Every health care provider is aware of the ethical and legal obligations to protect the privacy, confidentiality, and security of patient health information. Today, that duty mainly involves the uses and disclosures of information in paper records, but most health record systems in the United States are about to undergo a dramatic change because the American Recovery and Reinvestment Act of 2009 commits substantial government resources to developing and implementing a nationwide system of electronic health records.
The shift to electronic health records raises a variety of important privacy issues. For example, in developing technical standards, policymakers need to decide what degree of control individuals should have over the content and disclosure of their health records. In addition, regulators must decide what, if any, rules beyond the current privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA) should govern electronic health information exchange.
Social networking sites have grown at an astounding rate. Facebook was launched in February 2004, and by July 2009, it had over 250 million users. Social networking sites are used widely – but by no means exclusively – by teens and young adults. Many of the users freely and unabashedly share intimate information, thoughts, and feelings about extremely personal matters with their online friends. Others post personal information on Web sites accessible to the public.
Is it possible to reconcile traditional notions of privacy, including informational health privacy, and the voluntary disclosure of extraordinarily private information, such as substance abuse, sexual activity, and health status? Assuming there is less public concern about privacy in general, it could be argued that it does not make sense to spend substantial amounts of time, money, and effort in safeguarding the privacy of health information. In particular, it could be asserted that privacy protection for the next generation of health records should take into account that many members of the younger generation of Americans now freely share details about highly sensitive matters with numerous friends or even strangers.
Before jettisoning long-standing public policy in the wake of newly emerging technologies and seemingly changing social mores, policymakers should consider the following five points.
First, postings on social networks do not necessarily reflect an “anything goes” attitude. Personal disclosures on social networks vary widely from the mundane to the outrageous. Some of the more exotic postings involve fictional accounts that do not accurately portray the off-line life of the individual.
Moreover, even less sophisticated users generally understand that it is inadvisable to post confidential information such as social security and credit card numbers. Users of several social networking sites also have strenuously objected to perceived commercial exploitation of their information.
Second, social networking as a means of self-revelation is novel. It is not clear that the popularity of the technology for disclosure of personal data will grow from or even remain as high as it is today. Consequently, it is venturesome to base long-term health information policy on a social phenomenon that may prove to be fleeting.
Third, there have been numerous reported incidents in which youthful users of social networking technologies who did not consider the consequences of disclosing personal information and details of indiscrete behavior later regretted posting material that adversely affected their educational opportunities, employment prospects, or social relations. Health information policy should not be based on ill-considered personal preferences that are likely to change.
Fourth, although certain Web sites, such as PatientsLikeMe, were expressly created for sharing personal health information among similarly affected individuals, even these sites provide privacy options. For example, PatientsLikeMe users are given a choice whether to limit access to their personal information to registered users or to make the information more widely available.
Fifth, legal standards and ethical guidelines traditionally have permitted individuals to decide whether to disclose health information to others and, if so, what information and to whom. Such policies are consistent with the ethical principles of autonomy, nonmaleficence, and respect for persons. In a pluralistic society it would be irresponsible to remove or lessen individual choice and base health information policy on dubious characterizations of a supposed decline in interest in health privacy.
Health privacy in its various forms, including informational privacy, has been a fundamental tenet of Western values and medical practice at least since the time of Hippocrates. Privacy and confidentiality protections encourage prompt treatment of health conditions and the full disclosure of medical and social information essential to effective care. Health privacy also protects individuals from the economic and social consequences of their health status. In short, it is difficult to imagine modern health care without strict privacy protections.
For individuals and entities unconvinced that health privacy is worth the cost in the electronic age, it is tempting to point to social networking as evidence that privacy is no longer valued and that stringent health privacy measures are unnecessary. Such a conclusion is unwarranted and jeopardizes the public support for and potential benefits of health information technology. It would be a grievous mistake for policymakers to abandon or lessen the traditional commitment to protect health privacy based simply on expediency or unsubstantiated assumptions about a generational shift in attitudes regarding privacy.
Mark A. Rothstein, J.D., is the Herbert F. Boehl Chair of Law and Medicine and director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine.