Harvard Pilgrim Health Care Home
  Learn more.
  Sign up for HPHConnect.
Medical Management
For Your Patient
News Center
Office Support
Provider Manual
Medicare Advantage
Research & Teaching
Resources & Links
Ethics Program
Hospital Advisor
Print    Text Size
HPHConnect: How can HPHC use the web to make health care management easier for its key constituents and address confidentiality concerns at the same time?

Wednesday, February 28, 2001


In his weekly email to HPHC staff on February 2, 2001, Charlie Baker wrote that:

Health plans that take down the administrative noise and build strong relationships with their key constituencies will succeed. Plans that don't, won't.

HPHConnect, (pronounced "HPHC Connect"), the term for HPHC's new ways of relating to employers, providers and members through the web, is a (perhaps "the") central element of HPHC's strategy for reducing administrative noise and strengthening relationships with members, providers and employers. HPHConnect will be the focus of the February 28 meeting.

HPHC's financial crisis was in large measure a failure of information management in areas like claims processing and timely financial reporting. HPHConnect is a series of projects intended to make HPHC an accurate, timely, understandable, reliable and user-friendly information manager. To the maximum extent possible, provider activities like verifying eligibility, understanding the benefits and copayments that apply to the patient, submitting claims, checking on claims and more will be done via Internet. Employers will be able to enroll and disenroll employees and check on their roster of members, and members will be able to select and change their PCP, view specific benefits, request new ID cards and enroll or disenroll dependents, all via the web. (See Appendices A and B.) Employers and providers who have started to use HPHConnect have been tremendously positive. At a personal level, I found it convenient and easy to reenroll and make changes in my health insurance status via HPHConnect.

None of these are new functions and none give patient information to parties who did not previously have access to that information. But the Internet does change things, both at the level of public perception and logistics. Even though encryption and other security techniques may make Internet transmission safer than other modes, polls consistently show that the public worries about the privacy and security of personal information on the web. And, the tremendous convenience of the Internet-potentially allowing access to data bases from any site where a constituent with a password can log on-may create concerns about unauthorized people having access to information in circumstances such as the legitimate user leaving the computer without logging off or by appropriating and using a legitimate user's password.

Customer for the Ethics Advisory Group

The customer for the February 28 meeting was Dave Segal, Vice President, Operations, and Program Director for HPHConnect. However, HPHConnect touches virtually every component of HPHC activity, and other members of the HPHConnect project team, members of the HPHC Confidentiality Oversight Committee, and others who are close to the project, were also present at the meeting. Although Dave was the formal customer, this larger group was the customer as well.

Questions for the Ethics Advisory Group

  1. HPHConnect is crucial to HPHC's future success. Everyone working on HPHConnect expects it to make a big difference to members, providers and employers. Getting it up and going rapidly is a top organizational priority. Speed is important. But at the same time, this new way of doing business will raise questions and concerns about confidentiality and security. Addressing these concerns could take time and add complexity. What principles can the Ethics Advisory Group suggest to help HPHC address two potentially competing goods-getting HPHConnect up and going as fast as possible and addressing confidentiality concerns as fully as possible?
  2. HPHC handles tens of thousands of transactions every day-processing claims, enrolling members, providing information to employers, responding to regulators, and much more. These transactions require exchange of information between HPHC and its constituents. The area of greatest concern centers on the member-identifiable medical information that is necessarily included in the provider-HPHConnect claims function. HPHC can set and monitor its own confidentiality policies, but it cannot directly control its multiple partners. Given HPHC's commitment to being "the most trusted and respected name in health care," what are its ethical responsibilities with regard to the confidentiality practices of its partners? Put differently, what are HPHC's responsibilities beyond its own walls?
  3. With the improved data management systems HPHC will soon have the potential to use the information it accumulates in new ways. If the pharmacy data base shows that John Jones is filling prescriptions for insulin but the claims system shows no appointments for eye examinations or important other aspects of diabetes care, it would be possible to reach out to Mr. Jones to encourage him to have proper care. Mr. Jones might be enormously grateful and benefit from the outreach, but another member might be suspicious and resentful. What principles can the Ethics Advisory Group suggest to help the project team in the future when it considers potential uses of the data base for patient care purposes?

Relevant precedents

On November 20, 1996 the EAG discussed "Confidentiality and the Self-insured." The discussion focused on ethical issues associated with giving member specific information to self-insured accounts. The EAG identified both the member's expectation of confidentiality and the self-insured employer's expectation of the information needed to manage the risk pool as significant values that might conflict. The EAG recommended a proactive approach involving partnership with self-ensured employers to create guidelines aimed at meeting member/employee confidentiality concerns and employer insurance management concerns. The EAG felt that providers and even employees of self-insured companies did not understand the confidentiality issues well and it recommended education about how the self-insured sector works.

On July 30, 1997 the EAG discussed "Confidentiality and Fair Information Practices," focusing on the request from a large account for detailed claims data to be released to a health care consultant. The EAG recognized that the data request served legitimate employer interests but that members were entitled to know who would have access to information about them and for what purposes. The EAG concluded that "while we cannot simply deny legitimate requests for data, and we cannot pragmatically reach beyond the fire walls of our own systems to secure data and protect confidentiality-we can work toward mutually agreeable principles that guide the release and subsequent use of information."

EAG Discussion/ Recommendations

Because HPHConnect is a central enterprise for HPHC with a high velocity implementation schedule an unusually large number of guests participated in the meeting. In addition to three visitors from the Organizational Ethics Committee at Allina Health Plan (Minnesota) there were fifteen HPHC staff members who are actively involved with HPHConnect and with HPHC's confidentiality policies and practices.

Overall considerations regarding HPHConnect and confidentiality:

  1. The last 18 months at HPHC have been devoted to the turnaround process and the receivership-survival and recovery activities. The next 18-36 months will be devoted to achieving dramatic improvements in the value HPHC provides to members, providers and purchasers. This next phase involves moving from surviving to thriving. HPHConnect is the heart of that effort. It is crucial to understand the ethical dimensions of HPHConnect and to get them right.
  2. Addressing the ethical dimensions of HPHConnect is not a one-time enterprise. As HPHConnect evolves it will give HPHC the potential for making new uses of the information it develops in the course of its business activities. These new opportunities will almost certainly engender new ethical questions as well. Just as new technologies like the respirator introduced new issues into clinical ethics in the past, new technologies like the web are introducing new issues into organizational ethics now.
  3. Members of the HPHConnect team emphasized the importance of making sure that as HPHC moves more of its functions onto the web it needs to make sure to retain the human touch at the same time. [Thirty years ago in Future Shock Alvin Toffler predicted that finding ways to combine "high tech and high touch" would be a major challenge for our era. That was good futurology!]
  4. Even if properly managed Internet-based access to medical information is as secure or even more secure than paper-based systems, focus groups and the EAG discussion show that there is widespread public concern about danger and misuse of personal information. Society is on a steep learning curve with regard to understanding the Internet and forming opinions about its use.
  5. As HPHConnect offers progressively more value to Internet-literate stakeholders the impact of the digital divide will increase. HPHC's mission is to improve the health of all of its members and its community and the HPHC Foundation is committed to reducing health disparities. The digital divide could increase the gap between the haves and the have-nots. HPHC should develop strategies to address this danger.

I. Principles to help HPHC address the competing goods of getting HPHConnect up and going as fast as possible and, at the same time, adequately addressing confidentiality concerns.
The central EAG recommendation to the HPHConnect team was that the team is right to give intense attention to understanding, anticipating and responding to confidentiality concerns and that it should continue to do so. In addition to the focus group findings that documented how concerned members are about Internet access to personal medical information, when EAG members thought of themselves as health care consumers they expressed similar concerns. One member summarized the sentiment of much of the group by stating--"information about a person's health is no one else's business without authorization from the person himself or herself."

The EAG identified four values as especially pertinent to the ethics of HPHConnect and confidentiality. First, all parties need clarity about the facts about HPHConnect. What kinds of information are available to what parties with what security features? There is a lot of ignorance, confusion, fantasy and fear about web-based activities. HPHC needs to work diligently to inform members, providers and purchasers what the facts are about HPHConnect and the possibilities it creates and to learn about their fears and concerns. Second, going by the focus group findings and the EAG discussion, individuals want to have control of personally important information, and choice about who will have access to it. Finally, the team needs plan for coordination of access to information. It is great for members to have access to medical information, but their providers want access to that information as well when they deal with their patients. It is great for members to be able to update their personal information in the administrative systems, but employers want to make sure their own systems are updated at the same time.

II. Principles to help HPHC address its ethical responsibilities with regard to the confidentiality practices of its partners.
The questions involved with HPHC's responsibility for the confidentiality practices of its partners proved to be complex and multiple. The EAG felt that it was only able to make a start in looking at this area. Its primary recommendation was that in light of HPHC's vision of being "the most trusted and respected name in health care," HPHC should do all it realistically can to ensure that it and its partners follow high standards of confidentiality and communicate clearly about what it is doing to all of the involved parties. The specific points that emerged included:

A. HPHConnect will allow members to track the status of referrals and claims. If they do this from work, would company monitoring of employee use of email and Internet make these interactions available to others in the company? Here the EAG heard about the Caregroup system, in which the technology allows members to have access from the workplace but blocks access to the content for anyone else.

B. It will be very helpful to physicians and other providers to have access to claims and referral data, but members often see more than one provider and may not want them all to have access to this data. The EAG felt that members should have control of who has access to the data. The EAG was told the technology can support member control of this function.

C. Family members are enrolled through the employee subscriber. Although the enrollment is a single account, individual family members may want their health information to be private from the rest of the family. This is especially true in circumstances of separation and divorce and with adolescent and young adult children. The EAG felt that systems needed to allow each family member to be treated as an individual. The employee subscriber should not automatically have access to information about other family members. Here too the EAG was told that the technology can be adapted to allow this to be done.

D. With regard to the core issue of HPHC's responsibility for its provider partner's confidentiality practices, the EAG learned about the distinction between "role-based access authority" and "authentication." The HPHConnect team is establishing levels of access to medical information based on need to know. Thus physicians, office managers and office staff that directly works with claims can have access to their submitted claims but other staff cannot. This access is password protected. However, if authorized staff give their passwords to clerks or colleagues HPHConnect cannot currently authenticate who is actually requesting that information. The integrity of the system depends on the practices of everyone who uses it.

The EAG recognized this as the thorniest of the questions it was dealing with. It recognized that HPHC cannot have the same direct control of confidentiality practices for its partners that it has for itself. (The HPHC confidentiality policy has been appended to this document.) The EAG recommended five guiding considerations. First, technological supports for strengthening the authentication process should be used to the maximal feasible extent. Second, the systems HPHC sets up for providers should be a) educative about HPHC's confidentiality expectations and values and b) careful to ask audit-like questions about how the provider will implement and manage confidentiality practices. Third, there should be ongoing reinforcement of the expectations about confidentiality, as by reminders that appear on the screen. Fourth, members need to be as active as possible in understanding and "co-managing" the confidentiality process, as by conveying their own expectations to their providers and to HPHC and by using the audit trail function if they are want to know who has actually had access to their information. Finally, since Internet ethics is an area of new learning for society as a whole, HPHC should benchmark practices from elsewhere and join in wider efforts to learn from experience and establish broadly accepted confidentiality guidelines.

III. Principles to help the HPHConnect project team in the future when it considers potential uses of the data base for patient care purposes.
EAG members were very interested to learn about the potential for using the HPHC database for targeted outreach and provision of health information tailored to the needs of the individual member. These new possibilities would enhance HPHC's capacity to promote improvements in member health, but we know from the focus groups that members used terms like "Big Brother" to express ambivalence about this kind of activism and outreach.

Conflict between potentially beneficial uses of new information technologies like HPHConnect and privacy or "Big Brother" concerns will be increasingly common, and not just in health are. As an extreme example of what public is exposed to with regard to the web, four days after the EAG meeting the New York Times had a front page article (3/4/01) headlined "Location Devices' Use Rises, Prompting Privacy Concerns." The article described a chip made by a company called Digital Angel that could be implanted beneath the skin, allowing 24/7 tracking of the location of the individual(!):

After all, [the inventor] reasoned, wouldn't the whereabouts of an Alzheimer's patient be important to relatives? Wouldn't the government want to keep track of paroled convicts? Wouldn't parents want to know where there children are at 10 p.m., or 11 p.m., or any hour of the day? A review of Digital Angel's commercial potential, though, revealed concern over the possibility of privacy abuses…

Some EAG members felt that privacy concerns are currently too unreflective and absolute. They recommended vigorous education of members as to the benefits that could come from using health information for education, outreach and disease management. The EAG felt strongly, however, that members should control whether or not they received these outreach services. The group briefly discussed whether members should be asked to "opt in" (actively request) these services or simply be given the opportunity to "opt out" (decline them). The dominant sentiment appeared to favor the "opt in" approach as giving the member most choice and control. Interestingly, on March 12 William Safire had an Op-Ed piece arguing for the "opt-in" approach, which used "Big Brother" language. The final sentence of Safire's piece reads: "Americans will either insist on a libertarian Age of Consent or succumb to Big Brother's Age of Surveillance."


The EAG thanked Dave Segal and the HPHConnect team for inviting it to consult prior to the program being fully launched. The group felt that the question of how to balance vigorous development of the full potential for HPHConnect with vigorous attention to cultivating trust and respect through careful attention to confidentiality values would require continuing attention. This balancing process is not a one time ethical riddle to be answered and put aside but rather a long-term learning curve for HPHC, its stakeholders and society. The EAG hoped to be able to contribute to this learning curve at future meetings.

Jim Sabin