e-Ethics JUNE 2003
Stewards of Information, Stewards of Trust

Compliance with the HIPAA Privacy Rule—the privacy regulations under the Health Insurance Portability and Accountability Act—became mandatory on April 14, 2003. Many, however, have questioned the spirit or specific requirements of these regulations. Such questioning is a useful reminder that it is one thing to comply with regulations, and another to understand why we do so.

The motivation that law supplies for prescribed conduct is powerful, yet largely negative. That is, people normally want to "stay out of trouble" even if they lack enthusiasm for the law's requirements. Furthermore, regulations such as the Privacy Rule typically establish a minimum standard—a "floor" 1 —of acceptable conduct. From an ethical standpoint, there may be instances when a given law asks less than we think morality requires. Healthcare practitioners and institutions may, and in practice often do, choose to establish policies and practices that go beyond what law demands.

Many have expressed fears that the HIPAA regulations will actually do harm, both to providers and to patients, and fail to do the good they are meant to achieve. Others endorse not only the intent but the likely impact of the Privacy Rule. Undoubtedly its merits as public policy will continue to be debated.

Closer to the ground, however, the Privacy Rule creates a clear and undeniable opportunity to promote ethically sound practice by everyone who is entrusted with patients' health information. "The extensive privacy regulations enforce the adoption of privacy-conscious behavior by caregivers and employees of hospitals and health care practices—an area in which medicine has historically been rather lax . . ." 2 Developing a deeper, more pervasive, more consistent awareness of the need to protect patients' privacy would mark a positive cultural change 3 in any healthcare organization, including Advocate—especially when that awareness is consistently translated into appropriate action.

Preserving patients' privacy and respecting the confidentiality of information they divulge have long been values central to health care. They are bedrock to the trust that is essential for the effective practice of medicine. While the focus of HIPAA is privacy of information, ethical concern for privacy also includes physical or bodily privacy. 4 Attending to patients' needs for physical privacy, e.g., by closing bedside curtains, covering exposed portions of the body, and knocking before entering a room, remains vitally important. Thus privacy should not be cast exclusively as a "HIPAA" concern, nor solely as a matter of protecting information.

At the same time, HIPAA's concept of privacy incorporates much that is normally discussed under the heading confidentiality. As "a subset of informational privacy," confidentiality protects privacy by preventing or restricting "redisclosure" of information that emerges in a confidential relationship. 5 In the Privacy Rule, obligations to protect confidential information and refrain from disclosing it without permission are addressed as privacy concerns, and measures that protect confidentiality are called "privacy protections."

Concerns about confidentiality and privacy matter because information about a person is an extension of the person; 6 health information "belongs," first and foremost, to that person. There are further reasons, particularly in a faith-based organization such as Advocate, to respect and protect a patient's privacy, and to comply with HIPAA regulations as one means of doing so.

Healthcare personnel recognize that patients can be vulnerable for many reasons. Their sense of control over their lives and health is often diminished, sometimes drastically. Because treatment often, if necessarily, involves exposure and invasion of the body, patients can feel that their dignity and privacy are continually compromised, or even under assault. Their vulnerability elicits our compassion and empathy—and it reinforces the importance of treating not only their bodies but their medical information with the respect that each person deserves.

Sometimes in fear and trembling, patients entrust themselves—their bodies, their personal information, and in a sense their very personhood—to clinicians and healthcare facilities in the hope of finding help and healing. Implicitly, they assume that those who care for them will be trustworthy stewards of their well-being—and will provide trustworthy care of their personal information as a dimension of that well-being. 7 To be a steward is to be entrusted with something that belongs to another. If compassion leads us to recognize and respond to patients' vulnerability, stewardship leads us to recognize that we are routinely entrusted with personal information that belongs to patients and not to us, information that is sensitive and subject to misuse unless it is carefully and diligently protected.

In Advocate, stewardship means that "we"—Advocate as a whole, its sites and services, its associates, and all who represent Advocate—are "accountable" for the resources given into our care. 8 One of those resources is trust, not only trust in Advocate or individual caregivers, but trust in the very enterprise of medicine, care, and healing.

On one hand, everyone with access to patients' information instantly becomes a steward of a specific body of information about a particular patient, a person "created in the image of God" 9 who may be helped or harmed by our management of that information. At the same time, everyone entrusted with personal health information instantly becomes a steward of a whole system of healthcare delivery and clinical practice—a system whose effective functioning depends on the trustworthiness of each clinician and every other "information manager."

Mismanagement of the information entrusted to us undermines patients' willingness to rely on this system, even their readiness to seek health care when it is most needed. Our trustworthiness is judged not only by what we do deliberately, by intention, but also by what we do or fail to do with patients' information through inadvertence or lack of sufficient attention to detail.

From this perspective the HIPAA privacy regulations are not only a bureaucratic requirement—sometimes an inconvenient 10 one—but a potentially useful if imperfect means to vital ends: enhancing patients' privacy, better protecting confidential information, and—perhaps even more—increasing the trust and sense of safety that patients experience when they are in our care.

1. George J. Annas, "HIPAA Regulations—A New Era of Medical-Record Privacy?" New England Journal of Medicine 348, no. 15 (10 April 2003): 1487.

2. Peter Kilbridge, "The Cost of HIPAA Compliance," New England Journal of Medicine 348, no. 15 (10 April 2003): 1424. Italics added.

3. See also Judith Miller, "What's the Big Deal about HIPAA Privacy?" HIPAA Legal Symposium (Advocate), 29 October 2002.

4. Tom L. Beauchamp and James F. Childress, Principles of Biomedical Ethics, 5th ed. (New York: Oxford University Press, 2001), 294.

5. Ibid., 304.

6. D. Gene Kraus, "Confidentiality in the United Church of Christ: Some Theological Reflections," Parish Life and Ministry Leadership Team (February 2002), 2.

7. Ibid.

8. Advocate Values.

9. Advocate Mission.

10. Miller, op. cit.

© 2003 The Park Ridge Center, all rights reserved.