December 3, 2008 2 Comments
A colleague of mine presented an interesting bioethics issue for our lunch time seminar today. It was a discussion motivated by the New York City Department of Health’s recent initiative for diabetes prevention, which adds an amendment to the health code requiring laboratories to report results from a blood sugar test called A1C to the Dept of Health and Mental Hygiene*. High A1C corresponds to high blood sugar. Test results are entered into the A1C registry; medical providers will receive quarterly reports listing patients and their A1C level and patients with high A1C levels might be notified in the mail about the finding.
This initiative is striking in two ways. First, it collects and distributes patient health information without knowledge or consent from the patient. This isn’t necessarily new – a lot of health information is collected and used in the name of public health. Either the NYC DOH is casting diabetes prevention as a public health concern or it is setting a new precedent for the use of health information. Second, it circumvents the usual transmission of health information from provider to patient by sending the patient test results directly, and there’s a question whether it is ethical to send patients this information without the context that their health provider could give.
As part of the discussion, we looked at examples of an emerging grey area for patient health data. GoogleHealth, Microsoft HealthVault, and 23andMe are all services that collect information about a person’s health (or genetics) through that person’s consent, but they reserve the right to use that information for reasons they see fit, nominally research. There then becomes what looks increasingly to be a slippery slope. Medical providers at one end who are bound by HIPAA rules, public health activities, and at the other end, commercial companies who do not provide medical services but handle patient health data. How important are medical providers when you dispense health information? Should these companies be regulated by HIPAA (or some variation), i.e. is health information qualitatively different from other types of data? Is it ok for the government to monitor your health and distribute that information without your knowledge (especially in situations of low public health risk, at least to others)?
Obviously, we are moving towards more access and more information. But there seem to be many complex issues when health information is involved. Should it be treated differently?
* By the way, does anyone else think the term “mental hygiene” sounds dated?