Health Information Privacy and Research

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the Atlantic Symposium on Privacy in Health Services and Policy Research

St. John’s, Newfoundland and Labrador
April 20, 2009

Address by Sandy Hounsell
Senior Research and Outreach Advisor

(Check against delivery)


Introduction

I am honoured to speak to you today on an extremely important topic; a topic that is integral to the psyche of all Canadians, regardless of background, ethnicity, social and economic status, religion and yes, even political views. The topic I am referring to is of course our personal health information. As George William Curtis once said, “Happiness lies, first of all, in health.” While many of us, particularly youth and young adults, may not think about our health on a daily basis there is no doubt that each and every one of us has interacted in some way with the health care system. There is also no doubt that in today’s technological world our health information is becoming more ubiquitous, more transferrable, more accessible and, as a result, more vulnerable. It is for this reason that I would like to share some thoughts on the security and confidentiality of health information, particularly in light of the rapid growth and popularity of electronic health records.

Before I do so, however, I would like to take this opportunity to thank the Atlantic Regional Training Centre for initiating and planning this inaugural event, with a special thank-you to Cathy Peyton who I know has worked tirelessly on this very worthwhile project. It is obvious from the Agenda that the Centre has put together an extremely knowledgeable and respected group of individuals to speak on a variety of health related topics.

Privacy in a Broader Context

In October of last year, our Assistant Commissioner, Elizabeth Denham, spoke at a Conference in New Brunswick on Privacy, Security and Trust, which some of you may have attended. During her speech Ms. Denham referred to a book by Ronald Wright entitled “A Short History of Progress.” In his book, Mr. Wright reminds us that the Old Stone Age lasted from the appearance of tool making hominids nearly 3 million years ago until the end of the Ice Age about 12,000 years ago, spanning more that 99.5 percent of human existence. During that period, the pace of change was so slow that entire cultural traditions replicated themselves, generation after generation, almost identically. A new style or technique may have taken 100,000 years to develop. This pace eventually quickened to 10,000 years, thousands of years and the blistering speed of mere centuries! Essentially, the world you died in was almost exactly the same as the world you were born into.

Now, let’s think about today. Is the world today the same as it was when you were born? Absolutely not! Most of us were born before the Internet, and you certainly could not store the medical records of several thousand people on a device the size of a keychain. Can you imagine yourself 20 years ago having your entire medical history instantly transferrable to anywhere in the Country, or showing up at a pharmacy to fill a prescription and watch the pharmacist log into your medical file on a desktop computer?

The fact is, technology is driving change at lightning speed and we simply cannot keep up.

I do, however, want to be clear that I am in no way suggesting that we return to the Stone Age. In fact, our Office very much supports technological advances in general, and within the health care setting in particular. Our role, however, is to ensure that privacy remains at the forefront and becomes an important component of these technologies as they are developed. To quote our Assistant Commissioner: “We can’t lose our privacy souls in the process.”

Nowhere is this more important than in the development of Electronic Health Records (or EHR’s). While, somewhat ironically, the switch from paper to electronic records has been ongoing for a number of years now, it is none the less a reality. Our Office recognizes that EHR’s can enhance health care and introduce new efficiencies into the health care system, but they also raise some very significant privacy issues. The Final Report of the Advisory Council on Health Infostructure stated a decade ago that without “basic respect for the privacy of individuals’ health data, the public will lose confidence in the health information system.” This clearly remains an issue today. In March of 2007 our Office commissioned an EKOS poll on attitudes towards privacy issues. Some 60% of those polled agreed that health information is one of the most important types of personal information that needs protection through privacy laws. Yet only a small proportion of Canadians – 17% – believe that the government takes protecting personal information very seriously. The level of confidence that business was taking privacy very seriously was even lower – 13%. It is obvious that health information is the most sensitive, the most revealing of the core of who we are.

Federal Privacy Legislation

As I am sure you all know, the legislative landscape in Canada is anything but straight forward. With 10 provinces, three territories and a federal government, the only thing consistent about Canada’s privacy laws is the inconsistency.

From a federal perspective, our Office oversees compliance with two statutes; the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Act (which applies to the federal public sector) was written when civil servants were still using typewriters and, unfortunately, is not equipped to deal with technological change. You can imagine then that this much-outdated legislation creates significant challenges as certain federal departments, those that provide health care services to groups such as First Nations, Veterans, Canadian Forces personnel and the RCMP, move toward EHR’s. Despite these legislative shortcomings, our Office continues to monitor the situation and will continue to ensure that privacy is a priority.

On the private sector side, PIPEDA applies throughout the country, with the exception of those provinces which have their own private sector privacy legislation, which has been deemed substantially similar to PIPEDA. To date, this includes BC, Alberta, Quebec and Ontario (health information only). With respect to healthcare in the private sector, PIPEDA applies to personal information collected, used and disclosed by physicians, laboratories, pharmacies and other health care providers, in the course of commercial activity. Here in NL, the Personal Health Information Act has been passed in the legislature but is not yet proclaimed. Once proclaimed into force, and, if and when it has been deemed substantially similar to PIPEDA, this information will be carved out of PIPEDA and will fall under the provincial statute. It is also important to note, however, that any time an organization discloses personal information in the course of a commercial activity across a provincial or national border, PIPEDA will apply, notwithstanding any provincial privacy legislation that may exist.

Now that you have that perfectly clear in your minds, I would like to make some general comments about PIPEDA and its implications in the healthcare field. First and foremost, we believe that PIPEDA does not pose a barrier to information flowing for patient care and treatment, provided the information is handled appropriately. Furthermore, we generally support the notion of implied consent within the circle of care based on notice. We are concerned, however, about the outstanding questions around inter-jurisdictional flows of patient information and the inconsistent protection for patients across the Country. Much more needs to be done around this issue.

Returning to the EHR, our Office also believes that more needs to be done with respect to accountability, transparency for patients, unauthorized access, patient portals and, of course, secondary uses. I am sure this last issue is of great interest to many of you. Essentially, our Office believes that patients deserve to be given a clear understanding of what is happening with their personal health information in the EHR Infostructure, as well as their options to control who gets access to it. We know that passions run high on both sides of this issue. Earlier this month, for example, the British Columbia Civil Liberties Association said that the push toward EHRs represents a “serious threat” to health privacy and patients’ rights, while the Ministry of Health insists that electronic records will be more protected than paper records. The debate is also quite active in the United States, where the recent stimulus bill gives financial incentives to doctors and hospitals to digitize medical records by 2014. This bill also allows for medical records to be sold for public health and research purposes. On February 24, President Obama told members of Congress, and I quote, “our recovery plan will invest in electronic health records and new technology that will reduce errors, bring down costs, ensure privacy, and save lives.” The institute for Health Freedom, on the other hand, has said in response that “the economic stimulus law does not guarantee that individuals own and control their genetic and other personal health data. Thus, Congress should act soon to make sure Americans have individual ownership rights and full control over their personal health data as we move toward adopting EHR systems.”

Notwithstanding these debates, I hope that we can at least agree that considerable effort needs to be invested in determining the most appropriate balance between patient privacy and access to patient information for secondary uses.

While our Office cannot compromise our independence by taking an active role in the formal government policy-making process around these issues, we welcome opportunities to provide feedback through our advocacy role as well as funding health-related privacy research under our Contributions Program.

For example, our program supported some of the recent research Don Willison has done to look at key developments in secondary uses of personal information held in EHRs. In his analysis, Professor Willison has framed both observational health research and privacy protection as public goods. However, given the tension and challenges inherent in the successful co-existence of these two, he concludes that “changes at the margin are not sufficient.”

We funded Memorial University here in this province to examine technology choices and privacy policy in health care. This report, together with many others, is available on our web site.

We also funded the Centre for Innovation Law and Policy at the University of Toronto to look at how public interests in medical research are evaluated and measured against the interest of individuals in protecting privacy in the context of access to genetic research data. We are looking forward to the results of this study.

Research and Privacy

At this point I would like to turn to the specific issue of research and, in particular, access to personal health information for research purposes. It is important to note that the Advisory Council, which I referenced earlier, envisioned from the beginning that EHR systems would support both health care and health research. I appreciate as well as anyone that an interoperable EHR will provide incredible opportunities for medical research and, given the potential for increases in speed and efficiency, this can be very valuable to Canadians. It is equally important to appreciate, however, that our health care system is built on trust. Patients freely provide sensitive medical information to their health care providers because they trust that the information will be kept confidential and will not be shared outside their circle of care. In a recent BBC World News America/Harris Poll, people were asked to rate their level of trust in various sectors. At the top of the list; health providers, such as doctors and hospitals. We must all continue to nurture that trust regardless of what our intentions are. Failure to do so may reduce the quantity and accuracy of health information provided by patients and this, in turn, may adversely affect the quality of health care.

Incidentally, at the bottom of that list was social networking sites.

Again, I see the value in research and I believe that the public sees that value. It is for this reason that I believe the majority of Canadians are willing to support medical research, particularly when they believe that it will result in some public benefit and they believe that the information is in safe hands. This does not mean, however, that Canadians are willing to forego meaningful control over their personal health information. It simply means that we must work together to encourage useful research in a manner that respects a persons right to determine how their information is used and who it is shared with. We must also pay specific attention to the safety and security of the information we are entrusted with. Otherwise, we are destined to destroy trust in the system as a whole and that is simply not an alternative.

The repercussions of this became painfully evident in January of 2007 in Ontario. A physician at the Hospital for Sick Children left the hospital with a laptop. He parked his vehicle in a downtown parking lot and left the laptop between the seats. When he returned to the vehicle the laptop was gone, together with the personal health information of nearly 3,000 current and former patients involved in several research projects. As a result, polices were tightened and revised. Six weeks later, another health-care professional at the same hospital lost a jump drive at the airport. Neither the computer nor the drive was recovered and none of the data had been encrypted.

After these breaches, the Hospital conducted audits of a selection of research databases and registries. As reported in a recent article in The Telegram newspaper, the hospital found that only two of the 52 studies examined were 100% compliant with the policies.

Other recent examples include:

  • A consultant with the Provincial Public Health Lab here in Newfoundland and Labrador brought home a laptop and inadvertently exposed confidential patient information through an open Internet connection.
  • In April of 2008 a laptop containing the medical information of 2,500 patients enrolled in a US National Institutes of Health study was stolen. Again, the information (names, medical diagnoses and heart scan results) was not encrypted.
  • In November a USB flash drive was stolen from the desk of a hospital employee in Texas. The drive contained medical and financial information of 1,200 patients with HIV, AIDS and other conditions. The drive was not encrypted, nor was it password-protected.
  • And just this month, it came to light that a doctors clinic in Alberta had closed two years ago, leaving behind 3,000 patient files. The files were simply abandoned and left in the vacant building.
  • Also this month, the Opposition in New Brunswick called for the resignation of the Health Minister after that province’s third breach of health records in just over a year. In the latest incident a health authority employee lost a notebook containing the personal information of 203 people. The Department of Health was not notified until some 5 weeks later. The other two incidents involved the loss of computer tapes and confidential health information showing up on the back of a grade 5 homework assignment.

These are but a few examples that do very little to instil trust in the health care sector. In January of this year the Canadian Medical Association reported that public opinion surveys over the last ten years consistently show 11% of respondents holding back information from their physicians because of privacy concerns. The Alberta Medical Association recently expressed similar concerns in response to Bill 52: “If patients don’t believe we can protect their privacy and that we may be forced to share the information that they confide in us, they will stop telling us everything we need to know to make the right diagnosis and provide the right care.” In a recent posting to our Blog, one lady stated that she doesn’t trust the medical system with her information and, as a result, she stays away from the doctor as much as possible, and minimizes the information she provides. She made these comments in response to the recent report from Dartmonth College in the US, telling us that “data hemorrhages” are coming from all over the health sector. Just last month, 9 families in Minnesota sued the State to prevent the collection of DNA from their infant children for research purposes.

Obviously, these are the types of situations we all want to avoid, and the last thing we need is patients withholding information from their health providers. So the question then becomes: how to we encourage and support important and worthwhile medical research while maintaining an acceptable level of patient control and privacy protection? While there is some promising work being done in this area, work I am sure you will hear about over the next two days, much more remains to be done. I do not profess to have all the answers, but our Office believes it is essential to look at issues such as consent, patient participation, technological safeguards and the use of de-identified data. Only then can we have confidence that public faith in the health care system can be maintained and that valuable research can proceed without destroying that faith.

Conclusion

In conclusion, I want to reiterate that our role as the federal privacy oversight body is to promote strong and consistent privacy standards across Canada. As the pan-Canadian EHR moves forward at a steady pace, it is very important for us to help ensure that this strength and consistency applies across the entire health care sector. In so doing, we are by no means trying to defeat or delay technological advances such as the EHR. In fact, we believe that EHRs hold the promise of helping our stressed health care system and ultimately enhancing the treatment of individuals.

We cannot ignore the fact, however, that there are simply too many examples of governments and private-sector organizations, however well-intentioned they may be, not respecting privacy. In the end, the greatest impediment to the success of EHRs in general, and research in particular, may not flow from the technology, but from the distrust caused by insufficient attention to privacy. Our Office looks forward to working with health care providers, researchers and other stakeholders toward a better, stronger and more technologically advanced health care system, while at the same time respecting this important right we call privacy.

In a recent article in the Ottawa Citizen, Ian Kerr and Valerie Steeves, with the University of Ottawa, said it best. They said that “while it is certainly true that emerging technologies, to a limited degree, shape and constrain our values, it is also true that our deeply held values ought to shape and constrain emerging technologies.”

I would like to leave you this morning with one last quote, this time from Albert Einstein, who said that “If we knew what we were doing, it wouldn’t be research.”

Thank-you and enjoy the conference.

Date modified: