Article

Personal health records: Consumer attitudes toward privacy and security of their personal health information

Health Informatics Journal 17(1) 63–71 © The Author(s) 2011 Reprints and permission: sagepub.co.uk/journalsPermissions.nav DOI: 10.1177/1460458211399403 jhi.sagepub.com

Deborah Beranek Lafky and Thomas A. Horan
Claremont Graduate University, USA

Abstract

Personal health record (PHR) systems are a subject of intense interest in the move to improve healthcare accessibility and quality. Although a number of vendors continue to put forward PHR systems, user-centered design research has lagged, and it has not been clear what features are important to prospective PHR users. Here, we report on a user-centered design study that combines qualitative and quantitative approaches to investigate several dimensions relevant to PHR design, and to look at the effect of health status on user needs. The results indicate that health status, especially disability and chronic illness, is relevant to PHR design. Further, the results provide empirical evidence about the role of privacy and security in users’ attitudes toward PHR use. The exact nature of these attitudes differs from widely held perceptions about consumer values in healthcare information management.

Keywords: personal health records, PHR, privacy, security

Corresponding author: Deborah Beranek Lafky, MSIS PhD CISSP, Kay Center for E-Health Research, Claremont Graduate University, School of Information Systems and Technology, 150 E. Tenth St, Claremont, CA 91711, USA. Email: [email protected]

Introduction

If present federal government goals are accomplished, all people in the United States will have electronic access to their personal health information by 2014.¹ The motivation to empower consumers through personal health record (PHR) systems* comes from a desire to improve healthcare quality and to reduce healthcare costs through increased transparency and consumer control. Yet, despite these goals, which are widely supported across a broad spectrum of society, and despite numerous commercial and other entries into the PHR market, adoption has been slow. A recent US-based survey found that, at the time the data reported here were being collected,† only 2.5 million (< 1%) of the population had ever used a PHR.² One reason for this state of affairs may be that there has been relatively little research aimed at understanding what consumers would actually prefer in a PHR. Understanding those preferences better may help to identify the drivers and the limiters to PHR adoption.

We believe that this study is among the first to have investigated PHR user needs. In it, we examined the hypothesis that PHR user needs vary based on healthcare status, e.g. whether a person is well, not well, or disabled. Using a triangulation approach combining qualitative and quantitative methods, we looked at what we believe are some of the most basic factors influencing consumer adoption of PHRs as health information management tools: privacy, security, portability, and interoperability. This article presents a closer look at privacy and security issues.

Personal health records adoption: Challenges of measurement

Personal health records are still in the very early stages of adoption. With fewer than 1 per cent of the US population having adopted PHRs by the time our data were collected, the ‘early adopters’ segment of Rogers’s diffusion of innovations curve had yet to be achieved.³ In these circumstances, traditional models of information systems (IS) adoption are difficult to apply to the case of PHR. The technology acceptance model (TAM) and its heirs are widely used adoption models,⁴, ⁵ but perhaps more useful ex post facto than a priori. In the case of information systems that have yet to be adopted, a prospective, not a retrospective viewpoint is required.

Further complicating the research picture, personal health information management is a novel task for nearly everyone. Over the past several decades, advances have been made in assuring patients’ access to their own medical records.⁶ However, unless individuals have complex care needs, this right of access has not translated into widespread routine management of personal health information. Paper records, which may be scattered among multiple providers, make health information management a daunting task.⁷ Consequently, very few people have much experience with the task of personal health information management. Unlike other kinds of systems, which usually just model familiar tasks, PHR models this very unfamiliar task, which makes (prospective) user judgments about ease of use and utility difficult to obtain.

To better understand the novel PHR task, we have taken a user-centered exploratory approach that looks at underlying attitudes, behaviors, and competencies. To do this, we used a matrix of core user values and basic user attributes. The core values were derived from a list of 17 candidates‡ using a Delphi-like technique with an expert panel.⁸ Four values topped the panel’s list: privacy, security, portability, and interoperability. These dimensions were used to formulate the research questions. Two of these, privacy and security, are the focus of this article.

In this work, health status was divided into three categories: well, unwell, and disabled. Clearly, these are not mutually exclusive, and this posed another measurement challenge. Detailed analysis of behaviors and attitudes in the context of personal health information management, reported elsewhere,⁹ showed that people with disabilities who are otherwise healthy tend to express their preferences very similarly to non-disabled healthy persons and so the two groups’ responses can be classified together.§ This is only a small (< 10%) segment of the disabled population. Most of the disabled respondents also met the criteria for being classified as unwell. However, disabled persons, regardless of the presence of chronic illness, tended to cluster around similar behaviors and attitudes which were distinct from those of unwell people who were not otherwise disabled. Using this information, the health status groups were found to align as follows:

• well: not chronically ill, may have a physical disability
• unwell: chronically ill, not physically disabled
• disabled: physically disabled, may be chronically ill.

Table 1. User values versus health status⁹

User values        Well     Unwell   Disabled
Privacy            higher   higher   lower
Security           higher   higher   lower
Interoperability   lower    lower    higher
Portability        lower    lower    higher

Research methods

This study was conducted using a triangulation approach and took place in two phases: qualitative in-depth interviews, followed by a larger-scale quantitative survey. This method was selected because of the novelty of the research area, where there was little or no precedent to inform the research methodology. The initial exploratory qualitative study allowed us to elicit issues and values important to the participants while also assuring that important quantitative comparisons could be made later. An iterative research design allowed survey questions to be devised based on what people actually reported as their issues of concern (as opposed to using intuitively derived questions) and to create a feedback loop that successively informed each phase of the work.

In the qualitative phase, 28 individual semi-structured interviews were conducted in three sessions in late 2006. Each of the sessions was targeted at one of the three health status groups.¹⁰ Because of the sensitive nature of the qualitative interviews and the importance of a trust relationship with the interviewer, interview participants were not asked to provide detailed demographic data. Analysis based on interviewer observations and interviewee-volunteered data indicates that the participants ranged in age from their late 20s through to their 90s. More women (62%) than men participated. Employment status was evenly divided among employed, not employed, and retired.

A 40-question quantitative survey was conducted in April 2007. The sample was purposive in order to include comparable numbers of responses from each of the three health status groups, which are not evenly distributed across the population.¶ Responses were obtained from a total of 210 individuals, approximately evenly distributed among the health status groups. Since this was a non-representative sample, statistics based on the assumption of a normal distribution were not computed and are not presented here. For the purposes of this exploratory study, the sacrifice of these correlation measures was deemed to be a worthwhile tradeoff. To dilute possible effects of demographic factors related to technology acceptance, such as age, income, and employment status,¹¹ wide demographic bands were sampled. The sample included: equal numbers of males and females; an age range from the teens to the over 70s; a majority (60%) employed, 28 per cent non-working, 11 per cent retired; household income brackets from < $25,000 to > $150,000; education from less than high school to postgraduate degrees.

Qualitative interview questions broadly addressed the dimensions of interest. Respondents were prompted to surface issues, problems, and questions relevant to the role of personal health information management in their lives. Responses were analyzed with the assistance of qualitative analysis software.** Concepts and categories were developed by identifying common themes and keywords that were then aggregated into semantically related clusters. The qualitative analysis was used to devise the quantitative survey items which were, in turn, interpreted in light of the qualitative interview responses, to reach a fuller and more textured understanding of the total study results than either approach alone would have been able to produce. Quantitative data were analyzed using techniques common in consumer research. Preferences were elicited through the use of multi-choice ranking, multi-choice non-ranking, and concept matching.¹²–¹⁵

Results

The study tended to confirm the hypothesis that there are observable differences among prospective PHR users, and that these are associated with health status. It has also tended to disconfirm some assumptions common in the consumer health informatics dialogue, for example, ideas about the value of privacy and security in a personal health record system.

Consumer privacy preferences

Within the US consumer healthcare sphere, considerable attention is paid to the topic of healthcare information privacy. The American Health Information Community (AHIC)†† has been, since 2005, the most important public–private health information advisory body to the US Secretary of Health and Human Services. AHIC working groups have studied issues identified as critical to health information modernization at the national level, and one of these groups is dedicated to confidentiality, privacy, and security. Further, an important strategic goal sought by Secretary Leavitt of HHS has been the development of a national-level privacy and security framework for health information.¹⁶

Although consumer health information privacy is receiving this high-level attention, there are those who take the position that health information privacy is being rampantly disregarded.¹⁷, ¹⁸ These privacy advocates frequently assert that privacy is the paramount concern of consumers, although empirical research to justify this claim is rarely provided. This study sheds a more objective light on consumer attitudes toward health information privacy. The findings here support the conclusion that there is actually a plurality of views on healthcare information privacy, and that those with special medical needs may be more interested in access to necessary healthcare than in an extreme approach to protecting their health information privacy.

Health information privacy and willingness to share data. Quantitative survey respondents were asked about their overall level of concern with health information privacy and given a choice of three options reflecting high, medium, and lower levels of concern. Between 54 and 59 per cent of respondents expressed a high level of concern, depending on health status. Those with disabilities and chronic illnesses expressed a lower level of concern than those without these problems. This difference is in direct conflict with assertions that those with health problems are the most protective of their health information privacy.¹⁹ Further, 33 to 40 per cent of respondents classified their privacy concern as medium, agreeing with the statement that health information privacy should be balanced with needed access to care. Individuals with health problems were more likely to choose this approach. Finally, between 6 and 9 per cent of respondents expressed a low level of concern for privacy, agreeing with the statement ‘the privacy of my health information is of no great concern.’ Healthy people were the most likely to agree with this.

Probing this question more deeply, the respondents were asked about their willingness to share their health information with a range of groups, including family members, healthcare providers, and others. People with health problems were shown to be more open to sharing their information with other people, even employers. Across all groups, > 94 per cent would permit a spouse to view their health data, and large majorities would be comfortable permitting a child (> 80%) or parent (> 75%) to view them. While 9 per cent of people without health problems said they would be willing to let their employers see their health information, 22 per cent of chronically ill individuals and 19 per cent of disabled individuals would do so. This conflicts with the assertion that people with health problems are more concerned than others about keeping this information from their employers.¹⁸, ²⁰ That this is commonly assumed to be true was evident from the qualitative interviews in which several of the retired participants expressed concern over this issue on behalf of younger, working-age individuals. Asked specifically about the risk of personal health information being exposed to an employer, one disabled interviewee’s response was typical:

My health is kind of an open book. I have no secrets. (Ron, age 48, who continued to be professionally employed post-diagnosis with multiple sclerosis)

In an emergency, most people (> 93%) would be willing to share their health information with an emergency room physician and their personal physician. Most would also permit emergency room nurses and emergency medical technicians (> 70%) to have access to their personal health information. More than 25 per cent of the respondents would even allow admitting clerks in the ER, as well as police and fire first responders, to view their personal health information in an emergency. For all of these categories, chronically ill and disabled people were more permissive in allowing their data to be viewed. These results do not support the idea that individuals are, in general, highly protective of the privacy of their health data. Instead, they support the conclusion that people place more value on the accessibility of their health information when they need it than on keeping it tightly controlled. In interviews, access to care in an emergency was often deemed more important than rigid privacy protection. As one disabled respondent put it:

I feel that if [I’m] going to a doctor and … need help or whatever I have nothing to hide … with all doctors I would want them to know. I’d want them to know me as a whole so they can treat me as a whole. (Stephanie, age 31, traumatic brain injury, quadriplegic)

While some argue that people in the US are deeply concerned with protecting health information privacy at all costs, these results show instead that even among the well, who are generally the least likely to be willing to share health information, only 1.3 per cent are completely unwilling to share their information with anyone when it comes to an emergency. This, more than any other statistic, shows that a desire for extreme privacy protection represents a very narrow minority view.

Health information privacy and medical identification. One proxy measure for general concerns over privacy is the use of a national medical identifier. Some advocates oppose a national medical identifier, claiming widely held privacy concerns among the general population.²¹ This claim is also not supported by our data. In the qualitative interviews, respondents were asked how they would feel about a medical identifier. None of the interviewees expressed any objection to having one, and many provided suggestions about how they would prefer such numbers to be assigned. Based on these responses, a survey question was generated which asked respondents to rank several methods, including creation of a new national medical identification number, using the Social Security number,‡‡ and having a number assigned by one’s personal physician or by an insurance company or another third party. Responses were distributed across all choices, with a national medical identifier ranked highest by the well and the unwell and second by the disabled. A physician-assigned number was the second choice for the well and unwell, and the first choice of the disabled. Social Security number (SSN) was ranked substantially higher by the disabled people than by the other groups. Some of the qualitative interviewees, especially the elderly and the disabled, expressed a preference for SSN because of difficulties with having to memorize another number.

Consumer security preferences

Information security is the means by which health information privacy is implemented. Without security practices, there can be no privacy. Through qualitative interviews and quantitative survey questions, we assessed consumers’ concern about information security and their willingness to adopt security measures to protect their health information.

To test attitudes toward health information security, survey respondents were first asked to rank their concerns about security as applied in several different contexts: health information, banking information, tax information, and residence history. Regardless of respondents’ health status, securing their banking information was ranked most important, exceeding the next most important by 30 per cent. Security of tax data and medical data were ranked nearly equally important by all the groups and essentially tied in second place, followed by residence history.

As another measure of security concern, respondents were asked to rank several information exposure risks: to a stranger, an employer, a researcher, or an associate. Exposure of their personal health information to a stranger ranked as the greatest risk in all the health status categories. Qualitative interviewees cited as concerns the prospect of identity theft and potential discrimination on the basis of health status. The risk of having an employer receive access to health information ranked second among the concerns. Some of the interviewees mentioned that, although they were not personally at risk from exposure of information to an employer (e.g. due to retirement), they view it as an important risk for workers.§§ Concern over researchers accessing their data ranked a strong third, 30 per cent lower than ‘stranger’. This may imply that consumers’ mistrust toward healthcare researchers could present a potential barrier to achieving improvements in clinical care and population health.²² Polling fourth was the risk of exposure to family or friends, and this was still not an insignificant concern, with 15–20 per cent of the total ranked weight. Health status was not a major discriminator on this question.

There is a wealth of literature related to security and risk behavior in information systems.²³ It is beyond the scope of this study to completely investigate risk behavior in regard to PHR users, but it does explore one behavioral factor: consumer attitude toward information security in general. Survey participants were asked to select their attitude from among three choices: fatalistic (security breaches will happen no matter what), trusting (safeguards will protect my data), and unworried about security. The fatalistic attitude heavily predominated. Regardless of health status, at least 50 per cent believe that despite any precautions they or others may take, if a data thief wants access to this information, he will get it.

There are some differences among the health status groups in terms of their perceptions of data security. The unwell tend to be a bit more fatalistic, while the disabled tend to be a bit more trusting, but also more worried than most. Yet, that worry and concern for information security and privacy does not necessarily translate into willingness to take proactive steps to protect it. Although most people, whatever their health status, express some concern for keeping their medical information safe, making the investment in personally providing that protection is another matter.


The privacy/security paradox

‘Consumers express a lot of concern about their privacy online in surveys. At the same time, very few engage in privacy-protecting activities,’ according to the director of a privacy group.²⁴ That claim is supported by the results of this research. Survey respondents were presented with four options for managing their PHR security: creating a profile that sets access permissions, reviewing their information to examine it for errors or unauthorized use, purchasing a device or service to secure their information, or doing none of these. Respondents could select as many as applied. More than half would agree to do the no-cost/low-cost tasks (creating a profile, reviewing reports) but far fewer were willing to purchase a security service or device (< 20% of the total selected options). Health status made a substantial difference between unwell and disabled individuals compared to their well counterparts when it comes to securing information. Individuals without health problems selected creating a security profile 12.5 per cent more frequently than others. The reviewing records option (similar to an annual credit report review) ranked second with all groups, and showed an 11 per cent gap between the healthy and those with problems. The unwell (13.4%) and the disabled (17.2%) were more likely than others to decline any sort of security measures. By comparison, the well selected ‘none’ 6 per cent of the time.

Similar disparities between recognizing a need for security and willingness to implement it have been investigated in the context of general information security strategy, where it has been shown that ‘individuals are seldom willing to adopt privacy protective strategies’.²⁵ Rather than acting as a purely rational agent might be expected to do, people engage in numerous contradictory ways with respect to securing their privacy.²⁶

Assumptions that people’s top concerns include privacy and security of their personal health information are not well supported by these data. Instead, this study finds that individuals are relatively less concerned about security of their health data than of their financial data. Disabled individuals differ on security in that they are even less willing than others to take proactive steps to secure their medical information. Design decisions based on the assumption that all PHR users desire extremely high security, and especially an assumption that people are willing to pay for this, may be less well founded than previously thought. A corollary notion that those who are most affected by health problems are most interested in securing their health data is directly contradicted here.

Conclusions

As one of the first empirical studies of prospective PHR users to specifically include a disabled population, this analysis has revealed new information that may be at odds with views held both by policy makers and by system developers. PHR system design decisions, if they are based on assumptions other than those supported empirically, risk contributing to the public’s failure to widely adopt PHRs, and more specifically may fail to provide for the specific needs of different population segments.

These data show that health status does play a role in how individuals think about their personal health information, especially about keeping it private and secure, but that the role health status plays is not necessarily the role that one might think. Regardless of health status, people generally want to maintain privacy of their personal health information, yet they also believe that achieving this goal may not be possible, given the current state of information security. Those who have arguably the most at risk through the exposure of their personal health information – the unwell and the disabled – are, ironically, the ones who are most willing to share this information and the least likely to take steps to secure it. This may represent an adaptation to disability in which the perception of control can shift to focus on areas where the disabled individual has greater control and away from those where she has less.²⁷

This suggests an important lesson both for privacy advocates and for system designers: decisions made on behalf of others must take account of empirical evidence that accurately describes the values, attitudes, and preferences of those they would seek to represent. Those who claim to speak for the health information privacy interests of the unwell and the disabled must fully represent these groups by incorporating them as members and actively working to understand their positions.¶¶ Those who would design PHR systems to fit the needs of disabled and unwell people must consult empirical evidence in order to understand the system requirements involved.

Underrepresentation of disabled people in the IT workforce is even more severe than in the workforce as a whole. As of 2002, the US National Science Foundation reported that only 5.8 per cent of the science and engineering workforce are people with disabilities.²⁸ System designers would be hard pressed to gather a focus group of their peers who could provide input on these issues. Adopting a priori the idea that disabled and unwell persons desire a higher level of privacy and security in their PHRs may well be an example of the kind of design bias that has been documented in other domains.²⁹ Care must be taken to avoid this bias, which is both inaccurate and presumptuous.

Acknowledgments

Deborah Beranek Lafky is now affiliated with the US Department of Health and Human Services. This research was completed while she was affiliated with Claremont Graduate University.

Notes

*. PHR systems are defined here as a user-centric and user-controlled means for individuals to track health status over a lifetime. These systems represent a new model of information system design in that they are voluntary, are longitudinal over long periods, may have varying degrees of affiliation with institution-based records systems, and must be designed to serve all individuals, regardless of the individual’s health status.
†. Data were collected in 2006 as part of the first author’s doctoral dissertation research.
‡. Space limitations do not allow for the inclusion of this list here. A full discussion and the list of dimensions are available in the cited source which describes the authors’ first stage in this research.
§. Analysis of the consumer preference survey showed that on every metric, with the exception of technology type preference (smart card, internet-based, or implantable chip-based PHR), individuals with disabilities having no chronic health conditions aligned with other well individuals, i.e. those with no serious or chronic health conditions and non-disabled, and were distinct from unwell individuals.
¶. About 18 per cent of the US population is considered disabled, and 45 per cent have at least one chronic health condition (sources: US Census Bureau, 2005; HRSA, 2008).
**. XSight 2.0 (2006) from QSR International.
††. Which has now been succeeded by the public–private partnership of the National eHealth Collaborative or NeHC.
‡‡. A mandatory national identifier tied to the US old age and disability pension plan.
§§. This attribution may not reflect levels of concern that those in the workforce actually have, as noted above.
¶¶. The ‘Patient Privacy Rights Coalition’, which claims to represent an extremely broad cross-section of Americans, includes only one disability organization among its members. However, that organization is tiny (annual income in 2006 of $1.6m) compared to better known disability organizations such as Easter Seals ($83m) or Disabled American Veterans Trust ($36m) (source: CharityNavigator.org).


References

1. Secretary of Health and Human Services Michael O. Leavitt. Testimony before the House Ways and Means Committee. Washington, DC, 2007.
2. Manhattan Research. Cybercitizen health v8.0. New York, 2009.
3. Rogers EM. Diffusion of innovation. 5th edn. New York: Free Press, 2003.
4. Davis FD. Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quart 1989; 13 (3): 319–340.
5. Venkatesh V, and Davis F. A theoretical extension of the technology acceptance model: four longitudinal field studies. Man Sci 2000; 46 (2): 186–204.
6. Fisher B, and Britten N. Patient access to records: expectations of hospital doctors and experiences of cancer patients. Brit J Gen Practice 1993; 43 (367): 52–56.
7. Solomon C. The mother’s bond. Sonoma, CA: Follow Me, undated.
8. Lafky D, Tulu B, and Horan TA. A user-driven approach to personal health records. Commun AIS 2006; 17 (46).
9. Lafky D. Personal health records: an empirical user taxonomy. In: School of Information Systems and Technology, Claremont Graduate University, Claremont, CA, 2008.
10. Lafky D, and Horan TA. Toward a taxonomy of personal health records users. In: Americas Conference on Information Systems (AMCIS), AIS, Acapulco, Mexico, 2006.
11. Fox S. Demographic realities and consumer behavior online. Pew Internet & American Life Project, Editor, Pew Charitable Trusts, Washington, DC, 2007.
12. Green PE, and Srinivasan V. Conjoint analysis in marketing: new developments with implications for research and practice. J Marketing 1990; 54 (4): 3–19.
13. Fraenkel L, Bodardus S, and Wittink DR. Understanding patient preferences for the treatment of lupus nephritis with adaptive conjoint analysis. Med Care 2001; 39 (11): 1203–1216.
14. Ryan M, and Farrar S. Using conjoint analysis to elicit preferences for health care. BMJ 2000; 320: 1530–1533.
15. Malhotra NK, and Jain AK. A conjoint analysis approach to health care marketing and planning. J Health Care Marketing 1982; 2 (2): 35–44.
16. Kolodner RM. Developing a privacy and security framework. Department of Health and Human Services, Washington, DC, 2007.
17. Peel DC. Review of the personal health record (PHR) service provider market: privacy and security 2007. http://www.patientprivacyrights.org/site/News2?page=NewsArticle&id=6811.
18. Goldman J. Personal health records: employers proceed with caution. California Healthcare Foundation, Oakland, CA, 2007.
19. Peel DC. Testimony before the Judiciary Committee’s Constitution Subcommittee, United States House of Representatives: Hearing on Genetic Privacy, 2002.
20. Gellman R. Personal health records: why many PHRs threaten privacy. In: World Privacy Forum, 2008.
21. Stolberg SG. Health identifier for all Americans runs into hurdles. New York Times 1998: A.1.
22. National Committee on Vital and Health Statistics. Enhancing protections for uses of health data: a stewardship framework. US Department of Health and Human Services, editor, Washington, DC, 2008.
23. Martin L. Understanding and managing risk. ISSA J 2007: 8–12.
24. Greenberg A. The privacy paradox. In: Forbes 2008.
25. Acquisti A, and Grossklags J. Privacy and rationality in individual decision making. IEEE Secur Priv 2005; 3 (1): 26–33.
26. Norberg PA, Horne DR, and Horne DA. The privacy paradox: personal information disclosure intentions versus behaviors. J Consumer Aff, 2007. Online.
27. Schulz R, and Decker S. Long-term adjustment to physical disability: the role of social support, perceived control, and self-blame. J Personality & Soc Psych 1985; 48 (5).
28. National Science Foundation. Science and engineering indicators, B. Directorate for Social and Economic Sciences; Division of Science Resources Statistics, Editor, 2002.
29. Feinberg M. Hidden bias to responsible bias: an approach to information systems based on Haraway’s situated knowledges. Inf Res 2007; 12 (4).
