5.1.1 Deliberations about control in the case of MyHealth
The decision to introduce MyHealth as a patient-controlled solution that would be part of the national health service offering, led the design team to deliberate on how this could be translated into actual design decisions on allocation of control rights. In other words, what kind of approaches would be adopted for handling the health information content, and what would be the logic for user control? One of the first issues discussed relates to the national and universal character of MyHealth. Because this is a national-level initiative addressing all residents of the country, would everyone need to have a PHR? The straightforward answer was that it would be something that each person would have to decide. The technical functionality would be available and the connections that allow information flow between various systems and MyHealth would be in place, but it would be activated only if a person decided to activate it. One of the legal experts in the team investigated how adequate control could be ensured in legal terms: “consent might not even be enough, because it will be so much information that you will store … We need probably a regulation in law. We had a meeting with the Data Protection Authority on Friday, but it is unclear yet how we will do this … You will store too much information in one place, each citizen will kind of be responsible for so much. And people do not know much about information security and they do not know how to do it safely. So, it is a big responsibility to put on the citizen.” There was uncertainty both about how to regulate access and how to inform citizens about what to expect from the new electronic solution.
One key aspect that sets the idea of a national PHR apart from previous personalized information initiatives within HealthNorway is the accumulation of sensitive personal information. At the time of the study, there were already two personalized services offered through HealthNorway: one for viewing prescriptions and one for viewing vaccinations. The new initiative was considered different from prescription viewing, which “is deleted after three months, so there is no history there.” Furthermore, it was also considered different from viewing vaccination records: “information on vaccination is not very related to you as a person; for instance, the child vaccination program is just the standard vaccination—it does not say anything about you as a person.” Even more importantly, patient ownership is something that sets the new initiative apart, as a team member explained: “that you are responsible, you as a person are responsible for that information … An archive is not the same as your medical health record. You can include things like appointments for your physiotherapist, dentist, anything, and then it can be things that they send you like lab results and things like that, but it is not like a medical journal where a doctor or nurse decides what should go into the journal … For instance, if you test your sugar level ten times a day, not all of them would be part of the medical record, only a few, the important ones. In the medical record, you are not supposed to enter all information but just the relevant information. The personal health archive will be different because you can put in whatever you like, even your own notes.” A core characteristic of the solution was that it was up to citizens to decide what the archive would contain.
This new solution would provide connections to various systems within healthcare, but this would also need to be controlled by the patients. A team member elaborated on how this control could be enacted: “the hospitals will be able to send you things, but you need to give your consent of who can send you anything. It is not that anyone can start sending … You can also make your personal notes … No one can access your personal archive. If you give your consent I can send you something. Others cannot log on or look at it. And then you can decide if you want to share information, but it won’t be by logging in, it will be that you send out information like an email, so it is still your responsibility and your archive.”
The initial discussions led to the realization that designing for control by patients has multiple facets. First, it is important to ensure that patients will be in a position to make informed decisions about having or not having such a PHR and that patients will be able to control what pieces of information are stored in their archive and with whom they share specific pieces of information. In a design workshop, the team discussed how patients would be able to restrict access. During the discussion, the information flow paradigm was used. Patients would have their own space, and information could flow in and out of this space based on their will according to a messaging logic. In the discussions, the team said that input from the doctors´ association is also required on the patient options, and they were in dialogue with the association. When interviewed, the design team’s legal expert said that there are many issues related to doctors’ professional responsibility: “you should be able to make your own notes and you can decide to share it with your doctor, but also you need to make sure to know when is it that the doctor is responsible. For instance, if I send a note to the doctor, a message where I say that I will kill myself, is he then going to be responsible for that? You cannot have an open channel to the doctor because then the doctor will have to sit with all the messages, when is the doctor going to read them and how fast?” This extreme example was used to illustrate the implications of design decisions and how the team had to consider possible unintended consequences.
In the workshop, there were more discussions about what it means to have control over sharing. Can a patient decide to share a message written by a doctor with a third doctor? The answer was yes, in principle, because this is a patient-controlled record. Similarly, the team said that in principle, patients should be able to export data. However, there were concerns about how patients would treat their data in a way that ensures that data are kept safe and private and how to “find ways so that it is not too easy to resend it, or download by default. It should be a little bit difficult to do those things, not very difficult, but a little bit difficult … If people download everything to their laptop, then the safety will be as safe as the laptop … so it is better if you log on and everything is kept in the same place and that the place takes care of the security. If you make it easily accessible and everything is very easy after you log on, then I would not expect people to download.” These concerns show how the issue of delegating control is closely related to issues of personal information security.
Following the general mandate of patient control, the design team had to put in place routes and methods for patients to handle their health information. This entailed taking a position on a number of issues and making choices among different design options. The design team had to balance the autonomy of patients with the need to provide protective mechanisms, to facilitate sharing and to ensure adherence to established logics of healthcare delivery.
5.1.2 Deliberations about control in the case of MyBook
The doctor-entrepreneur who came up with the idea for MyBook conceptualized it as patient owned and selected a name that signals that this is something that belongs to the patient. To make this point clear, he made comparisons with other initiatives that simply modify existing record systems by giving patients access to specific documents. He explained that the key difference between MyBook and these initiatives is that they do not allow patient ownership and responsibility. Although the idea of patient control was clear from the start, the details of it were not; the actual ways of giving to patients control over MyBook had to be worked out. For instance, the doctor-entrepreneur envisioned that patients would be given functionality to control sharing at the level of the “whole book” but during a workshop with patients it became apparent that they wanted more granular control (i.e., sharing parts of their health document collection). One patient explained that selective disclosure was required because some things were more personal or “taboo” than others. Although the patients expressed a preference for selective/granular sharing, this was not adopted by the design team because it opposed the principle of simplicity that the initiator of MyBook had defined as a key requirement. In a different workshop discussion, patients expressed concern about using mobile phones for taking photos and uploading documents because some apps can access the phone’s photo album. The technical developer explained that there are ways to develop the application to ensure that no photo will end up being stored on the phone. This indeed became part of the specifications and the functionality in the prototype developed. Additionally, a design decision was to allow patients to set the duration of sharing with particular healthcare providers (i.e., the number of days, months or years) and enable them to revoke access to documents at any times.
In the case of the national solution, the sharing approach was conceptualized in terms of information flow to and from the personal health archive; in other words, a messaging logic was adopted rather than an access logic. Unlike MyHealth, in the case of MyBook, the preferred approach was to grant access. In the workshop with patients, the actual functionality that would implement such an access logic was discussed. Patients discussed the possibility of giving their doctors a one-time password and referred to their experiences with such passwords when using internet banking solutions. After discussion, the solution of giving a password with a patient-specified duration was selected.
Giving control to patients also meant that they would have the ability to delete their book permanently or temporarily deactivate it if they wanted. A key question was whether the patients would have the ability to export and locally store the content of their book before deleting it from the central remote storage. The doctor-entrepreneur objected to this: “I see a security risk in copying and moving data. It can lead to things going astray, and the system coming into discredit.” This security concern was similar to the concerns expressed in the discussions we followed for MyHealth: downloading the accumulated information to local computers was considered risky.
Interestingly, when discussing the possibility of deleting individual files from MyBook, some patients expressed doubts. One patient said that it is one thing to take a document under the radar (by not allowing it to be shared) and a very different thing to remove it permanently; the patient was concerned about the desirability of a delete option. Another patient said, “I will not delete anything. My history should be there … Doctors have to trust that we have entered all data.” The patients wanted control, but at the same time they felt that the book was not totally private and that they had to ensure some sort of integrity by informally following some of the rules that hold for medical records. They felt accountable for the completeness of information in MyBook.
It was interesting to identify also in the MyBook case the tension between the autonomy of patients and the need to provide protective mechanisms against privacy threats (as illustrated in the decision not to provide a download functionality). Furthermore, concerns about balancing patient autonomy with the need to facilitate sharing and ensure adherence to the established logic of healthcare delivery emerged. Although the tensions observed around issues of control during design deliberations are similar in the two cases, the two teams made different choices.