Author's personal copy i n t e r n a t i o n a l j o u r n a l o f m e d i c a l i n f o r m a t i c s 8 2 ( 2 0 1 3 ) 1136–1143 journa l h omepage: www.i jmi journa l .com Giving patients granular control of personal health information: Using an ethics 'Points to Consider' to inform informatics system designers Eric M. Meslina,b,c,d,∗, Sheri A. Alperta, Aaron E. Carroll e,f, Jere D. Odell a,g, William M. Tierneyb,h, Peter H. Schwartza,b,c a Indiana University Center for Bioethics, Indianapolis, United States b Department of Medicine, Indiana University School of Medicine, United States c Indiana University Center for Law, Ethics, and Applied Research in Health Information (CLEAR), Indianapolis, United States d Philosophy Department, Indiana University – Purdue University, Indianapolis, United States e Indiana University Center for Health Policy and Professionalism Research, Indianapolis, United States f Department of Pediatrics, IU School of Medicine, Indianapolis, United States g IUPUI University Library, Indianapolis, United States h The Regenstrief Institute, Inc., Indianapolis, United States a r t i c l e i n f o Article history: Received 2 May 2013 Received in revised form 22 August 2013 Accepted 26 August 2013 Keywords: Electronic health records Ethics Medical records systems Computerized Patient access to records Physician–patient relations Privacy a b s t r a c t Objective: There are benefits and risks of giving patients more granular control of their personal health information in electronic health record (EHR) systems. When designing EHR systems and policies, informaticists and system developers must balance these benefits and risks. Ethical considerations should be an explicit part of this balancing. Our objective was to develop a structured ethics framework to accomplish this. Methods: We reviewed existing literature on the ethical and policy issues, developed an ethics framework called a "Points to Consider" (P2C) document, and convened a national expert panel to review and critique the P2C. Results: We developed the P2C to aid informaticists designing an advanced query tool for an electronic health record (EHR) system in Indianapolis. The P2C consists of six questions ("Points") that frame important ethical issues, apply accepted principles of bioethics and Fair Information Practices, comment on how questions might be answered, and address implications for patient care. Discussion: The P2C is intended to clarify what is at stake when designers try to accommodate potentially competing ethical commitments and logistical realities. The P2C was developed to guide informaticists who were designing a query tool in an existing EHR that would permit patient granular control. While consideration of ethical issues is coming to the forefront of medical informatics design and development practices, more reflection is needed to facilitate optimal collaboration between designers and ethicists. This report contributes to that discussion. © 2013 The Authors. Published by Elsevier Ireland Ltd. All rights reserved.  This is an open-access article distributed under the terms of the Creative Commons Attribution-NonCommercial-ShareAlike License, which permits non-commercial use, distribution, and reproduction in any medium, provided the original author and source are credited. ∗ Corresponding author at: IU Center for Bioethics, 410 West 10th Street, Indianapolis, IN 46202, United States. Tel.: +1 317 278 4034; fax: +1 317 278 4050. E-mail address: emeslin@iu.edu (E.M. Meslin). 1386-5056/$ – see front matter © 2013 The Authors. Published by Elsevier Ireland Ltd. All rights reserved. http://dx.doi.org/10.1016/j.ijmedinf.2013.08.010 Author's personal copy i n t e r n a t i o n a l j o u r n a l o f m e d i c a l i n f o r m a t i c s 8 2 ( 2 0 1 3 ) 1136–1143 1137 1. Introduction 1.1. Access to and control of health information by patients Determining how much information to give to patients about their medical care has been the subject of discussion for as long as there have been physicians, patients, and medical information. For close to three decades, bioethics scholarship and case law reflect a deliberate trend toward giving patients more information and more control over health decision making [1]. How much information to give, in what format, and by who remains a source of continuing interest, though [2]. With the advent of electronic health records (EHRs), in which data are stored electronically, transmitted via regional health information exchanges (HIEs) and accessed by many providers and insurers, the idea that within certain limitations patients should be able to control what information is made available to physicians has taken on greater urgency and complexity. More data and information about patients – which includes test results, genome analyses, prognoses, diagnoses, prescription patterns, admission or discharge plans – can be collected, stored, and accessed by more people than ever before [3,4]. This potential "tsunami of data" [5] may create several ethical and legal barriers [6], complicated by the different perspectives of physicians [7], patients [8], and consumers [9] about the proper scope of such control. Indeed, privacy issues alone are responsible for considerable commentary and reflection [10,11]. For instance, the Health Insurance Portability and Accountability Act (HIPAA) stipulates numerous uses and disclosures of health information that do not require patient authorization (e.g., for treatment, payment, and health care operations) that could result in the disclosure of information to dozens of recipients [12]. Asking patients to consider disclosure of information for all potential recipients/uses could prove overwhelming to them and detrimental to the health care system. For example, a patient might wish to restrict her cardiologist from seeing information regarding prior psychiatric treatment, or an individual who abuses pain killers might wish to block access by his family doctor to information about previous drug abuse or concurrently prescribed controlled medications. Patients might believe they have good reasons for exercising control given the selective history of discrimination in health care [13–15]. Whether the reasons are defensible or not, there are consequences, particularly for physicians to safely prescribe medications. 1.2. Ethical issues in the use of health information technology The purported benefits to patients and society from the use of health information technology have been well documented [16,17] though these benefits come with profound logistical, policy, and ethical challenges [18,19]. While some ethical guidance exists for using these new tools, gray areas remain, particularly at the intersection of personal health information and decision making [20]. Indeed, while it has recently been argued that it might be as ethically blameworthy not to apply such tools as it would be to apply them inappropriately [21], the available policy tools are not yet nuanced enough to guide ethical decision making. For example, the Health Information Technology for Economic and Clinical Health (HITECH) Act [22] includes additional privacy and security requirements over those mandated by HIPAA [23], but does not specify the scope of patient control. The President's Council of Advisors on Science and Technology (PCAST) 2010 report raised this point when it discussed, among other things, the need for "innate, strong, privacy protection on all data, both at rest and in transit, with persistent patient-controlled privacy preferences. . ." [24]. PCAST also recognized that there are risks of patients' exercising unbridled granular control of the information in the EHR. Developers of EHR systems and policies, therefore, must balance the benefits of granular control by patients with the risks of clinical harm to patients. Support for the idea of giving patients "granular" control also emerged from the U.S. Office of the National Coordinator for Health Information Technology (ONC), which indicated that patients should have a "greater degree of choice to determine, at a granular level, which personal health information should be shared with whom, and for what purpose" [25]. 1.3. Bioethics principles and fair information practices The idea of granular control is a logical application of many well-accepted ethical principles including respect for autonomy, beneficence, non-maleficence and justice [26]. For example, the argument for giving patients greater autonomy in decision making about medical treatment and research builds on developments over the past three decades aimed at supporting patient empowerment and informed choice [27–29]. At the same time, the argument for restricting the scope of control follows from a long tradition of benevolent paternalism in medicine [30]. Thus, granular control fits within the fundamental interest that individuals have in informational privacy, which is generally exercised, at least in part, through the ability to limit access by others to personal information [3]. Providing this type of control may be seen to re-balance the relationship between clinician and patient, to promote trust, and to enhance overall quality of care [31–33]. Similarly, granular control is a logical application of Fair Information Practices (FIPs), described originally in a 1973 report of the Department of Health, Education and Welfare's Secretary's Advisory Committee on Automated Personal Data Systems [34], and which have evolved over time [35]. The nine FIPs as described by the ONC are: individual access, correction, openness and transparency, individual choice, collection, use and disclosure limitation, data quality and integrity, safeguards, and accountability. Indeed, many versions of FIPs exist in the US (e.g., the Federal Trade Commission's FIPs, the ONC HIT FIPs), in countries other than the US (e.g., Canada's FIPs), and in non-national organizations (e.g., the Madrid Privacy Declaration [36]). Author's personal copy 1138 i n t e r n a t i o n a l j o u r n a l o f m e d i c a l i n f o r m a t i c s 8 2 ( 2 0 1 3 ) 1136–1143 2. Background 2.1. Accommodating patient control In its 2010 report, PCAST asserted that "The overarching goal is to have a national health IT ecosystem in which every consumer, doctor, researcher, and institution has appropriate access to the information they need, and in which these groups are served by a vibrant market of innovators." They went on to identify a set of mid-term goals for achieving this overarching goal including: "(1) Universal access by clinicians and patients to the current frontier of EHR functionality; (2) A robust platform for developers to create user interfaces, decision support, storage, and archiving services that will be broadly available to end-users and will not require major capital investments; (3) Seamless, user-transparent, cross-organizational data exchange; (4) Innate, strong privacy protection on all data, both at rest and in transit; and (5) Efficient means for the aggregation of de-identified data for public health and research purposes." [24]. In 2011, ONC funded several projects to study key components of EHR systems, one of which was awarded to investigators at the Regenstrief Institute and the Indiana University School of Medicine. The overall goal of the project was to focus on PCAST's mid-term goals 3–5 (above) by creating a system within an EHR browser that would restrict access to patient data based on patient preferences, the identity of the user, and metadata describing each EHR element. Providing both greater patient choice in information sharing and more precise querying by physicians can provide a means for balancing clinician access to key information and patients' desires for confidentiality, especially concerning sensitive data [8]. The environment in which this work took place was unique: the state of Indiana has a "real world" health information exchange that has been operating for over 15 years. The Indiana Network for Patient Care (INPC) includes more than 100 hospitals, clinics, public health departments, laboratories, radiology centers, physician practices, pharmacies, urgent visit centers, and payers, involving more than 12 million patients and 20,000 Indiana providers [37,38]. This project was designed as a collaborative effort involving experts in informatics, ethics, human factors, and medicine to combine three key components to support the ethical and user acceptability of the query tools: the application of Fair Information Practice Principles, the application of a human factors approach, and the development of an ethics framework to guide the design of the user interface. This manuscript focuses on the third product, the ethics framework. A common locus of many bioethics discussions about management of patient information is the emphasis on the clinical encounter between physicians and patients. Little attention, however, has been given to the upstream work being undertaken by experts responsible for designing EHRs, databases, query tools and other infrastructure to enable patients and physicians to make use of the potential for EHRs. Fortuitously, the Regenstrief Institute, whose faculty designed and were modifying the query tools and patient data browser for the INPC, and the Indiana University Center for Bioethics, whose faculty were designing the ethics framework, worked in the same building and had a prior history of research partnerships, enabling productive and regular collaboration. 3. Approach 3.1. The ethics framework/Points to Consider for system designers Our goal was to produce an ethics framework to guide those designing EHRs intended to accommodate granular control. We settled on a "Points to Consider" document (P2C), an instrument that we and others have used elsewhere [39–41] because it can be used both to identify issues and guide decisions about complex ethical, regulatory, and policy choices. The P2C consists of a set of key questions that frame an important technical (or ethical) problem, and a commentary reflecting on the factors that might help answer the question. The idea, borrowed from one of the first P2C's designed to help researchers respond to difficult ethical issues in recombinant DNA research [42], is for those using the P2C to attempt to answer the questions, and in so doing gain a deeper appreciation of the ethical tradeoffs. We assembled an internal team with expertise in philosophy, ethics, patient privacy, clinical medicine, and health policy to conceptualize the project and design the P2C. Given the emphasis of this project on an ethics framework our team did not include a legal scholar. However, we were mindful of the many legal and regulatory issues arising and for that reason commissioned a separate paper on the subject [43]. We met regularly with health informaticists and computer science experts at Regenstrief to share progress and solicit input – a process that occurred over nine months until a consensus document was produced. The draft P2C was circulated to an outside panel of national experts brought together for a one-day workshop in Indianapolis on February 29, 2012. Eleven individuals with backgrounds in law, health policy, technology, bioethics, patient privacy, advocacy and government regulations provided substantive comments on the content of the P2C and its potential usefulness, but were not asked to endorse or approve the final document (see Appendix). Additional input was sought from others who could not attend the expert panel meeting, as well as ONC program officials. 4. Results Below we provide a brief summary of the final P2C. A full report describing the process we used, more extended discussions of each point, and related material is available at: http://hdl.handle.net/1805/2936 [44]. Author's personal copy i n t e r n a t i o n a l j o u r n a l o f m e d i c a l i n f o r m a t i c s 8 2 ( 2 0 1 3 ) 1136–1143 1139 4.1. The Points to Consider 1. How will the system make transparent the uses and flows of clinical information so that patients can make informed choices about disclosing/restricting their information? This point encompasses at least three interconnected issues: • How will patients be told about the flows, uses, and users of their health information? • How will patients learn what information is contained in their EHR so they can appreciate what they are granting access to – a prerequisite for individual choices to be meaningful? • How will patients be assisted in understanding the meaning of the medical information in their EHR (e.g., terminology used in pathology, laboratory, and radiological tests/reports)? This point highlights the need to help patients understand what information exists in their EHR, who can view it, and how this information is used and disclosed, to allow them to make an informed choice about granular control. Without such understanding, the opportunity to exercise granular control is impossible. While the main focus of this point is on the FIP of openness and transparency, we recognize that achieving that transparency will involve educating patients about these topics. This issue is also addressed in P2C #3, below. Three ethically defensible options exist: i. Provide no education regarding what information exists in the EHR or the flow and uses of information besides the required, and fairly general, Notice of Privacy Practices. Patients will utilize whatever additional understanding they happen to have, including any misunderstanding, in exercising granular control. ii. Provide educational materials for patients to review before exercising granular control. These materials can be more or less specific or customizable to the literacy and interests of different patients. iii. Give all patients access to a trained educator or practitioner who can brief or tutor them on the EHR. 2. How will the system structure the array of choices patients can specify for disclosure and non-disclosure of their clinical information? This point asks designers to consider the many different ways that the choices for granular control can be structured and presented to the patient. First, this involves determining the level of granularity of the medical data involved. At one end of the spectrum, patients could be presented with the option of allowing or limiting access to each individual data element, such as a specific lab result or the clinical note relating to a single visit. The advantage of offering choices at this level of granularity is that it allows the individual to exert fine control. The disadvantage is the overwhelming number and variety of observations recorded in most EHRs. At the other end of the spectrum, the patient may be presented with only broad categories of data, such as being able to restrict access to all data relating to a single diagnosis (e.g. diabetes), date of service, person (e.g., clinicians, non-clinicians), treatment (e.g., prescription medications), area of medical care (e.g., data relating to endocrinology), and/or sensitivity of the data (e.g., reproductive health, mental health, substance abuse, or genetic information). It might be simpler for at least some patients to comprehend choices at these coarser levels of granularity. A similar range of granularity might apply to determinations regarding potential recipients of the data: the system could allow patients to determine access for individual clinicians, perhaps identified by name, or could allow broader choices, such as determining access for clinicians from an entire institution or specialty. Similar categories could be developed for non-clinicians (office staff, billing clerks, etc.). Finally, one could allow variable levels of granularity: some patients might wish to make decisions at a fine level of granularity, regarding data or providers, while others would prefer a coarser level. While this would provide the highest level of patient choice, it also would introduce another level of complexity to the decisions the patient would face and a level of complexity in educating the patient adequately to make an informed choice. It would also dictate the kinds and levels of metadata EHR developers would use to tag observations. Another option is for patients to choose a less granular standardized choice from a limited menu of options but could make requests for restrictions at finer levels as needed. 3. How will technologically and/or medically unsophisticated patients, or those with other challenges, exercise their choices for granular control of their information? This point considers issues of technological and medical literacy, as well as standard literacy, and the need to accommodate patients of varying physical/sensory abilities. Educating patients about these topics will be challenging, since it will require explaining medical science and terminology at least to some degree, as well as helping patients understand the range of providers who may be involved in their care who might be aided by information in the EHR. It may not be possible to make a system equally accessible, and their data equally understandable, for all individuals. Therefore, there exists an ethical obligation to ensure that a patient's capacity to exercise granular control is not dependent on their ability to read/speak English, be fluent in medical terminology, and/or be able to use a computer. Creative and practical methods will need to be considered to provide assistance to individuals with challenges in exercising access controls. Because the overall goal is to allow patients to express and record their information-sharing preferences, it is important that the options for doing so span a reasonably broad range of patient capabilities. In this case, that may mean that the system should be designed to accommodate various input methods. For instance, the system could: • Provide an electronic input option for choices to be recorded by the patient (and/or his representative) only, and be available in a variety of languages (at least English and Spanish); Author's personal copy 1140 i n t e r n a t i o n a l j o u r n a l o f m e d i c a l i n f o r m a t i c s 8 2 ( 2 0 1 3 ) 1136–1143 • Devise a two-step process for input, giving patients a paper form containing the choices available, which is then taken by a medical staff member to be recorded in the electronic system; • Provide other means for patients to learn about their options and indicate their preferences, for instance through discussion with a medical staff member (e.g., for those who have difficulty reading, or are sight-challenged) who would then record the patient's choices and preferences. 4. How will the system inform providers of a patient's preferences for data access/restrictions? This point acknowledges that providers also have a stake in the exercise of patient granular control. Fundamentally, the question asks whether a provider should be alerted in some way (e.g., by a notation in the EHR) that a patient has restricted access to at least some part of their EHR. Any answer has direct implications for the doctor/patient relationship, both in terms of trust and in the ability to adequately render care. For instance, while it is possible that most patients would want their primary care physician to have access to most or all of their medical record for clinical purposes, patients might prefer that medical specialists or allied medical professionals (e.g., an orthopedist or a pharmacist at the local drugstore) have less than full access to the entire record, for any number of reasons. While there may be practice issues that result from a provider having restricted EHR access, it is also true that this is largely the way in which providers practice medicine today – seldom does a single provider have full access to all of a patient's data, electronic or otherwise. The question becomes whether to inform providers that information has been restricted at the behest of the patient. Three options may be considered: • When a physician views the patient's EHR, the system will specify which information exists and is accessible, and which information exists but is being restricted due to the patient's prior preferences and privacy settings. • When a physician views the patient's EHR, the system will only display the information that is allowed by the privacy settings, without disclosing the existence of other information that is subject to access restrictions. • When a physician views the patient's EHR, a broad statement that information has been restricted would be provided without specifying which types of information are not accessible. 5. Under what circumstances/conditions will the system allow health care providers to access patient data in ways that may over-ride stated preferences for granular control? This point addresses access in emergency, life-threatening situations, although the prospect of non-emergency situations in which providers might want to override patient preferences also are addressed. Health care providers accept responsibility for the health and wellbeing of their patients and may feel that having less than full access to a patient's information will inhibit their ability to care for that patient or even cause harm. Options range from never allowing overriding of patient preferences to allowing overriding of patient preferences in non-emergency situations. If overriding of patients' preferences is allowed, then the system should require the provider to justify the override, and this information should be stored in the patient's record. In this way, we mean to convey that the act of overriding a patient's access preferences is not something to be taken lightly, particularly in a non-life-threatening situation. Additionally, whatever approach a provider takes to the patient's expressed access preferences, patients should be informed before such a circumstance might arise in which preferences are overridden. This is consistent with the ethical principle of respect for patient autonomy. 6. How will patients be told about mandatory reporting requirements (e.g., public health, gunshots, abuse, disease registries, etc.) and their impact on granular control? This point addresses the issue of mandatory reporting requirements for public health. Federal and state laws require that medical information pertaining to a possible criminal activity (e.g., child abuse or neglect, domestic violence, and gunshot wounds) be reported to the appropriate authorities. Similarly, when a patient with a communicable disease presents for treatment (whether for that condition or something unrelated), state and/or federal laws/regulations often require reporting of identifiable health information about the disease. Because of this, patients will not be able to exert granular control on such information. Any system of granular control must anticipate and address this issue. In these instances, patients have no choice as to whether providers disclose their information to others, so the question addressed is the extent to which patients are informed of the types of situations requiring information reporting, the level of specificity about which they are told of the information that is reported, and the potential vehicle used to convey this information. For instance, would general information on the nature of the potential disclosures be conveyed to patients via treatment consent statements or posters at clinical intake areas, or might patients be given explicit information that, in the case of a sexually transmitted disease for example, their name, address, infection status, and sexual partners' names and addresses would be reported to public health officials? While more specific information is deferential to respect for patient autonomy, a small minority of patients might avoid seeking treatment, knowing that the information will be reported to the appropriate authorities. However, if a provider suspects a particular patient might not seek treatment, he or she may wish, in exceptional cases, to withhold information about the specific nature of the disclosures required. Three options exist: • Do not explicitly inform patients regarding legally mandated reporting requirements (i.e., that irrespective of her desire to restrict disclosure, some circumstances mandate disclosures). • Provide a general explanation that there may be legal reasons why some personal health information must be disclosed, but do not detail those reasons. This could Author's personal copy i n t e r n a t i o n a l j o u r n a l o f m e d i c a l i n f o r m a t i c s 8 2 ( 2 0 1 3 ) 1136–1143 1141 include, for example, putting posters in patient intake areas in clinics, physicians' offices, hospitals, outpatient facilities, etc., or very general statements in Notices of Privacy Practices given to patients. • Inform patients more specifically what sort of situations would require disclosure of personal health information to public health authorities and/or law enforcement (e.g., STIs, communicable diseases, epidemic and/or pandemic outbreaks, abuse, gunshots, suspected bioterrorism), and what sort of information would be disclosed (e.g., name, address, diagnosis, etc.). 5. Discussion 5.1. Use of the P2C The P2C was developed to guide Regenstrief Institute informaticists who were designing a query tool for an existing EHR that would permit patient granular control. Identifying ethical issues is an inherent part of designing and implementing any technology [45], and EHRs are no different [46]. While every institution is different, one can envision the use of this P2C as a valuable tool for engaging informatics experts, clinicians, administrators, patient groups and health care teams in important discussions about these emerging issues in patient care. Given the scope for interpretation of the each "point" it is sensible to imagine that systems designers and clinicians might sit down to work through each of the points to determine how and to what extent the points were applicable to the institutional environment in which such issues arise. These discussions could come in the form of broader institutional discussions, policy deliberations or as the subject of in-service educational activities. While consideration of ethical issues is coming to the forefront of medical informatics design and development practices, more reflection is needed to facilitate optimal collaboration between designers and ethicists [47]. Rather than providing Regenstrief designers with a finished ethics framework, the ethics team met regularly with the query tool designers, presented updated versions of the P2C, and worked together on the design of the INPC's patient granular control system. Unlike most traditional ethics consultation programs for clinicians [48] or researchers [49], our intention here was not to identify and address a particular ethical challenge facing a person or team. Rather it was to build ethical considerations into the design process of a query tool from the start. That helped the designers keep the implications for Fair Information Practices and other patient-centered issues front and center when programming the technical aspects of capturing and implementing patients' preferences for viewing of their EHRs. We recognized that the use of the P2C should not be limited to the initial designs of the query tool. As with P2C's that have been used for evaluative purposes [50] this P2C can be used to assess how responsive the query tool is to the six Points, both in its initial instantiation and through its inevitable modifications. P2Cs should not, therefore, be viewed as a "one time only" tool, but should continue to be used as part of ongoing monitoring, evaluation, and redesign processes. Indeed, this may be the real value for various institutions: to use the P2C as an opportunity to start an informed conversation about ethical issues with various stakeholders. Finally, this document examines granular control in the clinical context, and does not explicitly consider the myriad additional issues that arise from secondary uses of EHRs (as defined by HIPAA as uses beyond treatment, payment, and health care operations) including quality improvement and cost-containment activities, research [51], or public health [21]. These warrant separate study and analysis. Support This publication was supported by: Award No.: 90HT0054/01, a cooperative agreement program from the US Department of Health and Human Services, Office of the National Coordinator for Health IT to Indiana Health Information Technology, Inc. (IHIT) under the State HIE – Challenge Grant Program to the Indiana University School of Medicine and Regenstrief Institute, Inc. (EMM, AEC, JDO, PHS, WMT); Pierre de Fermat Chair d'Excellence Région Midi-Pyrénées, Toulouse, France (EMM); NIH grant # UL1RR025761 Indiana Clinical and Translational Sciences Institute (EMM, SA, JDO, PHS, WMT); IU Center for Law, Ethics and Applied Health Research (CLEAR) (EMM, SA, PHS). Author contributions EMM contributed to reviewing the existing literature, developing the "Points to Consider," convening and participating in the expert panel, drafting the manuscript, and checking the final version of the paper. SA contributed to reviewing the existing literature, developing the "Points to Consider," convening and participating in the expert panel, drafting the manuscript, and checking the final version of the paper. AEC contributed to reviewing the existing literature, developing the "Points to Consider," convening and participating in the expert panel, drafting the manuscript, and checking the final version of the paper. JDO contributed to reviewing the existing literature, developing the "Points to Consider," convening and participating in the expert panel, drafting the manuscript, and checking the final version of the paper. WMT contributed to developing the "Points to Consider", participating in the expert panel, drafting the manuscript, and checking the final version of the paper. PHS contributed to reviewing the existing literature, developing the "Points to Consider," convening and participating in the expert panel, drafting the manuscript, and checking the final version of the paper. Conflict of interest At the time of this writing EMM was a consultant to Eli Lilly & Company. The other authors declare no conflicts of interest. Author's personal copy 1142 i n t e r n a t i o n a l j o u r n a l o f m e d i c a l i n f o r m a t i c s 8 2 ( 2 0 1 3 ) 1136–1143 Summary points What was known before the study? • There is longstanding ethical support for giving patients more autonomy in their health decision making, though it has not yet translated into control of EHRs. • U.S. policy supports deployment of EHRs but literature says little about how to build ethics into the upstream design of EHR systems. • Bioethics principles have not been merged with Fair Information Practices. What has the study added to the body of knowledge? • Developed an ethics Points to Consider that incorporates bioethics principles and FIPs for accommodating patient and clinician considerations in EHR design. • Illustrates the potential value of a P2C using an existing collaboration designers and ethicists. Appendix. Expert Input (*denotes participant at February 29, 2012 Expert Panel Workshop) *Denise Anthony, Dartmouth College *Mike Burgess, University of British Columbia *Kelly Caine, Center for Law, Ethics and Applied Health Research (CLEAR) (until Fall 2012); Clemson University (current) *Fred Cate, Center for Law, Ethics and Applied Health Research (CLEAR) (Indiana University) *Stan Crosley, Center for Law, Ethics and Applied Health Research (CLEAR) (Indiana University) Jon Duke, Regenstrief Institute *Ellen Fox, Veteran's Administration *Joyce E. Garrett, Health Policy & Public Engagement Consultant Robert Gellman, Privacy Consultant, Washington, D.C. *Jenny Girod, Hall, Render, Killian, Heath & Lyman, P.C. *Ken Goodman, University of Miami *Jeremy Leventhal, Regenstrief Institute *Deven McGraw, Center for Democracy & Technology *Mark Rothstein, University of Louisville Doug Martin, Regenstrief Institute Kory Mertz, DHHS, ONC Theda Miller, Regenstrief Institute Mark Overhage, Seimens Chris Power, Regenstrief Institute *Joy Pritts, DHHS, ONC *Andy VanZee, Indiana Health Information Exchange Scott Weinstein, DHHS, ONC r e f e r e n c e s [1] R.R. Faden, T.L. Beauchamp, N.M.P. King, A History and Theory of Informed Consent, Oxford UP, New York, 1986, 392 pp. [2] P.H. Schwartz, E.M. Meslin, The ethics of information: absolute risk reduction and patient understanding of screening, J. Gen. Intern. Med. 23 (6) (2008) 867–870. [3] S.A. Alpert, Health care information: access, confidentiality, and good practice, in: K.W. Goodman (Ed.), Ethics, Computing and Medicine: Informatics and the Transformation of Health Care, Cambridge UP, New York, 1998, pp. 75–101. [4] S. Alpert, Privacy issues in clinical genomic medicine, or Marcus Welby, M.D., meets the $1000 genome, Camb. Q. Healthc. Ethics 17 (4) (2008) 373–384. [5] S. Saul, Drowning in Data (Internet), 2002, Available from: http://www.a-website.org/mnemosyne/no signposts/ 01tsunami.html (cited 2013 April 13). [6] J.G. Anderson, Social, ethical and legal barriers to e-health, Int. J. Med. Inform. 76 (May–June (5/6)) (2007) 480–483. [7] A. Boonstra, M. Broekhuis, Barriers to the acceptance of electronic medical records by physicians from systematic review to taxonomy and interventions, BMC Health Serv. Res. 10 (2010) 231. [8] K. Caine, R. Hanania, Patients want granular privacy control over health information in electronic medical records, J. Am. Med. Inform. Assoc. 20 (1) (2013) 7–15. [9] A. Civan, M.M. Skeels, A. Stolyar, W. Pratt, Personal health information management: consumers' perspectives, in: AMIA Annu. Symp. Proc., 2006, pp. 156–160. [10] B.A. Malin, K.E. Emam, C.M. O'Keefe, Biomedical data privacy: problems, perspectives, and recent advances, J. Am. Med. Inform. Assoc. 20 (1) (2013) 2–6. [11] G. Perera, A. Holbrook, L. Thabane, G. Foster, D.J. Willison, Views on health information sharing and privacy from primary care practices using electronic medical records, Int. J. Med. Inform. 80 (February (2)) (2011) 94–101. [12] OCR HIPAA Privacy, Uses and Disclosures for Treatment, Payment, and Health Care Operations (Internet), 2003, April, Available from: http://www.hhs.gov/ocr/privacy/hipaa/ understanding/coveredentities/usesanddisclosuresfortpo. html (cited 2013 April 13). [13] M.R. Hebl, J. Xu, M.F. Mason, Weighing the care: patients' perceptions of physician care as a function of gender and weight, Int. J. Obes. Relat. Metab. Disord. 27 (2) (2003) 269–275. [14] M. Shaw, D. Tomlinson, I. Higginson, Survey of HIV patients' views on confidentiality non-discrimination policies in general practice, BMJ 312 (7044) (1996) 1463–1464. [15] G. Thornicroft, E. Brohan, D. Rose, N. Sartorius, M. Leese, Indigo Study Group, Global pattern of experienced and anticipated discrimination against people with schizophrenia: a cross-sectional survey, Lancet 373 (9661) (2009) 408–415. [16] C.J. McDonald, J.M. Overhage, W.M. Tierney, P.R. Dexter, D.K. Martin, J.G. Suico, A. Zafar, G. Schadow, L. Blevins, T. Glazener, J. Meeks-Johnson, L. Lemmon, J. Warvel, B. Porterfield, J. Warvel, P. Cassidy, D. Lindbergh, A. Belsito, M. Tucker, B. Williams, C. Wodniak, The Regenstrief Medical Record System: a quarter century experience, Int. J. Med. Inform. 54 (3) (1999) 225–253. [17] D. Blumenthal, Stimulating the adoption of health information technology, N. Engl. J. Med. 360 (15) (2009) 1477–1479. [18] National Research Council (U.S.), Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure. For the Record: Protecting Electronic Health Information, National Academy Press, Washington, DC, 1997, 264 pp. [19] K.W. Goodman, Ethics, Computing, and Medicine: Informatics and the Transformation of Health Care, Cambridge UP, New York, NY, USA, 1998, 180 pp. Author's personal copy i n t e r n a t i o n a l j o u r n a l o f m e d i c a l i n f o r m a t i c s 8 2 ( 2 0 1 3 ) 1136–1143 1143 [20] R.A. Miller, Why the standard view is standard: people, not machines, understand patients' problems, J. Med. Philos. 15 (6) (1990) 581–591. [21] K.W. Goodman, E.M. Meslin, Ethics, information technology, and public health: duties and challenges in computational epidemiology, in: J.J. Magnusen, P. Fu, J. Aspevig (Eds.), Public Health Informatics and Information Systems, 2nd ed., Springer (forthcoming). [22] Title XIII (Health Information Technology for Economic and Clinical Health Act, "HITECH") of the American Recovery and Reinvestment Act of 2009 ("AARA"), Pub. L. No. 111-5, 123 Stat. 115, 226-79, 2009 (codified in scattered sections of 42 U.S.C.). [23] Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 1996 (codified in scattered sections of title 42 U.S. Code); 45 C.F.R. parts 160 and 164 (HIPAA Privacy and Security Rules). [24] President's Council of Advisors on Science & Technology (PCAST), Report to the President Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: A Path Forward, PCAST, Executive Office of the President, U.S., Washington, DC, 2010, 108 pp. Available from: http://www.whitehouse.gov/sites/default/files/ microsites/ostp/pcast-health-it-report.pdf (cited 2012 February 15). [25] Health IT Policy Committee, Privacy and Security Tiger Team, Letter to David Blumenthal, Chairman of the Office of the National Coordinator for Health IT, August 19, 2010 (cited 2013 March 20). Available from: http://www.healthit.gov/ sites/default/files/tigerteamrecommendationletter8-17.pdf [26] T.L. Beauchamp, J.F. Childress, Principles of Biomedical Ethics, 6th ed., Oxford UP, New York, 2009, 417 pp. [27] E.J. Emanuel, L.L. Emanuel, Four models of the physician–patient relationship, JAMA 267 (16) (1992) 2221–2226. [28] J. Katz, The Silent World of Doctor and Patient, Free Press, New York, 1984, 263 pp. [29] J. Calvillo, I. Román, L.M. Roa, Empowering citizens with access control mechanisms to their personal health resources, Int. J. Med. Inform. 82 (January (1)) (2013) 58–72. [30] E.D. Pellegrino, D.C. Thomasma, For the Patient's Good: The Restoration of Beneficence in Health Care, Oxford UP, New York, 1988, 240 pp. [31] T.E. Quill, H. Brody, Physician recommendations and patient autonomy: finding a balance between physician power and patient choice, Ann. Intern. Med. 125 (9) (1996) 763–769. [32] A.A. Kon, The shared decision-making continuum, JAMA 304 (8) (2010) 903–904. [33] R.A. McNutt, Shared medical decision making: problems process progress, JAMA 292 (20) (2004) 2516–2518. [34] Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens. DHEW Publication No. (OS) 73-94, Stock No. 1700-00116, Superintendent of Documents, US Government Printing Office, Washington, DC, 1973, July. [35] Office of the National Coordinator for Health Information Technology (ONC), Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, ONC, U.S. Department of Health and Human Services, 2008, December, Available from: http://www.healthit.gov/sites/default/files/nationwide-psframework-5.pdf (cited 2013 March 16). [36] The Madrid Privacy Declaration (Internet), 2009, November, Madrid, Spain. Available from: http://thepublicvoice.org/ madrid-declaration/ (cited 2013 March 16). [37] Indiana Health Information Exchange, Indiana Network for Patient Care (Internet). Available from: http://www.ihie.org/ indiana-network-for-patient-care (cited 2013 April 20). [38] C.J. McDonald, J.M. Overhage, M. Barnes, G. Schadow, L. Blevins, P.R. Dexter, B. Mamlin, I.M. Committee, The Indiana network for patient care: a working local health information infrastructure. An example of a working infrastructure collaboration that links data from five health systems and hundreds of millions of entries, Health Aff. (Millwood) 24 (5) (2005) 1214–1220. [39] R.S. Fife, P. Keener, E.M. Meslin, M. Randall, R.L. Schiffmiller, Faculty ownership of medical facilities: inappropriate conflict or an opportunity that benefits physicians and patients? Acad. Med. 79 (11) (2004) 1051–1055. [40] B.M. Knoppers, T. Leroux, H. Doucet, B. Godard, C. Laberge, M. Stanton-Jean, S. Fortin, J. Cousineau, C. Monardes, N. Girard, L. Levesque, C. Durand, Y. Farmer, M. Dion-Labrie, M.E. Bouthillier, D. Avard, Framing genomics, public health research and policy: points to consider, Public Health Genomics 13 (4) (2010) 224–234. [41] M.C. Were, E.M. Meslin, Ethics of implementing Electronic Health Records in developing countries: points to consider, in: AMIA Annu. Symp. Proc., 2011, pp. 1499–1505. [42] D.S. Fredrickson, The Recombinant DNA Controversy: A Memoir: Science, Politics, and the Public Interest 1974–1981, ASM Press, Washington, DC, 2001, 388 pp. [43] K. Drabiak-Syed, Granular control of EHRs to overcome fragmented disclosure law: how policy choices for granularity will affect clinical care, impact secondary use of health information, and alter risks for patients and providers, Ind. Health Law Rev. 10 (39) (2013) 39–74. [44] E.M. Meslin, S. Alpert, A.E. Carroll, J.D. Odell, P.H. Schwartz, Points to Consider in Ethically Constructed Patient-Controlled Electronic Health Records, Indiana University Center for Bioethics, Indianapolis, Indiana, 2012, August, Available from: http://hdl.handle.net/1805/ 2936 [45] H. Jonas, The Imperative of Responsibility: In Search of An Ethics for the Technological Age, University of Chicago Press, Chicago, 1984, 255 pp. [46] H. van der Linden, D. Kalra, A. Hasman, J. Talmon, Inter-organizational future proof EHR systems: a review of the security and privacy related issues, Int. J. Med. Inform. 78 (March (3)) (2009) 141–160. [47] A. Van Gorp, I. Van de Poel, Deciding on ethical issues in engineering design, in: P. Vermaas, P. Kroes, A. Light, S. Moore (Eds.), Philosophy and Design: From Engineering to Architecture, Springer, Dordrecht, 2008, pp. 77–104. [48] J. La Puma, C.B. Stocking, M.D. Silverstein, A. DiMartini, M. Siegler, An ethics consultation service in a teaching hospital. Utilization and evaluation, JAMA 260 (6) (1988) 808–811. [49] M.K. Cho, S.L. Tobin, H.T. Greely, J. McCormick, A. Boyce, D. Magnus, Research ethics consultation: the Stanford experience, IRB 30 (6) (2008) 1–6. [50] E.M. Meslin, J.M. Alyea, P.R. Helft, Pandemic Influenza Preparedness: Ethical Issues and Recommendations to the Indiana State Department of Health, Indiana University Center for Bioethics, Indianapolis (IN), 2008, August, Available from: http://hdl.handle.net/1805/1912 [51] E.M. Meslin, K.W. Goodman, An ethics and policy agenda for biobanks and electronic health, Sci. Prog. (2010, February), Available from: http://www.scienceprogress.org/2010/02/ bank-on-it/