
Neurodiagn J.

52:34-41, 2012
ASET, Missouri

Ethical Considerations in Internet Use of Electronic Protected Health Information
Jacquelyn M. Polito, R. EEG T., RPSGT, RST, MHA
Neurology Department
South Shore Hospital
Weymouth, Massachusetts

ABSTRACT. Caregivers, patients, and their family members are increasingly reliant on social network websites for storing, communicating, and referencing medical information. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule seeks balance by
protecting the privacy of patients' health information and assuring that
this information is available to those who need it to provide health care.
Though federal and state governments have created laws and policies to
safeguard patient privacy and confidentiality, the laws are inadequate
against the rapid and innovative use of electronic health websites. As
Internet use broadens access to information, health professionals must
be aware that this information is not always secure. We must identify
and reflect on medical ethics issues and be accountable for maintaining
privacy for the patient.
KEY WORDS. Autonomy, beneficence, confidentiality, electronic
health records, ethics, Health Insurance Portability and Accountability
Act (HIPAA) Privacy Rule, Internet, medical information, nonmaleficence, online, patient privacy, protected health information, social
network.

INTRODUCTION
The explosion of technological advances in Internet usage for storing, communicating, and referencing medical information has undeniably enhanced patient care
and, concomitantly, created a slippery slope of ethical-legal considerations.

Received: July 20, 2011. Accepted for publication: September 20, 2011.


ELECTRONIC PROTECTED HEALTH INFORMATION


It is widely accepted that patients have the right to obtain and control their medical
records, including who gets to see the records and to what extent. Key questions
necessarily arise regarding who will be responsible for maintaining confidentiality,
how will confidentiality be monitored, and who will be held accountable for breaches
and to what degree. In addition, will caregivers be able to trust that records given to
them by patients are up-to-date and complete, without crucial omissions or alterations that patients may not wish current or future caregivers to see? How will patients
who are storing personal health records on websites built for that purpose be assured
of privacy and confidentiality? How much patient information should be shared by
caregivers on public social network websites?
Physicians, technologists, and other healthcare professionals increasingly access
the Internet to obtain the latest developments in disease management and to discuss
treatment options with colleagues. How can they be sure of the integrity and security
of the information obtained in this manner? Internet use broadens access to information and permits links and associations that are not always secure. Internet transmission of medical information can be retrieved, copied, and retransmitted by anyone
with access and passwords. How will this access affect the level of trust between
patient and caregiver, as well as safeguarding privacy?
This paper will illuminate some of the ethical concerns arising with the dizzying
increase in online access to and sharing of medical information and how these
concerns have been addressed thus far. In fact, many of these concerns have yet to be
brought before the court system (Weiss 2004). In many cases, new precedents have
yet to be set with regards to conflict resolution arising from the expansion of Internet
use for medical information.

Conservative estimates are that there exist hundreds of thousands of World Wide
Web sites that are used by 90% of physicians and 86% of adults with Internet access
to obtain medical information. These websites vary widely in degrees of quality and
accuracy (Harrison and Lee 2006). For example, one study compared information
from 60 websites on childhood diarrhea to recommendations from the American
Academy of Pediatrics and found that 80% of those sites contained inaccurate information. Furthermore, most medical health websites are sponsored by large drug and
durable medical supply companies who pay large sums of money for endorsements
(Anderson and Goodman 2002) creating opportunities for conflicts of interest.
THE PRIVACY RULE
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by
Congress in 1996. Title I of HIPAA protects health insurance coverage for workers
who change or lose jobs. Title II requires the establishment of national safeguards for
electronic healthcare transactions and creates provisions for the safety and privacy of
health information. The HIPAA Privacy Rule, enacted in 2003, is further divided into
several essential sections, including:


• The Privacy section, which protects patients' privacy and provides patients access to their medical records.
• The Security section, which includes:
    o An Administrative component, requiring formal documented practices, security measures to protect data, and policies and procedures to regulate the conduct of personnel in protecting data.
    o A Physical Safeguards component, protecting computer systems and network systems from physical intrusion and hazards.
    o A Technical Security Services component, regulating the safety and security of stored data on the network.
    o A Technical Security Mechanisms component, addressing how protected health information (PHI) is transmitted by encryption over a communication network such as the Internet (Pozgar 2007).
HIPAA seeks to balance protecting the privacy of patients' health information and
assuring that this information is available to those who need it to provide health care,
payment for care, and for other important purposes (Office for Civil Rights 2011).
Moreover, the Office for Civil Rights (OCR) specifies that "a central aspect of the
Privacy Rule is the principle of 'minimum necessary' use and disclosure. A covered
entity (such as medical facilities and their staff) must make reasonable efforts to use,
disclose, and request only the minimum amount of protected health information
needed to accomplish the intended purpose of the use, disclosure, or request." The
Rule does grant authorization to disclose health information with the individual's or
a personal representative's written permission (Office for Civil Rights 2011).
Additionally, there exist many other laws and regulations at both the state and
federal level regarding the privacy and confidentiality of medical information. One of
the most important of these is the Privacy Act of 1974, in which Congress mandates
that "the privacy of an individual is directly affected by the collection, maintenance,
use, and dissemination of personal information" and that the right to privacy is an
individual's Constitutional right (Klemens 2008).
Indeed, the regulatory framework can be a seemingly chaotic tangle of laws and
policies by local, state, and federal agencies. Several of the most important of these
rule-making organizations include The Joint Commission, the Office of the Attorney
General, the Centers for Medicare and Medicaid Services (CMS), and the Occupational Safety and Health Administration (OSHA) to name a few. All these layers
of regulatory agencies impact legal decisions in the court systems and vice versa,
as well as impacting how health providers deliver care. Moreover, technologists
and healthcare providers must be knowledgeable of their own facility's policies and
procedures with regards to privacy and security.
With such ambiguous wording and layers of potentially confusing regulations,
therein lies the capacity for different interpretations and misunderstandings among

healthcare providers, patients, and their families. The following case example illustrates the need for greater clarification, education, and regulation regarding sharing
health information electronically. Identifying information has been changed to
protect participants' privacy.
CASE REPORT
In late 2009, Ms. R, a previously healthy, 49-year-old female, suffered a left
hemispheric closed head trauma, resulting in coma. She was brought to one of the
most highly-respected neurological intensive care units in the United States. While
there, her family set up a journal on the hospital's sponsored website, similar to
carepages.com, caringbridge.org, or mylifeline.org. Friends and family could post
well-wishes and words of encouragement during the patient's recovery. After
creating a user name and password once, a user can access any patient's established
journal by typing in a patient's name.
Ms. R was the charismatic manager of a popular venue where many famous
performers have appeared. As word spread of her unfortunate condition, many people
began accessing the site; in part, drawn by a fascination for journal entries made by
several celebrities. In addition, there were several entries signed by a person identifying herself as Ms. R's nurse, with her first and last name, email address, credentials,
and the name of the hospital.
The nurse's stated purpose of these entries was to post updates on Ms. R's condition and included detailed references to course of treatment and neurological status.
The nurse's notations also included that the patient was on a ventilator, responded to
noxious stimulation, and showed signs of unilateral weakness. In one post, she
encouraged anyone to come by during her shift and ask questions. She added that
Ms. R's sibling had given her written permission to share "any information with
everyone so please feel free to ask me anything."
Did the sibling really know what she was giving away permission for and understand the potential ramifications of her decision? Perhaps her worry and loneliness
over her sister's condition clouded her judgment. As a professional, should the nurse
know better than to accept such permission and use it to invite the electronic world
into Ms. R's hospital room? What policies does this hospital, or any hospital, have
with regards to patient privacy and how much education and accountability is
required of staff? Clearly, it is the responsibility of each of us as technologists,
nurses, physicians, and other healthcare professionals to develop and comply
with comprehensive patient privacy policies, especially with respect to the rapidly
growing capabilities of Internet technology.
Prior to Ms. R's hospitalization, she had secured money from investors to purchase
her own venue. One of the investors expressed the desire to withdraw his investment.


The investor's decision was based on the neurological deficits described by the nurse,
one who is perceived to be close to the scene and trusted as having advanced medical
knowledge. What are the consequences for Ms. R's future earning potential if her
investors consider her a bad risk? What of potential insurers, since Ms. R was intending to change employment, who can and do access this type of information to screen
for high-risk customers?

ETHICS ANALYSIS
Ethics can be defined as a subjective standard of behavior guided by moral values,
in sharp contrast to law, which is an objective rule of conduct or action. Ethics
addresses issues about "whether an action is good or bad, right or wrong, appropriate
or inappropriate, praiseworthy or blameworthy" (Anderson and Goodman 2002).
The nurse in the above example potentially did nothing wrong legally, but were her
actions appropriate? In considering the general principles of the HIPAA rule, were
the disclosures, albeit made with written permission from a family representative
while Ms. R was incapable of speaking for herself, the "minimum necessary to
provide health care, payment for care, and for other important purposes"? Should
written permission grant carte blanche in sharing information?
In Ms. R's case, one can propose that the harm of disclosure (loss of trust by her
investors and possible inability to be insured by a new carrier of her choice if she
becomes a business-owner) outweighs the benefit (words of encouragement for a
comatose patient who cannot read them just yet).
One of the most widely used frameworks for identifying and reflecting on medical
ethics issues is The Four Principles Approach developed by authors Beauchamp and
Childress (2001). These four principles are general guidelines for moral decision-making in health professions and are briefly outlined below:
Respect for Autonomy
Healthcare professionals must respect the decision-making capacities of autonomous persons, enabling them to make reasoned, informed choices. In the case of
those of limited, compromised, or diminished autonomy, such as a child or comatose
patient, respect should be given to what decisions would render the least risk of harm
and the most likelihood of benefit (Beauchamp and Childress 2001). Had Ms. R been
able to speak for herself, she may not have wished that such confidential information
be posted for possible investors to know. Furthermore, consideration must be given
to what the patient most likely would have chosen if decision-making capacity was
not diminished, regardless of whether the health professionals or family members
agree with it.

Beneficence
The healthcare professional should balance the benefits of treatment against the
risks and costs. Beneficence "asserts the duty to help others further their important
and legitimate interests" (Beauchamp and Childress 2001). While well wishes and
expressions of concern may have offered great comfort to the family, posting detailed
medical information on Ms. R's condition may have been detrimental to Ms. R's
livelihood and should not have been included. Ms. R was, in fact, discharged from
the hospital and began to resume her previous responsibilities.
Nonmaleficence
The healthcare professional should not harm the patient, where harm is defined
as an adverse effect on a patient's interests. Invasive procedures such as surgery or
simple needle sticks cause harm, and therefore, the benefit of the treatment must
outweigh the harm. For example, putting a comparatively healthy patient without
complicating co-morbidities at risk during a carotid endarterectomy would outweigh
the risk of stroke and possible death from not removing artery-blocking plaque.
Moreover, Beauchamp and Childress (2001) specify that the principle of nonmaleficence includes not "depriving others of the goods of life."
Justice
Benefits, risks, and costs should be distributed fairly and patients in similar positions should be treated in a similar manner. An injustice occurs when a benefit is
denied for no valid reason or when a burden is placed unduly on any particular person
or segment of society. Beauchamp and Childress (2001) reference examples throughout history of the inequality of the burdens of medical research falling on prisoners,
the poor or the mentally incompetent, while the more affluent portion of society
reaped the benefits. Two of the more heinous examples are the unwilling research
subjects in Nazi concentration camps and the 1940s Tuskegee syphilis study, which
used disadvantaged black men to track the untreated effects of the disease.
THE DANGERS OF SOCIAL NETWORKING
Social networking sites are gaining popularity at an astonishing rate. Of note, such
social networking sites have recently been in the news for unprofessional comments
made by medical students. A 2008 article cites online posts by medical students
who breached patient confidentiality by describing medical situations in which the
unnamed patient could be identified. In a poll of medical school administrators
nationwide, 60% said they were aware of unprofessional postings and 13% of those
postings contained breaches of patient confidentiality (Boyles 2008).


Furthermore, the use of social networking for gathering the latest medical information, for consulting medical experts on difficult cases, and for offering medical
opinions and advice has tripled. In one recent poll, nearly 86% of physicians have
acknowledged using the Internet for such purposes (Derse 2010). Remarkably, many
organizations that offer electronic health records, such as those by Google, Inc.
(Google Health), Microsoft Corporation (HealthVault) and others, are not required
to follow the rules of HIPAA (Wynia 2008). According to Internet Business Law
Services (IBLS) Internet Law, "any companies running health care sites can amend
or change their privacy policies at any time, without consent" (O'Connell 2008).
Moreover, privacy laws vary from state to state; a fragmentation that would make
legal resolutions difficult in an age of instant transference of medical information
around the world.

CONCLUSION
Without doubt, electronic medical information has many important advantages.
It can streamline patient care, cut costs, improve accuracy, prevent errors, keep caregivers informed in a quickly evolving field, and bring the latest, most specialized
information to more rural areas. If physicians are relying increasingly on Internet
consultations and since failure to consult is punishable by law, then not using the
Internet could have legal and ethical consequences for caregivers. Federal and state
governments have created laws and policies to safeguard patient privacy and confidentiality. Unfortunately, these are inadequate against the rapid and innovative use
of electronic health websites. Despite nearly two decades of burgeoning Internet use,
no online activities can be guaranteed absolute privacy. Clearly, these sites and their
usage must be closely monitored, yet by whom and how? As technologists and
healthcare professionals, we need to be ever mindful of safeguarding privacy, of the
uncertain integrity of information received, and of emerging policies and laws with
regard to Internet use of electronic protected health information with every patient,
every time. Much work remains to be done by technology systems, policymakers,
and healthcare organizations to ensure quality health care without compromising
patients' fundamental rights.
REFERENCES
Anderson JG, Goodman KW. Ethics and Information Technology: A Case-Based Approach to a
Health Care System in Transition. Secaucus, NJ: Springer-Verlag, Inc.: 2002.
Beauchamp TL, Childress JF. Principles of Biomedical Ethics: Fifth edition. Oxford: Oxford
University Press: 2001.
Boyles S. Med students put unprofessional info online. 2009. WebMD Health News. On the Internet
at: http://www.medscape.com/viewarticle/709406 Accessed February 2010.


Derse AR. Social media consults may harbor dangers. Feb. 8, 2010. American Medical News.
On the Internet at: http://www.ama-assn.org/amednews/2010/02/08/prca0208.htm Accessed
February 2010.
Klemens J. Ethical considerations of privacy and cyber-medical information. March 2008. On the
Internet at: http://ezinearticles.com/7Ethical-Considerations-of-Privacy-and-Cyber-MedicalInformation&id= 1077289 Accessed February 2010.
Harrison JP, Lee M. The role of e-Health in the changing health care environment. Nurs Econ 2006; 24:283-88.
O'Connell K. Internet law - Internet medical records project not protected by federal privacy act.
IBLS Internet Law - News Portal. March 2008. On the Internet at: http://www.ibls.com/
internet_law_news_portal_view.aspx?id=2005&s=latestnews Accessed February 2010.
Office for Civil Rights. The HIPAA privacy rule and electronic health information exchange in
a networked environment. 2010. On the Internet at: http://www.hhs.gov/ocr/privacy/hipaa/
understanding/special/healthit/introduction.pdf Accessed March 2010.
Office for Civil Rights. Health information privacy. 2011. On the Internet at: http://www.hhs.gov/
ocr/privacy/hipaa/understanding/consumers/index.html Accessed July 2011.
Pozgar GD. Legal Aspects of Health Care Administration: Tenth edition. Sudbury, MA: Jones and
Bartlett Publishers, 2007.
Weiss N. E-mail consultations: clinical, financial, legal, and ethical implications. Surg Neurol 2004; 61:455-59.
Wynia MK. Electronic personal health records: should doctors worry? August 2008. On the Internet
at: http://www.medscape.com/viewarticle/57918l Accessed February 2010.

Copyright of Neurodiagnostic Journal is the property of ASET - The Neurodiagnostic Society and its content
may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express
written permission. However, users may print, download, or email articles for individual use.
