
Cyber Medicine

Indian Pediatrics 2001; 38: 884-888  

The Information Highway: A Threat to Medical Confidentiality


S.K. Verma

From the Department of Forensic Medicine and Toxicology, University College of Medical Sciences, Dilshad Garden, Delhi 110 095, India.

Correspondence to: Dr. S.K. Verma, A-197, Ramprastha, P.O. Chander Nagar, Ghaziabad 201 011, India.

Communication is a basic link in the patient-doctor relationship. Successful communication of information improves the patient's understanding of the diagnosis and increases adherence to therapeutic recommendations and interventions(1). The ways and means of communicating information have changed with time. From the traditional face-to-face talk we have now advanced to computer-aided communication via the Internet, the "Information Highway" (IH).

Networking of four computers by the Advanced Research Projects Agency of the United States Department of Defense created the first Internet in the year 1969(2). In October 1990, a young scientist, Tim Berners-Lee, working at the European Particle Physics Laboratory in the Swiss Alps, produced the Internet's first browser, called World Wide Web (WWW)(3). During the last 10 years it has grown into an extensive network of computers spanning the entire globe. Initially, the facility was available to few due to the high cost of the hardware and software, but now it has broken all barriers and is available to millions of people all around the world. The Internet has now reached a stage where practically every aspect of human life, including health, law, entertainment, communication, commerce, science, etc., is represented in some form or other. The current Internet users worldwide number around 140 million, and in our country the estimated number is about 15 million. These figures are changing rapidly due to the tremendous popularity currently enjoyed by this technology. It is estimated that the number of net users worldwide will grow to 350 million by the year 2003(3). Gross estimates also indicate that a quarter of the data on the Internet is health related and about one third of surfers are searching for this information(4). A large percentage of such users are medical professionals, who utilize the Internet not only for quick access to medical information, but also to communicate with and advise their patients while sitting in their home, clinic or chamber, at the click of a mouse. The proliferation of electronic data within the modern health information infrastructure presents significant benefits to health care providers and patients, including enhanced patient autonomy, improved clinical treatment based on advances in health research, public health surveillance and modern security techniques(5).
However, there are some reservations about this technology, such as: (a) quality of information; (b) limited availability in local languages; (c) emergence of new syndromes; (d) self-medication hazards; (e) increased consumerism; and (f) increased litigation(6). In this context, one issue is that of medical confidentiality, which has posed a threat to the basic ethics of the doctor-patient relationship. Presently, a dozen countries worldwide have cyber laws, including India, where The Information Technology Act, 2000 was notified on October 17, 2000. But unfortunately, these also do not address the issue of medical confidentiality specifically, although they have provisions related to breach of confidentiality and privacy. To overcome this lacuna, the US Congress has even proposed enactment of comprehensive medical legislation. The initial draft of the said legislation was recently made available for public comment(7).

Medical Confidentiality

Medical confidentiality has been regarded as one of the basic ethics for a physician since ancient times. It was perhaps Hippocrates who first described medical confidentiality as, "whatever, in connection with my professional practice, or not in connection with it, I may see or hear in the lives of men which ought not to be spoken abroad, I will not divulge as reckoning that all should be kept secret"(8). Presently, in the era of high-tech information technology, this environment of confidentiality is fast changing. The situation of one doctor, one patient and one medical file belongs to the past. Patients' records have become computer based, linked to clinical decision-making systems, and are accessible to subsequent health care providers irrespective of time and place(9). Health data about individuals are among the most sensitive types of personal information(10). Computerized databases of personally identifiable information may be accessed, changed, viewed, copied, used, disclosed or deleted more easily by more people (both authorized and unauthorized) than paper-based records(6). As access to patient records is not limited to those involved in health care delivery and patient management, the records can be retrieved and used secondarily for different purposes like: (a) education (classroom teaching and conferences); (b) regulation (limitation, post marketing surveillance and accreditation); (c) commercial enterprises (development of biotechnology and marketing strategies); (d) social services and child protection (medical records of spouse or child abuse); and (e) public health services (reports on disease mortality and morbidity, partner notification and surveillance)(10). Since each searcher has a different aim in searching the vast amount of health and personal information available on the information highway, there is every likelihood of a breach in privacy.
For example, millions of patients' records are scrutinized each year by pharmaceutical benefit management (PBM) companies that have an overt financial interest in manipulating prescribing practices(11). Patients are usually not told that these entities have access to their records. A recent survey suggests that they would object if this was brought to their knowledge(12).

Electronic mail (e-mail) is gaining popularity in our country as well, though in recent years its use has increased dramatically in the western and developed world(13). E-mail can be an effective communication tool with the advantage that it: (a) circulates information efficiently; (b) enables thoughtful exchanges of medical information; (c) allows authorized receivers to save messages electronically or in paper form; and (d) can be linked to other educational websites(14). However, e-mail in the medical context not only generates liability concerns but also raises serious questions about privacy, confidentiality, authenticity of authorship and patient consent(14). E-mail poses a threat to confidentiality as others can intercept unsecured e-mail en route. Anyone having access to a doctor's e-mail account can access, alter and even respond to an e-mail with the illusion of authority.

Another area of concern, apart from electronic patient files and e-mail, is telemedicine. Telemedicine uses communication technologies to deliver health care information and services between medical care providers and patients separated by geographical boundaries(15). Telemedicine improves the standard of clinical care for underserved populations, broadens access to speciality care and advanced technology, and facilitates clinical encounters and educational activities between physicians and patients(16). Yet it is also not free from the risk of invasion of the patient's privacy; e.g., patient-identifiable information can be sent in telemedicine over interceptable telecommunication links, with the risk of breaching patient-physician confidentiality(15).

Additionally, some physicians have established web sites for the purpose of paid diagnosis(17). Even though some of these sites invite transmission of specific, identifiable patient data, only a few doctor-operated sites are protected by secure servers or encryption technology (software that scrambles the message in transit and requires an authentication code for both transmission and reception, so that the data/message can be sent or retrieved only by authorized persons and not by anybody else)(18). Thus, there are fair chances of a breach in confidentiality even in web communication. Even though technological safeguards in electronic communication, like encryption software, can render electronic messages relatively secure, technology alone cannot ensure its legal and ethical use in medical practice. Thus, a physician should adhere to legal and ethical standards while communicating electronically. The American Medical Association (AMA) has suggested guidelines for its members for AMA web sites(19).

Physician’s Role in Medical Confidentiality

The sensitive nature of medical information makes it more deserving of special protection. The duty to preserve confidentiality resides with the holder of the record, which may not be limited to a single primary care physician alone(20). Medical files are never free from undue access. The risk is more pertinent with electronic patient files. This risk has the potential to disrupt the fiduciary relationship between the patient and doctor, rather than supporting it(21). Thus, the physician who uses electronic files and e-mail must take reasonable precautions to avoid exposing the patient's data, especially data related to identity, to unauthorized entities. Moreover, physicians should caution patients against using e-mail for those matters that patients themselves would not wish to be available to payers, employers and others(18).

The patient should be made aware of the potential risks and benefits of using electronic communication methods. Further, patients should be informed about the potential ramifications of e-mail use, storage and retention, prior to agreeing or declining. It is always advisable to obtain informed consent from the patient prior to communication via electronic means. Different countries have enacted laws to maintain communication privacy, such as the Electronic Communications Privacy Act of USA, which also includes electronic communication. The consent form should have all the necessary details of the methodology and the pros and cons of the technology. While sending a consulting e-mail to a colleague, physicians should refrain from mentioning several cases in one message and may submit unrelated personal messages under separate cover. All patient-related e-mail messages should be notified as confidential(10). Physicians who are not prepared to respond to e-mail regularly may decide not to offer this facility to their patients. Privacy has been found only where the sender and recipient have exclusive access to their messages, with no risk whatsoever that anyone else could retrieve the information. On the Internet, the gateways a message passes through are numerous and often unpredictable prior to transmission, and the providers of online services may have access to the messages of their subscribers without specific warning. Yet there is a strong social expectation of confidentiality in electronic communication, which could ultimately be legally enforced. So, physicians should raise their voice individually as well as collectively (through professional associations/societies) to keep this issue of medical confidentiality in the cyber laws of their country. India is among a dozen countries of the world, and second in the whole of Asia, to have an Information Technology (IT) Act (cyber-related law). The act was passed by Parliament on May 17, 2000, and got the President's approval on June 9, 2000.
The act came into force on October 17, 2000, when the Government issued a notification to this effect, giving legal sanctity to e-documents. Section 72 of the act, which deals with breach of confidentiality and privacy, states: "Save as otherwise provided in this act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both"(22). But this act is also silent on the special nature of medical confidentiality. Thus, until it is incorporated in the act, physicians should adhere strictly to the basic principles of medical confidentiality in order to avoid ethical as well as legal repercussions.

Concluding Comments

The information highway has created a new social relationship between patients and physicians. The traditional human contact used to develop trust and render a medical diagnosis might be replaced by electronic and impersonal means. Communication via electronic means may be legal, efficient and even cost effective, but it is bound to reshape the way medical care is delivered. Physicians and patients alike will resist and perhaps alter their expectations of face-to-face or voice-to-voice medicine(18). At present there are fair chances of a breach in the patient's confidentiality while interacting through the Internet, e-mail and the web, though this can be minimized by greater vigilance while communicating electronically. Adequate legal protection of personally identifiable health data is necessary to facilitate the transmission of electronic data through e-mail, telemedicine and other routes. Existing legal safeguards are, however, inadequate and fragmented, with major gaps in coverage. Thus, while communicating electronically, it is pertinent for a doctor to adhere to the ethical principles pertaining to the patient-physician relationship. Further, enactment of a comprehensive and uniform cyber law related to the following should be considered to safeguard the patient's right to privacy: (a) the unique status of identifiable health information; (b) providing privacy safeguards based on fair information practices; (c) empowering patients with information and rights of consent; (d) limiting the disclosure of health-related data; and (e) incorporating industry-wide security protections(5).

Funding: None.

Competing interests: None stated.

Key Messages

  • The information highway is fast changing the ways and means in which information is required, used, disclosed and stored in the health care delivery system.

  • In spite of the numerous advantages of the information highway, there are a few reservations about this fast-track technology.

  • Breach of medical confidentiality is one of the most litigation-prone areas of information highway use in the medical field.

  • In order to preserve the patient's autonomy and minimize litigation, there is a need to strengthen medical ethics, use technology that ensures the patient's confidentiality, and make provisions in cyber laws related to medical confidentiality.

 

References

1. Bertakis KD. The communication of information from physicians to patients: A method for increasing patient retention and satisfaction. J Fam Pract 1977; 5: 217-222.

2. Inderjit IK, Nagpal S, Roy N. Medicine and the Internet: A survey of the information highway. Natl Med J India 2000; 13: 139-200.

3. Sen A, Chaudhari PP. Man who spins the World Wide Web. The Hindustan Times, October 13, 2000.

4. Dobson R. Medical revolution is underway on the net. Times of India, December 17, 1999; p 15.

5. Hodge JG, Gostin LO, Jacobson PD. Legal issues concerning electronic health information: Privacy, quality and liability. JAMA 1999; 282: 146-171.

6. Passi GR. Cybermedicine: Promises and perils. Indian Pediatr 2000; 37: 481-485.

7. Office of Secretary, Department of Health and Human Services. Standards for privacy of individually identifiable health information. 64 Federal Register 59918-60065(1999). http:\\www.access/gpo.gov/su_docs/aces/140.html.

8. Knight B. Legal Aspects of Medical Practice, 5th edn. Edinburgh, Churchill Livingstone; 1992; pp 4-5.

9. Abbing HR. Medical confidentiality and electronic patient files. Med Law 2000; 19: 107-112.

10. Gostin L. Health care information and the protection of personal privacy: Ethical and legal considerations. Ann Intern Med 1997; 27: 683-690.

11. Rosoff AJ. The changing face of pharmacy benefits management. St. Louis University Law J 1998; 42: 1-53.

12. Appelbaum PS. Threats to the confidentiality of medical records: No place to hide. JAMA 2000; 28: 795-797.

13. Kane B, Sands DZ. Guidelines for the clinical use of electronic mail with patients. J Am Med Inform Assoc 1998; 5: 104-111.

14. Borowitz SM, Wyatt JC. The origin, content and workload of e-mail consultations. JAMA 1998; 280: 1321-1324.

15. Bashshur RL. On the definition and evaluation of telemedicine. Telemed J 1995; 1: 19-30.

16. Sanders JH, Bashshur RL. Perspectives: Challenges to the implementation of telemedicine. Telemed J 1995; 1: 115-123.

17. Greene J. Sign on and say "ah-h-h-h". Hosp Health Network 1997; 71: 45-46.

18. Spielberg AR. On call and online - socio-historical, legal and ethical implications of e-mail for the patient physician relationship. JAMA 1998; 280: 1353-1359.

19. Guidelines for AMA Web Sites. JAMA 2000; 282: 1602-1607.

20. Gostin LO. Health information privacy. Cornell Law Rev 1995; 80: 451-527.

21. Abbing HR. Medical confidentiality and electronic patient files. Med Law 2000; 19: 107-112.

22. The Information Technology Act 2000 (Act No. 21 of 2000). Delhi, Commercial Law Publisher (India) Pvt. Ltd., 2000.
