Journal of General Internal Medicine

, Volume 30, Supplement 1, pp 3–6 | Cite as

How Bioethics Principles Can Aid Design of Electronic Health Records to Accommodate Patient Granular Control



Ethics should guide the design of electronic health records (EHR), and recognized principles of bioethics can play an important role. This approach was recently adopted by a team of informaticists who are designing and testing a system where patients exert granular control over who views their personal health information. While this method of building ethics in from the start of the design process has significant benefits, questions remain about how useful the application of bioethics principles can be in this process, especially when principles conflict. For instance, while the ethical principle of respect for autonomy supports a robust system of granular control, the principles of beneficence and nonmaleficence counsel restraint due to the danger of patients being harmed by restrictions on provider access to data. Conflict between principles has long been recognized by ethicists and has even motivated attacks on approaches that state and apply principles. In this paper, we show how using ethical principles can help in the design of EHRs by first explaining how ethical principles can and should be used generally, and then by discussing how attention to details in specific cases can show that the tension between principles is not as bad as it initially appeared. We conclude by suggesting ways in which the application of these (and other) principles can add value to the ongoing discussion of patient involvement in their health care. This is a new approach to linking principles to informatics design that we expect will stimulate further interest.


Electronic health records Ethics Patient preferences 

The increasing use of electronic health records (EHRs) has spawned an important discussion about the ethical acceptability of giving patients more control over the content of and access to their personal health information.1 Patients want access to their records,2,3 and clinicians need to have access,4 generating important policy discussions wherever EHRs are being implemented.5,6 Consider the patient who sincerely believes that her neurologist should not have access to her history of substance abuse and prefers to not have this information shared, which contrasts directly with the neurologist’s equally sincere belief that any withholding of medical information will delay diagnosis, and possibly compromise the patient’s medical best interest. Resolving these issues in a single clinical encounter is challenging enough; developing an EHR that can accommodate these ethical decisions invokes additional ethical trade-offs.

The idea of appealing to a set of well-reasoned ethical principles to aid in health-related decision making reflects a tradition and practice stretching back millennia. In its more contemporary instantiation, however, many look to Beauchamp and Childress’s Principles of Biomedical Ethics first published in 1979 and revised in 2012 in a seventh edition7 as the standard text for this approach. Others have adopted similar versions with variations,8 or suggested additional principles entirely,9 but the basic idea of using principles such as respect for autonomy, beneficence, nonmaleficence and justice to provide a justification for specific actions or decisions has been sufficiently well adopted in the health professions as to be considered the standard approach, even though, as we note below, it is not without its detractors.

Just as bioethics principles have been used to provide guidelines for medical and research decision-making practices, they can also play a helpful role in anticipating the questions that EHR designers should be answering as they build more adaptable systems and put them into operation as part of the evolution of bringing computers into medicine.10,11 We recently developed an ethics framework12 for helping informaticists at the Regenstrief Institute in Indianapolis take into account relevant ethical issues when designing a system that would give patients “granular control” over who views their personal health information. The framework was in the form of a ‘Points to Consider’ (P2C) document, which poses key questions and possible answers set against the background of accepted bioethics principles of bioethics and Fair Information Practices (FIPs)13 as a way to build ethics into the design process. A simplified version of the framework containing the six key questions is found in Table 1. In practical terms, the P2C framework is a decision aid that translates bioethics principles and FIPs into a problem-solving tool. By answering the questions – each of which have been constructed using bioethics principles and FIPS – informaticists can immediately “consider patient preferences for sharing information about themselves at the outset, rather than building a functional EHR and then asking how it can be ethically employed after the fact.”12 The overall project, the outcomes of which are found in several other papers published in this Supplement, accepts the premise that building ethics in from the start would increase the likelihood of an EHR being accepted by patients. The early evidence of the impact of designing an EHR system in this way can be found in these papers.14-16 While the evidence of the successful adoption of an ethics-informed EHR is promising, more work is required to determine whether the ethics framework we developed was sufficient for the longer term task of rolling out EHRs that give patients granular control. In this paper, we confront a basic issue that arises when creating and using an ethical framework in EHR design: How can bioethical principles contribute when they are quite general, and if they conflict with one another?
Table 1

Points to Consider12

1. How will the system make transparent the uses and flows of clinical information so that patients can make informed choices about disclosing/restricting their information?

2. How will the system structure the array of choices patients can specify for disclosure and nondisclosure of their clinical information?

3. How will technologically and/or medically unsophisticated patients, or those with other challenges, exercise their choices for granular control of their information?

4. How will the system inform providers of a patient’s preferences for data access/restrictions?

5. Under what circumstances/conditions will the system allow health care providers to access patient data in ways that may override stated preferences for granular control?

6. How will patients be told about mandatory reporting requirements (e.g., public health, gunshots, abuse, disease registries, etc.) and their impact on granular control?

The debate over whether and how patients should exert control over the content of and access to information in their medical records has been with us at least since Mark Siegler called out patient confidentiality as a “decrepit concept” in medicine more than three decades ago.17 Anticipating the present discussion about EHRs, Siegler made the following sensible proposal pertaining to the traditional paper medical record:

Finally, at some point most patients should have an opportunity to review their medical record and to make informed choices about whether their entire record is to be available to everyone or whether certain portions of the record are privileged and should only be accessible to their principal physician or to others explicitly designated by the patient.17, p. 171

Siegler had a prescient conception of the problem that we now face and proposed a reasonable possible solution. Where’s the fuss? What’s ethics got to do with this? As usual, the devil is in the details: we may be closer to implementing the general system he envisioned, but in so doing, we face an apparent battle royale among important bioethical principles, especially respect for autonomy on one side, and nonmaleficence and beneficence on the other. This strategy has been adopted before.18 Other principles may be implicated, including more nuanced ones emerging from the sharing of data in literature.19 We have chosen to limit our discussion to a more traditional balancing of respect for autonomy, nonmaleficence, and beneficence, because the principal argument for giving patients any control of personal health information (PHI) in their EHR is a logical extension of the application of the principle of respect for autonomy in decision-making about medical treatment and research generally,20 and in particular about patient empowerment and informed choice in the clinical encounter.21, p. 392 Permitting control of any sort demonstrates respect for patients’ capacity to make informed decisions, to exercise choice, and to act as autonomous agents of their own self-actualization. In short, giving patients control over PHI demonstrates respect for their autonomy, and by implication, inhibiting the capacity of patients to control their personal health information fails to respect their autonomy.

At the same time, an institution in which patients have complete access to and control over their own medical record—choosing what information will be seen by whom—fails to respect physicians in an important way. Physicians may feel that such a system questions their ability (or autonomy) to exercise their skill and judgment according to their expertise and training. In the former case, denying patients any control treats them paternalistically; in the latter case, denying physicians access to the entire record treats them unprofessionally. Neither extreme makes sense, and reasonable people seek middle ground. But there is no independent way to settle on the precise location of that middle ground (How much control? Are there exceptions?). Indeed, when Beauchamp and Childress introduce the principle of respect for autonomy, they say that it “runs as deep in the common morality as any principle,” but add that presenting it first “does not imply that this principle has moral priority over other principles.”7, p. 99

Similar complexity arises when applying the principles of beneficence and nonmaleficence, the Janus-faced labels for the ethical obligations to benefit and not harm, respectively, that are found in countless compendia of bioethics principles and guidelines. Concerns about benefitting and not harming patients provide a compelling ethical counter-balance to the argument that patients should have substantial control over the access to and use of their medical information. The worry is that patients will hinder their own medical care and hurt themselves, by exerting ill-conceived granular control over who views parts of their health records. A patient, for example, might decide not to give a cardiologist access to information in the health record that shows that the patient is being treated for depression. If this means that the cardiologist prescribes a medication that has a dangerous interaction with the one that the patient is taking for depression, then it seems that something has gone horribly wrong. A system that should protect patients from harm and promote their well-being has failed.

In this way, we see a more complex picture begin to form, where one principle supports granular control by the patient, but at the cost of impeding the clinician’s ability to exercise their abilities; and similarly, other principles may conflict with one another. This complexity is not unique to the EHR debate, and can be found wherever the interests patients have in exercising self-determination may be challenged by the interests that clinicians have in helping and healing. The persistent conversation about end-of-life decision-making care is only the most recent example of a long standing public conversation that struggles to balance competing and legitimate principles.22 It is this very difficult task of getting the balance right that preoccupied critics of the use of principles to guide moral decisions—pejoratively called, “Principlism”23—emphasizing their inability to resolve difficult cases because they lack any internal coherence or deep theory to organize them. These critics see conflicting principles as being like the two arms of the straw man in the Wizard of Oz, pointing ineffectively in opposite directions. Beauchamp and Childress have spent several editions of their Principles of Biomedical Ethics defending their approach against these critiques, so we will not address these debates here. However, we think consideration of the case of granular control reflects and informs important parts of this somewhat abstract debate.

First, as we have shown in our prior work with the Points to Consider framework,12 the use of bioethics principles as part of an EHR design process makes good sense. Ethical principles highlight important considerations, and recognizing that such considerations may stand in tension is the beginning of a more robust understanding of the trade-offs that arise. The Points to Consider highlights the existence of such tension and the need for a decision. Designers can acknowledge the conflicting principles and make an informed decision about how to proceed.

Second, buried in the disagreement about the application and interpretation of abstract principles may lie a way forward: the need to dig in to details and context. Once we know more about the specifics of troubling situations, we may better appreciate what an EHR can and cannot be expected to do, and what blame should (or should not) be placed at the feet of granular control. For instance, was the patient who denied his cardiologist access to information about his treatment for depression told that this would undermine an automated system for identifying dangerous interactions between medications? If the patient was not told this, and was not given tools to effectively respond (perhaps being directed to a website where he could input the names of his medications), then the fault may lie in inadequate education rather than the mere existence of an EHR that supported granular control.

Turning to the patient who did not give her neurologist access to records regarding substance abuse, it is important to note that many people who use illegal drugs often don’t tell their doctor, and the EHR may contain nothing indicating such use, a situation becoming complicated by current privacy policy debates.24 Further, a history of substance abuse does not mean that the patient is currently using. There are better ways for a healthcare professional to try to find out whether her patient is using drugs than looking in the EHR (e.g., by asking, or by doing certain tests), and looking in the EHR is neither sensitive nor specific for current use.

Defenders of granular control sometimes point out that patients have always had the ability to pick and choose what to tell their doctors, and that failing to create a real system of granular control could simply drive patients to avoid healthcare altogether. Perhaps the patient who initially hides information from his neurologist learns later to trust her with these facts. There is much the EHR can do to enhance transparency between clinicians and patients, but it not a substitute for the collaborative doctor–patient relationship, where both parties benefit when it succeeds and suffer when it goes bad.

Considering these details about the cases suggests that there may not be a conflict between principles, but rather a dance between them in real-life cases. But it also illustrates the important nuance that comes from digging deeper into the content of each situation. Applying bioethics principles to cases requires a process that the philosopher Henry Richardson has called specification, defined as “a process of reducing the indeterminate character of abstract norms and generating more specific action-guiding content.”7, p. 17 This explanation emphasizes that principles are not, as Beauchamp and Childress point out, “wooden standards that disallow compromise.”7 p. 14 Respect for autonomy does not battle to the death with beneficence or nonmaleficence, with only one side emerging victorious. Sometimes, what is at stake is the same principle being interpreted or applied in the same situation by different people or with different assumptions about alternative outcomes or possibilities. Principles are applied at a time and place by real people considering real situations.

That said, it is still true that some situations are truly unethical: they can violate all the principles at once. None of the principles are satisfied when a patient makes an ill-informed decision, perhaps impulsively, not to give a provider access to information, without knowing the dangers, and then suffers harm due to that decision. Nor are ethical principles respected when providers dismiss patient preferences in an equally impulsive or reflexive way. A system of granular control can be designed to support respect for autonomy, beneficence, and nonmaleficence, perhaps most importantly if there is an effective system by which patients are educated about the benefits and risks of their choices. What is most worrisome about granular control may be the unlikelihood that the healthcare system as currently configured will be able to educate patients in effective ways, or to encourage them to make wise decisions about sharing information. In fact, one of the key benefits of patients viewing and interacting with their medical records more directly is to engender greater awareness, trust and confidence in the system—something proving elusive to date, especially in light of data breaches in banking, commerce, and national security environments. But if the healthcare system cannot adequately educate patients or create cooperation and trust around medical records, then the principles of bioethics will be only the first (and probably least important) casualty.

While our emphasis here is on the clinical encounter, we cannot help but note that society’s massive investment in creating and linking electronic health records is already raising ethical questions about the appropriate investment of resources to advance this technology, as contrasted with other needs.25 If granular control weakens the ability of the healthcare system to take care of patients, it not only violates bioethics principles supporting patient empowerment and clinician’s interests in promoting patient well-being, but others, including justice, solidarity, transparency and reciprocity. This discussion must be picked up elsewhere.



This study was supported in part by grant number 90HT005 from the Office of the National Coordinator for Health Information Technology (ONC) to the Indiana Health Information Technology Corporation (IHIT) and NIH grant #UL1TR001108. The opinions expressed in this work are the authors’ and do not necessarily reflect the positions of ONC, IHIT, Indiana University, or the Regenstrief Institute, Inc.

Conflict of Interest

The authors declare that they have no conflict of interest. Eric Meslin had a consultancy within the last 3 years with Eli Lilly & Company on unrelated topics.


  1. 1.
    Spriggs M, Arnold MV, Pearce CM, et al. Ethical questions must be considered for electronic health records. J Med Ethics. 2012;38:535–9.PubMedCrossRefGoogle Scholar
  2. 2.
    Caine K, Hanania R. Patients want granular privacy control over health information in electronic medical records. J Am Med Informatics Soc. 2013;20:7–15.CrossRefGoogle Scholar
  3. 3.
    Al-Ubaydli M. Patients must have control of their medical records. BMJ. 2012;345Google Scholar
  4. 4.
    Doctors Helping Doctors. Clinician Perspectives on Electronic Health Information Sharing for Transitions of Care. October 2012. (Accessed September 24 2014)
  5. 5.
    Gunter T, Terry N. The Emergence of National Electronic Health Record Architectures in the United States and Australia: Models, Costs, and Questions. Med Internet Res. 2005;7(1):e3. doi: 10.2196/jmir.7.1.e3.CrossRefGoogle Scholar
  6. 6.
    Showell, CM, Citizens, patients and policy: a challenge for Australia’s national electronic health record, Health Information Management Journal, 40, (2) pp. 39–43. ISSN 1833–3583 (2011)
  7. 7.
    Beauchamp TL, Childress JF. Principles of Biomedical Ethics. 7th ed. New York: Oxford University Press; 2012.Google Scholar
  8. 8.
    Gillon R, Lloyd A, eds. Principles of Health Care Ethics. Chichester: Wiley; 1994.Google Scholar
  9. 9.
    UNESCO, Universal Declaration on Bioethics and Human Rights, 19 October 2005, {Accessed, September 25, 2014)
  10. 10.
    Goodman KW, ed. Ethics, Computing, and Medicine: informatics and the transformation of health care. New York: Cambridge University Press; 1998.Google Scholar
  11. 11.
    Goodman KW, Miller RA. Ethics and health informatics: users, standards, and outcomes. In: Shortliffe EH, Cimino JJ, eds. Biomedical Informatics: Computer Applications in Health Care and Biomedicine. 3rd ed. New York: Springer New York; 2006:379–402.CrossRefGoogle Scholar
  12. 12.
    Meslin EM, Alpert SA, Carroll AE, Odell JD, Tierney WM, Schwartz PH. Giving patients granular control of personal health information: Using an ethics ‘Points to Consider’ to inform informatics system designers. Int J Med Inform. 2013;82:1136–43.PubMedCrossRefGoogle Scholar
  13. 13.
    Secretary’s Advisory Committee on Automated Personal Data Systems. Records, computers and the rights of citizens. DHEW Publication No. (OS) 73–94, Stock No. 1700–00116. Superintendent of Documents, US Government Printing Office. Washington, DC, July 31, 1973.Google Scholar
  14. 14.
    Tierney WM, Alpert SA, Byrket A, et al. Patient Control of Access to their Electronic Health Records: Real World Experience in Primary Care. J Gen Intern Med doi: 10.1007/s11606-014-3061-0
  15. 15.
    Caine K, Kohn S, Lawrence C, Hanania R, Meslin EM, Tierney WM. Designing a patient-centered User Interface for Access Decisions about EHR Data: Implications from Patient Interviews. doi: 10.1007/s11606-014-3049-9
  16. 16.
    Schwartz PH, Caine K, Alpert SA, Meslin EM, Carroll AE, Tierney WM. Patient Preferences to Control Access to Their Electronic Health Records in a Prospective Cohort Study in Primary Care. doi: 10.1007/s11606-014-3054-z
  17. 17.
    Siegler M. Confidentiality in medicine—a decrepit concept. N Engl J Med. 1982;307:1518–21.PubMedCrossRefGoogle Scholar
  18. 18.
    Layman EJ. Ethical issues and the electronic health record. Health Care Manag (Frederick). 2008;27(2):165–76. doi: 10.1097/01.HCM.0000285044.19666.a8.PubMedGoogle Scholar
  19. 19.
    Knoppers BM, Harris JR, Tassé AM, et al. Towards a data sharing Code of Conduct for international genomic research. Genome Medicine. 2011;3:46. Scholar
  20. 20.
    Emanuel EJ, Emanuel LL. Four models of the physician–patient relationship. JAMA. 1992;267:2221–6.PubMedCrossRefGoogle Scholar
  21. 21.
    Faden RR, Beauchamp TL. A History and Theory of Informed Consent. New York: Oxford University Press; 1986.Google Scholar
  22. 22.
    Committee on Approaching Death. Institute of Medicine. Dying in America. Improving Quality and Honoring Individual Preferences Near the End of Life. National Academies Press, September 2014. (Accessed September 25, 2014)Google Scholar
  23. 23.
    Clouser KD, Gert B. A critique of principlism. J Med Philos. 1990;15:219–36.PubMedCrossRefGoogle Scholar
  24. 24.
    Beck M. Drug Treatment Swept Up in Push for Medical-Records Sharing. Wall Street Journal. (Accessed September 25, 2014)
  25. 25.
    Were MC, Meslin EM. Ethics of implementing electronic health records in developing countries: Points to Consider. AMIA Annu Symp Proc. 2011;2011:1499–505.PubMedCentralPubMedGoogle Scholar

Copyright information

© Society of General Internal Medicine 2014

Authors and Affiliations

  1. 1.Indiana University School of MedicineIndianapolisUSA
  2. 2.Indiana University Center for BioethicsIndianapolisUSA
  3. 3.Center for Law, Ethics, and Applied Research in Health InformationBloomingtonUSA
  4. 4.IndianapolisUSA

Personalised recommendations