Shared expectations for protection of identifiable health care information- Report of a national consensus process

OBJECTIVE: The Ethical Force Program is a collaborative effort to create pe rformance measures for ethics in health care. This report lays out areas of consensus that may be amenable to performance measurement on protecting th e privacy, confidentiality and security of identifiable health information. DESIGN: Iterative consensus development process. PARTICIPANTS: The program's oversight body and its expert panel on privacy include national leaders representing the perspectives of physicians, patie nts, purchasers, health plans, hospitals, and medical ethicists as well as public health, law, and medical informatics experts. METHODS AND MAIN RESULTS: The oversight body appointed a national Expert Ad visory Panel on Privacy and Confidentiality in September 1998. This group c ompiled and reviewed existing norms, including governmental reports and leg al standards, professional association policies, private organization state ments and policies, accreditation standards, and ethical opinions. A set of specific and assessable expectations for ethical conduct in this domain wa s then drafted and refined through seven meetings over 16 months. In the fi nal two iterations, each expectation was graded on a scale of 1 to 10 by ea ch oversight body member on whether it was: (1) important, (2) universally applicable, (3) feasible to measure, and (4) realistic to implement. The ex pectations that did not score more than 7 (mean) on all 4 scales were recon sidered and retained only if the entire oversight body agreed that they sho uld be used as potential subjects for performance measurement. Consensus wa s achieved on 34 specific expectations. The expectations fell into 8 conten t areas: addressing the need for transparency of policies and practices, co nsent for use and disclosure of identifiable information, limitations on wh at information can be collected and by whom, individuals' access to their o wn health records, security requirements for storage and transfer of inform ation, provisions to ensure ongoing data quality, limitations on how identi fiable information may be used, and provisions for meaningful accountabilit y. CONCLUSIONS: This process established consensus on 34 measurable ethical ex pectations for the: protection of privacy and confidentiality in health car e. These expectations should apply to any organization with access to perso nally identifiable health information, including managed care organizations , physician groups, hospitals, other provider organizations, and purchasers . Performance measurement on these expectations may improve accountability across the health care system.