The Networking of Health information Handbook for the management of ethical and social questions

Chapter 11 - Human and Social Vulnerability

Overview

Computer security is a dimension of networking that is suddenly receiving much attention from the stakeholders involved. They have no hesitation in investing in it or in calling on help from specialists in the field.

However, socio-ethical analysis requires that more attention be focused on the security of individuals and their relationships rather than only on tools and information, especially since a networking application can affect already vulnerable patients and populations which are, along with institutions and personnel, working to the limits of their abilities. Moreover, maintaining a confidential relationship is dependent on the idea that the circulation and use of health information remains, at all times, under the control of the parties involved. The implications are numerous, diverse, and complex. Its management cannot therefore be left only to computer security specialists. Everyone's input is essential.

After establishing the difference between the protection of material objects and the protection of human beings, this chapter will address four topics:

• The protection of the environment and human health
• The risks arising from malfunctions in the operation of networks
• The vulnerability of specific populations and organizations
• The risks arising from security management

From the security of objects to the vulnerability of humans

From machines...

Computer security was originally about protecting machines. A spectacular 1969 incident in Montreal captured the entire world's imagination when demonstrators rioted in the computer room of Sir George Williams University (today Concordia). While the imposing machines, which until then had been proudly show-cased, had to be taken to hidden and protected sanctuaries, computer security developed as a true discipline.

...to information...

As they became more affordable and user-friendly, computers entered businesses, then homes. They deal with entire parts of the lives of organizations and individuals. In 1986, again in Montreal, the Alexis Nihon Plaza fire caused the disorganization, and even the failure of businesses that had not kept copies of their information in a secure place. From machine security, we move on to information security.

The 1980s were also the years of "protection of personal information". Many laws dealing with protection were passed in Québec, in Canada, and elsewhere around the world. Personal information security is not, however, an end unto itself; rather, it is conditional upon a certain amount of free use and circulation of information, most notably across organizational and national borders.

...to humans in society

The 1990s were characterized by the computerization of services and the creation of computer networks on a worldwide scale. One event caused a new leap in the world's consciousness: the year 2000. Because of the sheer vastness of the malfunctions that needed to be prevented, the consequences that were feared and the resources harnessed, this change constituted the biggest technological risk prevention effort in the history of the world. The protection objective merged with the whole of society. However, the danger was no longer from the risk of accidents, malicious intent, or error, but rather from a million deliberate decisions relating to the coding of dates. Developed societies and their citizens suddenly understood how highly dependent and vulnerable they were with respect to computers.

Centrality of socio-ethical questions

The perspective of computer security is therefore reversed; from the protection of systems against human or environmental risks, security must now include - indeed, prioritize - the protection of people and their environment with respect to systems. Such a reversal naturally widens the analysis and action framework to include psychological, social, political, cultural, organizational, environmental, legal, and ethical dimensions.

Protection tools rather than objects

It is, therefore, no longer enough for computer systems and the information that they handle to be well-protected and operated. At the very least, they must also not constitute an undue risk factor for people and society and, ideally, they must become themselves protection tools. An evaluation of networking projects focused on human and social vulnerability must therefore not be afraid to question the properties, the operation and the framework of the applications, all the way to the adequacy of tools.

Protection of the environment and human health

A very polluting industry

Networking is based on the coordinated operation of numerous communication tools and processing of information. However, the production of the electronic components is an activity that pollutes and consumes vast amounts of energy. The production of only one semiconductor plate currently generates approximately 3 kilograms of waste that is hazardous to human health and the environment, particularly chlorinated residue, acids, and organic carcinogenic solvents (Ayres and Ayres, 1996). Other components are in themselves dangerous because of their toxic metal content (lead, mercury, cadmium, chrome). Less polluting production procedures have been developed, but are still not used on a large scale by industry. (Silicon Valley Toxics Commission, 2001).

Manufacturing that is a health hazard

The assembly and testing of semiconductors is typically performed by young women, often in developing countries. The work is dangerous to human health. For example, long days of soldering using a microscope cause permanent damage to eyesight. The list of health problems includes: injuries resulting from repetitive motion, stress, the development of hypersensitivity to chemicals, hearing problems, reproductive problems including miscarriages, infertility, and cancer. Both male and female workers must often quit work after only a few years.

Consequences of planned obsolescence

The extent of these health and environmental problems is aggravated by the planned obsolescence of electronic products, which encourages frequent replacement of equipment, well before the end of its useful life. However, in order for the industry to encourage this replacement, it must keep production costs as low as possible, thus reducing its investments in the environment and human health. This economic strategy uselessly generates considerable amounts of dangerous waste products and health problems.

Ultimate goal of protection and health promotion

It is paradoxical that healthcare sector networking can occur at the expense of the health of individuals or populations. It would therefore seem logical that all recourse to electronic material take into consideration the risks posed by its production and disposal.

Sources of information

It is primarily the responsibility of manufacturers and equipment suppliers to show that the production methods used respect the environment and the health of female workers and populations to the greatest extent possible. There are also several independent sources of information and certification. In the case of environmental protection, IS014001 certification focuses on the quality of the environmental management system in place and not on environmental consequences as such.¹ Regarding the respect of workers' rights, Social Accountability International's SA 8000 program applies stringent standards in the verification of companies' social performance. However, to date, very few companies which produce electronic components have joined.²

¹ International Organization for Standardization : www.iso.ch/iso/fr/ISOOnline.frontpage
² Social Accountability International : http://www.cepaa.org/

Risks resulting from malfunctions in the operation of networks

Dependence and interdependence

Little by little, individual and collective stakeholders in the health sector become dependent on health information systems as well as on various computer applications. Consequently, the malfunction of even one of these tools can have a considerable impact on the activities or lives of the individuals and organizations. However, networking only increases the interdependent relationships between stakeholders and the systems or applications. The proper functioning of an activity no longer depends on the work done locally by stakeholders supported by their own computer tools. Increasingly, proper functioning requires remote input from other stakeholders and tools, as well as the proper operation of networks enabling their connection. The risk of malfunction is likewise increased, as well as the extent of potential consequences that can occur on a large scale. The responsibility in risk management also increases, and is divided among an ever-growing number of stakeholders.

It is possible to distinguish between computer malfunction and social malfunction, even though it may often be difficult to separate them in practice.

Computer malfunction

A computer malfunction is an irregular or abnormal operation of software or computer hardware. It can happen for many different reasons: inside the machine (programming error, component failure) or external (power outage, computer virus).

Social malfunction

A social malfunction occurs when the proper operating of a system is compromised by social factors or when it causes problems of a social nature. There are numerous social factors: the closing or failure of a company which supplies a key component; a lack of money, personnel or skills; the unauthorized use of a tool; resistance or inadequate appropriation by a category of users, etc. Conversely, a well-operating tool can cause various social problems: inadequate functioning in certain specific situations,³ conflict between the existing or new legal standards and those integrated in the tools; large amounts of information desired by third parties for incompatible purposes; unexpected confrontation between stakeholders in which the interaction has changed,⁴ etc.

A global and participatory approach

The management of malfunction risks requires a global approach which takes into account all of the four main components of networking: information and software, computer and telecommunications equipment, individuals and organizations involved, and the management of the network and its networked activities.⁵ Every phase of operation of networked information must be examined, including phases occurring outside of the network itself. This management must be a permanent activity which must begin immediately from the first design stages. Not only must it rely on competent expertise and watch out for risk sources, vulnerability and solutions, but also on ongoing accountability, participation and vigilance by involved stakeholders. These stakeholders must therefore have sufficient computer knowledge in matters of security and vulnerability, as well. They must also be assured that their observations or suggestions will be correctly received and discussed.

³ See Chapter 3, Adapting to Specific Situations.
⁴ See Chapter 10, Changes in Relationships.
⁵ See Chapter 1, The Networking of Health Information.

The vulnerability of populations and specific organizations

Different dependencies and vulnerabilities

In a field as diverse as the health sector, organizations and individuals have very different levels of dependence and vulnerability, depending on the context. A radiologist will be unable to work if he or she temporarily loses access to the imaging and medical notes about patients, whereas a general practitioner in a walk-in clinic can continue with most of his or her consultations with patients. However, even this type of physician and his or her patients will experience difficulties if several drugs prescribed by different specialists need to be adjusted in order to ensure their compatibility. A researcher does not need continuous access to his or her data sources, but research being done could be compromised if ever a medical treatment under study were no longer covered by public medical insurance, drying up the necessary information provided till that point by the RAMQ. A traveler could lose his or her hospitalization insurance abroad because of the prescription of a drug (to prevent a potential health problem which, once testing is completed, is found not to exist) which causes a substantial change in risk estimation by the insurer. Examples of such possible malfunctions are multiplied with networking applications, depending on to the clinical, administrative, research or public health⁶ function, the type of individual or organization involved, and the specific real-life situations experienced by the individual or oragnization.⁷

Global approach, specific analyses

If, as proposed in the previous section, risk management of computer and social malfunctions requires a global approach, the awareness of vulnerabilities also requires specific analyses that consider every activity, context and type of stakeholder involved. Each case - even minor or unusual ones - of great vulnerability or where the malfunction would have a major impact, must be identified.

Objective and subjective vulnerability

Objective vulnerability must be identified and studied: a possible disturbance of activities and its effects, the state of health of certain patients and their needs for care and services, the impacts of decisions that could be made by third parties, etc. The more subjective dimensions of vulnerability must also be considered. Regardless of assurances given by health professionals, a number of people who have consulted psychiatrists are wary of the possibilities of giving professionals free access to this specialized file. Certain members of populations who have fled persecution in their country of origin fear that health information about them could somehow end up in the hands of government organizations. In both cases, this distrust can be justified by previous experiences, which may or may not be relevant to the networking application being evaluated. To the extent that maintaining confidential ties between stakeholders is essential in the health system, perceptions constitute an undeniable reality. With regard to analysis of vulnerability, it is therefore appropriate to integrate stakeholders' subjective perceptions which, depending on the case, arise from physical, social or psychological conditions; contexts and professional practice situations; culture or history; or their sensitivities and fears.

⁶ See Chapter 1, The Networking of Health Information
⁷ See Chapter 3, Adapting to Specific Situations

Risks resulting from security management

The problems with solutions

Any solution to a problem can generate its own complications. This is true of networking; it is also true of preventing computer and social malfunctions, and of security management.

Solutions that are obstacles

One must ensure that the solutions chosen do not unduly complicate attaining the end results supported by networking or actually create obstacles. The clinical uselessness of the health report of the Carte accès santé Québec project [Quebec health card project], particularly due to the solution chosen for information security, is an obvious example of this risk.⁸

Deviation from security

It is also important to ensure that the control and monitoring measures used for network users and their networked activities are not organized in such a way or become so important that they undermine medical confidentiality or confidential relationships among stakeholders in the health system. The risks here do not only come from management of health network and applications, but also from external third parties such as police departments, the army, and national and internal security organizations in the context of the struggles against crime and terrorism. Indeed, some people would like to see these organizations monitor communications directly within the networks in order to protect them against computer attacks (and consequently, protect the services of health institutions that depend on them)⁹ or would even like to get information from these networks to be able to quickly detect threats of biological or other attacks against the population.

⁸ See example no. 14, The abstract patient...and the failure of an application project, on page 62 of Chapter 3, Adapting Standardized and Automated Applications to Specific Situations.
⁹ One of the Canadian projects is that of "legal access" of electronic communication surveillance: http://www.canada.justice.gc.ca/fr/cons/la_al/.

Chapter 12 - Tensions concerning the consent and accessibility

Presentation

The health information consists of data that is highly protected in accordance with identifying information. This protection is registered in numerous legislative instruments since the Charters, establishing the cornerstones from the right to privacy protection, to privacy of personal information legislation in the private and public sectors, as well as laws governing in particular health professionals and institutions. This legislative corpus establishes the rules of protection of this information but without taking into account the computer-based support from which it is managed. It also establishes access procedure around the concepts of legal authorization, or the consent on the basis of the fundamental principle, which is the discerning consent of the patient.

The information networking submits the adherence to these rules and principles to high tensions because of the fact that these rules where first and foremost designed around a simple contact between the patient and the health professionals, on the one hand, and the administrative and financial health care facilities, on the other hand. Therefore, the designing and development of all networking project sets out the challenge of properly defining the relationships between the objectives targeted by the networking and the rules or principles of protection, in order to regulate these tensions adequately. The issue here is to find a balance between the "networking" and what we could call the triangle "protection - consent - accessibility" of information.

The examination of these questions is situated at the junction of two fundamental ethical positions: one grounded on the principle of beneficence (or non-maleficence); the other grounded on the principle of respect of personal autonomy. We must not forget that the idea itself of consent implies the proposal of action to which patients hold fast to, in regards to the information received. The consent constitutes sort of the necessary corollary of information given to the patient, pertaining to the object of the consent desired.

Generally, in the health sector, we assist in the retrieval of consent to the gathering, processing, circulation or access to information that is part of the organizational setting of services and the offer of the care required by the patient. The standard is to respect the right of the patient to choose the options that are the most convenient to him or, in other words, to offer the patient the possibility to fully participate in the decisions concerning him; including the matter of information management, particularly as the information gathered usually comes from the information he is willing to reveal of himself in the specific context of a relationship of care.

Therefore, following this standard in the context of networking health information can become particularly problematic because of the wide variety of users, immediate or potential, and for primary or secondary use purposes of this information.

The three aspects of the protection of privacy of the patient

The protection: a problematic widely discussed to date; but with a determined perspective

The object of this chapter is to examine the three aspects of the protection of privacy of the patients, for the purposes of health information management by means of a networking project. This problematic is widely discussed in the literature and has been for a long time. Therefore, it may seem well known and without much interest, particularly when we take into account that the most effective options have been developed around what is agreed upon to call "privacy enhancing technologies" PET, for the protection of confidentiality and privacy.

A problematic more fundamental to the indissociable elements

Therefore, according to the current standards, information protection is closely related to the consent of the patient or the backup legislative intervention for everything that concerns accessibility to this information. The use of the triangle illustration aims at reminding us that these three aspects are practically indissociable one from the other, and that these three aspects create a set where the patient is the focal point. In the case of the examination of issues, this simply means that we would not be able to reduce the problematic of information protection only to questions concerning system security or informational aspects. No more then we could allege making all the information accessible to all parties or to any person showing an interest for this information, simply because of the existence of a broad consent (non specific and non restrictive) from the patient to circulate the information between the concerned parties or, for that matter, engage in its processing.

Each of these aspects includes separate rules that within the context of networking information and circulating it are defined on the basis of their links to the other two aspects.

Information Protection

Information protection hinges around the consent and authorizations of access.

Ensuring information protection can be interpreted as meaning, beyond the security of the systems, which would mean restricting the circulation of the information, so that only the people concerned or implicated with the patient's care would have access to this information. This could also mean allowing a controlled circulation to other parties to whom the access to this information through the network can be justified. The aspects that will prescribe the applicable rule will come from either the implication or the duration of the patient's consent, to which is added the particulars of the right of access he recognizes, or by the information access parameters established by law.

The basis for protection

All circulation of information includes an intrusive characteristic in the privacy of the patient, which must be considered individually and with the basic approach of beneficence and respect of his autonomy. The information protection constitutes an obligation imposed by the respect of the person and must aim to support the expression of the patient's fundamental freedom, recognizing him as a free and responsible individual, with the right to refuse. Respecting this freedom is offering and not urging the patient for the distribution or circulation of the information concerning him with the utmost transparency of process expected, in order to ensure the information protection, and also to respect the goals or objectives pursuant to the circulation of this information.

In this context, information protection can also mean to recognize the necessity to adopt a rule promoting a specific consent in writing. This could also mean that the legislator would have to clarify or refine the new limits of information circulation along with the details of access. This could also mean to establish a special status for this information when recorded in collective data banks, which tie contents into one or the other.

Free and enlightened consent

A consent freely

Technically, the patient can refuse the distribution of information that may seem unacceptable to him, or too widespread or uncontrolled, it is therefore essential that the information provided to him in order to get his consent allow him to make an enlightened, honest and comprehensive decision without any kind of constraints.

Carefully choosing the role of the originator of the proposal

The role of the initiator of the proposal of consent surpasses the simple role of middleman, since it creates a privileged relationship between the patient and the concerned individuals, by first dispensing the care and services, and also by creating a link between the patient and the establishments, the organizations or the interested parties relating for the purpose of: public health, research, the management of insurance plans and also for the administration or enforcement of other legislations (SAAQ, CSST...)

A clear proposal for and enlightened consent

Insisting on obtaining an enlightened consent in regards to information gathering and circulation that takes part in encouraging the patient to exercise his responsible autonomy concerning a technological support, for which he probably does not quite understand the whys and wherefores. In view of this, the information must be simple, intelligible, accessible, and adequate in regards to the goal and the nature of the computer-based support, and also in regards to the consequences and related risks. The networking makes the link of the patient to his information more complex, particularly because once the information is recorded in this computer-based support, the information escapes him; it becomes the object of interest for a wide range of people, often without any immediate link to the patient. The patient must be able to clearly understand the subject matter of the consent that we are looking for, the effects of the consent given and also the consequences in the event of refusal or restriction of consent.

Information habits to receiving

While information habits in regards to the consent of circulating this information have a tendency to be as follow: making sure the patient receives simplified or approximate information, we can think that the obligation to inform the patient for the purposes of networking, the information concerning him could go more towards an obligation of giving the complete information. To target this objective is to insist on the link between information gathering and the processing and circulation of this information, in regards to all the parties involved or concerned by the networking, without leaving any gray area that in time would aggravate the possibility of objections arising.

Getting consent signed must be the result of a two-way communication and not the result of automatic actions or a signature obtained with difficulty.

The implicit characteristics of the consent to information management associated to the request of care and services would not totally eliminate looking for the approval expressed knowledgeably. The fact that in most of the cases, the consent is acquired or given without difficulties cannot be construed as "the" standard that is required from all patients against their right to refuse or restrict the information gathering or circulation. The expression of refusal or of reservations can turn out to be legitimate, comprehensible and justified because of choices or because of the personal situation of the patient. The respect of this fundamental freedom should find its place in the expression of consent.

The specific or determined expression of consent

This simply means that once the information is obtained, the patient is entitled to express a restrictive or broad consent, of short term or definite term based on his need of services or care, or to agree to a secondary use for research purposes. The consent can be in regards to the nature of the information and in regards to the context of its use, which amounts to saying that he interacts with the rules of protection, or that he can identify the targeted individuals and interact, this time, with accessibility.

Accessibility to information

The accessibility is limited by the protection rules and determined by the effect of the consent.

The information accessibility is the result of two distinct but complemental rules, one depending of the patient and his consent, and the other of the effect of a legislation or, more directly linked to its application, from the intervention of information manager in response to the requests he received from the individuals concerned or implicated in the care or services.

The accessibility specified by the patient

This simply means that beyond the patient's personal right to access his information, which is clearly recognized by legislation, it is the patient's right to identify third parties he authorized in accessing his information, but only an implicit consent is needed in regards to professionals and other individuals designated to ensure him services or care. The role of the patient in regards to accessibility seems simple, as long as he is capable of expressing his enlightened, determined or specific consent. The deployment of an information network therefore requires that we take interest particularly in the development and the management of computer-based supports for this consent. We will come back to this subject further in this chapter.

The accessibility specified by law

However, accessibility described in terms of needs of health management, administrative or financial, or the application of other legislation, whether it deals with the procedures directly prescribed or the access recognized by intervention of administrative authorities such as the Information Access Commission (Commission d'accès à l'information "CAI", Director of professional services), brings us back to the questions addressed in Chapter 4 of this manual. Without coming back to the content of this chapter, lets remember that the legal rules include major distinctions between the public and private sectors, in regards to the information management. As explained in Chapter 4, it is important to understand these distinctions, to really understand the issues when comes the time to develop the accessibility rules in regards to the information available in the network, especially the ones administered directly by the data processing system, without any human intervention. Apart from the fact that these may be less numerous, if we distinguish these by assuming the existence of the same obligation and the same accountability as the networking partners, it would open a path that would risk leading to uncontrollable tracking.

In brief, we can say that the patient is directly or indirectly, by the effect of the thrust of legislation, in the center of the triangular link "protection - consent - accessibility". However, in order to protect the information concerning the patient, it is important to oversee with great care the consent the patient is asked to give in the same way as the legal requirements targeting its accessibility.

Looking for appropriate means

Technologies measuring up to the protection of privacy by the system

From the perspective of information technology, we can currently presume that the ruggedized privacy enhancing technologies" PET, for the protection of confidentiality and privacy are known to be effective means of monitoring, in order to establish and recognize the identified individuals who have access to the records, as soon as they access this information, and also that these means of monitoring represent a crucial process in order to ensure its control. These technologies offer a wide range of possibilities, as far as organizational structures, in addition to allowing human interventions.

Technologies distant from the patient's action skill

However, we must recognize that these technologies and their implementation remain distant from the patient's action skill or intervention, whether it involves accessing himself to his records, or to determine or control its access.

Tests of patient's integration in the implementation of the information circulation As communicated many times in this manual, many tests were done in order to ensure the patient a bigger control over his information, recorded or distributed through a computer-based support. Many of these tests included the use of simultaneous key codes or card codes by the patient and the professional consulted; this method ended up being more or less appropriate, especially for the patients with reduced autonomy. Therefore, we can think that this process needing the direct presence of the patient, in real time, endorses with difficulty an objective of intervention efficiency on his subject.

Another method of exploring was the procurement / transmission of an electronic consent. More versatile then consent management issued by cards, this method remained difficult to operate in a context with many first possible variables, in regards to the scheme of care and services required on the one hand, and in regards to the targeted individuals, on the other hand. In view of the nature of the information and its support, and in view of the more or less limited knowledge the patient had on his own concerning the information available, its content or its scope, concerning the process to access or to circulate this information, we can say, that in general, this type of consent carried a wide access, not very significant pertaining to the existence of an effective control, real, by the patient, of the information concerning him.

The necessity of functional and effective methods

Furthermore, it is important to remember that in light of the nature of the services required, mainly in the context of acute care or even of the services given by organizations or interdisciplinary teams and inter-establishments, it can proven not too functional to scope out the consent around an access that is too targeted or specified. Incidentally, this is the reason why the legal framework added provisions to this aspect of information management, by establishing rights to access related to the function exercised by the person concerned or implicated and to the task, in relationship to the patient, that was entrusted in his care. Particularly noteworthy, this person has the inevitable obligation of ensuring the information protection.

The dilemma surrounding the consent and the legal authorization

In conjunction with what precedes, can we, for the sake of pragmatism, try to find the answer to the dilemma emerged by the tensions resulting from the difficult management of consent in the broadening of lawful obligations? The answer can not be over-simplified. The satisfactory response can include an approach substantiated by the broaden participation of the patients or of their representatives through the most rigorous information, the most respected and the most complete issues for the patient.

Reflected from what just preceded that for the plan of appropriate methods, the issue raised by this chapter is not perfectly resolved by the reinforced technologies of protection and that it is always actuality regarding avenues to develop in order to ensure the efficient management of an effective consent by the patient. It must also be identified that there is the necessity to better track the status of this information and the legal rules in order to ensure its protection. Such being the case, in the event where this last approach notes a necessary intervention from the State, the partners of a deployment project in health information networking can only, at this stage, direct their efforts towards the development of methods surrounding the consent of the patient.

The exploration of new approaches in relationship with the services

New models of consent management appear pertaining to the development of integrated-services networks. We recognize that these models link the information protection obligation and the respect of the consent, even beyond legal authorizations of access. They entrench even more in the right of the patient to participate in the choice or in the definition of services that concern him.

A more specific definition of the partners responsibilities

This approach is based on two perspectives that are consistent with each other: the obligations and responsibilities of the partners of the network of services concerning the information and the respect of the rights of the patient pertaining to the consent. In a first phase, the partners are invited to sign a personal information exchange and use protocol that incurs their responsibility regarding confidentiality, integrity and the security of information management, in a nutshell, regarding the information protection and the development of consequent accessibility rules.

A method involving more the patient through his consent

Then, we propose to the patient to give his consent to circulate the information at the same time as his adhesion to the service plan that is proposed to him. A few agreements stipulate that this proposal be done by a case manager that supplies the required information for the procurement of an enlightened consent, and that guides the patient in the formulation of a consent giving in writing, for a determined period, renewable or revocable at all times. The preferential model tends towards the respect of the patient's autonomy through a better comprehension of the tensions at issue.

Admittedly, it pertains to situations where we register a patient in the integrated services models, that is in a continuum of care, but we must view here an exploratory experience that entitles more autonomy for the patient and that offers a real meaning to his consent.

The preceding analysis demonstrates the diversity of patterns taken on by the tensions between the two poles of ethics, to which we must refer to in order to process the triangular link "protection - consent - accessibility". The questions that follow are to be considered as points of reference in developing the thought process on these questions.

References

Association des hôpitaux du Québec, Association des CLSC et des CHSLD du Québec et santé et services sociaux Québec. Protocoles d'entente type interétablissements et médecins. Québec, MSSS, 2001. (Protocols of understanding inter-establishments and physicians).

Anderson JG. Security of the distributed electronic patient record: a case-based approach to identifying policy issues. Int Journal Med Inf. 60(2):111-118, 2000 Nov.

Andersson A, Vimarlund V, and Timpka T. Management demands on information and communication technology in process-oriented health-care organizations: The importance of understanding managers' expectations during early phases of systems design. Journal of Management in Medicine. 16(2):159-169, 2002.

Cavoukian Ann. The Security-Privacy Paradox: Issues, misconceptions, and Strategies.A join report by the Information and Privacy Commissioner/Ontario and Deloitte & Touche, August 2003.

Fineberg AD, The personal Information Protection and electronic documents act: physician prescription data and Canada health system review. Health Law in Canada. 23: 1-10, 2002 Aug.

Chapter 13 - Managing secondary uses of health information

Presentation

Computerization and networking create new health information use possibilities. Secondary uses are those which are unrelated to the purpose or purposes for which the health information was initially collected or produced. These new uses can be carried out by the initial stakeholders or by others completely outside the context in which the information was created. The question put forth by a secondary use is simple: Upon which conditions is it ethically and socially acceptable as well as legally possible? The answer, however, is becoming more complex every day, proportionate to the increasing complexity of networks and new the interrelations these networks provide between information subjects and the growing number of information producers and users.

Multiple health information uses

A wealth of information

The provision of health care generates a plethora of information. Typically, this information is found in patient records, invoices or reimbursement applications submitted to insurers and possible reports to public health authorities. This information often reveals intimate details about a person: physical, mental and social condition, care and treatments received, genetic-related records and information about the patient's surroundings (extended family, work or life environment). This information also deals with acts carried out by health care professionals and other people caring for or attending to the patient.

A wealth to be harnessed

Thanks to networking, it has become possible to use this information not only to provide better care but also to meet other objectives: better organization and management of physical and human resources required for this care; better monitoring of the improvement in the population's health; improved facilitation in the development of disease knowledge and treatments; and improved management of the health system, perhaps even the organization of society as a whole with respect to health care objectives. Business objectives are also possible. However, health information is often considered sensitive by the persons directly involved and justly so. Consequently, one plays with this sensitivity as soon as one seeks to use information for a purpose different than that for which it was produced. This can even jeopardize the relationship and confidence that was established between the initial stakeholders. Furthermore, new users of the information can put themselves at risk since the information they are using was not produced for this new purpose.

There are no practical or dedicated definitions for the terms "use" and "secondary use". The same is true for the term "purpose", even within personal information protection legislation. In this handbook, we propose the following definitions.

An issue greater than that of protecting personal information

Unavoidable laws

Since health information is often personal in nature, the discussion of this issue is highly structured by current personal information protection legislation. In fact, any computerization or networking project, new use, new communication to a new stakeholder or transmission beyond a sector or territory of activity must be in compliance with the regulations of the different legislations adopted in this regard.

Basic notions

However, personal information protection laws determine the legality and limitations of the collection, storage and communication of information on identifiable persons, particularly with respect to the correspondence or lack thereof between the "use" and the "purpose" for which this information was initially produced.¹ It is also according to theses notions of "use" and "purpose" that standards are structured relating to consent of the persons involved, information accuracy, as well as transparency of the practices of the information holders or users.² Therefore, one easily understands the unavoidable nature, as much as for these legal measures as for the notions of "use" and "purpose".

Beyond identifiable information

However, the issue surrounding secondary use is in no way limited to the handling of information elements subject to these laws, i.e., information about identifiable human beings (also called nominative information). The same issue also relates to the handling of personal information on non-identifiable individuals, information about groups, populations, statistical data or even reports generated from this information.

...probative information on groups or group-related phenomena

Moreover, one must look beyond simple handling of nominative information because its relative importance will tend to decrease, even in decision processes pertaining to individuals.³ This can seem paradoxical while networking enables an ever-increasing amount of nominative information to be put into circulation. However, one must not forget that another objective of networking is to facilitate the production of knowledge or "probative data" upon which more and more decisions are based regarding individuals, organizations and populations.⁴ Already, for example, private life and hospitalization insurance companies determine the insurability of individuals and premium rates based less on an individual's nominative information than on actuarial charts created from numerous statistics on entire populations and sub-group populations. Networking has given rise to increasing use of probative data on groups or group-related phenomena in different clinical, administrative, public health and even business decisions (see example below under Health information for advertising campaigns). This probative data serves in developing criteria, rules and standards that earmark how these decisions are made, including those on individuals. The production of each of these criteria, rules and standards constitutes a secondary use of information.

Information and decisions about individuals or groups

However, the individual, to whom this personal information belongs, does not stop being concerned about its use simply due to the fact that this information has been denominalized (altered so it can no longer be identified) or assimilated into a statistic about a group. Denominalized or assimilated information - or data derived from it - can be used to make decisions directly affecting an individual or a member of a group. The individual or group can also grant or refuse approval for the specific purpose or use of the denominalized or assimilated information, even if this information does not directly affect them. The individual or member of a group can also wish to use this information or have an influence on its use. Denominalization lays out a boundary for the application of personal information protection legislation. However, it still does not define the purpose of the information use or that of the involvement of the individuals, groups, populations or organizations. This is why this chapter does not make, a priori, distinction between information about an individual, a group, a population or an organization, or between information which does or does not identify them.

¹ Laws or normative texts relating to presonal information protection use the terms "aim", "pupose" and "object" more or less as interchangeable synonyms. The same is true for the terms "usage" and "use".
² Eight of the ten CSA (Canadian Standards Association) Model Code principles directly refer to the notion of "purpose"; as is the case for six of the eight principles from the OECD (Organisation de coopération et de développement économiques).
³ Péladeau P. « L'informatique ordinatrice du droit et du procès d'information relatif aux personnes », [Translation: Computer informatics of the rights and processing of personal information], Technologies de l'information et société 1989; 1/3: 35-56.
⁴ Advisory Council on Health Infostructure, Canada Health Infoway: Paths to Better Health: Advisory Council on Health Infostructure Final Report, Ottawa, Health Canada, February 1999. http://www.hc-sc.gc.ca/hcs-sss/ehealth-esante/infostructure/com/achi_ccis_e.html

Information of strategic value

The ultimate goal of networking health information is to transform health information into a potentially useful resource for different health system stakeholders, not only for clinical functions, but also administrative, public health, research, political and business purposes.⁵ Data and knowledge produced in this manner will therefore be used as arguments in public debates or in lobbying activities of certain interest groups. It will notably serve as the basis of decisions for the allocation of resources in a region, between institutions or within an institution; as a definition element for practice or criteria standards for access to health care or services; as a method for defining public health intervention targets; as a representation of the realities and challenges with which public policy deals; as an evaluation tool for efficient health programs, treatments and intervention methods. This is why networked information will become more and more important.

Other relationship changes

In fact, this issue of the secondary use of health information reproduces on a larger scale the problem of relationship changes between patients, health professionals and health care institutions which were described in Chapter 10, Changing relationships. The changes we are talking about here also include administrative health system stakeholders, public and private insurers, professional bodies, public health authorities, policy makers and citizens, researchers and statistics institutions, charitable foundations, businesses (such as pharmaceutical companies), as well all kinds of groups, populations and communities. All these stakeholders are likely to request broader access to networked information as well as to the methods to process this information in order to support their projects or justify their claims. Conversely, all are likely to try and modify or prevent the use of networked information about themselves if it serves their interests.

New relationship arbitrators

Decision arbitrators related to secondary uses - and therefore new relationships established between stakeholders - are not only used by personal information protection commissions, but public institution professional service branches, research ethics boards, professional bodies and information system and network managers also dealing with these challenges. Ultimately, the courts and parliaments are also likely to be forced to determine which secondary uses are permitted and under which conditions.

⁵ See Chapter 1, Health information networking

Information altered by changes in purpose

Multiple and altered information

As we have already seen, networking increases the usage possibilities of health information. However, by going beyond the scope of the initial relationship or purpose, the meaning of the information changes, as does its value for those wishing to use it. In fact, it can be said that it is no longer the same information. Let us get rid of a possible misunderstanding: contrary to what one might believe, networked information seldom travels. Most of the time, it remains in the same location it was initially produced its entire lifespan. Copies, excerpts and derivatives of this information are what travels through a network. When this information travels, it is integrated into a new compilation, for example, in a new personal record or an accounting record, a statistics table or databank. This integration often requires prior transformation of the received information.

Unedited information

Apart from exceptions, new information is therefore not an identical duplicate of the source information. Subsequently integrated with other data, not only does the information no longer appear the same or have the same structure (the same syntax), but its meaning (its semantics) could have also been changed since the context (the purpose) has changed as well. More importantly, the value of the use that the new recipients grant it (its praxic aspect) has also been altered in relation to the different objectives for which the new collection of information will be subsequently used. This phenomenon is however discussed in Chapter 3, Adapting standardized and automated applications to particular concrete situations.⁶ However, the following example provides an illustration of this type of transformation that occurs when a purpose is changed. With this example, we will be able to better explain the issues raised by secondary uses, and as a result, the questions that must be asked with respect to a networking project.

⁶ Refer specifically in Chapter 3 to paragraphs The meaning of information depends on context..., ...and the stakeholders' intentions and Example 15, Networking patients' addresses.

The complexity in managing secondary uses

The simple world of paper

Before the advent of computers, managing secondary uses of health information was clearly simpler. Each health care professional or institution had its own record for its own patient. Paper records were generally used for defined purposes (ex: health care) relating to specific stakeholders (a healthcare professional and a patient; an institution, its professionals and a patient) playing specific roles (patient, attending family doctor, nurse, referring physician or medical consultant, etc.). In this simple world of paper records and well-defined practices, any secondary use was immediately identifiable because it corresponded to a file being transferred to a third party related to the initial relationship between the stakeholders or to a notable change in this relationship.

The complex world of networked information

With networking, these defined limits that paper support spontaneously provides, no longer exist. The definition of a record, whether paper or electronic, has always been the result of a simple convention. Already with paper, one could state that the various sets of patient information held by the different units of a large hospital, consisting of just as many separate records, were merely parts of a single large record. With computerization and networking, however, information held by multiple institutions can be subdivided and merged into an infinite number of records, from a very small record to a very large one.⁸ The exact same is true with determining initial purposes of a record. In fact, the same set of information can then simultaneously or successively serve or satisfy numerous clinical, administrative, public health or research functions.

⁸ See Chapitre 1, Health information networking as well as Péladeau, P., "Data Protection as an Art: What's in a File?", Privacy Files, 1:3, pp. 9-10.

Who defines what purpose?

Theses possibilities raise one set of questions:

• What is the initial purpose or purposes in producing and collecting a specific set of health information?
• What is the scope or limit of each of these purposes?

The answer to both of these questions is defined as "secondary", any use of information serving a purpose other than that of the initial purposes. The list of relevant information to be collected or produced, as well as its specific semantic significance, is dependant upon defining the object, scope and limits of the purpose. Equally dependant is the application of several legal standards, as well as ethical and management principles, particularly with respect to personal information protection, confidentiality of health information and consent for its communication and research ethics. The initial purposes also determine the use value (praxics) that the stakeholders will give to the information. The issues surrounding the process of defining purposes raise certain questions:

• Who is legitimately the one who decides upon these purposes and their scope?
• What criteria must be met for a decision to be made?

Health care: single or multiple purpose?

Let us remain within the realm of health care, where the majority of health care information is still produced. Do the initial purposes of various patient files still need to be limited to the old paper record definitions, such as "family medical care", "hospital care", "psychiatric care" or "pharmacy services"? Or instead, should we amalgamate all clinical practices as components into a single, all-encompassing purpose called "health care"? Or should we organize purposes according to other criteria, such as the fields of practice recognized by various professions? For instance, since pharmacists are responsible for dispensing medication, it could be said that all pharmacist records are part of the same purpose: their contents could then be completely shared among pharmacists since they were collected for the same purpose. The possibilities of file designs and the definition of their purposes are endless. However, according to those that have been retained, the possible consequences will be completely different.

Another relationship, another purpose, another praxic meaning

Let us accept for a moment the possibility of a single health record serving a universal purpose called "health care". For the sick secretary stuck between her bosses in our previous example, this scenario could change her situation altogether. Perhaps she would have preferred the doctor prescribe her medications in order to keep her job until she found a new position rather than see a psychiatric diagnosis written in her single-client file. There are numerous unfortunate cases that occur as a result of a psychiatric note.⁹ Here we see how redefining the initial purpose of collected information, and thus the initial established relationships, can radically change the meaning and use value of the information for the stakeholders (praxic aspect). This demonstrates how the objectives of a consultation, diagnosis and treatment can be directly affected. In summary, there is a clear difference between finding oneself in the presence of one doctor holding a medical record that strictly serves this particular relationship (very restricted "health care" purpose) and finding oneself in the presence of a doctor holding a medical record that potentially relates you to an entire medical body (very broad "health care" purpose).

⁹ Such is the case of a patient who arrived at the emergency unit for an arm bone fracture. She was placed in observation for several hours, then subjected to a psychiatric examination rather than simply having a cast put on. Case communicated during a presentation of the Association des groupes d'intervention en défense de droits en santé mentale du Québec (AGIDD-SMQ) [Translation: Quebec association for intervention groups defending rights in mental health], Thursday, March 7, 2002 before the Commission permanente des affaires sociales de l'Assemblée nationale du Quebec [Translation: Permanent commission on social affairs of the Quebec National Assembly] during the Consultation générale sur l'avant-projet de loi sur la carte santé du Québec [Translation: General consultation regarding the preliminary plan for the Quebec health card] http://www.assnat.qc.ca/fra/Publications/debats/journal/cas/020307.htm

Purposes: a question of relationship

Purpose = object of the relationship + those participating

The definition of a purpose is made up of two components. The first is the object of the established relationship between the stakeholders in the manipulation of the information elements in question. The second is the determination of the stakeholders participating or able to participate in this same relationship.

Therefore, in the same hospital, let us say that one single patient record exists, containing all the health information produced on the same person by all the care units. However, we can also decide that the information produced by the psychiatric unit, perhaps by a single psychiatrist, serves a distinct purpose (the "psychiatric care" relationship between the patient and this unit or psychiatrist). In this case, any use by another unit would be considered related to a secondary purpose. The personal information protection standards and principles related to the use of secondary information would then be applicable. This restricted scope of the "psychiatric care" purpose would also determine the semantic significance of the information, as well as the use value (praxics) that the patients, psychiatrists and other members of the health care staff in the psychiatric department might give to this information.

Who decides on a purpose?

We have seen that there are numerous and significant issues that can result in defining an initial purpose. However, the definition of a purpose constitutes a decision that largely relies on an imposed or agreed upon convention between the stakeholders. In fact, we can decide that the same information serves one or several initial purposes. We can also decide that each of these purposes corresponds to very different relationships, which allows for a relatively greater number of stakeholders. But who decides this? Who makes this extremely important decision considering its multiple effects?

Recognized personal information protection principles and Quebec and Canadian laws on this matter avoid this question. They require that the purposes of a set of personal information be determined prior to the information being collected or produced. However, no legal entity is ever specifically designated to make this decision.

In practice, different stakeholders can decide. It could be those who collect or produce the information, such as the health institutions. These decision makers can also be legislators or regulators. Therefore, various laws define the respective missions of several organizations (RAMQ, Institut de la statistique du Québec [Statistics Quebec], etc.) or the obligations of various stakeholders (e.g. reportable diseases) through which so many information handling purposes are established. With respect to health, professional bodies also play a role in determining what information can be handled and which stakeholders will be in charge of handling it. In fact, it could be one or several stakeholders directly involved in the relationship. This is often the case in the psychosocial field where clients, institutions and their staff members jointly decide whether or not certain information will be recorded, and if so, why.

Independent or imposed

Consequently, the decision of who determines the initial purposes can be made by the same stakeholders involved in the information handling relationship, just like the decision can be imposed by an outside stakeholder. A purpose can also be co-determined. To illustrate these cases, let us use the example of a purpose that we will call "pharmacological supervision". This purpose is based on the generally accepted and demonstrated idea that creating an updated list of prescription medications dispensed and prescribed to a patient enables a health professional to identify the risks of over-medication and harmful interactions.

Completely independent to define the purpose

The Ministry of Health could decide to implement a networking application that would allow for the production of such a list of medications, but would leave it up to the health professionals and their patient to decide whether or not to produce or use it. The stakeholders would be completely free to enter into this "pharmacological supervision" relationship, and define its scope (between one or several doctors, pharmacists or other health care professionals).

Imposed purpose

The Minister of Health could also pass a law making pharmacological supervision mandatory and specifically determine which professionals would be responsible (therefore, who would have access to the list of medications) in which circumstances. Here, the existence of information and its purpose (object of both relationship and stakeholders) would be predetermined.

Both imposed and independent

Or, the law could state that the patient must have at least one "pharmacological supervisor" at all times, but also that the patient is free to designate the professional or professionals who would fulfill this role. Consequently, a patient could decide, one at a time, that each one of his doctors prescribing him a new medication is his pharmacological supervisor at that point in time. Another patient could decide that his psychiatrist will solely act as his, permanent pharmacological supervisor because the patient does not want other health professionals knowing he is suffering from a psychiatric problem. And yet another patient could designate his pharmacist to play this role since he wants to ensure compatibility with his over-the-counter medications, food supplements and natural products that he also purchases on site. In this scenario, the relationship is imposed, its object is predetermined, but its scope is not (i.e., who exactly the stakeholders involved in this relationship are).

Required questions

Consequently, evaluating primary and secondary uses already creates issues between different clinical uses even before one considers the uses for completely different functions. In the case of patient list of medications, we think of the secondary uses conducted by researchers to understand drug effects, by public health authorities to detect and follow certain health problems, by professional bodies to have their members supervise the prescription or dispensing of medications and by pharmaceutical companies for marketing strategy purposes. In fact, the simple description of the possible secondary uses could take up a considerable number of pages in this handbook.

Beyond the description, the socio-ethical evaluation of networking must first ask questions about the who, what and how the primary purpose is determined. All these new uses cannot be qualified as "secondary" due to the fact that someone first decided that certain uses would, in themselves, be defined as "primary". Moreover, questions must be asked about the authorization conditions of the secondary uses, particularly when they are required without the direct consent of the stakeholders directly involved, or even with their knowledge for any practical purpose. We particularly think about the uses relating to research, administration, public health and possibly business. Maintaining the necessary relationships of confidence between the different stakeholders cannot in all likelihood be based on vague secondary purpose claims at the time information is collected or upon the creation of a file pertaining to them. It is also important to consider implementing measures relating to transparency and dialogue, perhaps even related to the participation of those affected by the definition of the uses, conditions in which they are conducted and controlled.

Conclusion

Understanding endless and more complex processes

Networking specifically aims to increase possibilities for secondary use of health information. However, we have seen how the socio-ethical evaluation of secondary uses permitted by networking as well as their management would represent an increasingly difficult challenge. Already, the systematic identification of the initial uses on one hand and the secondary uses on the other, require that the processes involved be reconstructed and remodeled: the information used, the manipulations required for these uses, the stakeholders involved with each use, and the respective roles they play in relation to one another. This documentation exercise is also necessary to allow for transparency of practices upon which confidence relationship are based whether required in the proper functioning of the health system.

Centrality of the concept of purpose

We have observed the centrality of the concept of purpose for the discussion of questions and issues related to secondary uses of health information. This concept is also important in the overall socio-ethical evaluation of networking. In effect, it is also by determining the purpose that semantic and praxic significances of manipulated information are organized, social and institutional relationships are formed, as well as the different methods of exercising power between the stakeholders or their position in the manipulation of information.

Understanding to evaluate and manage

This is why we have proposed below an approach composed of three documentation steps, which precedes the evaluation approach itself. The first three descriptive steps recreate a large part of the different information processes. They can therefore serve as a basis for evaluating other aspects of network applications.¹⁰

¹⁰ The approach requires a full understanding of the interrelated concepts describing the processes of personal information. For more information, see Péladeau. P. Les processus d'information sur les personnes par delà la vie privée : Théorie, modélisation et analyse à l'usage des informaticiens, juristes, administrateurs et citoyens [Translation: Personal information processes beyond privacy: theory, modeling, and analysis for the use of computer specialists, lawyers, administrators and citizens] Version 2.0, Montreal, first version of chapters from a manuscript in preparation.
http://www.ircm.qc.ca/bioethique/francais/telesante/documents/theorie_processus.html

Chapter 14 - Political Transformation of the Health System

Introduction

The design, deployment and management of a health information network are not strictly technical matters. An information network is also a political system that defines power relations between people (Chapter 11), determines a number of the respective rights of people (Chapter 13) and imprints itself on the health system. In this chapter, we will focus on the latter aspect, examining the link between a networking project and the very structure of the health system, which can thus be modified in such a way as to alter its nature.

In all cases, one must resist taking the easy path of basing system definition on technical considerations alone. Too often, technical staff or consultants base the selection of system solutions solely on a changing and theoretical definition of the needs and objectives, or on objectives largely specified in vague terms by certain dominant players. This approach amounts to giving technical people the power to define the system on a political level. It is vital to ensure that the technical solutions serve political objectives that have been appropriately stated and discussed, and that they not be used to impose unintended or concealed purposes.

Health information networking and the standardization of practices that it implies are also essential and central measures for in-depth transformation of the health system. Over and above its purely technological dimension, health information networking is a master tool for achieving a thorough reform of the health system. The link between current or future health system reforms and deployment of new information technologies should be further studied and better understood. Moreover, it is known that a number of business interests-the insurance industry and financial institutions, for example-promote computerization at the same time that they advocate partial privatization of the public system and establishment of public-private partnerships for health care funding or delivery.

Ethical evaluation of health information networking projects must include analysis of the links between computer systems deployment and the intentions behind transformation of the political structure of the health system over the short and long terms.

Technofix mentality

An impressive technical deployment...

Health information networking requires deployment of technical equipment that uses new computer, telecommunications, encryption, smart card and other technologies. It often mobilizes large teams of engineers, computer specialists, designers, and equipment and service providers. Such an undertaking often requires considerable investments, with the budgets largely going to technical devices and consultations with information technology experts.

...that masks the political issues...

The scope of the technological and financial resources needed, as well as the type of expertise mobilized, are likely to put technical discussions in the forefront, at the expense of other issues such as the impact on the very structure of the health system, the organization of powers and the way power is exercised.

...and may escape the democratic process...

In a democracy, such far-reaching political transformations in the public health system require application of the accepted democratic process. In Chapter 9, we saw the importance of providing for implementation conditions that favour participation by all the players, individuals or groups directly or indirectly involved. However, these legitimate concerns must never serve as a screen or alibi for restricting or limiting thorough socio-ethical assessment, including on the clearly political level of the goals and aims pursued by a networking project. Study of the potential that information networking has to transform the health system enables us to avoid this hazard.

...while transforming the political structure of the health system

The context for networking is one in which certain potential political transformations through technology may materialize. Networking may also present an opportunity seized on to effect far-reaching political transformation of the health system, without going through the accepted democratic process. To better understand its directions, computerization of the health network must be analysed in the general context of health system reform and government re-engineering promoted by the national public authorities.

The role of outside experts

Public policy analyses carried out by private consultants

The general context for the recent waves of health system reform and health network computerization is one in which the MSSS [Quebec department of health and social services] has been the subject of large staff cuts and the Conseil du Trésor [Quebec treasury board] encourages private sector outsourcing of consultation contracts for studies and analyses in support of policy making. This context, far from being neutral with respect to the nature of the questions asked and the solutions proposed, gives rise to fear that computerization projects will be more a reflection of the needs and interests of the private consultants or partners and their business associates than of the objectives of public policy developed in a democratic framework in which the common good and the public interest must take priority over the business interests of the industrial or business class.

In the designing of and follow-up on a networking project, it must therefore be possible to answer the following questions and to discuss the related issues openly and publicly:

A coveted public service

Equal in life and in death

The public health system represents, in Quebec and Canada, a democratic achievement of the greatest importance to the public, an achievement that resulted from hard-fought political struggles in the twentieth century. Health care and health services differ fundamentally from goods and services that can be purchased in quantities and at quality levels consistent with the economic comfort of consumers. In the public system, the right to health services and health care is independent of the patient's financial situation. Health care provided by the public system is a public service, in the sense that each person's access to it is equal, protected by law, determined by his or her medical needs, and without regard to his or her socio-economic status or monetary participation in the funding of the system. Sometimes, people summarize the basic nature of the public health system by saying that citizens are all equal in illness and in death. This characteristic of the health system is reflected in funding mechanisms completely distinct from those found, for example, in the private insurance industry.

A market share to be conquered

Health care and services account for a sizeable share-about 10%- of Canada's Gross Domestic Product (GDP). The public health insurance system impacts directly on the commercial insurance sector, reducing the latter's market share. The historical opposition that existed throughout the process that led to establishment of the public system, and the more contemporary pressures to re-open or expand the private insurance market in the health field bear witness to the interest that a transformation of the health system in tune with industry's business interests would have for certain sectors of the economy. This context must be taken into account in the ethical analysis of health information networking projects.

Computerization and networking can be aimed at improving the public system

Health information networking projects or suggestions for sector computerization are not necessarily detrimental to improvement or modernization of public health systems. The Romanow Report [Romanow Report, 2002, Chap. 3], for example, makes creation of electronic health records an important recommendation in support of the overall direction of the report, which advocates strengthening and stabilizing the public health insurance system, in order to ensure its long-term sustainability.

In other cases, such as that presented in the following example, an information networking project may clearly play an active part in the planning of a fundamental political transformation of the health system to the benefit of health industries.

Lessons to be learned from water distribution

What is the device really used for?

In an effort to better understand the dynamics at work, a parallel can be drawn with reforms in the area of water distribution, where certain technologies play a role similar to that seen in the previous example. Take, for instance, the installation of water metres by municipal public authorities, on the grounds that they help make water consumption more efficient and thus reduce the public costs of water treatment and distribution. Studies seem to indicate that water metres on Quebec residences have a mixed impact on domestic water consumption [Collin et al., 1999]. However, it is known that investment in this technology would be essential and unavoidable if management or ownership of the water supply system were to be transferred to a private company or a public-private partnership.

A funding method that requires specific information

The funding of goods and services provided by private authorities is calculated on the basis of each person's consumption. The company has to be able to measure this consumption. This situation therefore requires installation of water metres to capture the data needed for the billing of each household. A public organization (municipality) providing the same water distribution service may fund it on the basis of completely different fiscal rules, in which the rule that prevails is that of the owner's ability to pay, measured on the municipal level in terms of the value of the building served by the water distribution system, without regard to water consumption. Private funding of a service therefore imposes its own requirements with respect to the information necessary to the system: individualized consumption for private-sector management; and individualized property value for public-sector management. In short, the information systems needed for an activity, such as water distribution to residences, are likely to be completely different in nature and in organization, depending on the approach to the funding of the activity and the nature of the organization responsible for it. The same is true for information systems in the health field.

A municipal water-metre technology installation project warrants socio-ethical analysis to ensure that it does not support with public funds equipment that will then be used by the private sector for commercial water distribution. In the health field, when deployment of information networks is accompanied by establishment of structural reforms for which the model is borrowed from private-sector-dominated health systems (the American system, for example), it is appropriate to analyse the ethics of the networking in even greater depth. In this way, review of the networking project makes it possible to consider the goals ultimately sought through the planned reforms.

On the next few pages, we will look at the link between networking and questioning of the structure of the health system from two standpoints-that of medical practice and, more generally, that of the political organization of the health system.

Transformation through the organization of medical practice

Integrated health care and services

The integrated care network as a method for transformation of the health system

The integrated health care network promoted in Quebec beginning in the mid-1990s has served as an action plan for transformation of the health system. The integrated network has been put in place for target clienteles-for example, seniors, persons suffering from mental illness, or persons suffering from chronic illness. A number of experiments have been conducted in various regions, with as yet inconclusive results [Fleury, 2002].

Quebec's Commission d'étude sur les services de santé et les services sociaux (commission of study on health and social services) made such networks the subject of a major recommendation for the above-mentioned specific clienteles [Clair Report, 2000].

The integrated health care network is always associated with a health information network to ensure continuous medical management of the patient by the various participants responsible at one time or another for providing the patient with care or services.

A strong political will to establish networks

The political will to establish integrated health care networks was considerably reinforced by the adoption in December 2003 of the Act respecting local health and social services network development agencies, which transforms the regional boards into integrated network development agencies. The Act has been in force since January 30, 2004, and has as its central mission the establishment of these integrated networks throughout Quebec. The director of the Montreal agency confirms that one of the key elements in the successful creation of these networks is computerization and the sharing of health information among the various network partners (Paré, 2004].

Following the links between the integrated health care network, funding methods and the information network

The deployment of an integrated health care network and of the information network associated with it raises fundamental questions regarding the political structure of the health system, insofar as it is defined by integration among the public and private players to ensure continuity of health care and services, and implementation of standard care protocols. Networking makes it possible to proceed with integration, the political aims of which are not always clearly discernable from a reading of the legislation. In addition, deployment of integrated networks is usually accompanied or followed by significant modification of health care funding methods. Often, such political transformation in successive stages can mask the political direction of privatization that is generally being pursued in various forms, away from public debate and democratic processes.

The people responsible for the information network must be able to answer the following questions and broaden the debate to include related issues:

Standard care protocols

A concept associated with managed care

The exponential growth in HMOs (health management organizations) in the United States over the past decade took place at the same time that computerized systems for the monitoring and control of standard care protocols were being established, with the paired objectives of improving services to patients and controlling costs. Clearly, these objectives, although they may sometimes go together, can also conflict with one another, especially when physicians are subject to a financial incentives system that encourages them not to follow certain procedures or not to use certain equipment, or to generally limit the care and services provided. Financial incentives aimed at limiting delivery of care and services are already fairly widespread in the United States.

It could be maintained that the situation in Quebec is different, insofar as the central fee-for-service funding method is generally thought to have the opposite effect, promoting the multiplication of medical procedures. In addition, standard protocols have gradually been implemented in Quebec since the 1970s, in follow-up to the recommendations of national hospital accreditation committees, essentially with a view to patient safety.

Monitoring the role of networks in the context of the more general health system reforms

In the wake of the more recent reforms and in anticipation of those that are coming, the designing and implementing of standard health care protocols, envisaged as an integral part of networking projects, could challenge the premises of autonomy in medical practice based on the professional judgment of health care personnel. The standard care protocol or the decision-support expert systems, depending on the terms for their use and the modifications to the funding methods with which they are connected, could cut deeply into professional autonomy through recommendations, incentives or imperatives designed to direct medical practice in accordance with the standards set down in the computer system.

In this sense, a networking project that includes standard care protocol implementation therefore involves control of medical practice (and its political aims) by a technical system, and thus requires targeted ethical evaluation.

Among other things, it would be necessary to be able to answer the following questions and to openly discuss the social issues raised:

Transformation through political organization of the health system

Implementation of public-private partnerships

An oft-repeated recommendation

Implementation of partnerships between the public and private sectors for health system reform has been recommended over the past few years in a number of reports and policies [Arpin Report, 1999; Clair Report, 2002; Bédard Report, 2002].

Promoting computerization without making the link with structural reforms

Public-private partnership is closely associated with the other reforms presented above, from implementation of integrated health care networks and standard care protocols to changes in health care funding methods, all heralding in-depth transformation of the public health care system, in which health information networking plays a determining role. However, too often, the official reasons given for computerization only emphasize its role with respect to efficient circulation of information, improved quality of patient care or, simply, system modernization, while skirting around the major role played by computerization in the system's political transformation.

Need for transparency in political transformations

It is important for socio-ethical analysis to be done on all networking projects, to identify the political role played by the computer system in establishing an organization likely to redefine the political structure of the health system, ensuring that this role is clear and made transparent for all players and for the public.

Among other things, it is important that the following questions be answered and that related social issues be discussed openly:

Controlling care utilization

Fuller picture makes control of access to care possible

Networking of health information on patients can eventually make it possible to develop a fairly complete picture of the care and services obtained by each patient visiting a physician. Without this tool, the physician cannot know whether the patient has already had a consultation for the same problem and, if so, what the results of the consultation were. The real-time availability of this information also enables the insuring agent to modify the funding rules-for example, adopting quotas limiting or placing conditions on access to certain services. It makes it possible to consider establishing ceilings for a set period of time-for example, one complete medical examination a year or one ultrasound per pregnancy, or the rationing of certain types of particularly expensive treatments.

Control by risk selection

Control of care utilization may also be done in a more general manner, invisible to the patient, if health information networking is combined with in-depth modification of health system funding methods-for example, establishment of family medicine groups or integrated care networks, funded on a capitation basis, which may lead to a screening out of patients, with the result that patients with the most difficult or most costly problems find it difficult to get accepted by a care group. A number of studies in countries where these organizational approaches are in place report that patients are screened out or that risk selection occurs [Béguin, 1999].

Patient likely
to be penalized

In short, health information networking opens the door to establishment of control measures or sanctions for the use of health care and services, and this can be particularly detrimental to high-risk patients or patients with complex medical situations. This is another dimension where technology may contribute to transformation of the system's current political characteristics and that thus requires close ethical monitoring. Networking-project players must therefore be able to answer the following questions and encourage discussion of all related social issues:

Lessons to be learned from the Quebec smart card project

The Quebec health smart card deployment project has much to teach regarding socio-ethical issues of health information networking, owing to public discussions concerning this project (see also the summary presentation in Example 4, Chapter 1).

Public discussion of this project was sought in the winter of 2002 by a parliamentary commission studying a draft bill entitled the Québec Health Card Act. The networking project seemed to be merely a program to modernize public health insurance plan management mechanisms. However, many intervenors among the approximately fifty organizations and individuals submitting a brief on the planned network were critical of the far-reaching political repercussions that would come with computerization, even though that impact was not clearly explained or even acknowledged by the project proponents. As a result of the strong objections expressed to the parliamentary commission, and mobilization of public health system advocacy organizations and medical organizations, the project had to be shelved, but not before it had cost a considerable amount of money and shaken public confidence in the institutions responsible for the health system-namely, the RAMQ and the Ministère de la Santé et des Services sociaux [department of health and social services].

A Centre for Bioethics watch site on the Web¹ presents all the highlights in the public discussion of the project.

The following is a summary of the main weaknesses of this networking project and of the lessons to be learned from it:

¹ http://www.ircm.qc.ca/bioethique/english/telehealth/observations.html. A number of the briefs and articles in teh print media are to be found on this site.

1. Presentation of computer systems as being mere black boxes is unacceptable.
   
   The presentation of the project largely glosses over the computer systems being considered, and refers only to use of information technologies or to telematics or computer applications, without giving any clear explanations or sufficient details regarding the specific nature of the devices involved. The essence of networking lies in the computer systems involved. It is therefore socially and ethically unacceptable for these systems not to be fully revealed when the project is debated, both by expert teams and by the public. Negation of this principle of transparency challenges the very legitimacy of any process that fails to clearly set out all the functions put in place by the computer system.
2. All the pertinent reforms, even when they are carried out in other sectors, must be put on the table and presented in such a way that the links that are made may be clearly understood, in order to better comprehend the issues connected with the information networking project.
   
   The project is based on parallel reforms carried out in other places and in other fields, although this is not explicitly stated by the proponents, who thus avoid clearly establishing what the project means, in that some dimensions may be understood only when the links are made between the project and other reforms or other systems. The FIIQ [FIIQ, 2002] brief had, among other things, pointed out the links between the smart health card system and the rules established through adoption a few months earlier of the Act to establish a legal framework for information technology, which was aimed at, among other things, creating a legal framework conducive to electronic commerce through establishment of identification and authentication mechanisms.
3. Complete information on the networking issues and aims must be presented with the same transparency to the executive and legislative authorities, as well as to all the players and the public.
   
   Project objectives are very briefly referred to in official documents of the democratic institutions, but are hidden from the public or communicated only to a select few. These objectives for political transformation of the health system are not presented clearly as being the engine for network deployment. Planning of the Quebec health card project had involved two health and social services ministers, whose memorandums to obtain the support of the Conseil des ministres [cabinet] and Conseil du trésor [treasury board] indicated that the project was aimed at paving the way for future changes in the health system and managing a new equilibrium between the public and private players. These key dimensions of the project challenged the entire political structure of the health system, while being completely hidden by the public authorities when the draft bill was presented and defended.
4. Never mislead the public authorities, the players or the public regarding the objectives pursued through networking and its products.
   
   Computer-generated statements of health care costs for individuals are presented as a tool for increasing awareness and saving public funds. As in the example given earlier, where installation of water metres on Quebec residences is really meant to pave the way for complete or partial privatization of the water distribution system, statements of health care costs for individuals can be justified only if the political framework is altered in such a way that the patient must pay all or part of the cost of the care he or she receives, or if the way institutions are funded is radically changed. However, the authorities have not gone so far as to admit that this could happen. They have only made general statements about system modernization. This incomplete justification has more to do with manipulating public opinion than with the transparent and open discussion patients and the public have a right to expect in a democracy.

Conclusion

Ethical assessment is essential

Numerous technical, administrative, economic, social and political factors influence the different decisions for allocation of resources for information technologies, however, the direction the health information networking and its objectives will take are not pre-determined by this. Moreover, the potential impacts of networking on populations and the health system are neither obvious nor predictable in any definitive way, as networking is developing in a health system and society that are themselves in perpetual motion.

Multiples choices to be made

As observed in this handbook, the changes brought about by networking will result in large measure from choices that will be made, or not, between different types of networking, different technological options and different forms of regulation, whether that be the regulation of change, of operation of technological applications, of the relationships between stakeholders or of networking issues.

Ethical assessment to help make the best choices

Ethical assessment as a means for identification of the issues and prevention of problems takes on critical importance from the start. If used to full advantage from the outset of applications or policy projects, it will allow reflections and decisions to be connected to principles and considerations likely to contribute to networking's success. It will help to prevent a number of pitfalls that can create high costs and great difficulties for the stakeholders, such as patients, professionals and institutions, and for the whole of society alike.

Assorted crucial considerations must be analyzed.

Ethical assessment of networking freely sidesteps, without being unaware of, considerations of computer system security, consent and protection of personal information. It encompasses a number of considerations as varied as allocation of resources, suitability of technical tools for the needs and social realities of the environment, accountability and control of stakeholders, social and institutional relationships, human and social vulnerabilities, the secondary use of health information or alternatively, the trust of the public, the users and control agencies in networking and its proponents.

Requirements of an ethical assessment

In terms of this handbook, we believe it is important to draw attention to certain specific requirements that are characteristic for ensuring a quality ethical assessment for every health information networking application or policy project.

• First, the considerations identified in this handbook cannot provide exact interpretations or ready-made answers that will invariably apply to every situation. These considerations must, instead be the topic of discussions and debates among the different stakeholders involved. Those in charge of networking are not the only ones involved; everyone who will have to bear the costs and the direct and indirect effects of the decisions is also involved.
• Beyond the individual initiatives, health information networking is a social phenomenon and therefore eventually calls upon all of society's members. That is why it is not only up to those in charge of local or regional initiatives and other stakeholders committed to a specific project to encourage reflection, debate and realization of an ethical assessment; it is also the business of all the governments and interested members of civil society.
• It is accepted that the comparison of point of view in the context of the deliberation process allows an enrichment and fine-tuning of the understanding of the problems to be solved, the needs that must be met and the questions and issues to be considered. It also allows the advantages, disadvantages and impact of every solution contemplated to be better balanced as well as the conditions and restrictions of their implementation. The objective of participation must be to arrive at a common position or one that is at least acceptable for a majority of the stakeholders.
• The participation of a diversity of stakeholders in the context of a credible deliberative process held at various critical stages of a project ought to allow examination of its numerous social and ethical implications. However, just like ethical assessment, participation loses all meaning if the individuals involved in the process do not have access to all the necessary information or if their involvement occurs when it is too late to react or change course. The lack of transparency, the hidden objectives and the "fait accompli" are contrary to every credible networking process at the socio-ethical level.
• Finally, ethical assessment of networking cannot be contemplated without discussion and debate on the multiple links woven among the implementation of information technologies and the planned transformation of the organization of the health system and health policies, as well. Networking is at the core of health system reform projects and projects to review government's role. Early analysis of the potential to transform political, financial and organizational structures of the health system as allowed by information networking projects, could contribute to avoiding certain obstacles or impasses as well as unpleasant surprises.

Search for the public good

Time and again we have stressed the multiplicity of choices pertaining to technology and guidance and the fact that none of these choices is socially, culturally or politically neutral. Thus, the choices must be made with a perspective that transcends special interests in favour of a vision in line with the society's fundamental values, the primary mission of our health system and its institutions as well as with the main principles they support. A socially and ethically successful change will be able to be spoken of in terms of these conditions in particular.