Abstract
Personal health record (PHR) systems are a subject of intense interest in the move to improve healthcare accessibility and quality. Although a number of vendors continue to put forward PHR systems, user-centered design research has lagged, and it has not been clear what features are important to prospective PHR users. Here, we report on a user-centered design study that combines qualitative and quantitative approaches to investigate several dimensions relevant to PHR design, and to look at the effect of health status on user needs. The results indicate that health status, especially disability and chronic illness, is relevant to PHR design. Further, the results provide empirical evidence about the role of privacy and security in users’ attitudes toward PHR use. The exact nature of these attitudes differs from widely held perceptions about consumer values in healthcare information management.
Introduction
If present federal government goals are accomplished, all people in the United States will have electronic access to their personal health information by 2014. 1 The motivation to empower consumers through personal health record (PHR) systems * comes from a desire to improve healthcare quality and to reduce healthcare costs through increased transparency and consumer control. Yet, despite these goals, which are widely supported across a broad spectrum of society, and despite numerous commercial and other entries into the PHR market, adoption has been slow. A recent US-based survey found that, at the time the data reported here were being collected, † only 2.5 million (< 1%) of the population had ever used a PHR. 2 One reason for this state of affairs may be that there has been relatively little research aimed at understanding what consumers would actually prefer in a PHR. Understanding those preferences better may help to identify the drivers and the limiters to PHR adoption.
We believe that this study is among the first to have investigated PHR user needs. In it, we examined the hypothesis that PHR user needs vary based on healthcare status, e.g. whether a person is well, not well, or disabled. Using a triangulation approach combining qualitative and quantitative methods, we looked at what we believe are some of the most basic factors influencing consumer adoption of PHRs as health information management tools: privacy, security, portability, and interoperability. This article presents a closer look at privacy and security issues.
Personal health records adoption: Challenges of measurement
Personal health records are still in the very early stages of adoption. With fewer than 1 per cent of the US population having adopted PHRs by the time our data were collected, the ‘early adopters’ segment of Rogers’s diffusion of innovations curve had yet to be achieved.
3
In these circumstances, traditional models of information systems (IS) adoption are difficult to apply to the case of PHR. The technology acceptance model (TAM) and its heirs are widely used adoption models,
4, 5
but perhaps more useful
User values versus health status 9
In this work, health status was divided into three categories; well, unwell, and disabled. Clearly, these are not mutually exclusive, and this posed another measurement challenge. Detailed analysis of behaviors and attitudes in the context of personal health information management, reported elsewhere, 9 showed that people with disabilities who are otherwise healthy tend to express their preferences very similarly to non-disabled healthy persons and so the two groups’ responses can be classified together. § This is only a small (< 10%) segment of the disabled population. Most of the disabled respondents also met the criteria for being classified as unwell. However, disabled persons, regardless of the presence of chronic illness, tended to cluster around similar behaviors and attitudes which were distinct from those of unwell people who were not otherwise disabled. Using this information, the health status groups were found to align as follows:
well: not chronically ill, may have a physical disability
unwell: chronically ill, not physically disabled
disabled: physically disabled, may be chronically ill.
Research methods
This study was conducted using a triangulation approach and took place in two phases: qualitative in-depth interviews, followed by a larger-scale quantitative survey. This method was selected because of the novelty of the research area, where there was little or no precedent to inform the research methodology. The initial exploratory qualitative study allowed us to elicit issues and values important to the participants while also assuring that important quantitative comparisons could be made later. An iterative research design allowed survey questions to be devised based on what people actually reported as their issues of concern (as opposed to using intuitively derived questions) and to create a feedback loop that successively informed each phase of the work. In the qualitative phase, 28 individual semi-structured interviews were conducted in three sessions in late 2006. Each of the sessions was targeted at one of the three health status groups. 10 Because of the sensitive nature of the qualitative interviews and the importance of a trust relationship with the interviewer, interview participants were not asked to provide detailed demographic data. Analysis based on interviewer observations and interviewee-volunteered data indicates that the participants ranged in age from their late 20s through to their 90s. More women (62%) than men participated. Employment status was evenly divided among employed, not employed, and retired.
A 40-question quantitative survey was conducted in April 2007. The sample was purposive in order to include comparable numbers of responses from each of the three health status groups, which are not evenly distributed across the population. ¶ Responses were obtained from a total of 210 individuals, approximately evenly distributed among the health status groups. Since this was a non-representative sample, statistics based on the assumption of a normal distribution were not computed and are not presented here. For the purposes of this exploratory study, the sacrifice of these correlation measures was deemed to be a worthwhile tradeoff.
To dilute possible effects of demographic factors related to technology acceptance, such as age, income, and employment status, 11 wide demographic bands were sampled. The sample included: equal numbers of males and females; an age range from the teens to the over 70s; a majority (60%) employed, 28 per cent non-working, 11 per cent retired; household income brackets from < $25,000 to > $150,000; education from less than high school to postgraduate degrees.
Qualitative interview questions broadly addressed the dimensions of interest. Respondents were prompted to surface issues, problems, and questions relevant to the role of personal health information management in their lives. Responses were analyzed with the assistance of qualitative analysis software. ** Concepts and categories were developed by identifying common themes and keywords that were then aggregated into semantically related clusters. The qualitative analysis was used to devise the quantitative survey items which were, in turn, interpreted in light of the qualitative interview responses, to reach a fuller and more textured understanding of the total study results than either approach alone would have been able to produce.
Quantitative data were analyzed using techniques common in consumer research. Preferences were elicited through the use of multi-choice ranking, multi-choice non-ranking, and concept matching. 12–15
Results
The study tended to confirm the hypothesis that there are observable differences among prospective PHR users, and that these are associated with health status. It has also tended to disconfirm some assumptions common in the consumer health informatics dialogue, for example, ideas about the value of privacy and security in a personal health record system.
Consumer privacy preferences
Within the US consumer healthcare sphere, considerable attention is paid to the topic of healthcare information privacy. The American Health Information Community (AHIC) †† has been, since 2005, the most important public–private health information advisory body to the US Secretary of Health and Human Services. AHIC working groups have studied issues identified as critical to health information modernization at the national level, and one of these groups is dedicated to confidentiality, privacy, and security. Further, an important strategic goal sought by Secretary Leavitt of HHS has been the development of a national-level privacy and security framework for health information. 16 Although consumer health information privacy is receiving this high-level attention, there are those who take the position that health information privacy is being rampantly disregarded. 17, 18 These privacy advocates frequently assert that privacy is the paramount concern of consumers, although empirical research to justify this claim is rarely provided. This study sheds a more objective light on consumer attitudes toward health information privacy. The findings here support the conclusion that there is actually a plurality of views on healthcare information privacy, and that those with special medical needs may be more interested in access to necessary healthcare than in an extreme approach to protecting their health information privacy.
Health information privacy and willingness to share data
Quantitative survey respondents were asked about their overall level of concern with health information privacy and given a choice of three options reflecting high, medium, and lower levels of concern. Between 54 and 59 per cent of respondents expressed a high level of concern, depending on health status. Those with disabilities and chronic illnesses expressed a lower level of concern than those without these problems. This difference is in direct conflict with assertions that those with health problems are the most protective of their health information privacy. 19 Further, 33 to 40 per cent of respondents classified their privacy concern as medium, agreeing with the statement that health information privacy should be balanced with needed access to care. Individuals with health problems were more likely to choose this approach. Finally, between 6 and 9 per cent of respondents expressed a low level of concern for privacy, agreeing with the statement ‘the privacy of my health information is of no great concern.’ Healthy people were the most likely to agree with this.
Probing this question more deeply, the respondents were asked about their willingness to share their health information with a range of groups, including family members, healthcare providers, and others. People with health problems were shown to be more open to sharing their information with other people, even employers. Across all groups, > 94 per cent would permit a spouse to view their health data, and large majorities would be comfortable permitting a child (> 80%) or parent (> 75%) to view them. While 9 per cent of people without health problems said they would be willing to let their employers see their health information, 22 per cent of chronically ill individuals and 19 per cent of disabled individuals would do so. This conflicts with the assertion that people with health problems are more concerned than others about keeping this information from their employers. 18, 20 That this is commonly assumed to be true was evident from the qualitative interviews in which several of the retired participants expressed concern over this issue on behalf of younger, working-age individuals. Asked specifically about the risk of personal health information being exposed to an employer, one disabled interviewee’s response was typical:
My health is kind of an open book. I have no secrets. (Ron, age 48, who continued to be professionally employed post-diagnosis with multiple sclerosis)
In an emergency, most people (> 93%) would be willing to share their health information with an emergency room physician and their personal physician. Most would also permit emergency room nurses and emergency medical technicians (> 70%) to have access to their personal health information. More than 25 per cent of the respondents would even allow admitting clerks in the ER, as well as police and fire first responders, to view their personal health information in an emergency. For all of these categories, chronically ill and disabled people were more permissive in allowing their data to be viewed. These results do not support the idea that individuals are, in general, highly protective of the privacy of their health data. Instead, it supports the conclusion that people place more value on the accessibility of their health information when they need it than on keeping it tightly controlled. In interviews, access to care in an emergency was often deemed more important than rigid privacy protection. As one disabled respondent put it:
I feel that if [I’m] going to a doctor and … need help or whatever I have nothing to hide … with all doctors I would want them to know. I’d want them to know me as a whole so they can treat me as a whole. (Stephanie, age 31, traumatic brain injury, quadriplegic)
While some argue that people in the US are deeply concerned with protecting health information privacy at all costs, these results show instead that even among the well, who are generally the least likely to be willing to share health information, only 1.3 per cent are completely unwilling to share their information with anyone when it comes to an emergency. This, more than any other statistic, shows that a desire for extreme privacy protection represents a very narrow minority view.
Health information privacy and medical identification
One proxy measure for general concerns over privacy is the use of a national medical identifier. Some advocates oppose a national medical identifier, claiming widely held privacy concerns among the general population. 21 This claim is also not supported by our data. In the qualitative interviews, respondents were asked how they would feel about a medical identifier. None of the interviewees expressed any objection to having one, and many provided suggestions about how they would prefer such numbers to be assigned. Based on these responses, a survey question was generated which asked respondents to rank several methods, including creation of a new national medical identification number, using the Social Security number, ‡‡ and having a number assigned by one’s personal physician or by an insurance company or another third party. Responses were distributed across all choices, with a national medical identifier ranked highest by the well and the unwell and second by the disabled. A physician-assigned number was the second choice for the well and unwell, and the first choice of the disabled. Social Security number (SSN) was ranked substantially higher by the disabled people than by the other groups. Some of the qualitative interviewees, especially the elderly and the disabled, expressed a preference for SSN because of difficulties with having to memorize another number.
Consumer security preferences
Information security is the means by which health information privacy is implemented. Without security practices, there can be no privacy. Through qualitative interviews and quantitative survey questions, we assessed consumers’ concern about information security and their willingness to adopt security measures to protect their health information.
To test attitudes toward health information security, survey respondents were first asked to rank their concerns about security as applied in several different contexts: health information, banking information, tax information, and residence history. Regardless of respondents’ health status, securing their banking information was ranked most important, exceeding the next most important by 30 per cent. Security of tax data and medical data were ranked nearly equally important by all the groups and essentially tied in second place, followed by residence history.
As another measure of security concern, respondents were asked to rank several information exposure risks: to a stranger, an employer, a researcher, or an associate. Exposure of their personal health information to a stranger ranked as the greatest risk in all the health status categories. Qualitative interviewees cited as concerns the prospect of identity theft and potential discrimination on the basis of health status. The risk of having an employer receive access to health information ranked second among the concerns. Some of the interviewees mentioned that, although they were not personally at risk from exposure of information to an employer (e.g. due to retirement), they view it as an important risk for workers. §§ Concern over researchers accessing their data ranked a strong third, 30 per cent lower than ‘stranger’. This may imply that consumers’ mistrust toward healthcare researchers could present a potential barrier to achieving improvements in clinical care and population health. 22 Polling fourth was the risk of exposure to family or friends, and this was still not an insignificant concern, with 15–20 per cent of the total ranked weight. Health status was not a major discriminator on this question.
There is a wealth of literature related to security and risk behavior in information systems. 23 It is beyond the scope of this study to completely investigate risk behavior in regard to PHR users, but it does explore one behavioral factor: consumer attitude toward information security in general. Survey participants were asked to select their attitude from among three choices: fatalistic (security breaches will happen no matter what), trusting (safeguards will protect my data), and unworried about security. The fatalistic attitude heavily predominated. Regardless of health status, at least 50 per cent believe that despite any precautions they or others may take, if a data thief wants access to this information, he will get it. There are some differences among the health status groups in terms of their perceptions of data security. The unwell tend to be a bit more fatalistic, while the disabled tend to be a bit more trusting, but also more worried than most. Yet, that worry and concern for information security and privacy does not necessarily translate into willingness to take proactive steps to protect it. Although most people, whatever their health status, express some concern for keeping their medical information safe, making the investment in personally providing that protection is another matter.
The privacy/security paradox
‘Consumers express a lot of concern about their privacy online in surveys. At the same time, very few engage in privacy-protecting activities,’ according to the director of a privacy group. 24 That claim is supported by the results of this research.
Survey respondents were presented with four options for managing their PHR security: creating a profile that sets access permissions, reviewing their information to examine it for errors or unauthorized use, purchasing a device or service to secure their information, or doing none of these. Respondents could select as many as applied. More than half would agree to do the no-cost/low-cost tasks (creating a profile, reviewing reports) but far fewer were willing to purchase a security service or device (< 20% of the total selected options). Health status made a substantial difference between unwell and disabled individuals compared to their well counterparts when it comes to securing information. Individuals without health problems selected creating a security profile 12.5 per cent more frequently than others. The reviewing records option (similar to an annual credit report review) ranked second with all groups, and showed an 11 per cent gap between the healthy and those with problems. The unwell (13.4%) and the disabled (17.2%) were more likely than others to decline any sort of security measures. By comparison, the well selected ‘none’ 6 per cent of the time. Similar disparities between recognizing a need for security and willingness to implement it have been investigated in the context of general information security strategy, where it has been shown that ‘individuals are seldom willing to adopt privacy protective strategies’. 25 Rather than acting as a purely rational agent might be expected to do, people engage in numerous contradictory ways with respect to securing their privacy. 26
Assumptions that people’s top concerns include privacy and security of their personal health information are not well supported by these data. Instead, this study finds that individuals are relatively less concerned about security of their health data than of their financial data. Disabled individuals differ on security in that they are even less willing than others to take proactive steps to secure their medical information. Design decisions based on the assumption that all PHR users desire extremely high security, and especially an assumption that people are willing to pay for this, may be less well founded than previously thought. A corollary notion that those who are most affected by health problems are most interested in securing their health data is directly contradicted here.
Conclusions
As one of the first empirical studies of prospective PHR users to specifically include a disabled population, this analysis has revealed new information that may be at odds with views held both by policy makers and by system developers. PHR system design decisions, if they are based on assumptions other than those supported empirically, risk contributing to the public’s failure to widely adopt PHRs, and more specifically may fail to provide for the specific needs of different population segments.
These data show that health status does play a role in how individuals think about their personal health information, especially about keeping it private and secure, but that the role health status plays is not necessarily the role that one might think. Regardless of health status, people generally want to maintain privacy of their personal health information, yet they also believe that achieving this goal may not be possible, given the current state of information security. Those who have arguably the most at risk through the exposure of their personal health information – the unwell and the disabled – are, ironically, the ones who are most willing to share this information and the least likely to take steps to secure it. This may represent an adaptation to disability in which the perception of control can shift to focus on areas where the disabled individual has greater control and away from those where she has less. 27 This suggests an important lesson both for privacy advocates and for system designers: decisions made on behalf of others must take account of empirical evidence that accurately describes the values, attitudes, and preferences of those they would seek to represent. Those who claim to speak for the health information privacy interests of the unwell and the disabled must fully represent these groups by incorporating them as members and actively working to understand their positions. ¶¶
Those who would design PHR systems to fit the needs of disabled and unwell people must consult empirical evidence in order to understand the system requirements involved. Under-representation of disabled people in the IT workforce is even more severe than in the workforce as a whole. As of 2002, the US National Science Foundation reported that only 5.8 per cent of the science and engineering workforce are people with disabilities.
28
System designers would be hard pressed to gather a focus group of their peers who could provide input on these issues. Adopting
Footnotes
Acknowledgements
Deborah Beranek Lafky is now affiliated with the US Department of Health and Human Services. This research was completed while she was affiliated with Claremont Graduate University.
*.
PHR systems are defined here as a user-centric and user-controlled means for individuals to track health status over a lifetime. These systems represent a new model of information system design in that they are voluntary, are longitudinal over long periods, may have varying degrees of affiliation with institution-based records systems, and must be designed to serve all individuals, regardless of the individual’s health status.
†.
Data were collected in 2006 as part of the first author’s doctoral dissertation research.
‡.
Space limitations do not allow for the inclusion of this list here. A full discussion and the list of dimensions are available in the cited source which describes the authors’ first stage in this research.
§.
Analysis of the consumer preference survey showed that on every metric, with the exception of technology type preference (smart card, internet-based, or implantable chip-based PHR), individuals with disabilities having no chronic health conditions aligned with other well individuals, i.e. those with no serious or chronic health conditions and non-disabled, and were distinct from unwell individuals.
¶.
About 18 per cent of the US population is considered disabled, and 45 per cent have at least one chronic health condition (sources: US Census Bureau, 2005; HRSA, 2008).
**.
XSight 2.0 (2006) from QSR International.
††.
Which has now been succeeded by the public–private partnership of the National eHealth Collaborative or NeHC.
‡‡.
A mandatory national identifier tied to the US old age and disability pension plan.
§§.
This attribution may not reflect levels of concern that those in the workforce actually have, as noted above.
¶¶.
The ‘Patient Privacy Rights Coalition’, which claims to represent an extremely broad cross-section of Americans, includes only one disability organization among its members. However, that organization is tiny (annual income in 2006 of $1.6m) compared to better known disability organizations such as Easter Seals ($83m) or Disabled American Veterans Trust ($36m) (source: CharityNavigator.org).