department (ABCCHD) 1 : trade-offs analysis and evaluation Keng Siau, Hwee-Joo Kam Department of Management, 209 College of Business Administration, University of Nebraska-Lincoln, Lincoln, NE, USA Correspondence: K Siau, Department of Management, 209 College of Business Administration, University of Nebraska- Lincoln, Lincoln, NE 68588-0491, USA. Tel: 1 402 472 3078; Fax: 1 402 472 5855; E-mail: ksiau@unl.edu Abstract The issue of privacy stirred a tumultuous uproar when the ABC County Health Department (ABCCHD) was planning for an e-Healthcare system that utilized information technology to streamline the administration process of patients. ABCCHD had hired a software vendor, Info-Health, a company that specialized in information system development for the healthcare industry to help in the project. The privacy of patients with Sexually Transmitted Diseases/Human Immunity System was a thorny issue in the implementation of the e- Healthcare system. A trade-off between privacy and cost was discussed and debated. Three alternatives, with varying degrees of privacy and cost, were considered. Journal of Information Technology (2006) 21, 6671. doi:10.1057/palgrave.jit.2000054 Published online 24 January 2006 Keywords: information privacy; e-Healthcare; trade-off evaluation Case summary The ABC county health department (ABCCHD) T he ABCCHD was a government unit that was administered by the mayors office. ABCCHD served the community by providing health care to under- privileged people based on the Federal Poverty Guidelines. ABCCHD had a Health Board that advised the operations of the department, set policies for the department, and appointed the director of the department. The Health Board comprised of nine people in total one from the City Council, one County Commissioner, one physician, one dentist, and five lay people, who were selected by the City Council and County Commissioners. In cooperation with the community resources, the ABCCHD, as the official agency, was responsible for the health and welfare of the community. The ABCCHD was committed to population- based public health services services that were focused on improving the health status of people in general, as opposed to the treatment of individuals. This mission was accomplished through three core public health functions: Assess, Address, and Assure. First, the ABCCHD assessed the community health status and determined whether the community had adequate resources to address the problems that were identified. Second, the ABCCHD addressed identified problems by developing health policies and recommending programs to carry out those health policies. Third, the ABCCHD assured that necessary, high-quality, effective services were available. Part of this assurance activity included the responsibility for quality assurance through licensing and other mechanisms. System planning for the epidemiology program at ABCCHD ABCCHD was undergoing information system planning, which included the revamping and remodeling of the entire Sexually Transmitted Diseases/Human Immunity System (STD/HIV) registration system. This inevitably involved the Epidemiology Program, a subdivision under the ABCCHD. The Epidemiology Program had supported the ABCCHD in developing assessment tools and applying epidemiological analysis to public health (disease) prevention, protection, and health promotion efforts (see Exhibit 1 for more detail). The STD/HIV testing process required epidemiologists to interview STD/HIV patients as well as to provide the necessary education and counseling. Epidemiologists col- lected and analyzed patients data for research purposes. In addition to implementing healthcare needs for STD/HIV patients, epidemiologists must protect sensitive patient data. Owing to the nature of the disease, epidemiologists Journal of Information Technology (2006) 21, 6671 & 2006 JIT Palgrave Macmillan Ltd. All rights reserved 0268-3962/06 $30.00 palgrave-journals.com/jit must be extremely careful about the issue of privacy with regard to the STD/HIV patients. The issue of privacy and cost of privacy ABCCHD had met with its software vendor, Info-Health, a company that specialized in information system develop- ment for the healthcare industry to discuss this contro- versial issue. The privacy of patients with STD/HIV was raised and discussed extensively during the meeting with system analysts. So was the cost of providing privacy. The trade-off between privacy and cost was the issue that was holding up the implementation of the e-Healthcare system. Three alternatives were studied for the implementation of the STD/HIV system (in decreasing amount of cost): Implement a separate system for STD/HIV patients. This STD/HIV system would be a stand-alone system that was separated from the main system. Also, the registration of STD/HIV patients would be handled at a different counter or front desk from other patients. This option required separate hardware and software. Operation cost would also be higher because of the need to have different staff to man the new counter or front desk. Implement the STD/HIV system as part of the main system but with built-in security and privacy features. This option required a few additional modules of software to handle the security and privacy features. Also, a different counter or front desk would be set up to manage the registration of STD/HIV patients separately from other patients. Implement the STD/HIV system as part of the main system but with built-in security and privacy features. Registration for STD/HIV patients would occur at the same counter or front desk as other patients. This option would not incur additional operational cost unlike the other two options with separate counter or front desk for STD/HIV patients. Background The existing information systems at ABCCHD Cynthia May (Project Manager) and Susan Lee (Informa- tion System Coordinator) had both chosen Info-Health, a well-known software vendor in the healthcare area, to head the e-Healthcare system planning. According to Cynthia May, Info-Health was chosen as it had deep knowledge regarding healthcare information systems and the company had proprietary software designed for e-Healthcare sys- tems. Currently, STD/HIV registration was separate from the central registration system (an AS/400 system). When a patient came in to take a HIV test, he/she needed to fill out laboratory forms, consent forms, and a patient intake form. The patient would later attend a counseling and education session with an epidemiologist and a public health nurse. In addition, lab technicians would conduct a HIV lab test after regular work hours. Next, only positive test results were recorded in a logbook. The test result would then be confidentially disclosed to the patient. No names were displayed in the logbook, but a unique identifier was used for tracking the patients. After testing, the logbook was locked in a safe place. Periodically, the data in the logbook was entered and saved in the Management Information System-Sexually Transmitted Disease (MIS-STD) database and the HIV/AIDS Reporting System (HARS) for further data analysis. The MIS-STD and the HARS systems were not linked to the central registration system. The MIS-STD and HARS systems data were strictly confidential and access to the systems was tightly controlled. One of the major shortcomings of the existing informa- tion system was that the laboratory test report was generated by hand, which made it tedious to create other reports that were categorized by gender, race, age, behavior, and disease. The existing system was of a great incon- venience in the report-generating process. As a result, an e-Healthcare system was planned to replace and integrate existing information systems such as the central registra- tion system, the MIS-STD, and HARS. The New e-Healthcare system During the Joint Application Meeting, epidemiologists indicated a need to block unauthorized access to STD/ HIV data. They required Info-Health to impose strict security and privacy control for the STD/HIV data in order to protect people with STD/HIV coming in for multiple services from being cross-referenced by their name, social security number, date of birth, and address. The new e-Healthcare system must be able to eliminate paper- work, including laboratory forms, the HIV consent forms, and the (general) consent forms. According to epidemiol- ogists, it was essential to have a tool to effectively generate reports by age, gender, and risk behavior. The privacy issue The initial proposal After listening to the requirements of the epidemiologists, Info-Health decided that it would incorporate the STD/HIV registration system into the central registration system while it simultaneously imposed restrictions for data accessibility. In other words, STD/HIV patients would be registered using the same screen as other patients, but access to details relating to STD/HIV patients would be protected. The main reason for this approach was that a patient who used STD/HIV services had also presumably used other services in the Health Department. In fact, one of the Info-Healths goals was to design an efficient system by eliminating data redundancy. This new system provided convenience and reduced the amount of paperwork. However, epidemiologist John Watson strongly objected to this idea due to the fact that it might infringe on the privacy rights of the patient. He argued that the support staff members who recorded a patients visits on a daily basis could know which patient was infected with STD/HIV or had made appointments for STD/HIV testing. To fully protect a patients privacy, John insisted on a separate system just for the STD/HIV patients. On the other hand, assistant nursing supervisor, Mary Foster, felt that system efficiency should be the top priority. She mentioned that having a separate system for STD/HIV patients would limit the ability to integrate data and provide the doctors with a e-Healthcare in ABCCHD K Siau and H-J Kam 67 complete picture of a patient. Cynthia May, as the Project Manager, was concerned about the cost of the e-Healthcare system and the operating cost. Info-Health analyst, Nicole Davis, pondered the privacy, systems efficiency, and cost issues related to the case. Analysis of debate issues The debate issues here are related to: (i) The privacy protection of STD/HIV patients. (ii) Information Access and Control. (iii) The cost of privacy. Privacy protection of STD/HIV patients John Watson pointed out that the STD/HIV data was strictly confidential. While the Public Health Nurse wanted an effective integrated system, s/he and the ABCCHD must realize that both the debated issues of public health and privacy were synergistic. If patients suspected that their confidentiality might be violated, they would be much less likely to come forward for testing, education, counseling, examination, and treatment. Without complete trust, individuals would be less likely to freely divulge personal information, causing difficulties in collecting data, and also imposing limitations on improving the quality of the data collected. In the long run, failure to gather quality data from patients impeded the implementation of a sound e-Healthcare system (Gostin et al., 2001). Cynthia May and Susan Lee agreed that due to the confidentiality of the STD/HIV data, there was a dire need for privacy protection. Mishandling of private information might also expose ABCCHD to potential lawsuits. The concept of confidentiality is assumed for a relationship that requires intimacy or trust between two or more persons, in which private or secret information was shared. This was based on the understanding that this information should not be repeated or made available to unauthorized persons (Fombad, 2001). This definition was applied to the relationship between STD/HIV patients and the ABCCHD. Information access and control Mary Foster highlighted the advantages of the new e- Healthcare system. Although the current paper-based system was less accessible, and therefore, the information was less exposed and less vulnerable to information abuse, it was painstaking to generate reports from the paper-based data gathered from the laboratory, patient intake, and HIV consent forms. With the paper-based system, the accessi- bility of the data was limited. In addition, paperwork could be easily misplaced or lost. And these problems could be resolved or alleviated with the new e-Healthcare system. The new e-Healthcare system would enhance data accessibility. Mary Foster mentioned that nurses would prefer to have an integrated and efficient e-Healthcare system to facilitate data retrieval and reports generation. The nurses played a major role and had critical responsi- bilities in ABCCHD. Blocking the accessibility of STD/HIV data in the new e-Healthcare system would require nurses to make adjustments and adaptations to the new system. In addition, nurses might find it necessary to relinquish certain types of decision-making with the STD/HIV system. This might engender resistance from the nurses. Also, with the use of this new e-Healthcare system, they might have to perform tasks that were not within their normal realm. An advantage on data accessibility, however, could easily be transformed into a threat when the issue of the privacy of information pertaining to STD/HIV data was taken into account. Enhanced data accessibility with the e-Healthcare system would also mean that the sensitive and confident STD/HIV data would become easily accessible and vulner- able. This was the main concern of John Watson. The new information system could inadvertently increase the danger of data exposure. STD/HIV patient data could be retrieved effortlessly and be passed to third parties as valuable information. In other words, when it became easier for epidemiologists to retrieve and analyze data, it also became easier for unauthorized parties to unscrupulously hack into the system and steal valuable information. John Watson argued that in the case of the STD/HIV system, third parties would like to access and obtain HIV data simply for their own benefits. For example, employers might want to know if a prospective employee was a HIV patient. This information was valuable to the employers due to the fact that employers were usually unwilling to provide insurance for HIV patients, and, in the worst-case scenarios, they would even terminate employment. Wrong- ful discharge of HIV-positive employees could end in a costly lawsuit, which could even wind up costing the company millions of dollars. Unauthorized disclosure of a persons HIV status might result in other serious repercus- sions the individual might suffer from social rejection, ostracism, discrimination, inferences about his sexual preferences, and drug use (Fombad, 2001). The cost of privacy Although Cynthia May stressed the importance of privacy, she understood that there was a cost associated with privacy and security control. As a government department operating with public funding, ABCCHD could not operate as if it were a wealthy private healthcare institution. The cost of developing the e-Healthcare system was an issue and a constraint. Cynthia May understood the need to do a trade-off between privacy features and cost of providing those features. Three information privacy management alternatives Info-Health analyst, Nicole Davis, proposed three approa- ches. Each approach has its distinct advantages and disadvantages, and cost. Alternative A Implement a separate system for the STD/HIV system and a separate counter or front desk for registering STD/HIV patients. The cost of obtaining and implementing a separate system was an important issue with this approach. Other major shortcomings include repetition and redundancy, since the separate system was similar to the main system, but on a smaller scale. However, its main strength was that a separate registration system would be established solely for STD/HIV patients. In other words, the stand-alone STD/HIV system did not share the STD/HIV data with e-Healthcare in ABCCHD K Siau and H-J Kam 68 the primary network system, which therefore allowed more privacy and security for STD/HIV patients. On the other hand, because the stand-alone STD/HIV system and the e-Healthcare system were separated, understanding and retrieving the patients health history would prove to be a headache. There was also the danger that doctors, who were using the STD/HIV system, might prescribe drugs that would interact with other drugs prescribed by other doctors using the primary healthcare system. Having a different counter or front desk for STD/HIV patients would also increase the operation cost as additional staff would be required. Alternative B Incorporate the STD/HIV system into the main system with the necessary built-in security and privacy features, but provide a different counter or front desk for STD/HIV registration. Even with built-in security and privacy features, data piracy and abuse might still happen. A different counter or front desk allowed for more privacy and patients records would not be as easily exposed to the public because the STD/HIV front desk would be in a separate area away from the public. However, the ABCCHD might not have enough resources to set up a different front desk. Alternative C Embed the STD/HIV system in the main system with built- in security and privacy features. The STD/HIV patient registration would be handled by the same front desk staff who also managed the registration for regular patients. This approach was more economically feasible as it cost less to implement the STD/HIV system. However, with this option, the security of STD/HIV patients would be more question- able and uncertain. When information sharing occurred in the main healthcare system, the possibility of information piracy and abuse would be a constant and ongoing concern. Another obvious problem was that the front desk environ- ment significantly exposed sensitive STD/HIV data to the public. Any person within viewing distance from the computer screen would have the ability to view the patients record. Having the STD/HIV patients registering at the same counter or front desk as other patients might make the STD/HIV patients uncomfortable and uneasy. Study questions 1. How should the trade-off be managed? a. Should there be a trade-off between privacy concerns and system efficiency? b. Should there be a trade-off between privacy concerns and cost of implementing the system? c. What should be the cost of privacy? How do you determine the cost? d. What should be the criteria used to evaluate the trade- off? 2. What are the advantages and disadvantages of each alternative? a. Which of the three alternatives is the most effective in preventing information abuse, and thus safeguards STD/HIV patient records? b. Which of the three alternatives is the most efficient? c. Which of the three alternatives is the least expensive? 3. What recommendations would you make to ABCCHD? Exhibit 1 The epidemiology program promoted the use of scientific knowledge about health and disease within the population to effectively conduct public health assessments as well as policy developments and assessments. This program provided services to enable public health agencies to conduct several important services as listed below: Monitor health status to identify community health problems. Diagnose and investigate health problems and health hazards within the community. Inform, educate, and empower people about health issues. Evaluate the effectiveness, accessibility, and quality of personal and population-based health services. Research for new insights and innovative solutions to health problems. Program planning, management, and evaluation activities were dependent on the public health surveillance and data systems, which required epidemiological capacity for data collection, analysis, interpretation, and dissemination. In addition, the epidemiology service was important for an effective and timely response to communicable disease outbreaks, environmental emergencies, and reported clus- ters of disease. Finally, epidemiological capacity was crucial to the publics role in community health planning and policy development. Each year, epidemiological information and assistance was provided to hundreds of interested citizens, commu- nity agencies, health professionals, students, businesses, schools, human service providers, researchers, and elected officials, including the Health Board, City Council, Mayor Officials, County Board of commissioners, and the State Legislature. Notes 1 The name of the county has been changed to ABC County. We have also disguised the names of the characters involved in this case to protect their identities. References Gostin, L.O., Hodge Jr., J.G. and Valdisseri, R.O. (2001). Informational Privacy and the Publics Health: The Model State Public Health Privacy Act, American Journal of Public Health 91(9): 13881392. Fombad, C.M. (2001). The Crisis of Confidentiality in the Control of HIV/AIDS pandemic in Botswana, International Social Science Journal 53(170): 643656. Further Reading Siau, K. (1999). Xcert Software Inc, Journal of Information Technology 14(3 September): 235242. Siau, K. (2003). Health Care Informatics, IEEE Transactions on Information Technology in Biomedicine 7(1): 17. Siau, K. and Chong, C. (2000). Is E-Commerce A Solution for the Mary Riepma Ross Film Theater? Quarterly Journal of Electronic Commerce 1(4): 363392. e-Healthcare in ABCCHD K Siau and H-J Kam 69 Siau, K., Nah, F. and Teng, L. (2002). Acceptable Internet Use Policy, Communications of the ACM 45(1): 7579. Siau, K., Southard, P. and Hong, S. (2002). e-Healthcare Strategies and Implementation, International Journal of Healthcare Technology and Management 4(1 and 2): 118131. About the authors Keng Siau is a Full Professor of Management Information Systems at the University of Nebraska-Lincoln. He is the Editor-in-Chief of the Journal of Database Management and editor of the book series Advanced Topics in Database Research. He received his Ph.D. degree from the University of British Columbia where he majored in Management Information Systems and minored in Cognitive Psychology. His master and bachelor degrees are in Computer and Information Sciences from the National University of Singapore. He has edited 12 books and authored more than 15 book chapters. He is also the author of over 80 refereed journal articles and over 90 refereed conference papers (including nine ICIS papers). His research articles have appeared in such journals as Management Informa- tion Systems Quarterly, Communications of the ACM, IEEE Computer, IEEE Transactions on Information Technology in Biomedicine, IEEE Transactions on Professional Commu- nication, IEEE Transactions on Systems, Man, and Cyber- netics, IEICE Transactions on Information & Systems, Communications of the AIS, Information Systems, DATA- BASE, Journal of Information Technology, and Interna- tional Journal of HumanComputer Studies. For more information about him, please refer to his personal website at http://www.ait.unl.edu/siau/. Hwee-Joo Kam earned her M.A. in Management Informa- tion Systems from the University of Nebraska-Lincoln. Currently, she works as a software developer in Michigan and an adjunct faculty in the Western Michigan University. Appendix A1. Teaching notes e-Healthcare in ABCCHD Trade-offs Analysis and Evaluation Objectives This case accentuates the issue of trade-off between privacy and cost. It presents the privacy issue encountered during information system planning and presents three alterna- tives. Students are encouraged to analyze the issue and to address the problem while keeping in mind the limitations and constraints of ABCCHD, which is a public health department. After completing an analysis of this case, the students will appreciate: (i) Privacy issues in information systems. (ii) Trade-offs decisions that need to be made. Methodology The case of ABCCHD, a real-life scenario, exemplifies a privacy issue encountered by a government institution during system planning. This case is developed based on an interns experience in ABCCHD. The intern had partici- pated in system planning and realized its complexity, especially in the planning of STD/HIV system. Teaching suggestions The case is written to foster the understanding of systems analysis and design for senior undergraduate and graduate students. This case allows students to analyze each possible solution by taking several factors into consideration: the issue of privacy, the systems requirements, and the cost. The ABCCHD case could be covered within the time span of a single 6090 min session. This case is suitable for students who are taking a System Analysis and Design class, or a module related to Privacy in an Introduction to MIS class. The case could be used in conjunction with topics such as information privacy, information security, project management, alternatives evaluation, and information systems development. This is an interesting case on system planning, and it covers the analysis and evaluation of each alternative, while simultaneously dealing with the privacy, system efficiency, and cost issues. The case should be distributed at least 1 week prior to class time. The instructor could begin the discussion by having the students describe the ABCCHD as an organization. The discussion should take about 510 min and would serve to introduce the ABCCHD. For an actual case discussion, it is useful to begin with the STD/HIV system. The instructor could pose the following questions: What was the STD/HIV system in the case? or What were the system requirements for the new STD/HIV system? Students would then realize the shortcomings of the existing system and begin thinking about the changes that should be considered to establish a more efficient system. A follow-up question could be What kind of constraints were ABCCHD facing? In this section, the instructor could spend another 1520 min to discuss the constraints that ABCCHD faced, and then relate the constraints to the planning of STD/HIV system. ABCCHD was a government institution that had a tight budget and limited computer resources. For the next 2025 min, the instructor could discuss the trade-off between privacy concerns and system efficiency, as well as privacy concerns and cost. Some system users such as nurses would prefer to incorporate the STD/HIV system into the main system as such system integration facilitated easy retrieval of patients data. Nevertheless, the epidemiologists believed otherwise. They strongly insisted that the privacy of STD/HIV patients was paramount, and they demanded that the Info-Health should isolate the STD/ HIV system from the main system. However, building another similar system was redundant because the STD/ HIV system was basically the main system in a smaller scale. Having a separate system adds to the cost of development. These different perspectives should be made known to the students. The instructor could spend the next 2025 min discuss- ing the three alternatives available to ABCCHD. In this section, the instructor should ask the students to highlight the advantages and disadvantages of each alternative. After a thorough analysis of these three alternatives, the e-Healthcare in ABCCHD K Siau and H-J Kam 70 instructor could then ask the students to recommend the best option. There are no right or wrong answers as the choice of the best alternative would depend on the value and cost associated to privacy. And that is the strength of this case as it allows for arguments and counter-arguments. If there is time remaining, the instructor could discuss the health information system in general. For example, the instructor could also briefly mention the prospects of the health information system and the adoption of information systems in the healthcare industry in general. e-Healthcare in ABCCHD K Siau and H-J Kam 71