those in charge be profoundly convinced of the initiative's soundness, nor that they vigorously defend it in the name of constraints, obligations and responsibilities; the success of a project is judged in large part on the basis of the social acceptability and benefit of the tool that has been developed. In other words, it greatly depends on the tool's desirability, its properties and its results as perceived by:

Accordingly, no real success in networking can be achieved except by implementing technologies that are suitable for the situations and the specific contexts for which these technologies are intended or required. This also poses the problem of appropriate knowledge of the situations and contexts.

Getting away from the experts' influence

In addition, the development of networking takes place in a context in which the financial and technological concerns exert a determining influence on the decisions regarding the allocation of resources. Economic expertise, like technical expertise, is highly valued at all levels of decision-making, and both play a fundamental role in identifying problems, needs and solutions. Networking health information however, poses a variety of questions and demands an array of knowledge that cannot be reduced to the world of technology, economics or even professional practice alone. The plurality of values and interests to be reconciled makes every action begun solely on the basis of these dominant areas of expertise even dangerous.

Considering the human and social factors

The challenge is to not only getting away from the experts' influence but to give the human and social factors their proper consideration. Every innovation process is the opportunity for confrontations between diverging opinions, values and interests. This is even more true for networking, as it makes partners out of realities and stakeholders who weren't partners before. The diversity of points of view and the ensuing fragility of the cohesion poses significant challenges to how the projects will be defined and carried out. If a number of individuals agree that the human and social factors must be taken into consideration, different approaches conflict with each other with regard to how these factors should be dealt with in practice. A pitfall that is as widespread as it is harmful, is that of reducing these factors to the status of sources for failure. To the contrary, they must be considered as much sources for learning and creativity as guidelines for decision-making. By the same token, interdisciplinarity must be valued in steering the networking project, and the intersubjectivity and social interaction between the concerned stakeholders must both also be seen here as a fertile source of teaching and a condition of suitable guidance. The partnership of these concerned stakeholders facilitates a more accurate understanding of:

Calling on the experience and knowledge of the concerned stakeholders: an ethical requirement

Rule that is applied in situations of uncertainty in the face of the suspected risks of harm for the individuals, the societies and their communities, based on the requirement for lasting development and serving to guide the actions or decisions regarding scientific or technological development.

Before the complexity of networking and the social focus of the anticipated transformations, two characteristics are necessary when making decisions: acuity of judgement and care, in accordance with the principle of caution. Both depend, however on the decision-makers' ability to properly understand the traits of the environment affected by the networking. Only an adequate understanding of the environment enables the issues and concerns raised by a specific project to be properly identified. Therefore, this knowledge is the only thing that will permit action exhibiting acuity of judgement and care - which is why it is important for the decision-makers to know how to solicit the experience, knowledge and opinions of the stakeholders affected or otherwise involved.

Making the stakeholders concerned with the change in an organization or a greater environment, like a region, partners in the decision-making process or in the decisions by soliciting their experience, knowledge and opinions and in this way clarify the decision, making it more pertinent or at least more legitimate.

Participation process in which the participants study and compare their opinions on a matter, a project, a program or a policy and try to arrive at points of view that are shared or at least acceptable to a majority.

However, beyond the search for effectiveness, there are also considerations that are specifically ethical for soliciting these stakeholders' input. First of all, the obligation to assume, often for a long time, the costs, the benefits, the implications and the impacts of these key decisions regarding a networking project gives at the very least to individuals and communities, the right to know and, more fundamentally, the right to have their say, which is why it is necessary to institute formal or informal mechanisms for participation in the project. Moreover, the issues that are specific to health information are sensitive, often of literally vital interest for many, and of public interest for everyone. In themselves, these issues necessarily have an ethical dimension, which makes discussion between stakeholders an ethical requirement for every measure whose purpose is to resolve them. By calling on the whole of experiences and knowledge available as well as the opinions of those who will have to bear the effects of the decisions, discussion clarifies the decision and makes it more pertinent or at least more legitimate.

Participation as a condition for success

The participation of the stakeholders involved in the various stages of the change appears to be from the outset a condition for the social and ethical success of health information networking projects and policies. But as we will state later, participation can take different forms, involve quite varied matters and fit into different times in the decision-making process. Indeed, all participation does not have the same value. It is the most essential at the design stage of the project as it enables the very direction that the change must take to be driven by the full spectrum of reflection. Therefore, it is when participation allows an actual influence on the decision that it best responds to ethical considerations. Certain forms of participation are more like persuasion than discussion. In similar cases, it is more accurate to talk about non-participation or token participation (see below, the three main levels of participation).

Summary

Objective reasons for involving concerned stakeholders

Minimal conditions to be respected

The active participation of the involved stakeholders cannot be spoken about if these minimum provisions or conditions are not met:

Pitfalls to be avoided in every networking project

Different examples of networking projects enable the most common types of pitfalls to be illustrated.

Example 25

A project that seems done on the sly

In Quebec, the development of a research networking project clustering numerous institutions and organizations in the health sector allowed valuable exchanges between the stakeholders involved. Its existence remained, however, totally unknown to the public for many years. For all projects of this nature, the lack of visibility poses a problem from the moment it involves public money and requires approval of the researchers and populations studied. The surprise or tardy disclosure of its existence, in the media, could lead to the belief that the truth was deliberately withheld. In addition, the act of carrying out a project far from the public sphere does not encourage either collective discussion or learning. Participation in a similar project of the affected stakeholders could, to the contrary, increase its legitimacy and promote a more sustained commitment on the part of the public.

Example 26

A design dominated by managers and technologists

The Réseau de télécommunications socio-santaire (RTSS) [translation: Public Health Telecommunications Network] is the basic infrastructure of the health sector in Quebec, a sort of "pipeline" to which the different common applications - clinical as well as administrative - must hook up. However, its design was limited to managers and technologists, while its creation and management was given to a business consortium specialized in technology. Stakeholders in the clinical community, like those in the research community, were not invited to take part which may explain certain difficulties encountered when the network was implemented. As was observed by a working group formed by the Conférence des régies régionales: [translation] "A number of problems arose because of the mistake of imposing technological systems or solutions developed at the top of the pyramid on the whole of the network, without bothering to find out if the solutions stuck to the reality in the environments. This was far from always being the case. This method created many frustrations." (Working group on the network modernity, 2001, p. 6). The willingness to involve the stakeholders affected by the change gives rise to moving away from the traditional approaches to development in which only technical and economic expertise were valued.

Example 27

A strategy based on communication and training more than on participation

In the Montérégie region, the Brome-Missisquoi-Perkins General Hospital (BMP) implemented an integrated inter-institution health information network structured around a plan of clinical intervention. This innovative project was designed and implemented by the hospital's administration which believed in the possibility of a shared common vision of change to ensure its success. Those in charge opted for a strategy of effective communication and a structured training program, believing this was how to create adequate interest among the target users. However, the project created negative reactions from the nursing and medical staff alike. Considering the tool inadequate in relation to their needs, the physicians furthermore chose to not use it. An evaluation showed that management had not succeeded in getting its vision properly accepted and that the involvement of users had been inadequate. In similar cases, the importance of advance consultation before the implementation phase of the technology is often forgotten or neglected. Consultation is only done to reflect on the means aimed at making the best use of the instrument that has already been designed. This approach is of little benefit for fine-tuning information on the basic problems to be solved, the actual needs to be met and the suitable solutions that have to be developed. It especially does not contribute to taking full advantage of the experience and knowledge acquired in the field.

Example 28

The Pratique médicale de l'avenir (PMA) project, also known by its English acronym MOXXI

(for Medical Office of the XXIst Century), is the perfecting and experimentation of various technologies intended to support front line medical decisions and practice. This project led by a group of researchers, is distinguished from a number of others, especially for the supervision assumed by a committee clustering stakeholders from various sectors, particularly the clinical and scientific sectors. However, nothing ensures that that is enough to ensure an outcome that meets the actual needs of the targeted users. During the second stage of the project, those in charge in fact observed that the system that had been tested did not meet physicians' day-to-day needs. Indeed, use of the tool never became common practice for a number of them. It has to be seen that involvement by voluntary users occurred following the development and was limited to use of the system and its final evaluation. However, besides not meeting the principles of discussion, it is not easy for these forms of participation to contribute to decisions on the very directions of the development. As for involvement at the time of the evaluation, it is insufficient to the extent that, as a number of specialists observe in this regard, the evaluation reports rarely serve to drive further reflection for the design of new projects.

Example 29

A tangible request to participate that is not acknowledged or appeased

The project for implementation of the microprocessor health card, supported by the government and the Régie de l'assurance-maladie du Québec raised many objections over the years, in the clinical environment and public alike. The criticisms of the project whose purpose was to implement a mechanism for authentication and access to health information, covered a range of aspects, from the ambiguous nature of the ultimate purposes sought by the decision-maker to the inappropriate nature of assorted components of the project. One of the main concerns observed in the parliamentary committee during the draft legislation study on the implementation of this technology involved the approach taken by the decision-maker. He was reproached for his lack of transparency, his dubious eagerness and especially, his lack of any overture to hold an actual informed public discussion. The various interventions made, particularly by community groups, however eloquently bore witness to their real interest in health information networking considerations. They brought to mind above all the existence of a tangible social demand for democratization of the decision-making process in projects that involve society as a whole.

How to determine realistic participation conditions

It is possible to determine realistic participation conditions that enable discussion to be opened, promote exchange and begin real dialogue so that the diversity of opinions is expressed and that this approach thus contributes to the success of the projects and politics of health information networking.

The multiple channels for participation

Participation can take different forms and take place at different times over the course of the process. The ultimate goals of participation, that is the outcomes expected by those in charge of steering the change, can also be numerous. There are multiple possibilities between participation from all angles and a categorical refusal to make any overture; for example, the sharing of power, stimulating public discussion, validation of a decision, public relations and persuasion strategy. In realistic terms, participation can be particularly in the form of referendum, conferences, group discussion, consultation and surveys. Therefore, it can be seen very well from the above that not all participation is synonymous with deliberation.

In certain cases, participation is even fictitious as in the case of public relations and persuasion strategy. Holding on to these two options would be contrary to the ethics described in this handbook.

Participation as a relationship of power

Arnstein (1969) describes three levels of participation based on the intensity or the relationship of power observed. These categories help identify the forms of participation that outright encourage the partnership of the stakeholders involved and their actual influence on the decision.

The purpose of participation

Every classification of power sharing remains, however, incomplete if it is not matched with an effort to specify the various goals of participation. To simplify, let's say that participation assumes a different meaning depending on whether it has to do with the direction of the change or the conditions for producing the change. Thus, discussing the ultimate goals of a project has many more implications than exchanges about the means of bringing about the change. Discussing the possible impacts of a project or the issues it raises leads to taking action on considerations that are much more crucial than those pertaining to realization strategies. Finally, in opening discussion on the common interests rather than on the specific interests of each, the ethical requirement we describe in this chapter can much better be met.

The contexts of participation

Finally, participation means different things depending on whether it is occurs near the beginning or the end of the change process, or in the management of the new context created by the change. The period when the project is defined is decisive as it is then that not only is the technical tool designed, but when the final objectives of the implementation of the technology are decided. If participation must be encouraged at all the main points of the process, the beginning is when it is shown to be the most essential.

Questions to ask

Questions to be considered in every networking project or policy

To avoid the socio-ethical pitfalls related to the decision-making process and promote social acceptability and benefit of health information networking, a certain number of questions deserve to be considered from the outset of a project or policy. The work of Thibault, Lequin and Tremblay (2000) on public participation enables the following questions to be compiled to help interested stakeholders increase the participation of all affected stakeholders:

Conclusion

There is no single guide or model for the participatory process. Everything depends on the project, the stakeholders, the context and the issues to be debated. This chapter, however, allows identification of the minimum conditions to be respected, the pitfalls to avoid and the basic questions to ask to encourage the implementation of formal and informal mechanisms that permit a true partnership of the stakeholders affected. We must conclude with this final very important clarification: all the issues addressed in the entire handbook must be the topic of discussion and debate in the context of the participatory processes implemented in view of health information networking.

Arnstein, Sherry R, "A Ladder of Citizen Participation", American Institute of Planners Journal, vol. 35 (July) 1969, p. 216-224.

Fondation européenne pour l'amélioration des conditions de vie et de travail, Les chemins de la participation dans le changement technologique. Attitudes et expériences, Shankill (Dublin), Loughlinstown House, 1991.

Working group on the promotion of modernity in the Quebec public health network, Au rythme de vos mots et de vos pas, nous créerons le réseau, Regional Quebec health and social services board conference and Centre francophone d'informatisation des organisations, 2001.

Lemire, Marc, "Le politique dans le projet de modernisation technologique du service public de santé. Le paradigme des autoroutes de l'information face à la démocratie", Doctoral thesis, Département de science politique, Université du Québec à Montréal, November 2003.

Thibault, André, Marie Lequin and Mireille Tremblay, Cadre de référence de la participation publique (Démocratique, utile et crédible), Sainte-Foy, Conseil de la santé et du bien-être, 2000.

Office of Intergovernmental and Public Accountability, How to design a public participation program, U.S. Department of Energy, s.d., (online) http://web.em.doe.gov/ftplink/public/doeguide.pdf

Chapter 10 - Changing Relationships

Introduction

Multiple relationships give structure to the health-care field, based on stakeholders' roles and on the missions and roles of institutions or agencies. We are witnessing major restructuring of organizational relationships within the health-care network which entail revising the relationships between stakeholders.

From an information perspective, these relationships are based on the production, sharing and circulation of information, by and for all stakeholders. Such relationships are also at the very heart of the information management taken on by those people responsible, in particular archivists, institutions and network managers. A number of individual and organizational responsibilities are likely to be affected by information networking.

Networking is also likely to cause these relationships to be broken up, roles to be redefined and reorganizations involving new stakeholders, not to mention the multiplication of secondary uses discussed in the previous chapter.

All in all, networking is not limited to the sole support role, i.e. making it possible to circulate information.

Networking moves the places where surveillance and control occur; it increases difficulties in spotting and correcting errors or reduces them, insofar as integrated methods for doing so allow; it affects prescribed operations for pruning and retaining information; it displays professional practices by exposing professional judgements and the resulting actions to greater visibility; it reduces the scope of patients' actual consent or makes the process more complex, thus affecting patients' control over information about themselves.

Thus, despite networking being a method which maximizes the efficiency of health-care services and the safety of care, the nature of these characteristics generates either resistance to the networking project or a tendency to withhold information or restrict its input and, as a result, restrict communication.

Reviewing the changes created in the direct relationships of the main stakeholders seems essential to any information network rollout process.

Reviewing Changes in Relationships

This section proposes certain bases for identifying the changes made to the direct relationships between stakeholders involved or affected by the production and management of information in a networking project.

In order to simplify the presentation, changes have been grouped under three main categories, organized by the stakeholders involved and the nature of the relationships, i.e.:

Inter-Organizational Relationships

Relationships involving the objective of continuity of service

Beyond the relationships maintained by public or private agencies and institutions, whether administrative or financial or developed for cooperation with the research or public health fields, it might be thought that relationships between dispensers of health care or services are generally intended to provide the continuity of service required by patients. Continuity of service is a part either of the objectives or the very organization of the public health-care network, or it is the result of a program set up to meet the specific needs of a group of patients, often within an integrated network project for individualized care. Depending on the complexity of the services or care required, a varying number of institutions or agencies is involved.

Three levels of integration in the continuity of service

Relationships between organizations are set out based on a model which varies by level of autonomy or integration of the health-care agencies or institutions. Kodner and Kyriacou distinguish three levels of integration: linkage, full integration and coordination.

Integration of services by linkage between organizations

Linkage involves offering established services through protocols or agreements between different organizations to facilitate patient transfers and transition between services. Institutions retain their autonomy for procedures and rules with respect to administration, evaluation and management. In terms of information, we see bilateral or multilateral linkages intended to facilitate relationships involving health-care services or care dispensed. This method of integration by linkage characterizes the relationships between hospitals and the CLSCs in Québec to ensure monitoring of patients who have had surgery and been discharged. The local information and coordination centres (CLIC - Centres locaux d'information et de coordination) which have existed for some time in France represent a multilateral form of linkage.

Integration of services under the direction of a single organization

Conversely, the full integration of services involves a single organization acting as the manager for all services provided. Total management of people is carried out by a multidisciplinary team, within a service-centre type structure which provides management and circulation of information among stakeholders and partners. This type of integration is illustrated by the setting up of outpatient hospital centres such as the Centre hospitalier ambulatoire régional de Laval (CHARL) [Laval regional outpatient hospital centre], day centers or home support services, such as the integrated service projects for older people with decreasing autonomy (SIPA - Services intégrés pour personnes âgées en perte d'autonomie) in Montréal. It exists parallel to institutions and agencies and does not entail changes in their structures or internal administration processes, but rather is based on negotiating contractual agreements between institutions and the organization responsible. These agreements create bridges between the partners, taking into account their respective missions, and, in particular, provide the basis for management by programs for target patient groups. For examples of such programs, see chapter 1.

Integration of services by coordination of organizations

Coordination is based on dialogue between all institutions or agencies from one region which give up some of their autonomy for a joint regional or local approach to services. Coordination entails establishing structures and mechanisms which transcend the organizations involved and which they belong to, adapting their structures, administrative processes and resources in accordance with the partnership agreement. The success of these integrated service networks generally requires the use of a continuous information system which is independent of the organizations, but which they contribute to by compiling information collected or produced concerning the clientele served by the integrated service network.

Information management to support integration

Whichever model of integration is favoured, information management raises many challenges. Agreements are often rather light on specifications as to institutions' management responsibilities, employees' accountability for information or the scope or limitations respecting information circulation. It seems to be assumed that, despite the changes in relationships, the responsibilities of all parties remain basically the same and that it is enough to set up mechanisms to manage patients' consent to information sharing and restrict access to the obtaining of such consent. It must be observed that networking information through the decompartmentalization of institutions or even of the public health-care network is much more complex than that.

Initially, the new relationships created by reorganizing the public health-care service network or introducing integration service networks or programs cause a redefinition of stakeholders' and organizations' roles, both public and private. It is not the intention of this handbook to deal with this question per se, but it is important to remember, for all those who are concerned with the conditions for rolling out an information network, that this type of changes inevitably cause new tensions concerning information, whether or not it is personal, health-related, medical or psychosocial.

Several challenges to acknowledge

For example, identifying the person responsible for producing the information and inputting it, faultlessly, without omissions or errors, in a context of interrelationships and interactions of institutions and agencies, is part of the challenge. In the same way, setting out the use which will be made of it, by whom and under what circumstances, or understanding the processing and transformation resulting from it and those who are responsible for that, may prove complex but is vital for all professionals involved. Lastly, determining who will be responsible for ensuring compliance with rules or record retention schedules or the circulation of information to third parties, if appropriate, is an element which is far from insignificant.

A shared and collective responsibility

Redefining responsibilities for each stakeholder, partner or network manager is crucial. Identifying the roles, duties and responsibilities of each party with respect to the information is necessary. This must be done from the beginning to prevent faux pas or violations of rights likely to harm the patient. In addition, that makes it possible to set up intervention processes about the information and identity of the people responsible for such intervention. It is the job not only of the manager, but also of all those with responsibility for initial production or its new versions and their transformation and use.

The personalized identity of a responsible party

Institutions in the public health-care network give medical archivists or, failing that, a named person, the responsibility of meeting their obligations for protecting information. Document management for partners from the private sector, community agencies or local or regional service groups is done by support staff. Generally, we do not find any individuals assigned to document management, because there are no specific standards which would apply.

Different information management responsibilities for the public and private sectors

Information management standards (plan for classification, pruning, record retention schedule, deletion of information, purging or destruction of the record, etc.) are therefore different depending on whether the record is established and managed by a public agency or a private organization. The same observation applies to obligations imposed on health-care professionals, depending on whether the medical record is held in a private clinic or office or in a public institution. For example, it is possible for pharmacists' record management information network to transmit information about doctors (see example no. 22 in chapter 4), because they are required to comply only for patients' personal information and not professionals', whereas the same information held in an institution's records could not be transmitted to third parties.

In short, the changes caused by the new relationships between institutional partners from the private and public sectors with respect to information management should provoke a detailled review of changes in the relationships between institutions, causing an inevitable revision of the information management process.

Questions to ask

Inter-Professional Relationships

From privileged information to accessible information

The main change brought about by information networking with respect to professional relationships is undoubtedly the greater distribution of information generated by the professional. Inputting information about a patient instantly makes it potentially accessible to anybody whose authentication is recognized by the system. The status of privileged information for the professional concerned blurs to take on the status of data entered for the benefit of all professionals or people involved with the patient or any person entitled to access the network (network managers or administrators, professional orders, risk managers, etc.). The definite advantage in terms of increased safety of professional actions must be measured against the increased risk due to the relative loss of the professional's control over information produced and by the use or processing of that information by other professionals or people involved.

Increased health-care safety

Information networking gives greater safety in professional actions, particularly for those involved with a patient for the first time. Networking makes it possible to quickly get both a patient history and a recent clinical picture. Access to a continuous system of information documenting the various actions taken previously enables professionals to more quickly grasp the situation before them and to move more surely to a diagnosis and determining the treatment required.

Increased risk of vulnerability to errors

Networking information is also likely to make patients and professionals more vulnerable to any kind of error. For example, it might be errors of measurement or writing (test result), judgment errors (diagnosis), access to a particular diagnosis (a mental health problem or HIV), design of application or processing of information (juxtaposition of information on two different patients or inconsistent merging of initial records), etc. Professionals accessing the patient's record for the first time on the network are inevitably influenced by what is found there and their actions are based, in part, on what they retain from it.

A new dimension in professional responsibility

Networking requires professionals to evaluate the information they obtain against their own observations or tests. They must exercise their professional judgment based on all the information available to them, without omission or abstraction, including actions taken by others. In their turn, they must input new information produced into the digital record on the network. In brief, networking is not limited to access to existing information but necessarily includes the responsibility to take into account information obtained and the sharing of newly produced information.

This change in professional practice leads in its turn to a change in relationships between professionals. Thus, health-care information acquires a new dimension or rather the dimension is multiplied by networking: it becomes the bearer of knowledge concerning the professional who produced the information. Health-care information gives information about the practices of other professionals, their competence in keeping their knowledge up to date, their preferred choices of treatment, the attention they pay, or do not pay, to the actions of other professionals, etc.

Redefining individual or collective responsibility

Individual or collective responsibility is increased, particularly in the context of team action faced with the actions of other professionals. The example of prescribing incompatible drugs illustrates the difficulties to be untangled. Who is responsible when a patient is simultaneously taking incompatible drugs, prescribed by general practitioners and specialist physicians, sold by pharmacists and administered by nurses or supervised by other professionals? Who should intervene in such cases? Is it the responsibility of all professionals involved in the case? Of the last one involved? Of the one who gave the prescription, probably, without reading the whole record? Of the pharmacist who filled the prescription? Of the nurse who administers or supervises drug taking?

In short, inputting information into a networked record has significant consequences for professionals, not only with respect to their own professional practice but also the practice of others. Professional actions may less and less be dissociated from the information and knowledge they are based on.

The changes in professional relationships caused by networking are only outlined here. Since the objective of this chapter is to open the door to a more detailled review of these changes, we can only propose questions with which to start studying the changes.

Questions to ask

Patients' Relationships with Professionals and Institutions or Agencies

Patients' rights

Traditionally, patients establish health-care and service relationships both with professionals and institutions. In this specific context, with respect to information about them, patients have specific rights of access to and control over the information. Generally, they are able to find out who is involved with their case and who has access to their record. It could be said that, subject to legal and administrative authorizations, the current information management model provides for patients' actual participation in circulating their health-care information.

Patients' role in information transmission

Patients provide the information required by the services they require and authorize access to the information compiled for people providing them with services or care. When transmitting required information, patients may exercise their freedom of communication and transmit only information which is helpful and relevant to the health-care episode or consultation.

Patients' rights over information about themselves

By virtue of the rights they are acknowledged to have, patients may access their record, get a copy of it, and have errors corrected or demand comments be added, when they consider it appropriate. They may also authorize the people of their choice to have access to it. In short, patients' relationships with professionals and institutions are part of a fairly immediate and direct relationship with their records, for which patients have full ability to take action.

Relative reduction in ability to take action

Networking necessarily entails a reduction in the actual ability to take action. When designing a networking project, it is possible to make it so that patients' relationship with the system is defined in such a way that their ability to take action increases; however, we are increasingly witnessing decisions which are more and more determined by network management standards and applications as much as by the objectives of inter-organizational or inter-professional agreements.

Distance from places where surveillance and control occur

Networking distances patients from the places where information is stored, controlled or monitored. Despite a legislative framework which requires it, patients experience problems identifying where information is managed and, in particular, the people responsible. Can they access their networked record? If so, where do they turn to? Who must they contact to obtain a copy of the information about them? Who must they turn to in order to get information updated or an error corrected? How can they be sure of the identities of people accessing their record? All these questions illustrate an important change in the relationship between patients and their records and, consequently, in their relationships with the professionals, institutions or agencies involved in providing services.

Decreasing patients' freedom of communication

Networking also affects patients' freedom of communication with the professional, since they know that their words become simultaneously accessible to a whole group of people. It is no longer as easy for patients to distinguish between various health problems and keep information separate, depending on the professional consulted or the reasons for the consultation. Just think of the care required by the victim of an accident at work who is also receiving mental health care, from a doctor and a psychologist, for reactive depression related to a crisis in his family life.

Accessible information without patients being able to exercise their right to restrict communication

A wide range of situations may justify patients withholding information when they require a service or specific care from an institution or professional, without that necessarily influencing the action taken. Thus, the physician consulted for a sprain does not necessarily need to knew that cosmetic surgery corrected the patient's nose or that the patient has had a vasectomy. That kind of information, by the effect of networking, can become accessible, without patients being able to say anything about it. There are certainly organization and information mechanisms which can provide different access controls based on the needs of people accessing the information. For example, we can think of access by a pharmacist or dentist, who both require only that part of the information that is relevant to their activity; however, this type of information organization, which meets network effectiveness by avoiding the overload of information transmitted, does not offer a reply to the change in exercising patients' freedom of communication.

In short, any networking project entails calling into question patients' freedom of communication.

Thus, beyond the notion of consent, which will be dealt with later on, it is appropriate to be aware of the changes that networking entails in patients' relationships with health-care professionals and institutions. In that respect, we suggest here a few questions to clarify these changes.

Questions to ask

References

Bussière C. (2002). Les centres locaux d'information et de coordination (CLIC). Gérontologie et société 100: 75-81.

Health Canada (2002). Sharing the Learning. The Health Transition Fund, Synthesis Series: Department of Supply and Services and Government Services Canada, Ottawa, 2002.

Hébert, R. (2003) L'intégration des services aux personnes âgées: une solution prometteuse aux problèmes de continuité, Santé, société et solidarité: Special issue: 67-76.

Kodner D.L., Kyriacou C.K. (2000). Fully Integrated Care for Frail Elderly: Two American Models, International Journal of Integrated Care, 1(1): 1-24.

Leutz W.N. (1999) Five Laws for Integrated Medical and Social Services: Lessons from the United States and the United Kingdom, Milbank Quarterly, 77(1): 77-110.

Chapter 11 - Human and Social Vulnerability

Overview

Computer security is a dimension of networking that is suddenly receiving much attention from the stakeholders involved. They have no hesitation in investing in it or in calling on help from specialists in the field.

However, socio-ethical analysis requires that more attention be focused on the security of individuals and their relationships rather than only on tools and information, especially since a networking application can affect already vulnerable patients and populations which are, along with institutions and personnel, working to the limits of their abilities. Moreover, maintaining a confidential relationship is dependent on the idea that the circulation and use of health information remains, at all times, under the control of the parties involved. The implications are numerous, diverse, and complex. Its management cannot therefore be left only to computer security specialists. Everyone's input is essential.

After establishing the difference between the protection of material objects and the protection of human beings, this chapter will address four topics:

From the security of objects to the vulnerability of humans

From machines...

Computer security was originally about protecting machines. A spectacular 1969 incident in Montreal captured the entire world's imagination when demonstrators rioted in the computer room of Sir George Williams University (today Concordia). While the imposing machines, which until then had been proudly show-cased, had to be taken to hidden and protected sanctuaries, computer security developed as a true discipline.

...to information...

As they became more affordable and user-friendly, computers entered businesses, then homes. They deal with entire parts of the lives of organizations and individuals. In 1986, again in Montreal, the Alexis Nihon Plaza fire caused the disorganization, and even the failure of businesses that had not kept copies of their information in a secure place. From machine security, we move on to information security.

The 1980s were also the years of "protection of personal information". Many laws dealing with protection were passed in Québec, in Canada, and elsewhere around the world. Personal information security is not, however, an end unto itself; rather, it is conditional upon a certain amount of free use and circulation of information, most notably across organizational and national borders.

...to humans in society

The 1990s were characterized by the computerization of services and the creation of computer networks on a worldwide scale. One event caused a new leap in the world's consciousness: the year 2000. Because of the sheer vastness of the malfunctions that needed to be prevented, the consequences that were feared and the resources harnessed, this change constituted the biggest technological risk prevention effort in the history of the world. The protection objective merged with the whole of society. However, the danger was no longer from the risk of accidents, malicious intent, or error, but rather from a million deliberate decisions relating to the coding of dates. Developed societies and their citizens suddenly understood how highly dependent and vulnerable they were with respect to computers.

Centrality of socio-ethical questions

The perspective of computer security is therefore reversed; from the protection of systems against human or environmental risks, security must now include - indeed, prioritize - the protection of people and their environment with respect to systems. Such a reversal naturally widens the analysis and action framework to include psychological, social, political, cultural, organizational, environmental, legal, and ethical dimensions.

Protection tools rather than objects

It is, therefore, no longer enough for computer systems and the information that they handle to be well-protected and operated. At the very least, they must also not constitute an undue risk factor for people and society and, ideally, they must become themselves protection tools. An evaluation of networking projects focused on human and social vulnerability must therefore not be afraid to question the properties, the operation and the framework of the applications, all the way to the adequacy of tools.

Protection of the environment and human health

A very polluting industry

Networking is based on the coordinated operation of numerous communication tools and processing of information. However, the production of the electronic components is an activity that pollutes and consumes vast amounts of energy. The production of only one semiconductor plate currently generates approximately 3 kilograms of waste that is hazardous to human health and the environment, particularly chlorinated residue, acids, and organic carcinogenic solvents (Ayres and Ayres, 1996). Other components are in themselves dangerous because of their toxic metal content (lead, mercury, cadmium, chrome). Less polluting production procedures have been developed, but are still not used on a large scale by industry. (Silicon Valley Toxics Commission, 2001).

Manufacturing that is a health hazard

The assembly and testing of semiconductors is typically performed by young women, often in developing countries. The work is dangerous to human health. For example, long days of soldering using a microscope cause permanent damage to eyesight. The list of health problems includes: injuries resulting from repetitive motion, stress, the development of hypersensitivity to chemicals, hearing problems, reproductive problems including miscarriages, infertility, and cancer. Both male and female workers must often quit work after only a few years.

Consequences of planned obsolescence

The extent of these health and environmental problems is aggravated by the planned obsolescence of electronic products, which encourages frequent replacement of equipment, well before the end of its useful life. However, in order for the industry to encourage this replacement, it must keep production costs as low as possible, thus reducing its investments in the environment and human health. This economic strategy uselessly generates considerable amounts of dangerous waste products and health problems.

Ultimate goal of protection and health promotion

It is paradoxical that healthcare sector networking can occur at the expense of the health of individuals or populations. It would therefore seem logical that all recourse to electronic material take into consideration the risks posed by its production and disposal.

Sources of information

It is primarily the responsibility of manufacturers and equipment suppliers to show that the production methods used respect the environment and the health of female workers and populations to the greatest extent possible. There are also several independent sources of information and certification. In the case of environmental protection, IS014001 certification focuses on the quality of the environmental management system in place and not on environmental consequences as such.¹³ Regarding the respect of workers' rights, Social Accountability International's SA 8000 program applies stringent standards in the verification of companies' social performance. However, to date, very few companies which produce electronic components have joined.¹⁴

Risks resulting from malfunctions in the operation of networks

Dependence and interdependence

Little by little, individual and collective stakeholders in the health sector become dependent on health information systems as well as on various computer applications. Consequently, the malfunction of even one of these tools can have a considerable impact on the activities or lives of the individuals and organizations. However, networking only increases the interdependent relationships between stakeholders and the systems or applications. The proper functioning of an activity no longer depends on the work done locally by stakeholders supported by their own computer tools. Increasingly, proper functioning requires remote input from other stakeholders and tools, as well as the proper operation of networks enabling their connection. The risk of malfunction is likewise increased, as well as the extent of potential consequences that can occur on a large scale. The responsibility in risk management also increases, and is divided among an ever-growing number of stakeholders.

It is possible to distinguish between computer malfunction and social malfunction, even though it may often be difficult to separate them in practice.

Computer malfunction

A computer malfunction is an irregular or abnormal operation of software or computer hardware. It can happen for many different reasons: inside the machine (programming error, component failure) or external (power outage, computer virus).

Social malfunction

A social malfunction occurs when the proper operating of a system is compromised by social factors or when it causes problems of a social nature. There are numerous social factors: the closing or failure of a company which supplies a key component; a lack of money, personnel or skills; the unauthorized use of a tool; resistance or inadequate appropriation by a category of users, etc. Conversely, a well-operating tool can cause various social problems: inadequate functioning in certain specific situations,¹⁵ conflict between the existing or new legal standards and those integrated in the tools; large amounts of information desired by third parties for incompatible purposes; unexpected confrontation between stakeholders in which the interaction has changed,¹⁶ etc.

A global and participatory approach

The management of malfunction risks requires a global approach which takes into account all of the four main components of networking: information and software, computer and telecommunications equipment, individuals and organizations involved, and the management of the network and its networked activities.¹⁷ Every phase of operation of networked information must be examined, including phases occurring outside of the network itself. This management must be a permanent activity which must begin immediately from the first design stages. Not only must it rely on competent expertise and watch out for risk sources, vulnerability and solutions, but also on ongoing accountability, participation and vigilance by involved stakeholders. These stakeholders must therefore have sufficient computer knowledge in matters of security and vulnerability, as well. They must also be assured that their observations or suggestions will be correctly received and discussed.

The vulnerability of populations and specific organizations

Different dependencies and vulnerabilities

In a field as diverse as the health sector, organizations and individuals have very different levels of dependence and vulnerability, depending on the context. A radiologist will be unable to work if he or she temporarily loses access to the imaging and medical notes about patients, whereas a general practitioner in a walk-in clinic can continue with most of his or her consultations with patients. However, even this type of physician and his or her patients will experience difficulties if several drugs prescribed by different specialists need to be adjusted in order to ensure their compatibility. A researcher does not need continuous access to his or her data sources, but research being done could be compromised if ever a medical treatment under study were no longer covered by public medical insurance, drying up the necessary information provided till that point by the RAMQ. A traveler could lose his or her hospitalization insurance abroad because of the prescription of a drug (to prevent a potential health problem which, once testing is completed, is found not to exist) which causes a substantial change in risk estimation by the insurer. Examples of such possible malfunctions are multiplied with networking applications, depending on to the clinical, administrative, research or public health¹⁸ function, the type of individual or organization involved, and the specific real-life situations experienced by the individual or oragnization.¹⁹

Global approach, specific analyses

If, as proposed in the previous section, risk management of computer and social malfunctions requires a global approach, the awareness of vulnerabilities also requires specific analyses that consider every activity, context and type of stakeholder involved. Each case - even minor or unusual ones - of great vulnerability or where the malfunction would have a major impact, must be identified.

Objective and subjective vulnerability

Objective vulnerability must be identified and studied: a possible disturbance of activities and its effects, the state of health of certain patients and their needs for care and services, the impacts of decisions that could be made by third parties, etc. The more subjective dimensions of vulnerability must also be considered. Regardless of assurances given by health professionals, a number of people who have consulted psychiatrists are wary of the possibilities of giving professionals free access to this specialized file. Certain members of populations who have fled persecution in their country of origin fear that health information about them could somehow end up in the hands of government organizations. In both cases, this distrust can be justified by previous experiences, which may or may not be relevant to the networking application being evaluated. To the extent that maintaining confidential ties between stakeholders is essential in the health system, perceptions constitute an undeniable reality. With regard to analysis of vulnerability, it is therefore appropriate to integrate stakeholders' subjective perceptions which, depending on the case, arise from physical, social or psychological conditions; contexts and professional practice situations; culture or history; or their sensitivities and fears.

Risks resulting from security management

The problems with solutions

Any solution to a problem can generate its own complications. This is true of networking; it is also true of preventing computer and social malfunctions, and of security management.

Solutions that are obstacles

One must ensure that the solutions chosen do not unduly complicate attaining the end results supported by networking or actually create obstacles. The clinical uselessness of the health report of the Carte accès santé Québec project [Quebec health card project], particularly due to the solution chosen for information security, is an obvious example of this risk.²⁰

Deviation from security

It is also important to ensure that the control and monitoring measures used for network users and their networked activities are not organized in such a way or become so important that they undermine medical confidentiality or confidential relationships among stakeholders in the health system. The risks here do not only come from management of health network and applications, but also from external third parties such as police departments, the army, and national and internal security organizations in the context of the struggles against crime and terrorism. Indeed, some people would like to see these organizations monitor communications directly within the networks in order to protect them against computer attacks (and consequently, protect the services of health institutions that depend on them)²¹ or would even like to get information from these networks to be able to quickly detect threats of biological or other attacks against the population.

Questions to ask

Smart acquisition of equipment

The environment and health at work

Smart use of equipment

Dependence on suppliers

Questions to ask

Computer and social understanding of the process

Develop an understanding of the technical tools and activities as well as the categories of individuals and organizations involved.

Questions to ask

Understanding specific situations

Understanding the risks

Questions à poser

Understanding the solutions

Chapter 12 - Tensions concerning the consent and accessibility

Presentation

The health information consists of data that is highly protected in accordance with identifying information. This protection is registered in numerous legislative instruments since the Charters, establishing the cornerstones from the right to privacy protection, to privacy of personal information legislation in the private and public sectors, as well as laws governing in particular health professionals and institutions. This legislative corpus establishes the rules of protection of this information but without taking into account the computer-based support from which it is managed. It also establishes access procedure around the concepts of legal authorization, or the consent on the basis of the fundamental principle, which is the discerning consent of the patient.

The information networking submits the adherence to these rules and principles to high tensions because of the fact that these rules where first and foremost designed around a simple contact between the patient and the health professionals, on the one hand, and the administrative and financial health care facilities, on the other hand. Therefore, the designing and development of all networking project sets out the challenge of properly defining the relationships between the objectives targeted by the networking and the rules or principles of protection, in order to regulate these tensions adequately. The issue here is to find a balance between the "networking" and what we could call the triangle "protection - consent - accessibility" of information.

The examination of these questions is situated at the junction of two fundamental ethical positions: one grounded on the principle of beneficence (or non-maleficence); the other grounded on the principle of respect of personal autonomy. We must not forget that the idea itself of consent implies the proposal of action to which patients hold fast to, in regards to the information received. The consent constitutes sort of the necessary corollary of information given to the patient, pertaining to the object of the consent desired.

Generally, in the health sector, we assist in the retrieval of consent to the gathering, processing, circulation or access to information that is part of the organizational setting of services and the offer of the care required by the patient. The standard is to respect the right of the patient to choose the options that are the most convenient to him or, in other words, to offer the patient the possibility to fully participate in the decisions concerning him; including the matter of information management, particularly as the information gathered usually comes from the information he is willing to reveal of himself in the specific context of a relationship of care.

Therefore, following this standard in the context of networking health information can become particularly problematic because of the wide variety of users, immediate or potential, and for primary or secondary use purposes of this information.

The three aspects of the protection of privacy of the patient

The protection: a problematic widely discussed to date; but with a determined perspective

The object of this chapter is to examine the three aspects of the protection of privacy of the patients, for the purposes of health information management by means of a networking project. This problematic is widely discussed in the literature and has been for a long time. Therefore, it may seem well known and without much interest, particularly when we take into account that the most effective options have been developed around what is agreed upon to call "privacy enhancing technologies" PET, for the protection of confidentiality and privacy.

A problematic more fundamental to the indissociable elements

Therefore, according to the current standards, information protection is closely related to the consent of the patient or the backup legislative intervention for everything that concerns accessibility to this information. The use of the triangle illustration aims at reminding us that these three aspects are practically indissociable one from the other, and that these three aspects create a set where the patient is the focal point. In the case of the examination of issues, this simply means that we would not be able to reduce the problematic of information protection only to questions concerning system security or informational aspects. No more then we could allege making all the information accessible to all parties or to any person showing an interest for this information, simply because of the existence of a broad consent (non specific and non restrictive) from the patient to circulate the information between the concerned parties or, for that matter, engage in its processing.

Each of these aspects includes separate rules that within the context of networking information and circulating it are defined on the basis of their links to the other two aspects.

Information Protection

Information protection hinges around the consent and authorizations of access.

Ensuring information protection can be interpreted as meaning, beyond the security of the systems, which would mean restricting the circulation of the information, so that only the people concerned or implicated with the patient's care would have access to this information. This could also mean allowing a controlled circulation to other parties to whom the access to this information through the network can be justified. The aspects that will prescribe the applicable rule will come from either the implication or the duration of the patient's consent, to which is added the particulars of the right of access he recognizes, or by the information access parameters established by law.

The basis for protection

All circulation of information includes an intrusive characteristic in the privacy of the patient, which must be considered individually and with the basic approach of beneficence and respect of his autonomy. The information protection constitutes an obligation imposed by the respect of the person and must aim to support the expression of the patient's fundamental freedom, recognizing him as a free and responsible individual, with the right to refuse. Respecting this freedom is offering and not urging the patient for the distribution or circulation of the information concerning him with the utmost transparency of process expected, in order to ensure the information protection, and also to respect the goals or objectives pursuant to the circulation of this information.

In this context, information protection can also mean to recognize the necessity to adopt a rule promoting a specific consent in writing. This could also mean that the legislator would have to clarify or refine the new limits of information circulation along with the details of access. This could also mean to establish a special status for this information when recorded in collective data banks, which tie contents into one or the other.

Free and enlightened consent

A consent freely

Technically, the patient can refuse the distribution of information that may seem unacceptable to him, or too widespread or uncontrolled, it is therefore essential that the information provided to him in order to get his consent allow him to make an enlightened, honest and comprehensive decision without any kind of constraints.

Carefully choosing the role of the originator of the proposal

The role of the initiator of the proposal of consent surpasses the simple role of middleman, since it creates a privileged relationship between the patient and the concerned individuals, by first dispensing the care and services, and also by creating a link between the patient and the establishments, the organizations or the interested parties relating for the purpose of: public health, research, the management of insurance plans and also for the administration or enforcement of other legislations (SAAQ, CSST...)

A clear proposal for and enlightened consent

Insisting on obtaining an enlightened consent in regards to information gathering and circulation that takes part in encouraging the patient to exercise his responsible autonomy concerning a technological support, for which he probably does not quite understand the whys and wherefores. In view of this, the information must be simple, intelligible, accessible, and adequate in regards to the goal and the nature of the computer-based support, and also in regards to the consequences and related risks. The networking makes the link of the patient to his information more complex, particularly because once the information is recorded in this computer-based support, the information escapes him; it becomes the object of interest for a wide range of people, often without any immediate link to the patient. The patient must be able to clearly understand the subject matter of the consent that we are looking for, the effects of the consent given and also the consequences in the event of refusal or restriction of consent.

Information habits to receiving

While information habits in regards to the consent of circulating this information have a tendency to be as follow: making sure the patient receives simplified or approximate information, we can think that the obligation to inform the patient for the purposes of networking, the information concerning him could go more towards an obligation of giving the complete information. To target this objective is to insist on the link between information gathering and the processing and circulation of this information, in regards to all the parties involved or concerned by the networking, without leaving any gray area that in time would aggravate the possibility of objections arising.

Getting consent signed must be the result of a two-way communication and not the result of automatic actions or a signature obtained with difficulty.

The implicit characteristics of the consent to information management associated to the request of care and services would not totally eliminate looking for the approval expressed knowledgeably. The fact that in most of the cases, the consent is acquired or given without difficulties cannot be construed as "the" standard that is required from all patients against their right to refuse or restrict the information gathering or circulation. The expression of refusal or of reservations can turn out to be legitimate, comprehensible and justified because of choices or because of the personal situation of the patient. The respect of this fundamental freedom should find its place in the expression of consent.

The specific or determined expression of consent

This simply means that once the information is obtained, the patient is entitled to express a restrictive or broad consent, of short term or definite term based on his need of services or care, or to agree to a secondary use for research purposes. The consent can be in regards to the nature of the information and in regards to the context of its use, which amounts to saying that he interacts with the rules of protection, or that he can identify the targeted individuals and interact, this time, with accessibility.

Accessibility to information

The accessibility is limited by the protection rules and determined by the effect of the consent.

The information accessibility is the result of two distinct but complemental rules, one depending of the patient and his consent, and the other of the effect of a legislation or, more directly linked to its application, from the intervention of information manager in response to the requests he received from the individuals concerned or implicated in the care or services.

The accessibility specified by the patient

This simply means that beyond the patient's personal right to access his information, which is clearly recognized by legislation, it is the patient's right to identify third parties he authorized in accessing his information, but only an implicit consent is needed in regards to professionals and other individuals designated to ensure him services or care. The role of the patient in regards to accessibility seems simple, as long as he is capable of expressing his enlightened, determined or specific consent. The deployment of an information network therefore requires that we take interest particularly in the development and the management of computer-based supports for this consent. We will come back to this subject further in this chapter.

The accessibility specified by law

However, accessibility described in terms of needs of health management, administrative or financial, or the application of other legislation, whether it deals with the procedures directly prescribed or the access recognized by intervention of administrative authorities such as the Information Access Commission (Commission d'accès à l'information "CAI", Director of professional services), brings us back to the questions addressed in Chapter 4 of this manual. Without coming back to the content of this chapter, lets remember that the legal rules include major distinctions between the public and private sectors, in regards to the information management. As explained in Chapter 4, it is important to understand these distinctions, to really understand the issues when comes the time to develop the accessibility rules in regards to the information available in the network, especially the ones administered directly by the data processing system, without any human intervention. Apart from the fact that these may be less numerous, if we distinguish these by assuming the existence of the same obligation and the same accountability as the networking partners, it would open a path that would risk leading to uncontrollable tracking.

In brief, we can say that the patient is directly or indirectly, by the effect of the thrust of legislation, in the center of the triangular link "protection - consent - accessibility". However, in order to protect the information concerning the patient, it is important to oversee with great care the consent the patient is asked to give in the same way as the legal requirements targeting its accessibility.

Looking for appropriate means

Technologies measuring up to the protection of privacy by the system

From the perspective of information technology, we can currently presume that the ruggedized privacy enhancing technologies" PET, for the protection of confidentiality and privacy are known to be effective means of monitoring, in order to establish and recognize the identified individuals who have access to the records, as soon as they access this information, and also that these means of monitoring represent a crucial process in order to ensure its control. These technologies offer a wide range of possibilities, as far as organizational structures, in addition to allowing human interventions.

Technologies distant from the patient's action skill

However, we must recognize that these technologies and their implementation remain distant from the patient's action skill or intervention, whether it involves accessing himself to his records, or to determine or control its access.

Tests of patient's integration in the implementation of the information circulation As communicated many times in this manual, many tests were done in order to ensure the patient a bigger control over his information, recorded or distributed through a computer-based support. Many of these tests included the use of simultaneous key codes or card codes by the patient and the professional consulted; this method ended up being more or less appropriate, especially for the patients with reduced autonomy. Therefore, we can think that this process needing the direct presence of the patient, in real time, endorses with difficulty an objective of intervention efficiency on his subject.

Another method of exploring was the procurement / transmission of an electronic consent. More versatile then consent management issued by cards, this method remained difficult to operate in a context with many first possible variables, in regards to the scheme of care and services required on the one hand, and in regards to the targeted individuals, on the other hand. In view of the nature of the information and its support, and in view of the more or less limited knowledge the patient had on his own concerning the information available, its content or its scope, concerning the process to access or to circulate this information, we can say, that in general, this type of consent carried a wide access, not very significant pertaining to the existence of an effective control, real, by the patient, of the information concerning him.

The necessity of functional and effective methods

Furthermore, it is important to remember that in light of the nature of the services required, mainly in the context of acute care or even of the services given by organizations or interdisciplinary teams and inter-establishments, it can proven not too functional to scope out the consent around an access that is too targeted or specified. Incidentally, this is the reason why the legal framework added provisions to this aspect of information management, by establishing rights to access related to the function exercised by the person concerned or implicated and to the task, in relationship to the patient, that was entrusted in his care. Particularly noteworthy, this person has the inevitable obligation of ensuring the information protection.

The dilemma surrounding the consent and the legal authorization

In conjunction with what precedes, can we, for the sake of pragmatism, try to find the answer to the dilemma emerged by the tensions resulting from the difficult management of consent in the broadening of lawful obligations? The answer can not be over-simplified. The satisfactory response can include an approach substantiated by the broaden participation of the patients or of their representatives through the most rigorous information, the most respected and the most complete issues for the patient.

Reflected from what just preceded that for the plan of appropriate methods, the issue raised by this chapter is not perfectly resolved by the reinforced technologies of protection and that it is always actuality regarding avenues to develop in order to ensure the efficient management of an effective consent by the patient. It must also be identified that there is the necessity to better track the status of this information and the legal rules in order to ensure its protection. Such being the case, in the event where this last approach notes a necessary intervention from the State, the partners of a deployment project in health information networking can only, at this stage, direct their efforts towards the development of methods surrounding the consent of the patient.

The exploration of new approaches in relationship with the services

New models of consent management appear pertaining to the development of integrated-services networks. We recognize that these models link the information protection obligation and the respect of the consent, even beyond legal authorizations of access. They entrench even more in the right of the patient to participate in the choice or in the definition of services that concern him.

A more specific definition of the partners responsibilities

This approach is based on two perspectives that are consistent with each other: the obligations and responsibilities of the partners of the network of services concerning the information and the respect of the rights of the patient pertaining to the consent. In a first phase, the partners are invited to sign a personal information exchange and use protocol that incurs their responsibility regarding confidentiality, integrity and the security of information management, in a nutshell, regarding the information protection and the development of consequent accessibility rules.

A method involving more the patient through his consent

Then, we propose to the patient to give his consent to circulate the information at the same time as his adhesion to the service plan that is proposed to him. A few agreements stipulate that this proposal be done by a case manager that supplies the required information for the procurement of an enlightened consent, and that guides the patient in the formulation of a consent giving in writing, for a determined period, renewable or revocable at all times. The preferential model tends towards the respect of the patient's autonomy through a better comprehension of the tensions at issue.

Admittedly, it pertains to situations where we register a patient in the integrated services models, that is in a continuum of care, but we must view here an exploratory experience that entitles more autonomy for the patient and that offers a real meaning to his consent.

The preceding analysis demonstrates the diversity of patterns taken on by the tensions between the two poles of ethics, to which we must refer to in order to process the triangular link "protection - consent - accessibility". The questions that follow are to be considered as points of reference in developing the thought process on these questions.

Questions to ask

References

Association des hôpitaux du Québec, Association des CLSC et des CHSLD du Québec et santé et services sociaux Québec. Protocoles d'entente type interétablissements et médecins. Québec, MSSS, 2001. (Protocols of understanding inter-establishments and physicians).

Anderson JG. Security of the distributed electronic patient record: a case-based approach to identifying policy issues. Int Journal Med Inf. 60(2):111-118, 2000 Nov.

Andersson A, Vimarlund V, and Timpka T. Management demands on information and communication technology in process-oriented health-care organizations: The importance of understanding managers' expectations during early phases of systems design. Journal of Management in Medicine. 16(2):159-169, 2002.

Cavoukian Ann. The Security-Privacy Paradox: Issues, misconceptions, and Strategies.A join report by the Information and Privacy Commissioner/Ontario and Deloitte & Touche, August 2003.

Fineberg AD, The personal Information Protection and electronic documents act: physician prescription data and Canada health system review. Health Law in Canada. 23: 1-10, 2002 Aug.

Chapter 13 - Managing secondary uses of health information

Presentation

Computerization and networking create new health information use possibilities. Secondary uses are those which are unrelated to the purpose or purposes for which the health information was initially collected or produced. These new uses can be carried out by the initial stakeholders or by others completely outside the context in which the information was created. The question put forth by a secondary use is simple: Upon which conditions is it ethically and socially acceptable as well as legally possible? The answer, however, is becoming more complex every day, proportionate to the increasing complexity of networks and new the interrelations these networks provide between information subjects and the growing number of information producers and users.

Multiple health information uses

A wealth of information

The provision of health care generates a plethora of information. Typically, this information is found in patient records, invoices or reimbursement applications submitted to insurers and possible reports to public health authorities. This information often reveals intimate details about a person: physical, mental and social condition, care and treatments received, genetic-related records and information about the patient's surroundings (extended family, work or life environment). This information also deals with acts carried out by health care professionals and other people caring for or attending to the patient.

A wealth to be harnessed

Thanks to networking, it has become possible to use this information not only to provide better care but also to meet other objectives: better organization and management of physical and human resources required for this care; better monitoring of the improvement in the population's health; improved facilitation in the development of disease knowledge and treatments; and improved management of the health system, perhaps even the organization of society as a whole with respect to health care objectives. Business objectives are also possible. However, health information is often considered sensitive by the persons directly involved and justly so. Consequently, one plays with this sensitivity as soon as one seeks to use information for a purpose different than that for which it was produced. This can even jeopardize the relationship and confidence that was established between the initial stakeholders. Furthermore, new users of the information can put themselves at risk since the information they are using was not produced for this new purpose.

There are no practical or dedicated definitions for the terms "use" and "secondary use". The same is true for the term "purpose", even within personal information protection legislation. In this handbook, we propose the following definitions.

Information Use (or Information Usage)

The action of manipulating the information elements for the purpose of producing a specific result.

From a practical perspective, a use corresponds to the conclusion of a particular information process. This conclusion may be a statement ("establish a diagnosis", "confirm a patient's identity"), a decision ("choose a treatment", "grant access to a service"), production of new knowledge about a situation or reality, or simply the production of new information (statistic compilation, for example). It is therefore the specific intended or obtained result which defines the use and enables it to be designated. Consequently, an information use has both an objective and verifiable nature.

Secondary Information Use

A use serving a different purpose than that for which the information was initially collected or produced (see: "purpose").

Purpose (or Aim)

The object of the relationship between the stakeholders participating in or those involved with the information use. For example, one can distinguish a "health care" purpose between a patient, a healthcare professional and a health institution; an "insurance" purpose between an insuree, an insurer and health care provider; or a "research" purpose between a research subject and a researcher.

From a practical perspective, a purpose corresponds to the object of the relationship established between the specified stakeholders, who each have specific roles to play in the manipulation of information elements. These stakeholders, whether individuals or groups, are those handling the information or are the subject of this same information. Effectively determining the roles played in manipulation of information elements cannot be based exclusively on the observation of processes. Part of this determination remains subjective. As a result, disagreements can occur regarding the nature of a relationship and consequently on the object of a purpose.

An issue greater than that of protecting personal information

Unavoidable laws

Since health information is often personal in nature, the discussion of this issue is highly structured by current personal information protection legislation. In fact, any computerization or networking project, new use, new communication to a new stakeholder or transmission beyond a sector or territory of activity must be in compliance with the regulations of the different legislations adopted in this regard.

Basic notions

However, personal information protection laws determine the legality and limitations of the collection, storage and communication of information on identifiable persons, particularly with respect to the correspondence or lack thereof between the "use" and the "purpose" for which this information was initially produced.²⁵ It is also according to theses notions of "use" and "purpose" that standards are structured relating to consent of the persons involved, information accuracy, as well as transparency of the practices of the information holders or users.²⁶ Therefore, one easily understands the unavoidable nature, as much as for these legal measures as for the notions of "use" and "purpose".

Beyond identifiable information

However, the issue surrounding secondary use is in no way limited to the handling of information elements subject to these laws, i.e., information about identifiable human beings (also called nominative information). The same issue also relates to the handling of personal information on non-identifiable individuals, information about groups, populations, statistical data or even reports generated from this information.

...probative information on groups or group-related phenomena

Moreover, one must look beyond simple handling of nominative information because its relative importance will tend to decrease, even in decision processes pertaining to individuals.²⁷ This can seem paradoxical while networking enables an ever-increasing amount of nominative information to be put into circulation. However, one must not forget that another objective of networking is to facilitate the production of knowledge or "probative data" upon which more and more decisions are based regarding individuals, organizations and populations.²⁸ Already, for example, private life and hospitalization insurance companies determine the insurability of individuals and premium rates based less on an individual's nominative information than on actuarial charts created from numerous statistics on entire populations and sub-group populations. Networking has given rise to increasing use of probative data on groups or group-related phenomena in different clinical, administrative, public health and even business decisions (see example below under Health information for advertising campaigns). This probative data serves in developing criteria, rules and standards that earmark how these decisions are made, including those on individuals. The production of each of these criteria, rules and standards constitutes a secondary use of information.

Information and decisions about individuals or groups

However, the individual, to whom this personal information belongs, does not stop being concerned about its use simply due to the fact that this information has been denominalized (altered so it can no longer be identified) or assimilated into a statistic about a group. Denominalized or assimilated information - or data derived from it - can be used to make decisions directly affecting an individual or a member of a group. The individual or group can also grant or refuse approval for the specific purpose or use of the denominalized or assimilated information, even if this information does not directly affect them. The individual or member of a group can also wish to use this information or have an influence on its use. Denominalization lays out a boundary for the application of personal information protection legislation. However, it still does not define the purpose of the information use or that of the involvement of the individuals, groups, populations or organizations. This is why this chapter does not make, a priori, distinction between information about an individual, a group, a population or an organization, or between information which does or does not identify them.

Example 30

Health information for advertising campaigns

Manufacturers of anti-allergy drugs, anti-itching products, facial tissue or chicken noodle soup can find out morbidity rate variations on illnesses or conditions that affect their sales between 2 to 5 weeks in advance for each North American city. Accordingly, they can coincide their advertising and promotional campaigns with demand variations.

Take the cough syrup manufacturer, W. K. Buckley Ltd., for example. This company can obtain data a few weeks in advance, which ascertains that a city like Montreal will see a significant increase in the number of people affected by a cold. The manufacturer can then purchase advertising time for this specific time period and invite its president, Frank Buckley, to an open-line broadcast to answer cold sufferers' questions.

These types of targeted campaigns yield very promising results. The company Surveillance Data Inc. is a source which provides these forecasts pertaining to a health status of populations. This private Pennsylvania-based company compiles data from doctors, laboratories and other sources across North America. It then generates estimates on morbidity rates for a number of illnesses and their development in various cities. These estimates are sold to companies like Proctor & Gamble, Campbell Soup and PepsiCo (for the sale of its Tropicana fruit juices).

Are patients aware that their doctors can send statistics this way, which are then included in information sent to a private firm? If patients knew of this practice, would this change their relationship with their doctor? Would they ask that their personal information not be used for this practice? Are doctors themselves aware of the different possible uses of the statistics they provide? Should this practice be allowed? Is it in line with the roles and responsibilities of the doctors involved? Should one accept the fact these doctors are remunerated for providing statistics, while the professional acts that make up these statistics are paid for by the health insurance plan? Or accept private appropriation of information produced in this way for the sole benefit of clients who are willing to pay for it? Does the United States, professional bodies or other stakeholders have anything to say about this practice? What control does one have when data crosses the border? Should it be earmarked? As we can see, the social and ethical questions that arise can be numerous.

Moreover, sophisticated public health surveillance infostructures that are developed allow for the production of clearly more comprehensive data, therefore considerably more specific and indicative than those produced by companies like Surveillance Data. This data also allows for the planning of personnel in drop-in clinics and emergency departments in order to provide coverage during anticipated busy periods. This data can be used for organizing and targeting public health campaigns, health program development and decisions surrounding the allocation of resources based on identified needs as priority. Several commercial or insurance companies are also willing to pay for access to such strategic information. One could wonder whether or not the health system should offer such information, and if so, whether it should collect a profit. This in itself could raise a whole new set of questions.

John Heinzl, "Forecasts prove just what the doctor ordered: Armed with data predicting cold and flu outbreaks, companies hawking remedies are pinpointing where and when to advertise". The Globe and Mail, Friday, January 28, 2000.

Information of strategic value

The ultimate goal of networking health information is to transform health information into a potentially useful resource for different health system stakeholders, not only for clinical functions, but also administrative, public health, research, political and business purposes.²⁹ Data and knowledge produced in this manner will therefore be used as arguments in public debates or in lobbying activities of certain interest groups. It will notably serve as the basis of decisions for the allocation of resources in a region, between institutions or within an institution; as a definition element for practice or criteria standards for access to health care or services; as a method for defining public health intervention targets; as a representation of the realities and challenges with which public policy deals; as an evaluation tool for efficient health programs, treatments and intervention methods. This is why networked information will become more and more important.

Other relationship changes

In fact, this issue of the secondary use of health information reproduces on a larger scale the problem of relationship changes between patients, health professionals and health care institutions which were described in Chapter 10, Changing relationships. The changes we are talking about here also include administrative health system stakeholders, public and private insurers, professional bodies, public health authorities, policy makers and citizens, researchers and statistics institutions, charitable foundations, businesses (such as pharmaceutical companies), as well all kinds of groups, populations and communities. All these stakeholders are likely to request broader access to networked information as well as to the methods to process this information in order to support their projects or justify their claims. Conversely, all are likely to try and modify or prevent the use of networked information about themselves if it serves their interests.

New relationship arbitrators

Decision arbitrators related to secondary uses - and therefore new relationships established between stakeholders - are not only used by personal information protection commissions, but public institution professional service branches, research ethics boards, professional bodies and information system and network managers also dealing with these challenges. Ultimately, the courts and parliaments are also likely to be forced to determine which secondary uses are permitted and under which conditions.

Information altered by changes in purpose

Multiple and altered information

As we have already seen, networking increases the usage possibilities of health information. However, by going beyond the scope of the initial relationship or purpose, the meaning of the information changes, as does its value for those wishing to use it. In fact, it can be said that it is no longer the same information. Let us get rid of a possible misunderstanding: contrary to what one might believe, networked information seldom travels. Most of the time, it remains in the same location it was initially produced its entire lifespan. Copies, excerpts and derivatives of this information are what travels through a network. When this information travels, it is integrated into a new compilation, for example, in a new personal record or an accounting record, a statistics table or databank. This integration often requires prior transformation of the received information.

Unedited information

Apart from exceptions, new information is therefore not an identical duplicate of the source information. Subsequently integrated with other data, not only does the information no longer appear the same or have the same structure (the same syntax), but its meaning (its semantics) could have also been changed since the context (the purpose) has changed as well. More importantly, the value of the use that the new recipients grant it (its praxic aspect) has also been altered in relation to the different objectives for which the new collection of information will be subsequently used. This phenomenon is however discussed in Chapter 3, Adapting standardized and automated applications to particular concrete situations.³⁰ However, the following example provides an illustration of this type of transformation that occurs when a purpose is changed. With this example, we will be able to better explain the issues raised by secondary uses, and as a result, the questions that must be asked with respect to a networking project.

Example 31

Secretary stuck between two bosses and how the value of information depends on context

Here is a simple true case where the patient record was not computerized and even less networked.³¹

A woman consults her doctor for physical and psychological distress that is getting worse. Among other things, she wishes to be put on extended sick leave because her situation at work has become unbearable. This woman is the secretary for two department directors. However, these two men are continually disputing. Not only does she have to deal with them, but she must also deal with their irreconcilable demands. From a strictly medical perspective, no treatment can change much about the patient's situation. However, the doctor, with the patient's approval, writes information in the record to justify a psychiatric diagnosis which will explain an extended leave. Both hope that the dispute will be resolved in the meantime or that the secretary will be offered a new position upon her return to work.

The information in the record does not describe everything that was discussed or the decisions made by the doctor and his patient. It only presents a limited number of facts, symptoms, diagnoses and prescriptions with relevant meaning, not only from a medical point of view, but also with respect to the objectives of both patient and doctor, especially regarding the recommendation that the doctor will write to the employer and its insurer.

The purpose of the patient record is to provide health care. This purpose determines that only information with medical relevance can be written in the record (semantic limit). This purpose also largely determines the type of this information, such as the choice of words, their location and the manner in which they are written (syntactic aspect). The recorded information is also a result of a deliberate choice related to the well-defined objective created by the patient and her doctor (praxic aspect). The uses correspond here to the different results obtained: diagnosis, prescription for medical leave and medications. These uses also appear in the file in the form of information.

The secretary consequently receives her leave. After a few months, the insurer requests confirmation of the need for continued leave. The attending physician prepares an excerpt from the patient's file that he forwards to the physician working for the insurer. The attending physician is careful to only include elements from the record that are strictly relevant to a second opinion. The information in the record remains in the record itself. Only copies of several information elements are communicated.

After reading the record, the insurer's physician asks the patient to meet with a psychiatrist, who also notes the limited nature of the case based on strictly a medical aspect. Although paid by the insurer, the psychiatrist confirms the leave with his own detailed notes on the patient's situation. Here, the information serves an insurance purpose, different from the clinical purpose, but does not change in meaning for the main part: the information is used for the diagnosis, prognosis and treatment (leave and medications) paid for by the insurer.

The employer receives a copy of the confirmation from the psychiatrist. But he also receives a copy of his detailed notes by mistake. With new information to light, the dispute between the directors deteriorates into an open confrontation between departments in the company. At this point, the secretary feels that it impossible for her to return to any type of position in this organization. By changing the context, the psychiatrist's notes have completely changed in meaning. They no longer explain any medical opinion. They denounce power and work relationships within an organization. However, the information the employer received is a true copy of the information contained in the psychiatrist's record. Its syntactic structure and semantic significance are completely identical. What has radically changed is the social significance or use value for the stakeholders involved (praxic aspect). The context, stakeholders and the relationships between the stakeholders are no longer fundamentally the same. The purpose has radically changed: from that point forward, it is about work relationships between colleagues.

The complexity in managing secondary uses

The simple world of paper

Before the advent of computers, managing secondary uses of health information was clearly simpler. Each health care professional or institution had its own record for its own patient. Paper records were generally used for defined purposes (ex: health care) relating to specific stakeholders (a healthcare professional and a patient; an institution, its professionals and a patient) playing specific roles (patient, attending family doctor, nurse, referring physician or medical consultant, etc.). In this simple world of paper records and well-defined practices, any secondary use was immediately identifiable because it corresponded to a file being transferred to a third party related to the initial relationship between the stakeholders or to a notable change in this relationship.

The complex world of networked information

With networking, these defined limits that paper support spontaneously provides, no longer exist. The definition of a record, whether paper or electronic, has always been the result of a simple convention. Already with paper, one could state that the various sets of patient information held by the different units of a large hospital, consisting of just as many separate records, were merely parts of a single large record. With computerization and networking, however, information held by multiple institutions can be subdivided and merged into an infinite number of records, from a very small record to a very large one.³² The exact same is true with determining initial purposes of a record. In fact, the same set of information can then simultaneously or successively serve or satisfy numerous clinical, administrative, public health or research functions.

Who defines what purpose?

The answer to both of these questions is defined as "secondary", any use of information serving a purpose other than that of the initial purposes. The list of relevant information to be collected or produced, as well as its specific semantic significance, is dependant upon defining the object, scope and limits of the purpose. Equally dependant is the application of several legal standards, as well as ethical and management principles, particularly with respect to personal information protection, confidentiality of health information and consent for its communication and research ethics. The initial purposes also determine the use value (praxics) that the stakeholders will give to the information. The issues surrounding the process of defining purposes raise certain questions:

Health care: single or multiple purpose?

Let us remain within the realm of health care, where the majority of health care information is still produced. Do the initial purposes of various patient files still need to be limited to the old paper record definitions, such as "family medical care", "hospital care", "psychiatric care" or "pharmacy services"? Or instead, should we amalgamate all clinical practices as components into a single, all-encompassing purpose called "health care"? Or should we organize purposes according to other criteria, such as the fields of practice recognized by various professions? For instance, since pharmacists are responsible for dispensing medication, it could be said that all pharmacist records are part of the same purpose: their contents could then be completely shared among pharmacists since they were collected for the same purpose. The possibilities of file designs and the definition of their purposes are endless. However, according to those that have been retained, the possible consequences will be completely different.

Another relationship, another purpose, another praxic meaning

Let us accept for a moment the possibility of a single health record serving a universal purpose called "health care". For the sick secretary stuck between her bosses in our previous example, this scenario could change her situation altogether. Perhaps she would have preferred the doctor prescribe her medications in order to keep her job until she found a new position rather than see a psychiatric diagnosis written in her single-client file. There are numerous unfortunate cases that occur as a result of a psychiatric note.³³ Here we see how redefining the initial purpose of collected information, and thus the initial established relationships, can radically change the meaning and use value of the information for the stakeholders (praxic aspect). This demonstrates how the objectives of a consultation, diagnosis and treatment can be directly affected. In summary, there is a clear difference between finding oneself in the presence of one doctor holding a medical record that strictly serves this particular relationship (very restricted "health care" purpose) and finding oneself in the presence of a doctor holding a medical record that potentially relates you to an entire medical body (very broad "health care" purpose).

Purposes: a question of relationship

Purpose = object of the relationship + those participating

The definition of a purpose is made up of two components. The first is the object of the established relationship between the stakeholders in the manipulation of the information elements in question. The second is the determination of the stakeholders participating or able to participate in this same relationship.

Therefore, in the same hospital, let us say that one single patient record exists, containing all the health information produced on the same person by all the care units. However, we can also decide that the information produced by the psychiatric unit, perhaps by a single psychiatrist, serves a distinct purpose (the "psychiatric care" relationship between the patient and this unit or psychiatrist). In this case, any use by another unit would be considered related to a secondary purpose. The personal information protection standards and principles related to the use of secondary information would then be applicable. This restricted scope of the "psychiatric care" purpose would also determine the semantic significance of the information, as well as the use value (praxics) that the patients, psychiatrists and other members of the health care staff in the psychiatric department might give to this information.

Who decides on a purpose?

We have seen that there are numerous and significant issues that can result in defining an initial purpose. However, the definition of a purpose constitutes a decision that largely relies on an imposed or agreed upon convention between the stakeholders. In fact, we can decide that the same information serves one or several initial purposes. We can also decide that each of these purposes corresponds to very different relationships, which allows for a relatively greater number of stakeholders. But who decides this? Who makes this extremely important decision considering its multiple effects?

Recognized personal information protection principles and Quebec and Canadian laws on this matter avoid this question. They require that the purposes of a set of personal information be determined prior to the information being collected or produced. However, no legal entity is ever specifically designated to make this decision.

In practice, different stakeholders can decide. It could be those who collect or produce the information, such as the health institutions. These decision makers can also be legislators or regulators. Therefore, various laws define the respective missions of several organizations (RAMQ, Institut de la statistique du Québec [Statistics Quebec], etc.) or the obligations of various stakeholders (e.g. reportable diseases) through which so many information handling purposes are established. With respect to health, professional bodies also play a role in determining what information can be handled and which stakeholders will be in charge of handling it. In fact, it could be one or several stakeholders directly involved in the relationship. This is often the case in the psychosocial field where clients, institutions and their staff members jointly decide whether or not certain information will be recorded, and if so, why.

Independent or imposed

Consequently, the decision of who determines the initial purposes can be made by the same stakeholders involved in the information handling relationship, just like the decision can be imposed by an outside stakeholder. A purpose can also be co-determined. To illustrate these cases, let us use the example of a purpose that we will call "pharmacological supervision". This purpose is based on the generally accepted and demonstrated idea that creating an updated list of prescription medications dispensed and prescribed to a patient enables a health professional to identify the risks of over-medication and harmful interactions.

Completely independent to define the purpose

The Ministry of Health could decide to implement a networking application that would allow for the production of such a list of medications, but would leave it up to the health professionals and their patient to decide whether or not to produce or use it. The stakeholders would be completely free to enter into this "pharmacological supervision" relationship, and define its scope (between one or several doctors, pharmacists or other health care professionals).

Imposed purpose

The Minister of Health could also pass a law making pharmacological supervision mandatory and specifically determine which professionals would be responsible (therefore, who would have access to the list of medications) in which circumstances. Here, the existence of information and its purpose (object of both relationship and stakeholders) would be predetermined.

Both imposed and independent

Or, the law could state that the patient must have at least one "pharmacological supervisor" at all times, but also that the patient is free to designate the professional or professionals who would fulfill this role. Consequently, a patient could decide, one at a time, that each one of his doctors prescribing him a new medication is his pharmacological supervisor at that point in time. Another patient could decide that his psychiatrist will solely act as his, permanent pharmacological supervisor because the patient does not want other health professionals knowing he is suffering from a psychiatric problem. And yet another patient could designate his pharmacist to play this role since he wants to ensure compatibility with his over-the-counter medications, food supplements and natural products that he also purchases on site. In this scenario, the relationship is imposed, its object is predetermined, but its scope is not (i.e., who exactly the stakeholders involved in this relationship are).

Required questions

Consequently, evaluating primary and secondary uses already creates issues between different clinical uses even before one considers the uses for completely different functions. In the case of patient list of medications, we think of the secondary uses conducted by researchers to understand drug effects, by public health authorities to detect and follow certain health problems, by professional bodies to have their members supervise the prescription or dispensing of medications and by pharmaceutical companies for marketing strategy purposes. In fact, the simple description of the possible secondary uses could take up a considerable number of pages in this handbook.

Beyond the description, the socio-ethical evaluation of networking must first ask questions about the who, what and how the primary purpose is determined. All these new uses cannot be qualified as "secondary" due to the fact that someone first decided that certain uses would, in themselves, be defined as "primary". Moreover, questions must be asked about the authorization conditions of the secondary uses, particularly when they are required without the direct consent of the stakeholders directly involved, or even with their knowledge for any practical purpose. We particularly think about the uses relating to research, administration, public health and possibly business. Maintaining the necessary relationships of confidence between the different stakeholders cannot in all likelihood be based on vague secondary purpose claims at the time information is collected or upon the creation of a file pertaining to them. It is also important to consider implementing measures relating to transparency and dialogue, perhaps even related to the participation of those affected by the definition of the uses, conditions in which they are conducted and controlled.

Conclusion

Understanding endless and more complex processes

Networking specifically aims to increase possibilities for secondary use of health information. However, we have seen how the socio-ethical evaluation of secondary uses permitted by networking as well as their management would represent an increasingly difficult challenge. Already, the systematic identification of the initial uses on one hand and the secondary uses on the other, require that the processes involved be reconstructed and remodeled: the information used, the manipulations required for these uses, the stakeholders involved with each use, and the respective roles they play in relation to one another. This documentation exercise is also necessary to allow for transparency of practices upon which confidence relationship are based whether required in the proper functioning of the health system.

Centrality of the concept of purpose

We have observed the centrality of the concept of purpose for the discussion of questions and issues related to secondary uses of health information. This concept is also important in the overall socio-ethical evaluation of networking. In effect, it is also by determining the purpose that semantic and praxic significances of manipulated information are organized, social and institutional relationships are formed, as well as the different methods of exercising power between the stakeholders or their position in the manipulation of information.

Understanding to evaluate and manage

This is why we have proposed below an approach composed of three documentation steps, which precedes the evaluation approach itself. The first three descriptive steps recreate a large part of the different information processes. They can therefore serve as a basis for evaluating other aspects of network applications.³⁴

Questions to ask

First step: Control initial information collection or production processes and their purposes

Second step: Reconstruct the processes serving the identified purposes

Third step: Control secondary purposes

Fourth step: Manage initial and secondary purposes

Chapter 14 - Political Transformation of the Health System

Introduction

The design, deployment and management of a health information network are not strictly technical matters. An information network is also a political system that defines power relations between people (Chapter 11), determines a number of the respective rights of people (Chapter 13) and imprints itself on the health system. In this chapter, we will focus on the latter aspect, examining the link between a networking project and the very structure of the health system, which can thus be modified in such a way as to alter its nature.

In all cases, one must resist taking the easy path of basing system definition on technical considerations alone. Too often, technical staff or consultants base the selection of system solutions solely on a changing and theoretical definition of the needs and objectives, or on objectives largely specified in vague terms by certain dominant players. This approach amounts to giving technical people the power to define the system on a political level. It is vital to ensure that the technical solutions serve political objectives that have been appropriately stated and discussed, and that they not be used to impose unintended or concealed purposes.

Health information networking and the standardization of practices that it implies are also essential and central measures for in-depth transformation of the health system. Over and above its purely technological dimension, health information networking is a master tool for achieving a thorough reform of the health system. The link between current or future health system reforms and deployment of new information technologies should be further studied and better understood. Moreover, it is known that a number of business interests-the insurance industry and financial institutions, for example-promote computerization at the same time that they advocate partial privatization of the public system and establishment of public-private partnerships for health care funding or delivery.

Ethical evaluation of health information networking projects must include analys

Common menu bar links

Institutional links

Current Subject

Explore...

Proactive Disclosure

The Networking of Health information Handbook for the management of ethical and social questions

Table of Contents

Acknowledgements

The Authors

General Introduction

Networking Potentials and Risks

Complex ethical and social issues

Overall objective of this handbook

Anticipate, identify and avoid the pitfalls

Various networking applications...

...affecting many activities

Complicated tools in complex relationships...

...that are first of all social

The importance of a well-planned technological choice

Numerous possibilities

Numerous choices to make

Different social relationships

Subjective objectives and interests

Maintaining a critical outlook

The global approach to ethical assessment

Why this handbook?

Specific objectives of this manual

A combination of approaches

A handbook anchored in experimentation and knowledge

The work of a multidisciplinary...team

An easy-to-use handbook intended for a broad audience

For non-specialists

For all stakeholders involved

The handbook's two main parts

Initiation to networking ethics

Probing the key dimensions

Part 1 - Introduction to Networking Ethics

Introduction

Chapter 1

Chapter 2

Chapter 3

Chapter 4

Chapter 5

Chapter 1 - Health Information Networking

Summary Chapter 1

Health information

Not only about the patient

Health Information

The patient and those close to him or her...

...and other individuals as well...

Events, places, resources, management

Formats and support

Between computerization and networking

No networking without computerization

Computerization calls for standardization...

...and organization

Where is the health sector?

Example of a sector in which computerization was relatively fast

Uneven progress

Payment management

Insurance scheme administration

Prescription drug insurance

The medical record

The difficult standardization of practices.

Computerization of measurements

Expert systems

From paper transmission to computerized networking

The limitations of paper support

Networking's potential

The confidentiality standard

Understanding networking conditions

Networking and health system reform

A need to share

A more collective practice

A work team

Information is more scattered

Restructuring

Inter-institutional programs

Inter-sector programs

Results-based management