Foundations of the eHealth Code of Ethics
by Bette-Jane Crigger, The Hastings Center
Note: This paper originally was presented at the 2001 Quality Healthcare Information on the Net Conference, November, 2001. See also The New Frontier: Exploring eHealth Ethics.
The Internet offers real potential to improve well-being by offering unprecedented access to health information, products, and services. At the same time, it also makes possible forms of communication and kinds of practice that raise ethical, social, and legal concerns. We are only beginning to develop a clear, shared understanding of how to participate in the virtual environment of the health Internet. And only beginning to think carefully about what opportunities we can take advantage of and what opportunities may be technically possible but are ones that we should not pursue in the new world of ehealth.
Trust is a fundamental concern in ehealth. Indeed, it is fundamental to health care. To receive the care they need, patients must share private information and be willing to take medications, use medical devices, or often accept interventions that intrude on their bodies. They rely on health care providers to keep their personal information confidential, to provide accurate and appropriate information about their conditions and possible treatments, and to recommend the therapy they believe to be in the patient’s interest.
But trust can be particularly difficult to sustain in the anonymous, virtual environment of the Internet and World Wide Web. Anyone, anywhere, who has access to a computer, a link to the Internet, and modest technical skill is able to set up a web page offering health information, products, or services, regardless of his or her qualifications. And anyone, anywhere is able to present him- or herself as a patient-whether to a health care professional or to an online patient community-whatever his or her actual health status.
Moreover, unlike traditional health care, the Internet is not restricted by geographical or political boundaries, making it possible for users to seek, and others to offer, health information, products, and services across international or local borders-where different languages may be spoken, and different laws govern how medical professionals are licensed, how health products or services may be advertised and sold, how personal information is handled. Determining which existing national or local laws apply to online practices and what new regulation may be needed is the subject of ongoing debate and deliberation. Importantly, with the technology currently available, health care professionals cannot examine a patient who seeks personal advice or services over the Internet. Instead, caregivers must rely on what an “e-patient” tells them — about symptoms or health habits or concerns — and thus work without much of the rich information that a physical exam and face-to-face conversation would provide. While the technology will surely evolve, today, health care professionals must find ways to compensate for this lack of information if they are to offer advice that is both medically and ethically sound.
The eHealth Code of Ethics
The eHealth Code of Ethics is an important part of the effort to make it possible for the Internet to realize its potential to enhance people’s health status and well-being worldwide. The goal of the code is to help create a trustworthy environment for all users, whether they are patients, health care professionals, website sponsors, people who develop health applications and content for the Web, or individuals who turn to the Internet to help them stay well.
First and foremost, taken together the principles of the eHealth Code identify the fundamental values at stake in creating conditions for trust in the health Internet: candor and honesty; quality of information, products, and services; respect for individuals’ right to give informed consent; and respect for privacy and protection of confidential information. The principles identify as well the essential features of good professional and business practices that instantiate those values.
These values are not new, or unique to the health Internet, of course — they are just as fundamental when health care is provided face to face. The eHealth Code extends the ethical guidance that frames health care offline to meet the special challenges raised by the technical possibilities of the online world, in which information flows much more rapidly, to potentially many more people than has ever been possible before. In which computers enable us to compile and manipulate vast amounts of personal health data more readily than ever, and in which a whole new set of players can take a central role in health care, including not only health care professionals and institutions, but information technology specialists and new kinds of entities like health Web portals as well.
Ethical Foundations of the eHealth Code
The philosophical foundation of the eHealth Code is the principle of respect for persons; that is, the ethical obligation to treat each individual as having dignity and moral worth him- or herself, and never simply as a means to someone else’s purposes. The principle of respect requires that we treat individuals as independent decision makers and allow them to make choices — about what products to buy, what services to use, what is most important in living a good life — based on their own values. Obviously, that doesn’t mean that anything goes, that we should or do permit individuals to make just any choices or act in just any ways. We do not condone murder, or permit people to voluntarily sell themselves into slavery; we condemn torture, exploitation, and a host of other activities. But the principle of respect for persons does mean that we have a strong ethical duty to acknowledge individual dignity and allow individuals to make well thought through decisions about how they live their lives.
The principles of the eHealth Code of Ethics pick out different aspects of what the principle of respect for persons means for the health Internet. At the same time, they set out the conditions for trust in this new health care environment. As the philosopher Annette Baier has noted, trust is like the air we breathe — we take it for granted and only notice it when it is polluted or violated. Most of the time, we assume that we can trust people or institutions, and do so until we learn something that causes us to question whether we should. As Baier further notes, “reasonable trust” requires “good grounds for … confidence in another’s good will, or at least the absence of good grounds for expecting another’s ill will or indifference.” The eHealth Code specifies in the broadest sense what count as “good grounds” for confidence.
Candor & Honesty
To treat someone with respect, and as an autonomous decision maker, requires that we be forthcoming and truthful with him or her. We must present ourselves fairly, neither withholding information a reasonable individual would want to know in dealing with us nor presenting information in ways that lead him or her to form mistaken impressions about us. That is, the principle of respect requires that we be both candid and honest.
We rest our trust on assumptions we make about how individuals and organizations behave, relying on what we think we know about them. Sometimes we learn about them from others who have dealt with them, but often we know only what the people or institutions themselves have told us about who they are and what they do. That is the case more often than not when we visit a website. In such circumstances, to be worthy of well-placed trust, the individuals and organizations responsible for websites have an obligation to openly provide the kind of information we generally rely on in making decisions about whether we should trust and use the information, products, or services they offer. To treat us with respect, they must not withhold information that a reasonable person would want to know, for example, about risks involved in using their products or services, or that they have commercial sponsors. And they must be truthful and not deceptive in their claims, for example, about the benefits of their products or services. Forthright disclosure, then, is the means by which ehealth sites embody the principle of respect and lay a foundation for users’ trust.
Because health is a foundation for enabling individuals to form and carry out life plans and to enjoy all other goods, health care has special moral significance. It serves important human needs — especially relieving pain, suffering, and disability, and preventing premature death. With so much at stake, we rightly expect that information, products, and services offered in the name of health and health care will be of high quality.
Defining “quality” for the health Internet — as for face-to-face health care in fact — is not an easy task, however. At minimum information must be accurate and not misleading, easy to understand, and up to date. But there are different standards for what counts as accurate information with regard to health. Western “scientific” medicine rests on one set of understandings of disease and claims about how to treat it, while “complementary” or “alternative” medicine rest on very different understandings. Science-based medicine is enormously powerful, offering many benefits. Thus there is a strong argument that the information, products, or services offered by health-related websites should conform to the standards set by leading biomedical journals, such as the New England Journal of Medicine or British Medical Journal: that claims be rigorously tested and supported by the best available scientific evidence. Yet practitioners and patients of complementary and alternative medicine also claim benefits for their disciplines, and argue that the standards of biomedicine simply aren’t applicable in this different context. And even within biomedicine, there are often competing understandings of what the “best” treatment for a particular patient with a particular health condition should be — for example, lumpectomy and radiation therapy, or mastectomy for treatment of breast cancer.
To make reasonable decisions about what health information they will trust, or what products or services they will use, then, individuals need to know what standards a site employs in developing content. To support users’ independent, considered decisions websites have an obligation to make clear the sources they have used and the kinds of evidence they have relied on to support the claims they make, and to candidly disclose alternatives in a balanced way when there is disagreement in the professional community. Are claims based on scientific research, or an individual health care practitioner’s or patient’s personal experience? Are they backed by recognized professional organizations or other sources the individual trusts?
Ultimately, individuals who visit websites seeking health information, products, or services must judge for themselves whether they believe the information they are given is credible. This does not mean that we would all agree with that judgment or the decision an individual makes, nor that his or her decision will always be wise. That is a risk we run in respecting persons as autonomous moral agents. The ethical obligation of health-related websites is not specifically to assure that individuals always make the “right” decision, but to assure that they have the information they need to reach considered decisions.
This obligation extends to presenting information in ways that make it easy to understand and use. Medical information is often complex, and studies have shown that many people do not have the skills to understand what their health care providers tell them or written materials they are given. Information that is not understood, however, cannot help an individual make responsible decisions. Websites thus have an ethical obligation to identify who is most likely to visit the site (that is, who their primary intended audience is) and to make good faith efforts to assure that information is as accessible as possible to those visitors. Sites intended for primarily a Spanish-speaking audience clearly should not present information only in English, for example. Similarly, if pictures or other graphics will help make information clear and easy to understand, they should be used alongside-or even in place of — written text.
Informed consent is one of the cornerstones of contemporary medical ethics, and is as binding in the ehealth environment as it is in face-to-face health care. Respect for persons as autonomous decision makers requires that we acknowledge individuals’ right to decide what will be done to their bodies and to determine what we may do with their personal information. Given the technical ability of websites (or even third parties) to collect personal data without users’ knowledge, informed consent becomes a particularly important condition for a trustworthy health Internet.
Many individuals are more than willing to share personal data online for a variety of purposes, for example, to enable a website to tailor the information visitors receive to their particular needs or interests. The same individuals may object to other uses of their information, however — for example, they may not want sites to use that information for future marketing or to share their data with business affiliates. To make informed decisions about whether they will avail themselves of a site’s services, products, or information, visitors also need to know what consequences there may be if they decline to give personal data- will they be able to access all areas of the site or not, for example? For some, the cost of giving up control of personal data will outweigh the anticipated benefits of using the site; for others, the trade-off will seem worth it.
Health Internet websites that collect personal information about visitors have an obligation to clearly disclose what information they gather and for what purposes they use personal data, as well as whether they share that information and if so, with whom. They have a further obligation to allow visitors themselves to decide for themselves whether they will permit such uses of their information, by explicitly seeking visitors’ informed consent for specific data-gathering and data-sharing activities.
Privacy & Data Security
Privacy is generally understood to be an instrumental value: It makes good things possible, and/or helps us to avoid harms. Privacy enhances our ability to form and sustain the kinds of intimate relationships important to our flourishing as human beings. Like informed consent, privacy and confidentiality are widely seen as essential to health care. To receive needed care, patients perforce must often reveal information about themselves that is highly sensitive. They must be able to trust that their personal health information will be kept confidential and will not be inappropriately disclosed or used in ways that could harm them. The harms that can follow when confidentiality is breached range from the affront of receiving unwanted communications, to material losses when personal information is used to discriminate against individuals in employment, housing, health or life insurance, and other areas.
Our concept of privacy and concern for confidentiality are very much bound up with our concept of the self, of what it is to be a person. We idealize persons who are “self-made” and in important ways see our lives as projects of our own creation. Our sense of individual independence, nourished on Enlightenment principles of respect for autonomous decision making, tells us that a fundamental condition of our lives should be that we be known by or interact with others only in the ways we each choose to be known or to interact.
Privacy, as we have come to understand it, involves a bundle of rights: to physical privacy, to prevent unwanted or unwelcome intrusions on our bodies and minds; to decisional privacy, to forestall intrusions on our capacity to make choices for ourselves based on our individual values and understanding of what is in our best interest; and to informational privacy, to control how we are known in the world. When others collect and share information about us, especially when they do so without our knowledge, our control of how we are known — and by whom — is thwarted. Our dignity as persons is violated.
The sharing of personal health information and use by third parties solely for commercial purposes especially violates our sense of self. What we object to in finding ourselves being marketed as prospective consumers is that we are treated not as whole persons, but as bundles of discrete facts. We are reduced to details of health condition, gender, age, etc., based on information we shared in what we thought — and had good reason to think — was a relationship in which confidentiality was a core commitment. This reduction of “me” to an impoverished data set bought and sold for ends that are not my own is an assault on dignity. It is, in the end, a violation of the principle of respect and the obligation to treat persons always as ends in themselves, never as means merely.
The intentional sharing of personal information without consent is only one facet of our concern with online privacy, however. Unauthorized access to personal data — whether health, financial, or other — is also a risk to confidentiality, one that is exacerbated by the technological capabilities of the Internet and Web. Users have the right to expect that sites will take reasonable precautions to protect personal data from such intrusions. Whether those measures take the form of protecting files by passwords that allow access only to specific users, protocols to encrypt data or other security software, removing obvious personal identifiers (such as name or email address), “audit trails” that allow them to trace who has accessed files, or some combination of such measures depends in part on the legitimate, agreed-to ways in which information is shared and used.
Just as sites have a duty to seek informed consent whenever they collect, use, or share personal information, they have a duty to warn users that there are other risks to privacy and confidentiality on the Internet. Websites themselves, especially smaller sites, may be vulnerable to intrusion; or despite good intentions, sites may unwittingly partner with entities that gather data through the site without the site’s knowledge. Users need to understand that there may be risks a site cannot control.
Professionalism in Online Health Care
The health Internet can pose new challenges for physicians, nurses, and other health care professionals. Offline providers, for example, may find that they spend a great deal of time explaining information that patients have found on the Web. Or that their practices must change to accommodate new forms of electronic record keeping, communication, and information sharing — with patients, insurance plans, other caregivers, laboratories, and others. Moreover, emerging technologies that enable providers to give personal medical care or advice online raise a further set of challenges. In particular, health care professionals who practice on the Internet must help “epatients” understand the limitations of online health care.
The touchstone for professional practice online are the professional codes of ethics that govern medicine in face-to-face relationships with patients. The Internet in no way changes practitioners’ fundamental ethical obligations to live up to their professional commitments to do no harm, to put patients’ and clients’ interests first, and to protect confidentiality. And they must of course obey the laws and regulations that govern offline practice, such as medical licensing or public health reporting laws.
In serving their patients’ good, health care professionals offline or online must be sure that patients understand their options for treating and managing their health conditions, and provide the information patients need to make informed decisions about care. Online health care also imposes new professional duties arising out of this fundamental ethical requirement, however, that are specific to the Internet environment. They must help epatients understand when an online relationship cannot substitute for a face-to-face visit with a physician or other professional. And they must be clear when licensing and other regulations mean that they cannot offer a particular patient specific advice. In such cases, online practitioners arguably have a duty to make good faith efforts to help an epatient identify health care resources that are available to him or her locally. Because they may not “see” the epatient again, they must also make every effort to be sure the patient understands instructions for any follow-up care that may be needed. Further, since at present online health care is rarely covered by insurance plans, practitioners caring for epatients must be clear about what fees, if any, they charge for an online consultation and how payment is to be made.
Health-related websites are rarely self-contained entities. Sites may be sponsored by one party (an individual, a professional medical organization, or a commercial enterprise such as a drug company, for example) and hosted by a different one (often a commercial web-hosting service with many clients). Specific content for the site may be developed by a variety of different people or organizations-health information might be drawn from published sources, or developed by site staff or special consultants, or provided by the entities whose products or services are made available through the site. Most ehealth sites are in fact a network of such business relationships.
Like online professional medical practice, these online business relationships are governed by principles of business ethics that apply to the offline world. Individual websites are the visible face for users of the network of relationships that make the site possible, and in essence they “speak” for all of their partners. To preserve their own integrity and credibility in fulfilling their ethical obligations to users, sites must make good faith efforts to assure that the people and organizations they work with uphold the same high ethical standards as the sites themselves. To knowingly work with an entity that does not meet ethical standards is to violate the trust sites invite users to place in them.
Importantly, sites must assert editorial control over their content, assuring that sponsors or advertisers do not inappropriately dictate how information will be presented to users or how search results will be displayed for specific information. Sites must make clear to users whether information provided on the site itself or links to other sites are provided “for information only” or are an endorsement of the content or of the sites to which the links take visitors. And they must clearly indicate when links are taking visitors away from the site itself, not simply to another page within the site.
Accountability To uphold the principle of respect for persons means that we must take people’s concerns seriously. For the health Internet, that means making good faith efforts to be candid and honest, to seek visitors’ informed consent about whether their personal information may be collected and how it may be used or shared, to respect visitors’ privacy and take reasonable measures to keep personal data confidential, to assure that health care professionals affiliated with the site fulfill the ethical duties of their professions, and to partner only with ethically responsible business affiliates.
And it means that sites must make reasonable efforts to monitor their own performance, and give visitors meaningful ways to provide feedback. Sites must make it easy for both staff and users to bring problems — or praise — to the site’s attention, at the least by clearly indicating how to contact the site manager or webmaster. Sites must also develop appropriate ways of responding to users’ feedback and assure that staff understand and follow those procedures — if no one is clearly held responsible for reading and responding to the comments in a “suggestions box,” efforts to improve site performance will be a sham. Ehealth sites should take guidance from continuous quality improvement efforts in other sectors of health care to help assure that their operations uphold the eHealth Code of Ethics. They must actively work to create the conditions of trust that are essential if the health Internet is to live up to its promise of improving people’s health and not doing harm.
Ethics or Regulation?
Codes of ethics — like the eHealth Code, the code of the American Medical Association, or the Hi-Ethics Guidelines — are not legally binding regulations themselves. They are voluntary standards adopted by an organization, profession, or entire industry that set expectations for how all participants will behave. Codes of ethics rarely require or forbid particular activities, though some do. Instead, codes set out the important goods served by the activities of those who adopt them. Codes of ethics educate participants, and the public, about what’s at stake — in providing health information, products, or services, or in other specific professional activities or commercial endeavors. And they identify the values that should shape best practices generally. In this sense, they can be a foundation for more specific regulations.
Codes of ethics are not self-interpreting. As general statements of value and commitment, they provide fundamental guides for thinking about practices; they must be general enough to apply meaningfully in many situations. Day-to-day, those who adopt codes of ethics must work to specify just what they mean for particular activities; that is, they must think carefully and critically about how specific practices will, or won’t, serve important values. That is all to the good. Too often, regulations can be seen as something that matters only to special personnel — lawyers, risk managers, compliance officers, or privacy officials, for example — not values that should guide everyone, all the time. If regulations serve to forestall a “race to the bottom” in a profession or an industry, codes of ethics serve to remind us of what matters, ethically and socially, in our activities.
Codes of ethics and regulations are complementary, then. Codes of ethics make explicit and so help us to understand overall goods and values. They promote best practices as part and parcel of what it means to be involved in different kinds of activities — whether providing health care or programming computers. Regulations stipulate in much more detail expectations for practices to serve those goods and values — and spell out specific material consequences when practices deviate from those expectations. Codes of ethics alone probably cannot do all the work of assuring that our conduct conforms to our expectations for excellence. Regulations, in their turn, cannot tell us enough about why and how our practices matter.
Readings and Resources
The philosophical and business ethics literature is rich with resources that can help to illuminate the ethical issues facing the health Internet. Those listed below are, of course, only a small set of many articles, books, and online resources for those who wish to explore issues in more depth, but they can serve as portals into wider reading.
1. The Health Internet
2. Philosophical Foundations
Respect for Persons
3. Codes of Ethics
4. Ethical Issues in eHealth
Health Care Professionals Online