Social and technological developments have cast their shadow on physicians and their oath, and threaten to break the fragile relationship between doctors and their patients. This presentation gives one example of these developments: Seven years ago, the Israeli Ministries of Finance and Health decided to establish a “National Medical Record,” an IT system that compiles all the medical records of a patient and allows them to appear in every medical facility around the country. This specific story about the National Medical Record is an illustration of what NOT to do. A democratic society which respects human rights, privacy, and the autonomy of patients should not build a system in this way.
In the modern era physicians do not work alone. Modern medical care is based on expertise and collaboration. The physician is but a small cell in a large organism: hospitals, health corporations or medical insurance, and above all – the State that regulates and supervises their activity.
There is no doubt that expertise and institutionalization improve the quality of medicine and of medical care. But organizations tasked with these processes have a “life” of their own. They aren’t motivated exclusively by medical considerations but also by economic, bureaucratic and political interests. And sometimes those interests conflict with the ethical obligation of confidentiality.
Perhaps this is “old news”. Health services have been provided for generations by such organizations. The relatively new thing is the integration of IT into healthcare systems. This development is done in a way that strengthens the bureaucrats’ control over the health care system and the medical information that passes through it. Technology personnel are recruited by the bureaucracy, and they work primarily to meet its needs and demands. The main political power of technology derives from its “neutral,” “transparent” image. Of course this image is false. IT systems are not divine creations. They are man-made. IT experts designed and built them in accordance with the interests and values of their clients. But under the “neutral,” “objective” guise, bureaucrats and their IT staff succeed in establishing facts on the ground. And those facts disrupt the ethical discourse – of doctors, of lawyers, and of the general public.
Working as coordinator of ACRI’s Privacy Department in recent years, I received a first-hand impression of how several government IT initiatives were conducted. But recently, I was able to observe the grandiose IT project of the Israeli Health System up close as a member of the Ethics and Law Committee of the National Health Records (NHR) project.
Established some 6 years ago by the Ministry of Health (MOH), the committee comprised physicians and legal experts, as well as representatives of health organizations, the Israel Medical Association, government ministries, and of state bodies such as the IDF, the Israel Police, and others. The committee’s task was to produce an ethical code that would apply to the NHR IT system’s construction and its usage. It was no secret, however, that at least one of the purposes of the committee was to provide the project with moral and public legitimacy since even its initiators realized it was highly sensitive and feared public resistance.
The first stages were impressive. The committee members spent months studying the issue and listening to lectures by various bodies that operate medical IT systems, but once the learning phase ended and the committee started discussing the ethical issues on the agenda, serious problems emerged that immediately disrupted the committee’s work. The few resolutions that the committee managed to make did not coincide with the positions of the senior Health and Finance Ministry officials involved, and they did everything they could to nullify them, sending the discussions right back to square one.
For example, the committee decided that only doctors should be allowed to access the system, but the officials wanted a system that would be accessible to other caretakers, administration officials, and even MOH employees. They insisted that the system should “serve as a strategic tool for the development of health policies that are based on the advantages it could offer, for system-control purposes, and as a decision-making aid.” The ethical decision to restrict access to the IT system did not match the bureaucrats’ plans, so they simply ignored it and opened the subsequent session by notifying us that the committee’s mission statement had been narrowed.
A similar dynamic occurred when we discussed the issue of the patient’s consent to even having their medical data in the system, and their ability to decide who may view it. Consent is critical when considering privacy. Privacy is not about “keeping secrets,” but deals with a person’s control over his personal information and his ability to restrict the access of others to it. The e-consent issue comprises numerous secondary questions that are thoroughly discussed by medical and IT experts worldwide. To maintain true control of their personal data, patients must be offered a variety of options to choose from, not just a “yes” and “no.” Among other things, patients should be allowed to offer their partial and differential consent. For example, patients may refuse to let the system contain psychiatric, gynecological, or other information that they consider particularly sensitive.
Of course, a differential consent model requires more effort and resources when constructing and operating the system, but the entire project requires vast resources anyway. Respecting patients’ autonomy and privacy is not a less worthy cause than the reasons for creating the NHR Project in the first place. Lip service and empty promises – that privacy will be observed – are not enough. Parties that take human and patients’ rights seriously must be willing to invest time, effort, and money in them, not only in projects that threaten those rights.
When the committee tried to suggest complex consent arrangements (not “all or nothing”), the Health Ministry stopped the discussion, claiming that the system does not allow that. I admit that when these things were taking place, I did not have the insights I have today, but let us for a moment reflect on what went on there. The officials who initiated the project had already decided how the system should be built and had a certain kind of technological infrastructure in mind, already knowing that if that architecture did not allow it, they would not accept a differential consent model. It just so happened that the architecture they had in mind served the officials’ interests. It presented patients with a cruel choice – all or nothing – which forces them to give their total consent. I assume that some may argue that this model is the right one. We could argue about that, but holding an ethical discussion that is minimized and constrained by a technological framework is distorted and outrageous. It is technology that should be shaped according to ethical principles, not the other way around.
In fact, the first obstacle appeared already in the project’s definition. The committee’s starting point was that “The Ministries of Health and Finance decided to establish a central NHR database,” but this is not as simple as it sounds, because the ministries skipped over, ignored, and avoided alternative models that could serve the medical system and are less harmful to the patients’ right to privacy and autonomy.
As pointed out by Dr Yoram Blachar, Israel Medical Association chairman, the decision to establish an NHR was made without consulting physicians or “conducting an extensive public discussion that should have addressed the question of how patients feel about the management of medical information that belongs to them and no one else. Such a discussion should have additionally allowed for a real examination of alternatives as considered by other countries – for example, a ‘smart card’ that the patient holds, or creating an information center with a minimal set of basic data.”
Technology is not good or bad. It depends on the way it is used. A technology that employs a privacy-oriented design could, for example, prevent the state (the police, tax authorities, and other bodies) from making additional uses of our medical data. A national health record system is a precious resource. Experience shows that legislation that impinges on privacy tends to change for the worse with time. Passing laws that restrict the use of medical information is not enough because politicians and bureaucrats do not have to violate the law; they can simply change it.
In Germany, for example, there is no central IT system of medical records. During another debate – the debate on the National Biometric Database – one of the senior lawyers from the AG office told us that, for historical reasons, the Germans are afraid of centralized powers. “A lot of things in Germany,” he concluded, “are de-centralized, because of history.” Of course, one can wonder why only Germans should include the lesson of history in their considerations.
Of course, alternatives such as the ‘smart card’ could prevent the MOH from making secondary uses of the IT system, but what could possibly be more corrupt than selling megalomaniac IT projects to patients based on a promise that this is our only option of receiving better medical care, all the while designing those projects to serve other purposes?
The ethics and law committee is not working anymore. Most of its members, particularly the senior physicians, realized they were wasting their time there because the MOH never intended to hold a true ethical debate. Eventually, the state officials too decided they could do without an ethical debate, terminated the committee’s discussions, and went on to establish facts on the ground. Another debate between legal experts of the public administration and Health and Finance Ministry officials is presently underway. In it, the latter blame the legal experts for the fact that the system is not yet up and running and that, as a result, patients are dying. This is an utter lie. I could not find a better word to describe it. Other MOH projects are being delayed for years not because of the legal people, but for technological and budgetary reasons. Yet, every time someone dares to raise an ethical issue, they immediately lash out at them and blame them for the deaths of patients.
Most important is the fact that ethical and legal discussions take an intolerably long time not due to some inherent flaw in the legal or the ethical discourse. It is because the parties are unable to reach agreement on ethical issues or ways to introduce them in the NHR. Legal experts are not more ethical than state officials, and certainly not more than physicians. As lawyers and doctors who engage in ethical debates find themselves on both sides of the fence, the debate itself is fading away, and when it resurfaces, it will be too late. The Knesset and the public will have to decide whether or not to approve the project as is, and experience shows that once we reach that stage, all such discussions are false because it is simply too late and they do not matter.
This is because the administrators and the technology people who serve them have, for the past several years, continued to plan the NHR, introduced structural changes, and invested fortunes in its infrastructures. The MOH has already instructed all the Israeli medical service institutions to standardize their IT systems to create uniformity and allow for interconnectedness. Trial runs of pilot versions of the NHR project are already being conducted. They use the same technology, architecture, and infrastructures that the NHR will, only on smaller scales.
In one of those pilots, the system was instructed to process medical information so as to trace cases of family violence. Two years after that pilot started running, we received a report about it from the MOH. After we watched an impressive presentation, I posed two questions: What rules and procedures were introduced to guarantee data protection? And what findings do the “pilot” operators have concerning information and privacy protection? The answer to both these questions was, “None.” There are no regulations that guarantee data protection, the issue was never examined as part of the project, and thus there are no findings about it.
To summarize: A central, nationwide system is being established in Israel that will contain sensitive medical information on the entire population, but it does not protect the people’s privacy.
The project has been promoted and shaped according to a narrow perspective of bureaucratic interests and it lacks an appropriate ethical base. A public debate on the ethical challenges and implications of the project was stifled because it failed to meet the interests of the bureaucrats. It might be renewed in the future, but then it will be too late: the system will be a reality, and the sensitive medical data will run within its channels. This IT system, based on the vision of the Israeli bureaucracy, is going to entrust the state with a “key” to the medical records of all Israeli residents. It will dramatically transform the traditional model of health care – a model which placed the patient at the center of its concern.
Over the years, says IMA Chairman Yoram Blachar, “we cultivated the faith that a patient has in us for confidentiality, faith that leads him to expose critical information from his perspective, that allows us to provide him with the best possible care. How will the same patient feel – who puts his faith in us – if he knows that that information is passed forward to other doctors and staff and can easily end up in the hands of an array of interested bodies?” I am convinced that this question bothers us today. We do not need to wait and see what happens once we have a National Health system that ignores morality and ethics altogether up and running. It is our duty to act now to prevent its establishment.