Tele-Medicine and Patient Confidentiality

(without three figures and four endnotes)

by

Michael J. O'Hara, J.D., Ph.D.

Finance, Banking, and Law Department

College of Business Administration

University of Nebraska at Omaha

Omaha NE 68182

voice 402-554-2823

fax 402-554-2680

mohara@unomaha.edu

 

presented at

 

Academy of Legal Studies in Business

70th Annual Meeting

Saint Louis, Missouri

August 4 - 7, 1999

 

ABSTRACT: Patient confidentiality is the keystone for the trust necessary for medical care. The Internet creates new opportunities for medical treatment and medical research. These new opportunities in turn create new vehicles for old evils. Existing medical security protocols neither anticipate behaviors considered normal by computer users nor facilitate these new opportunities while preserving patient confidentiality. This paper will explore parameters for future medical security protocols needed to serve treatment and research environments including Internet access to patient information.

NOTE: This is a thought piece to help scope out a research project which is under funding consideration by the American Board of Radiology. Comments of either a global or a minute nature are most welcome.

 

© 1999 O'Hara

 


INTRODUCTION

Where are your medical records? Are they in your doctor's office? May your doctor choose to use an off-site warehouse? Must the warehouse be in the same State as your doctor's office? May your doctor digitize your records? May your doctor contract with firms in foreign countries to transcribe your medical records into digital formats? Are such foreign firms legally bound to respect your doctor's confidentiality obligations?

Such questions are beginning to plague medical record keeping in the information age. These questions assume righteous providers in the pursuit of efficiency. Are the questions changed if we assume nefarious characters? If you were foolish enough to run for President, would you also be foolish enough to assume your medical records were safe? Especially if those records had been digitized?

Today's high tech medicine is information intensive. That is one basis of its success. Mountains of information are gathered and stored about a patient's condition and treatment options, then multiple fields of medicine are activated to serve a patient's needs. Effective high tech medicine requires all relevant information to be immediately available in multiple physical locations. Accordingly, hospitals and clinics plunge into the information age often for the explicit purpose of digitizing and delivering relevant information to all care providers regardless of physical location.

This paper will focus on medical imaging as one form of medical information. Medical images are increasing in frequency and increasing in detail. Also, unlike most other forms of medical information, medical imaging is just now blossoming in terms of ease of copying and database storage. Previously, medical images were largely limited to single copy X-ray films. As the digital revolution comes to medical imaging it will prompt re-examinations of the protocols for protecting patient confidentiality.

Imaging is rushing towards digitalization. Perhaps you have seen General Electric's television ads for rapid, full-body scans that allow for visualization of discrete body systems, such as bones versus blood vessels versus 3D organ displays. Digital images can be mathematically tweaked to magnify sections of the image; also contrast and brightness can be altered to improve image quality. All of which is good for the patient. Another advantage of the digital image is that it can be called up at any computer linked to the hospital database, allowing for simultaneous access to information necessary for providing treatment services. The pathologist in the lab and the nurse on the floor and the doctor visiting with family all may use the images simultaneously. The single copy of static quality X-ray film need not be walked over the miles of hospital corridor.

However, two immediate problems are obvious. First, while a patient may have entered the emergency room because of a car accident, the full body scan now reveals other socially significant but (presently) medically irrelevant information, such as a previous face lift. Second, of course, while (well-run) hospitals have firewalls separating their intranet from the world's internet, there are floppy disks taken home. As a consequence, confidential medical images might be called up and viewed anywhere in the world. How? If either a careless technological neophyte or, worse, internal or external nefarious characters expose the confidential information to the internet, it will be impossible to restore confidence in the confidentiality.

EXPECTATIONS

New technology invariably surprises the law by defeating the reasonable expectations the law seeks to protect. Technology tends to change what a person feasibly can do as well as who feasibly can do it. Often, the law has problems with new technology since new actors begin to act in ways that the law prohibited for prior actors.

Chronically, technological evolution produces conflict between the expert and the ordinary person. They have wildly divergent expectations.

Typically, technological evolution starts in a confined space affecting not much more than the expert innovator. Within that confined space, new technology alters the feasible and thus the "efficient" for the expert. Also within that confined space, experts come to expect unimpeded access to the technology. Then, with or without fanfare (but almost certainly, in the USA, without prior legislative or judicial review) the new technology is unleashed upon broader vistas. Once upon broader vistas, spillover effects come into play.

Spillover effects are consequences experienced beyond the voluntary parties to a transaction. New technology always produces spillover effects. Quite often the spillovers are profoundly negative and/or positive. Experts attempt to anticipate and accommodate spillovers. However, typically, experts fail to anticipate many significant spillovers and, hence, the expert's initial calculation of "efficient" is in error.

In the parlance of contract law, unintended third party beneficiaries experience positive spillovers. Importantly, note that unintended third parties lack the legal standing to sue concerning either the addition or the deletion of a spillover unless and until the unintended third party has vested a legally recognized right. However, vesting is legally impossible in many circumstances.

Negative spillovers are the province of tort law, but only when the spillover is unreasonable. In the USA the social policy analysis surrounding the calculation of "unreasonable" is biased in favor of individual freedom and in favor of technological change. Thus, tort law will characterize fewer negative spillovers as unreasonable. In effect, a reasonable person would expect technological evolution and its spillovers.

Who is the "reasonable person" has been and continues to be a major debate in the law. Moving from the "reasonable man" to the "reasonable person" was not a minor change with no more significance than "political correctness." Additionally, the Uniform Commercial Code's distinction between "merchant" and "consumer" is another variation of reasonable person. What rules govern a transaction are dependent upon who is the standard for the reasonable person. Neither the judiciary nor the legislatures have been consistent in evaluating new technologies from the perspective of the expert or of the ordinary person.

Once new technology is unleashed upon broader vistas, the divergent expectations are brought into conflict. The expert assumes "everyone" knows of and anticipates the new technology (that by now is "old" to the expert). In contrast, the ordinary person might be vaguely aware of the new technology's whizbang, but tends to blithely assume old relationships will not be altered by the new technology. However, since new technology changes what and who is feasible, the ordinary person's blithe assumptions usually are defeated.

TRANSMISSION

The traditional and ordinary transmittal of confidential medical information is relatively straightforward. A person who has lawfully obtained custody of the information does so either via a contract with the patient or via a subagent's contract. Accordingly, the lawful custodian is under an obligation to maintain the confidentiality, and if the lawful custodian makes a transmittal, then the lawful custodian will be vicariously liable for the recipient's failure to maintain the confidentiality. These rules work because there are a limited number of likely senders and receivers and each is very likely to know of and respect confidentiality.

However, with new technology the number of actors is greater and their predictable knowledge is less. For an example let's use the transmission, in a digital form, of the same confidential medical information. Further, let's compare the use of the internet, rather than a dedicated line.

Figure 1: TRADITIONAL MEDICAL IMAGING RELATIONSHIPS (figure not included)

Figure 2: TRADITIONAL HOSPITAL RELATIONSHIPS (figure not included)

Figure 3: DIGITAL MEDICAL IMAGING RELATIONSHIPS (figure not included)
The ordinary situations can be seen in Figure 1 and in Figure 2. The internet situation can be seen in Figure 3. Simplicity and a narrowly defined array of recipients are the hallmarks of Figure 1 and Figure 2. Complexity and a very broadly defined array of recipients are the hallmarks of Figure 3. [Note, in all three figures I did not include third party payors (e.g., insurance companies). The addition of third party payors makes Figure 1 and Figure 2 slightly more complex, but as long as none of the communications are digital, these figures are not substantially different. However, Figure 3 would be substantially different in terms of the scope of the porous boundaries with the addition of third party payors.]

Transmission of medical data over the internet grants many new persons custody of the medical data without also imposing legal obligations on the new custodians. The net is made up of millions of interconnected computer systems and the data will seek the most efficient path between the points of origin and destination. On the internet, the sender cannot (easily, if at all) specify the path between the point of origin and destination. A communication from Saint Louis, Missouri to Kansas City, Missouri may take the route St. Louis/Paris/Toronto/Kansas City or it may go St. Louis/Kansas City. In fact, if it is a digitally large communication, such as a high definition digital image, then portions of the communication may go by one path and the remainder may go by another path. At each node along the path, at a minimum, a temporary copy of the data will exist. Additionally, many of these computer systems routinely back up the entire contents of the system at set intervals for security purposes. Thus it is likely that an archival copy will be made and retained at some node.

The existence of multiple copies is not per se a problem. Problems arise from the patient's lack of consent, the patient's lack of knowledge of the existence of and/or location of the copies, and, most importantly, the custodian's lack of legal obligation to maintain the confidentiality of the information.

VERY BROAD LAW

Existing State laws clearly address the doctor's and the hospital's obligations. Existing federal laws and regulations address the hospital's obligations. Both extend vicarious liability for knowing and/or unreasonable releases.

The internet's physical operations are beyond the expectations of the ordinary person, doctor, and hospital staff (outside of the hospital's information technology department). The ordinary person will rely upon their expectation of the telephone's point to point security (especially given the ubiquitous modem dial up access to the internet).

An unclear question is whether a doctor's or hospital's ignorant release over the internet is per se unreasonable. Note that most releases will be ignorant, and most releases will have no impact on the patient since the new custodian will neither be aware of the custody nor be looking for the meaning in the data. However, patients can suffer significant losses due to such ignorant releases, either from nefarious characters actively seeking out security lapses for confidential medical information or from those that merely relay curious information. An example of "curious information" would be release of a celebrity's body scan. The person doing the release may have no knowledge that the scan reveals socially significant information about the celebrity.

Confidential medical information always has been subjected to inappropriate release either by the custodian or by a thief. However, the porous digital boundary is different in degree and kind.

POROUS BOUNDARIES

When information becomes digitized the boundary between custodian and the world becomes substantially more porous.

First, digital copies can be made much more easily and the custodian need not be aware of the copying. It is physically possible to make a copy (typically inferior to the original) of an X-ray film. However, unlike the floppy disk, that technology is far from ubiquitous. Also, the original typically is stored under a sign-out protocol, requiring the person who appropriately obtains the original to appear before the primary custodian. While even minimal digital security systems (e.g., username and password) approximate security of a sign-out protocol, passwords are less protected than one's own body. This makes it easier to act as an imposter.

Second, the physical invasion of the digital thief can be over a phone line rather than through a broken front door, thus reducing the visibility of the invasion.

Third, there are fewer locks. Few doctors and hospitals would fail to install a door lock on a door leading to confidential information. However, fewer doctors than that would install the electronic equivalent of a door lock: a firewall. Most hospitals will have computer firewalls of varying strength.

Fourth, the essence of a digitized environment is multiple copies, which increases tremendously the difficulty of maintaining security. Given the "open design" of shared workspaces, such as in hospitals, the copies are more likely to be displayed in a semi-public environment. When effective viewing of an X-ray requires a wall mounted light box, the workspace tends to be more enclosed. Also, the display of the original tends to be more temporary as the film needs to be returned to its envelope for preservation of image quality, preservation of correct storage, and physical return to the primary custodian. In contrast, the computer display has none of these needs and thus is more likely to be left on display for any passerby to see long after the authorized viewer has finished.