SecurityArchitecture.comPublic trust in health IT as a case study in system trust
In a typically insightful blog post last weekend, Margalit Gur-Arie considers issues of trust in electronic health records and other health information technology through a comparison with the banking system, financial institutions, and the use of paper currency. By using as a frame of reference a system in which public trust is well-established (we’re talking here about banking in general, not any greed-driven actions taken by Wall Street investment bankers), she highlights some of the distinct differences involved when we talk about trust in a system as opposed to trust in specific organizations or individuals. This distinction is one of the fundamental points in Niklas Luhmann’s seminal work on trust (Luhmann, 1979), in which Luhmann uses societal trust in money specifically and the financial system in general to emphasize the different factors contributing to trustworthiness in a system compared to the basis of trust involved in interpersonal relationships.
The point of the contrast between the financial system and the health care system pending the widespread adoption of health IT is that the process by which public trust is established is neither trivial nor rapid, and health IT is currently still at a very early stage in that process. Gur-Arie draws important lessons from the evolution of the banking industry in terms of safety and security as well as laws and regulations, noting that all of these elements collectively were needed to reach the level of public trust the financial system currently enjoys — robust enough that it manages to shake off the effects of even major setbacks, although historically government regulation has a lot to do with those recoveries. She notes that in the earlier days of the system, “as long as banks were easily robbed on a daily basis, and as long as nobody guaranteed that your money was safe in a bank, and as long as you didn’t travel much, the cowshed was the best option” for your keeping your money safe. Gur-Arie suggests that health IT is currently at the “daily bank robbery” stage, and it will take changes in privacy and security practices among health care organizations, in addition to appropriate policies and regulations where necessary, to provide sufficient evidence for the public to have confidence in the system and trust it to handle their personal health information.
There are many valid parallels that can be drawn between financial institutions and health care institutions, but there are some fundamental differences in the nature of a commodity like money (and all the things it enables or facilitates) and nature of individual health. The core decision involved with money (whether to put it in a bank for safekeeping or whether to put it under your mattress) is not the same as the decision to store your health record electronically or on paper, because in either case the patient is still placing the record under the stewardship of the provider (or insurance plan, or agency, or other entity). No one would suggest that the alternative to putting your medical record online is keeping it at home or with you (perhaps ironically, the whole idea of personal health records is to give consumers a means to play a more central role in managing their own health and health data). A point of greater commonality between finance and health care is the fiduciary role that both banks and health care organizations have to look after the interests of their customers. Bernard Barber (1986) among other theorists have drawn particular attention to trust in the sense of expectations that trusted entities will fulfill their fiduciary obligations, rather than betraying the trust placed in them by appropriating the objects entrusted to them (money in the case of banks, medical records in the case of health care entities) for use in self-interested purposes, whether or not those purposes are explicitly legal.
One other important difference between trust in the financial system and trust in the health care system is the focus of trust by an individual. Following the familiar characterization (Hardin, 2006; Levi, 1998; etc.) of trust as a three-part relationship — truster, trustee, and the context of the relation — the truster (patient) trusts the trustee (provider, health care organization) within the limits of a specific context, such as delivering care, but that trust need not extend beyond a given purpose for use. This potentially limited scope of trust is seen in banking as well (for instance, you may put your salary in a checking account with your bank, but may choose not to have them manage your investments), and in the health care arena, is a central aspect of the current health IT policy debate about consent and consumer privacy preferences. In the health care system, the key trusting relationship is between the patient and the provider, or perhaps the patient and institution, if the patient receives care in an environment where he or she might see a different doctor at each encounter. In most banking contexts, the relationship is likely to be more impersonal, where the bank teller or loan officer may or may not be well known to the customer, but in either case is explicitly an agent of the financial institution they represent. There are of course many people who travel and move residences quite frequently, and for these people at least, trust in the health care system goes beyond a specific doctor-patient relationship, and it is at this same systemic level that public trust in health IT needs to be established.
It is important to distinguish here that trust in EHRs as an alternative to paper-based medical records is a quite different proposition than trust in health information exchange or the interoperability (and presumed broad availability) of the data stored in electronic health records, and this distinction isn’t the same in the financial services sector. In banking, getting access to your money while away from home seems similar in nature to a doctor in another city accessing your records when you visit during your vacation, but the use of what’s exchanged is quite different, as is the relevant time horizon, since once the remote bank gives you your money, it no longer has any stewardship responsibility. Interoperability and data exchange in the banking industry (which became more or less universal on a technical level some 20 years ago) is in many ways simpler than it is in a health care setting, since the information the bank needs is largely details about your account (and the liquidity of the associated assets), while in health care the focus is more on the contents of the health record, and less about whether you happen to be a member of a given plan or customer of a given provider organization.
To bring the health IT sector anywhere close the level of nearly pervasive public trust enjoyed by the banking industry, there are important contributions to be made by many different stakeholders, including the providers and other health care entities, the technology vendors and operators whose health IT solutions will be used in the market, and the government that, in the form of regulations and oversight, can do more to encourage organizations holding health information to behave appropriately. Most sociological and economic theories of trust would stipulate that appropriate organizational behavior that occurs because it is constrained by laws, contracts, or regulations is not actually evidence of trustworthiness, at this point in the process of maturing the health care system and its use of health information technology, greater public confidence will substitute for public trust until the system reaches a point where it can rely on unconstrained demonstrations of trustworthy conduct.
References:
Barber, B. (1986). The logic and limits of trust. New Brunswick, NJ: Rutgers University Press.
Hardin, R. (1996). Trust. Cambridge, England: Polity Press.
Levi, M. (1998). A state of trust. In V. Braithwaite & M. Levi (Eds.), Trust and governance (pp. 77-101). New York, NY: Russell Sage Foundation.
Luhmann, N. (1979). Trust and power. Chichester, England: John Wiley & Sons.
1 Comments on “Public trust in health IT as a case study in system trust”
This is fascinating!
I think we are looking at a decade or two, at the very least, before trust in HIT reaches the state of trust in banking (barring unexpected disasters in both areas).
Seems that I have quite a bit of reading to do in the interim…