Patient privacy in the era of medical computer networks: a new paradigm for a new technology.

For twenty five years the legal system has tried to protect the privacy of identified patient data contained in information systems. The rapid development of such technology has repeatedly frustrated the public policies incorporated into the legal system. However the newest information technologies provide the possibility of fundamentally changing the way information is stored in the health care system and, by "De personalizing the data," allow restoration of a reasonable level of personal privacy, without interfering with the legitimate needs for medical data. The system would require a secure "identifier control facility" and act as a network "file access table" able to reconstruct widely distributed bits of the patients record. A disaggregated "virtual record" would replace the integrated patient file, and the risks to data privacy inherent in the use of names or permanent identification numbers would be eliminated.

A framework for "Need to Know" authorizations in medical computer systems: responding to the constitutional requirements.

"Need to Know" systems which restrict access to computerized data to those with a specified need for the data have been described as part of the solution to the problem of privacy in health care information systems. However, no operational "need to know" system is described in the medical literature. Recent legal developments in constitutional privacy protection make a "need to know" system mandatory, not optional. In sophisticated information systems users can utilize the unique characteristics of the system itself to implement a high level "need to know" system, based on the institution's own patient treatment pattern. This article provides an analytical tool for helping to define a "need to know" system with reference to the specific problems of health care institutions.

Protection of patient data in multi-institutional medical computer networks: regulatory effectiveness analysis.

Privacy protection is one of the major issues in the development of multi-institutional clinical information networks. Judicial decisions have confirmed patient's rights to protection of a "reasonable expectation of privacy". Incorporating this protection into a system requires analysis of appropriate models. The National Practitioner Data Bank (NPDB) contains confidential data concerning physician competence. The medical profession had substantial input into the privacy protection features of the NPDB, which are much more comprehensive than those used in many clinical information systems. The NPDB represents the privacy protection which physicians expect for their own data. Regulatory Effectiveness Analysis can be used to analyze the suitability of the NPDB as a model for patient privacy protection. Judicial opinions set public policy and legal structures for privacy, and the NPDB provides an inventory of useable technical tools. After eliminating minor discontinuities, the NPDB can be used as a model to create a useable standard for privacy for multi institutional data transfers.

Protecting the privacy of patient information in clinical networks: regulatory effectiveness analysis.

Patient privacy is one of the major issues in the development of modern clinical information system networks. Such networks will have to demonstrate an appropriate concern for privacy as a precondition of operation. Regulatory effectiveness analysis is a novel technique for measuring compliance with a technological regulatory system. By examining the public policies, legal structures, and technical tools involved in the regulatory system, it is possible to discover discontinuities that may result in noncompliance with the regulatory system.

Risk, statistical inference, and the law of evidence: the use of epidemiological data in toxic tort cases.

Toxic torts are product liability cases dealing with alleged injuries due to chemical or biological hazards such as radiation, thalidomide, or Agent Orange. Toxic tort cases typically rely more heavily than other product liability cases on indirect or statistical proof of injury. There have been numerous theoretical analyses of statistical proof of injury in toxic tort cases. However, there have been only a handful of actual legal decisions regarding the use of such statistical evidence, and most of those decisions have been inconclusive. Recently, a major case from the Fifth Circuit, involving allegations that Benedectin (a morning sickness drug) caused birth defects, was decided entirely on the basis of statistical inference. This paper examines both the conceptual basis of that decision, and also the relationships among statistical inference, scientific evidence, and the rules of product liability in general.

Computerized patient information under the Privacy Act: a regulatory effectiveness analysis.

Regulatory Effectiveness Analysis is a new technique for measuring compliance with a technological regulatory system. By examining the public policies, legal structures and technical tools involved in the regulatory system, it is possible to discover discontinuities which may result in non compliance with the regulatory system. This technique can be used to analyze the Veterans Health Administration's (VHA) actions under the Privacy Act.

Regulation of clinical laboratory information systems after the 1990 amendments to the Food and Drug Act.

Clinical laboratories are among the most sophisticated software users in the modern hospital. The 1990 Medical Device Amendments to the Food and Drug Act caused a significant change in the legal regulation of medical software. The Act replaces the earlier emphasis on premarket approvals with postmarket surveillance. Hospitals and other institutional users are now required to report to the Food and Drug Administration (FDA) product defects that cause injuries or death. The Act also provides for civil penalties. The combination of these factors may lead to enhanced FDA supervision of medical software, particularly with unregistered producers. Clinical laboratories must understand both the regulatory system and their own responsibilities under the Act.

Software quality regulation under the Safe Medical Devices Act of 1990: hospitals are now the canaries in the software mine.

The 1990 Medical Device Amendments to the Food and Drug Act have caused a significant change in the regulation of medical software. The 1990 Act replaces the prior emphasis on premarket approvals with an emphasis on postmarket surveillance. Hospitals and other institutional users are now required to report to the FDA product defects that cause injuries or death. They are also required to report product defects to the manufacturer. The Act provides for rapid suspensions of device approval, recalls of defective products and civil penalties for violators. The combination of these factors may lead to enhanced FDA supervision of the purchase and use of medical software, and particularly an emphasis on finding unregistered producers. In addition, the new Act will have a direct effect on the regulation of software, because it is much better suited to addressing the problem of software quality than the 1976 Act.

Regulatory and other public policy issues.

Regulatory and other public policy issues in the future of biomedical engineering, as they relate to the development and use of medical devices, are discussed. At the federal level, agencies that directly influence the application of medical technology include the Food and Drug Administration (FDA), with its clinical trials and premarket and regulatory authority, and the Health Care Financing Administration (HCFA), with its reimbursement policy. The Occupational Safety and Health Administration (OSHA), the Environmental Protection Agency (EPA), and the Department of Commerce can have a considerable impact on corporate profitability, which is a driving force for most new technology and new product introductions. Another area of public policy that has been cited as significantly influencing health care and medical device development, namely, civil litigation, is also considered. To illustrate the issues, the impact of the regulatory environment on the application of computer software to a wide variety of medical products is examined. The humanistic and ethical problems brought about by technological advances are discussed. Ten key technologies that are likely to have the greatest importance in the next few years and ten external influences on the future of the medical device technology industry that have been identified by the Health Industry Manufacturers Association are described.

Liability for personal injuries caused by defective medical computer programs.

During the past ten years, the use of computer programs in medicine has become increasingly prevalent. As these programs proliferate, however, their potential to injure patients also increases. Although the question of liability for personal injuries caused by defective medical computer programs has not been addressed by the courts, it is inevitable that this question will arise in a judicial forum. In this Article, the authors examine the questions a court will face when addressing this novel cause of action. They attempt to resolve some of these questions by exploring the relevant characteristics of medical computer programs and examining their relationship to the tort law doctrines of negligence and strict products liability. The authors conclude that medical computer programs will be treated as products by the courts, subjecting their manufacturers to strict liability in tort for any defects in the program that cause injury. As a result, the authors contend, hospitals are likely to face a new source of liability for patient injuries if, under the particular circumstances, they are deemed to be the manufacturer or the distributor of a medical computer program that causes an injury.