National Committee on Vital and Health Statistics
11 January 2001
Bette-Jane Crigger, Ph.D.
The Hastings Center
This afternoon I would like to focus on two themes relevant to concerns about the privacy of personal health information: I would like first to reflect briefly on privacy as a cultural value, and then to draw attention to a dimension of the "privacy question" that seems to me often overlooked. Both speak to the matter of creating conditions for trust in the collection and use of health information, which I take to be one of the Committee's central concerns.
Privacy as a Value
Americans today have seemingly contradictory stances toward privacy. On the one hand, we are deeply and sincerely concerned that others may seek and obtain personal information about us; the more intimate the information, the stronger our desire to protect it. On the other hand, we are also curiously profligate in revealing information ourselves--we casually share our "private" conversations with whoever may be in earshot when we use cellular phones in public places, or even broadcast the most intimate moments of our lives to strangers on the World Wide Web. The former may evidence simple inattention, the latter surely represents a conscious, though one might argue poorly considered, decision to make oneself known.
Both stances seem to me ultimately rooted in the Western conception of the self as autonomous agent. We see ourselves and our lives to be importantly projects of self-creation--never entirely unfettered, to be sure, but ideally crafted willfully and independently in significant measure. One aspect of that project of self-creation is to have meaningful control over how we are known in the world. We wish to be able to determine how we present ourselves in different contexts: which facets of our selves we reveal and which withhold, which we foreground, which background. The kind of information about ourselves that we share with others can be one way to mark the level of intimacy and trust in a relationship.
This is not to suggest that this conception of the self is universally shared in a strong form in contemporary American culture, a term I use advisedly. Nor is it to suggest that our projects of self-creation ought never to be constrained in any way, or that our choices about sharing information are always worthy ones simply because they are ours. Discerning just what constraints our life in community may rightly impose, under just what conditions, is an ongoing challenge both philosophically and practically. As this Committee's interim reports(1) and the Institute of Medicine's recent report Protecting Data Privacy(2) make clear, for example, there are important individual and public health reasons to allow access to and use of personally identifiable health information even against individual preference. Neither do I mean to suggest that our presentations of self are always innocent; we may slyly direct others' attention to our strengths rather than our weaknesses, or we may outright mislead them. My point, rather, is that some such conceptions of self and the work of a life underlie privacy as a value in our society. Some such conceptions inform our concerns that privacy not be abridged thoughtlessly or inappropriately, that information about us not be collected or revealed without at least our knowledge and, in some circumstances, our consent.
We have heard much today about choice, and rights, and much about the harms that may befall us when the confidentiality of personal health information is breached: embarrassment, stygmatization, discrimination in employment or insurance coverage. Such breaches violate the underlying notion of what it is to be a self in different ways. Stygmatization and discrimination, in particular, contravene the conception of the self as autonomous moral agent in focusing on aspects of our lives taken out of context. The part is made to stand for the whole; I am reduced to the datum of age, gender, or place of residence; of height, weight, or health condition. This is very much of a piece, I think, with the kind of reductive objectification vigorously opposed by the disability community.
Rather less has been said about the further prospect of exploitation, even when we are not harmed materially. The use of personal health information for marketing purposes--especially when such information is exchanged without the individual's knowledge or consent--reduces the self still further, to a commodity. Significant personal details become no more than a flag identifying me as a potential source of enrichment for one or more others. Such affronts to dignity are recognized, and condemned, by the European Group on Ethics in Science and New Technologies, which asserted that "Personal health data form part of the personality of the individual, and must not be treated as mere objects of commercial transaction."(3) In comparison, the privacy and confidentiality provisions of the Health Insurance Portability and Accountability Act offer thin protection: Individuals may opt out of receiving further communication only after they have been contacted for marketing and fundraising purposes, and only from further use by the specific entity that approached them. No provisions are made to allow an individual to restrict the exchange of personal health information in this way at the source.
Although I have sketched only one, admittedly partial, account we might offer of why privacy matters, I hope it serves my goal of returning our attention to the philosophical and ethical considerations that undergird our more often legal and political conversations about privacy. With this much in place as background, then, let me turn to my second theme.
Education: A Missing Piece of the Privacy Puzzle
Much of our public discussion about privacy has, particularly in the context of personal health information, focused for good reason on developing technological means to minimize breaches of privacy. But consider the following scenario:
A resident and an attending physician wait for a hospital elevator in mid-morning. They take the opportunity of a few moments together to talk about an 84-year-old woman admitted the previous afternoon. Their brief conversation continues as they enter the elevator, and touches on the patient's diagnosis, pneumonia; the fact that she was admitted from Valley View Nursing Home--the one that had all those problems last year; that she seems not to understand that she has been hospitalized; and that she resists treatment--she insists that Audry, probably one of the nursing home staff, should bring her the pink pills. In response to the attending's question, the resident notes that Mrs. Halberstrom seems to have no family in the area; he's not sure she has family at all--she's been on Medicaid for years.
The elevator reaches the resident's floor and he makes his way out through the crowd of two orderlies, a nurse, and three visitors.
Not even the most sophisticated encryption protocols, or user verification systems, or audit trails could have protected Mrs. Halberstrom's privacy. Absent a robust culture of respect for privacy, technology itself cannot fully protect the confidentiality of an individual's medical information. So too, absent a robust culture of respect for privacy, rules, regulations, and sanctions cannot truly safeguard an individual from that first, even un-thought-about exposure.
To remind us of this is neither to disparage nor to discount our well taken concern to create the best technological and regulatory safeguards we can for personal health information, including anticipating how new technologies may generate new kinds of information and new ways in which that information and individual privacy may be imperiled. It is, rather, to call attention again to the human dimension of the challenge of protecting privacy and to underscore the need to nurture habits of thought and practice that will complement our technological and legal "solutions" and better assure that their potential to protect privacy appropriately is realized.
It is, in essence, a call to attend to the ways we might cultivate the faculty of discernment among all who handle personal health information. As the IOM noted in a somewhat different context in addressing the role of the institutional review board in good privacy practices in health services research, "regulations and guidelines are important to provide norms, but they must still be implemented with the judgment and practical experience of individuals . . ."(4) The IOM went on to note, again in this narrower but illuminating context,
Education is critical not only for IRB members, but also for researchers, technicians, and any other employees who may come into contact with personally identifiable health information. Better education about how to protect confidentiality and possible sources of risk will help investigators design better confidentiality protections for their proposed studies from the start. Better education of all employees who may come in contact with the data will help raise the level of understanding and alertness throughout the organization.(5)
Indeed, among the recommendations offered in Protecting Data Privacy, education plays a significant role (Recommendation 5-2):
The DHHS and other federal departments and private organizations such as the Association of American Medical Colleges, the Association for Health Services Research (now the Academy for Health Services Research and Health Policy), the American College of Epidemiology, the International Society for Pharmacoepidemiology, Public Responsibility in Medicine and Research, the Applied Research Ethics National Association, and others should continue or expand educational efforts regarding the protection of the confidentiality of personally identifiable health information in research.(6)
The Centers for Disease Control have similarly recognized the importance of ongoing education. Its 1995 report Integrating Public Health Information and Surveillance Systems emphasized education as strongly as it did technological responses to privacy concerns:
CDC/ATSDR disseminates data in reports and tabulations and through electronic means. These data are critical to health care researchers. CDC/ATSDR educates employees and reviews all products to ascertain that data that identify persons or establishments are not released inappropriately.
CDC/ATSDR has prepared written manuals to describe the confidentiality guidelines applicable to its surveys and data collection efforts. All CDC/ATSDR employees, and contractors who handle confidential information are required, as a condition of employment, to sign a "Nondisclosure Statement." This statement discusses the confidential nature of selected information covered by section 308(d) of the Public Health Service Act. It describes the penalties for unauthorized disclosure under Title 18, Section 1905 of the U.S. Code and the Privacy Act of 1974. In addition, the issue of confidential data is presented at orientation sessions for new employees.(7)
Engaging agencies and professional organizations in renewed and ongoing efforts to educate members about privacy concerns through formal programs is certainly an appropriate activity, as is encouraging workplace training. One would hope to see such programs address more than just regulations and organization-specific policies and practices. Ideally, protecting privacy should be an ingrained habit of thought, not simply a technical application of rules or protocols. Moreover, as the Committee on Enhancing the Internet for Health Applications has noted (in a somewhat different context), traditional continuing education programs have not been effective in improving clinical knowledge or patient outcomes in medicine. We cannot realistically expect more of "privacy seminars" or similar programs, valuable though they may still be. We might instead apply that committee's insight that training should be integrated into routine practice: "The general success of interventions such as computerized reminders suggests that knowledge delivered in the context of daily patient care and for the assistance of problem solving is where C[ontinuing] E[ducation] should focus in the future."(8)
Designing "privacy reminders," if you will, into information management applications themselves might help continually to reinforce awareness of privacy as a value as people carry out their various tasks of gathering, transferring, accessing identifiable health data on a day-to-day basis.
Mentors and role models within institutions and organizations might play a vital role in creating conditions for trusting that their institutions take seriously the task of balancing institutional goals, day-to-day information management, public needs, and respect for the privacy of individuals who entrust personal health information to them. Having one or more colleagues who routinely exemplify good privacy practices helps to build a culture of discernment, whatever the individuals' function within the organization. The contributions of such individuals to the moral culture of the organization should be recognized.
Institutionalizing the role of "privacy officer" can also help to foster the desired awareness and signal the institution's commitment to respecting the privacy of identifiable health information. But the strategy is double edged: if the goal is to nourish a culture of respect for persons and for privacy, symbolically segregating privacy protection as a discrete function may risk undermining the very organizational ethos it is intended to support.
Codes of ethics, of which there are many among the various professions and organizations involved in generating and managing health information, equally play a role in creating and sustaining the moral culture of a profession or organization. They are "reflections of the morally permissible standards of conduct which members of a group make binding upon themselves."(9) Codes of ethics, that is, identify the moral values at stake in a domain of activity and articulate the broad principles of conduct that serve and protect those values.
Despite the fact that--unlike legal regulation--they are voluntary, codes of ethics do fulfill valuable functions. They help to create an environment in which ethical behavior, that is, conduct that conforms to and expresses the core values of the group, is the expected norm, not the exception. They provide a means by which a profession or group collectively acknowledges responsibilities--to fellow members and to those whom the profession serves. Codes demonstrate as well a group's commitment to ethics. And, of course, they offer moral guidance, not so much by providing specific rules of conduct perhaps, as by reminding us of what ethical considerations we must take into account in deciding how to act.
No code is ever fully self-explanatory. To provide broad moral guidance, a code of ethics is necessarily written in general terms that can apply to the many different situations in which individuals will have questions about what the ethical course of action is. At the same time they help foster discernment, that is, they call on those who subscribe to them to exercise that discernment in the process of specifying and interpreting the code in concrete situations.
The overarching goal shared by codes of ethics that are evolving for the health Internet is to create a trustworthy environment for those who use the Internet for health-related purposes. All stress among their core values the obligation to respect the privacy of individuals and to preserve the confidentiality of the information individuals provide. And all recognize that privacy is not the only value at stake but that it is the synergy among fundamental values that ultimately creates conditions for trust.
Trust has been steadily eroding across our health care and public health systems for many years, for reasons too complex to address here. Where trust has been undermined, the understandable response is to seek to specify all of our relationships in quasi-contractual terms, as explicit agreements about the particular acts we will or will not undertake. Calls to assure that individuals are empowered to make explicit decisions--to give or withhold their consent--about specific uses of identifiable health information are part of this larger process. It is an unfortunate consequence that can impede the pursuit of worthy social goals, a state of affairs that is itself further corrosive of trust.
Creating an environment in which trust can safely be given and accepted requires more than even our best technological ingenuity or the most fulsome legal regulations. A culture of trust that can sustain our common life together and provide a foundation for pursuing common goods requires an investment in the human dimension of the system. Understanding what privacy properly means and why it matters calls for skills of discernment and judgment that must be nurtured continuously.
1. 1. NCVHS, Toward a National Health Information Infrastructure, 2000. http://www.ncvhs.hhs.gov/NHII2kReport.htm; NCVHS, Shaping a Vision for 21st Century Health Statistics, 2000. http://www.ncvhs.hhs.gov; accessed January 2000.
2. 2. IOM, Protecting Data Privacy. National Academy Press, 2000.
3. 3. European Group on Ethics in Science and New Technologies, "Ethical Issues of Healthcare in the Information Society." Opinion 13, 30 July 1999, 2.1 Status of personal health data. Http://www.europa.eu.int; last accessed March 2000.
4. 4. IOM, Protecting Data Privacy, p. 5.
5. 5. IOM, Protecting Data Privacy, pp. 11-12.
6. 6. IOM, Protecting Data Privacy, Recommendation 5-2, p. 15.
7. 7. Centers for Disease Control and Prevention, Integrating Public Health Information and Surveillance Systems: A Report and Recommendations, 1995. Http://www.cdc.gov/hissb/docs/katz.htm; accessed 8 January 2000.
8. 8. Committee on Enhancing the Internet for Health Applications, Computer Science and Telecommunications Board, Networking Health: Prescriptions for the Internet. Washington, D.C.: National Academy Press, 2000. http://www.nap.edu; accessed January 2001.
9. 9. Olson AT. "Authoring a Code: Observations on Process and Organization." Illinois Institute of Technology, Center for the Study of Ethics in the Professions, nd. http://18.104.22.168/codes/coe/Writing_A_Code.html; accessed January 2000.