Ethical Issues In Handling Sensitive Information: A Case Study Of Max (Essay).

Max works in a large state department of alcoholism and drug abuse. The agency administers programs for individuals with alcohol and drug problems, and maintains a huge database of information on the clients who use their services. Some of the data files contain the names and current addresses of clients. Max has been asked to take a look at the track records of the treatment programs. He is to put together a report that contains the number of clients seen in each program each month for the past five years, length of each client’s treatment, number of clients who return after completion of a program, criminal histories of clients, and so on. In order to put together this report, Max has been given access to all files in the agency’s mainframe computer. After assembling the data into a file that includes the clients’ names, he downloads it to the computer in his office. Under pressure to get the report finished by the deadline, Max decides he will have to work at home over the weekend in order to finish on time. He burns the information onto a CD and takes it home. After finishing the report he leaves the CD at home and forgets about it.

You are to select one case, and using the title of the case as the title for a report, you are to write a report that addresses the ethical issues in the case study.

The Doing Ethics Technique for Analyzing Ethical Issues

Ethics is a set of moral principles. It is a discipline dealing with what is good and bad and with moral duty and obligation (webster, 2018). They form the basic beliefs and standards that run an organizations and institutions. In this case, the ethical issues dictate how the information about the patient should be handled.

This study uses Max’s situation as a case study for the analysis of ethical issues related to the information and communication technology as means of keeping electronic records. Max works in one of the state department working on rehabilitation of alcohol and drug addicts. The information about the patients are stored in the main frame computer within the department. Without proper authentication, Max is ordered to access the clients’ information in order to update the medication record, but due to pressure for work to be done and shortage of manpower, Max extracts the information, goes with it to his home and forgets about it. This presents the great danger not only to the clients, but also to the institution at large if the data gets into untrusted hands. Therefore, this work gives some proposals on some of the ways that can be applied in handling and solving the challenges related to ICT ethical issues.

The Doing Ethics Technique is one of the methods applied in examining any issues relating to ethics in any situation. This technique approaches the issues at hand by taking note of what is going on, the things which prove and confirm what ever is going on, the issues surrounding an event in question, the parties involved in the event, there relationship with the event and how they are affected by the event in question (Poissant, et al., 2008, p. 8). In addition, the technique identifies the possible best ways that can be employed to resolve the issue based on the nature of the challenge.  

In the case study under analysis, there are several ICT- related ethical issues which come out.  The major issues include: Privacy and confidentiality and security breaches. These are discussed in detail on how they occur, who the affect and how they can be handled by the concerned personnel.  

Based on the doing ethics technique of analysis, the question on what is going on is answered by the unethical behaviour of Max accessing the clients’ information, carrying it home and leaving it there. This is creating risk on the security of clients. The question on the facts is answered by the fact that unauthorized data access by Max was made. There is no point that the patient has been consulted to retrieve his information especially by the person who is not a physician, in this case, Max. According to the ACS professional ethics and physician-patient relationship ethics state that the information about the patient should be kept confidential as much as possible. In this case, confidentiality was breached by Max who extracted data and left in his house which could be accessed by any person who could use for his own benefits at the expense of the patient. The issues in question are about the security, privacy and confidentiality of clients’ information. The security, privacy and confidentiality of clients through exposure of their details which are very sensitive is at stake. Security wise, Max copied the data into the CD which is not password encrypted or otherwise it could be stolen or misplaced. The point of information security is wanting as the information is not totally secure as seen that Max left the CD contain data in his house where it can be accessed by anyone. Confidentiality on the department to secure the clients’ data is not trustable as well. The parties affected include both the clients and the staff. When the negative information about the client land into the hands of their enemies, it can be used against them. Likewise, the trust to the rehabilitation department and its staff by the patients will be totally lost. This will result into the facility losing its clients, destroying its reputation, experiencing losses and even prosecution for breaching clients’ right to privacy. The ethical issues arising in this case are on security, privacy and confidentiality. The information being carried home by Max with no supervision paused a risk of information loss. Once the information gets into the hands of third party, its privacy is destroyed. When personal information of the client reaches the public, the confidence of the client on the service providers shall cease. This has negative impacts on the client as well as to the service providers. The client could be stigmatized by the information while the department could be prosecuted for violating their clients’ rights. To resolve the issues at hand, several options can be put in place. This include creating strong security on the information by using security codes, personnel and computer softwares that will ensure security of data. The training of both information manager as well as the physicians serving clients should be properly be done on how the information of the client should be guarded. Training of involved parties on the information security is the most important solution to the above challenges encountered on database security.

Major Ethical Issues in the Case Study

Privacy has been defined in different ways but have the same meaning, for example, it is defined as “to be let alone” according to Samuel and Louis.  It can also be defined as” the right of an individual to keep information about themselves from being disclosed to others; the claim of individuals to be let alone, from surveillance or interference from other individuals, organization or the government” by Richard Rognehaugh. Every individual has right to privacy and physician- patient relationship ethics require that any personal information about the patients should only be released to other parties only with the patient’s permission or under law order (Ones, 2018, p. 10). In special situations when the patient is not in a position of authenticating the access of his or her information, his or her relatives should be sought for permission. If the relatives are not available, a legal representative such as a family or state advocate should be sought for authentication. This is aimed at making sure that only the authorized individuals have an access to the patients’ information as this will ensure protection of patient’s right of privacy as well as maintaining high standards of confidentiality (National Academies of Sciences, 2015., p. 8). In the case at hand, Max accessed the clients’ information without the patients’ consent. The person who gives access permission to Max is not supervising him in any way, there is no legal representative of the clients and therefore, the right of privacy was breached by the department. Nevertheless, the ethics demand that the accessor of information should have the pre-established role?based privileges. Where an administrator identifies the person and determines the level of information to be accessed by the person. In the case at hand, Max was not identified before but he was just given an access urgently. This is evident in the way that he was working under pressure to prepare report, which shows a higher level of unpreparedness Such careless access of the highly confidential and sensitive information of thee clients which include criminal records when careless handled and end up in the public will harm the reputation of the clients. The clients will lose confidentiality to the department and the information will also present social disadvantage to them. To ensure privacy and confidentiality of the information, the user should be made aware of the way they should handle the information and consequences they can face in any case they misuse thee information. He should be held responsible.in addition, access privileges should be assigned to a specific user whom him only has an access to the information. Besides, strong privacy and security policies securing patients information should be strictly observed.

Privacy and Confidentiality of Information

Security violation endangers the client’s privacy once his or her information is at any situation made available to other parties without his consent or legal approval. (Oliver, 2012, p. 3)The information can be made available to unauthorized persons either intentionally or unintentionally, knowingly or unknowingly (RinehartThompson & Harman, 2010, p. 53). This can happen in the case where the information is stored in mobile devices such and personal laptops and phones which are not approved to be used by the information technology department. Such devices can easily be stolen or hacked into and the information gets accessed by the unauthorized individuals. This happened with Max who had access to the information, copied it to his personal laptop and burned to the compact disc. He went ahead and went with the information to his own home. This posed a great risk to the information. He could be attacked on the way and the disc contained the information taken away by perpetrators. Also, there are higher chances of the disc being taken by unknown person since after preparing the report, he forgot about it. To remedy this, security measures should be observed. Such measures include using cloud storage for mobile devices, password protection and content encryption. Data integrity should be protected by including antivirus, intrusion and firewall softwares into the devices containing information. There should be a routine auditing of information and tracking of activities including the date and type of events done on daily basis to eradicate any cases of forgetfulness.

The Australian Computer Society (ACS) is an association for information and communications technology professionals which aims to advance professional excellence in information technology and promotion of information and communications technology resource development. ACS is among the worldwide associations working as a unit to professionalise and standardize different disciplines. To achieve these, the members of ACS are required to uphold and advance dignity, honour and effectiveness of professionalism. The member should be a good citizen who places the public interests above his own, work towards promoting quality of his clients, honest in the course of his duties and service to the public, competent enough to work with intelligence while working towards development of his profession and that of others in the ICT industry. Having considered the professional requirements according to the ACS, Max did not meet the threshold. Having sacrificed his time to finish preparing the report, he showed some sense of having the interests of community above his own interests, however, he failed when he took the information out of the department’s vicinity which risked its security. In addition, Max being given privileges to access the clients’ information shows that he was knowledgeable in matters pertaining information and communication technology but he failed to contribute in the development of carrier of his fellows within the department by not teaching them on how the sensitive electronic information is supposed to be handled.

Security Breaches

ACS operates under professional codes of ethics which follow the guidance of the International Federation for Information Processing (IFIP) (Berleur, et. al, 2004). The major codes of ethics are code of conduct and code of practice. The code of conduct governs how the person to whom it applies conducts him or herself in an ethical manner (Berleur, 2004, p 11). The code of practice for professionals governs how the person to whom it applies carries out his or her work technically (Berleur, 2004, p 11). With the observance of the above conducts, the rules and procedures regarding information protection and handling is achieved with ease since the way a person handling the information has to behave at a given situation is well provided (Ratanawongsa, et al., 2016, p. 176). For instance, an individual is not supposed to move out of the safe with the private information unless otherwise under protection by the state.

Health care documentations are created by any person who deals with patients and clients at any level. When documentation is accurate, complete and secure, proper care of the clients can be achieved easily. However, no person or process is perfect. There are various factors that contribute in the creation of poor documentation which include compliance concerns, time constraints and poor education. To come up with solution, several steps have to be taken. First, poor documentation should bee define by establishing what contributes to poor documentation information mismanagement, these can be incomplete documentation, poor or lack of facilities for information documentation. Once the cause is known, it should be addressed in a proper way. This includes educating the concerned personnel on how they are supposed to manage the documents and devices having the information. They should be properly organized to allow easy management and retrieval when required. The records should be timely prepared and updated to prevent any constrains of the information managers. Stores should be organized and information access should be controlled by laid down rules on who should access them, when, how and under what circumstances should such information be accessed (OdomWesley, et al., 2009, p. 21).

Conclusion and recommendations.

Ethical Principles for Medical Research Involving Human Subjects places a responsibility upon physicians and any person attending to the patients at any capacity to protect their rights to life, health, integrity, dignity, privacy, right to self-determination, and confidentiality of personal information in use for any purpose. Although the patients may give their consent their information to be used, confidentiality should be held high as this essential for supporting absolute trust and integrity between the patient and physician. Clients’ information confidentiality creates their trust in service providers.

Possible Solutions to the ICT Ethical Issues

The major parties that are responsible in ensuring information confidentiality are service providers to the clients either directly or indirectly. This consists of medical professionals and the manager of the clients’ information, the IT manager. The medical practitioner acquires firsthand information from the patient while the record manager may acquire as a firsthand from the client or secondarily from the physician. In whatever the case, the professional ethics of both medical practitioners and information and communication technology professionals are required by all means to keep the information secure by all means.

To achieve the security and confidentiality of information, the professionals have to meet the laid down moral values that will guide them in their work. Besides these, security measures have to be made strong by making the devices containing any sensitive information inaccessible to any unauthorized individuals. The information must be encrypted in a way that on a specific individual is allowed to decrypt it. In addition, the computer devices in which the information is stored in should be installed with softwares that prevent or notify any unauthorized access. These include installing unto date antiviruses, antirootkits and strong firewalls. Also, the strict rules and policies regarding the criteria of information access and use should be made clear to all the staff. It should be made a general responsibility to guard the information. A schedule and timelines for performing certain tasks should be made known in advance. There should be set periods and timelines in which medication reports about the patients’ progress should be prepared. This will help the responsible parties to plan their work and allocate enough time in advance to avoid rushing up with the work in order to catch up with time. Rushing up with time will encourage inaccuracy and poor-quality work. Most effective way of ensuring absolute security to the information is dependent on the individual handling the information, only a person with high integrity is to be entrusted.

National Academies of Sciences, 2015.. Engineering, and Medicine Committee on Diagnostic Error in Health Care. Improving diagnosis in. Washington, DC: , National Academies Press;.

OdomWesley, B., Brown, D. & Meyers, C., 2009. Documentation of Medical.. Chicago: American Health Information Management,.

Oliver, K., 2012. Australian Institute of Computer Ethics. Applying the ACS Code of Ethics, Issue Ethics in computing, p. 3.

Ones, P., 2018. Permission-Based Marketing under Canada's New Privacy Laws.. Franchise Law Journal, Volume 4, p. 10.

Poissant, L., Pereira, J. & Rose T., 2008. The impact of electronic health records on time efficiency of physicians and nurses.. A systematic review., monday May, p. 16.

Ratanawongsa, N., Barton, J. & Esther. a., 2016. Association between clinician computer use and communication.. JAMA .: Intern Med..

RinehartThompson, L. & Harman, L., 2010. Privacy and confidentiality.. In: Jones & Bartlett, eds. Ethical Challenges in the Management of Health Information. Sudbury: MA press, p. 53.

webster, M., 2018. The Merriam webster dictionary. ed 18 ed. Amazon: Amazon publishers.

Santhosh Patel,2013 “Virtual Information and Intellectual Freedom”. Authors press.

Menachemi N, Ford EW, Beitsch LM, Brooks RG, 2009. Incomplete HER adoption: Late uptake of patient safety and cost control functions. Am J Med Qual, P.319?26.

Odom?Wesley B, Brown D, Meyers CL, 2009. Documentation of Medical Records. Chicago: American Health Information Management Association. p. 21.