Patient Privacy in the Information Age
E-Health 2001: The Future of Health Care in Canada
May 29, 2001
Privacy Commissioner of Canada
(Check Against Delivery)
I'm going to talk today about what privacy is, and why it's important. Then I'll outline some significant privacy issues with E-Health initiatives and the application of information technology to personal health information. Finally, I'll make some suggestions as to how those privacy issues should be addressed.
Privacy is a critical element of a free society: it's "at the heart of liberty in a modern state," as Justice La Forest of the Supreme Court has said.
That's because there can be no real freedom without privacy. None of us wants to go through life feeling that at any moment someone may be, either metaphorically or literally, looking over our shoulder. If we have to weigh every action, every purchase, every statement, every human contact, wondering who might find out about it, judge it, misconstrue it, or somehow use it to our detriment, we are not truly free. In fact, many have suggested that privacy is the right from which all others flow: freedom of speech, freedom of association, freedom of choice, any freedom you can name.
That's why lack of real privacy is a distinguishing characteristic of so many totalitarian societies. And that's why privacy is not only an individual right; it's also a shared value, a social, public good. Our society as a whole has a stake in the preservation of privacy.
We need to turn around the widespread idea of the privacy of the individual being balanced against the interests of society. The interests of society include the privacy of individuals. When privacy is lost, the individual feels it of course, but society is the real loser.
We cannot continue to have the kind of society that we all want, a free, open and democratic society in which we all have the autonomy to fulfil ourselves, unless the right to privacy is respected.
That doesn't mean that privacy is an absolute right. Sometimes some of it has to be sacrificed to advance other crucial social objectives.
But if we make too many trade-offs, accept too many calls to give up a little privacy here, a little privacy there, soon we'll have no real privacy, and no real freedom.
So, when someone proposes a limitation, a trade-off for some other objective, we need to scrutinize it very, very carefully. Is there really a need that clearly outweighs the loss of privacy?
Will sacrificing privacy really achieve the objective? Is there a less privacy-invasive way to achieve the same objective?
Though we all value privacy, it's not always clear what people mean by it. I think how you define it is important to understanding how it's at risk, and how to protect it.
It used to be common to think of privacy as the right to be let alone, and that's still how a lot of people understand it. It's that gut-level concern that people have about wanting to go about their peaceable, lawful business without being monitored or bothered.
But there's another kind of privacy invasion that's less obvious, and that's the collection and compiling of information about us without our knowledge or consent.
That's why I define privacy as the right to control access to one's person and to information about oneself.
And it's this broader, informational concept of privacy that leads me to believe that privacy will be the defining issue of this new decade.
That's because we are at a crossroads.
Until relatively recently, privacy was protected pretty much by default. As long as information about us was in paper records, and scattered over a whole lot of locations, someone would have to go to a lot of trouble to compile a detailed dossier on any individual.
So unless you were very famous, or very important, or... had done something really bad, your privacy was pretty safe.
But now the move to electronic record-keeping is eating away at those barriers, the barriers of time and distance and cost, that once guarded our privacy from all but the most determined of snoops.
Now some stranger at a computer keyboard can compile an amazingly detailed dossier on your whole life, literally in minutes.
The choices we make in confronting these threats to privacy will determine what kind of world we leave for our children and grandchildren.
This is particularly the case when it comes to personal health information. Nothing is as personal or as private as the intimate details about the state of our own minds and bodies. This intimate and sensitive information is increasingly being collected, stored, and shared electronically. As that process advances, the possibilities for violations of privacy multiply.
The potential consequences of violation of medical privacy are staggering: for ourselves as individuals, for the healthcare system, for society as a whole.
Personal health information belongs to the individual, not to anyone else. The individual has the right to determine who gets it, and for what purpose.
Patients have a right to expect and be entirely confident that health information about them will not be collected beyond what is necessary for their care. They must be confident that the information will not be used for any purpose other than their care, or disclosed for any reason other than their care. Certainly they must be confident it will not be put to any use that could do them harm.
So it's encouraging to see conferences like this one addressing the issue of medical privacy.
The format of conferences like this, however, can often be quite revealing.
As a Privacy Commissioner, I think it's good news that an entire conference track is dedicated to "Security, Confidentiality and Privacy".
But I often wish the terms "security", "confidentiality" and "privacy" were not so readily bundled. The problem with always talking about them this way, as a bundle, is that they tend to get used interchangeably. People think that they are talking about privacy when what they are really talking about is security or confidentiality. That, I want to emphasize, is a mistake. They're entirely separate issues.
Privacy is our right to control information about ourselves, including the collection, use, and disclosure of that information.
Confidentiality is your obligation to protect someone else's personal information in your care, to maintain its secrecy and not misuse or wrongfully disclose it.
And security is the process of assessing and countering threats and risks to information.
It's privacy that drives the duty of confidentiality and the responsibility for security. If privacy is not respected, ensuring confidentiality and security is not enough. If you collect, use, or disclose information about someone, without their consent, you've violated their privacy. That fact doesn't change just because you ensure confidentiality and security of the information.
With these ideas in mind, let's look at privacy in the context of health information.
Over the last few days, you've heard plans for electronic networks and health surveillance systems and any number of new information and communication technologies to be used in the health sector.
With the tremendous momentum that is behind these systems and technologies, we're approaching a point where patient privacy and any real expectation of confidentiality could well vanish.
There is little that is more personal and private than our medical information. And yet there seems to be a readiness to sacrifice patient privacy whenever it is perceived to be in conflict with other public interests.
It's not just privacy advocates such as myself who are concerned about this. No one is more aware than physicians of the sensitive nature of health information and the duty of trust regarding that information. No one knows better than physicians that privacy and confidentiality have to be a fundamental part of any health information system.
Dr. Hugh Scully, the former President of the Canadian Medical Association, put it this way: "The right of privacy and consent are essential to the trust and integrity of the patient physician relationship. The right of privacy is worthy of protection not just for the good of society's individuals, but also for the good of society itself."
The CMA is a recognized leader in protecting patient privacy. If you aren't familiar with the CMA's Health Information Privacy Code, I urge you to look it up. It's an elegant update of the doctor-patient relationship. It's the Hippocratic Oath for the Information Age.
I'm going to expand on the importance of privacy in the doctor-patient relationship in a minute, but first, let me tell you about my own role and responsibilities.
As the Privacy Commissioner of Canada, I am an Officer of Parliament, appointed for a seven-year term to be the independent guardian and champion of the privacy rights of Canadians.
I don't work for, or report to, the government. I work for and report directly to the people of Canada, through our national Parliament.
I am mandated to oversee and enforce two critical pieces of federal privacy legislation: the Privacy Act, which governs the personal information practices of Federal government institutions, and the new Personal Information Protection and Electronic Documents Act, which does the same for the private sector. The first phase of this new act came into effect in January 2001.
What the new act says, in a nutshell, is this:
Apart from some very limited exceptions, no private sector organization covered under the law can collect, use or disclose personal information about someone without their consent.
It can collect, use or disclose that information only for the purpose for which the individual gave consent.
And even with consent, it can only collect information that a reasonable person would consider appropriate under the circumstances.
People have the right to see the personal information that is held about them, and to correct any inaccuracies.
There is oversight, through me and my office, to ensure that the law is respected, and there is redress if their rights are violated.
Since January 1, 2001, the act has applied to the federally regulated private sector - banks, telecommunications, broadcasting, and transportation - and to the sale of personal information across provincial or federal borders. It also applies to the territories, where the whole private sector is a federal work under the constitution.
It also gives me and my office a legislative mandate to raise public awareness and understanding about everything pertaining to privacy, and to research privacy issues and provide independent advice to Parliament and the government.
In about seven months from now, in January 2002, this new legislation will extend to cover personal health information in the sectors already covered.
The story behind that is interesting.
Parliament delayed application of the law to personal health information for one year following its coming into force, because players in the healthcare community were an exception to the broad consensus supporting Bill C-6. Some of them recommended tougher provisions on patient consent and subsequent uses of personal health information. Others argued that the bill would constrain operational activities in health care.
The one year was to give them time to prepare for the new rules. There weren't any fundamental problems or obstacles to overcome; everyone recognized that personal health information had to be protected.
In fact, the Deputy Minister of Health Canada at the time, David Dodge, made an interesting comment to the Senate Committee, which bears quoting. He said,
"I have been asking for about six months for some specific examples of things that would really go wrong if the bill comes into effect."
Mr. Dodge went on to say,
"Frankly I have been surprised that despite the general criticism and uncertainty I have not been given examples of things that would go wrong."
Over the past year, we've met with health stakeholders, such as Health Canada, the Canadian Institutes of Health Research, and the Health Charities Council of Canada, to ensure a smooth implementation of the act. We've worked with them in developing documents to help health researchers understand their obligations under the new legislation.
Over the coming months, healthcare players will be appearing before that same Senate Committee. They may well try to get further delays. I would be strongly opposed to that. The healthcare players had a lot of time. Any further delay will simply deprive Canadians of an important right, and leave a gaping hole in the effectiveness of the new legislation.
The final phase-in stage for the act is 2004. At that time, the federal law will apply to all commercial activities in Canada, except where provinces have passed substantially similar privacy legislation. Where substantially similar legislation has been passed, the Federal Government may, by Order in Council, exempt the province from the jurisdiction of the federal legislation, and the provincial law will apply.
In other words, eventually all of the private sector in Canada will be required to comply with the federal law or a similar provincial one.
One of the great advantages of the new law is therefore that it sets a benchmark for the harmonization of privacy legislation. You should consider it a floor for privacy protection, not a ceiling.
That's proving to be a useful tool in arguing for stronger protection for personal health information in proposed legislation.
Let's take Ontario's proposed Personal Health Information Privacy Act as an example.
The Ontario Ministry of Health asked for comments on its consultation paper last fall. I told them that if the proposed rules did not meet the standard of fair information practices, the legislation would not be considered substantially similar to the new federal law. In the absence of an adequate provincial law, the federal law would apply.
I suggested, among other things, that the health sector privacy rules should establish a right to privacy and make informed consent a priority. I also recommended that the rules include a "reasonable person" test, and that the oversight authority should be advised of any research involving personal information.
Some months later, after Bill 159 was introduced, I was asked to appear before a Committee of Ontario's Legislative Assembly to discuss it. At that time I stated that the proposed legislation was an assault on health privacy rights, not a defence of them. It appeared to be designed to give the government of Ontario, and a potentially unlimited number of other organizations and individuals, unrestricted access to the most private health information of every person in Ontario. I told them that the bill fell fundamentally short of meeting the test for "substantial similarity" with the new federal privacy legislation. I recommended that they withdraw it, and start again from square one.
That bill was allowed to die on the order paper. It will be interesting to see what impact my observations have on the rules that eventually emerge for personal health information in Ontario. My point is that the standard set by the new law was an important point of reference in that case.
While the new federal privacy law serves as a baseline, it is, as I said, a floor rather than a ceiling. Privacy protection for health information should be harmonized to a higher common denominator.
Again, this is not just me speaking. The federal Minister of Health's own Advisory Council on Health Infostructure says the same thing in its Final Report. Let me quote from the report:
"Different jurisdictions now take different approaches to the protection of personal health information. We wish to emphasize that harmonization should not aim at some lowest common denominator with respect to privacy, but toward full, effective and enforceable privacy protection."
The Advisory Council was absolutely right on this. But it looks to me as though its observations haven't been taken seriously enough. You may have heard about the proposed Federal/Provincial/Territorial harmonization resolution for the protection of personal health information. I and my Office have looked at this proposal, though it's not been released publicly. I can tell you that our assessment is that it would do little to prevent the lowest common denominator from becoming the standard for health privacy protection across the country.
It makes use of the CSA Standard, but would override it wherever there is a conflict with it. And that doesn't mean that it will provide a higher level of protection than the Standard. It may well be lower. Important issues remain unresolved, such as exceptions to the requirement for informed consent, and whether there will be a requirement for oversight.
Yet this resolution appears to be in the process of being adopted, and without the benefit of a full public airing beforehand. There is provision for public discussion of measures flowing from it, but only after the resolution is adopted. Public engagement (patient involvement) in the standards developed to protect personal health information is critical. With something so critically important, I would have expected to see opinions solicited from a full range of interested parties before it's adopted, not after. I am very concerned about this.
What are E-Health initiatives trying to achieve? They are trying to improve health care. That's the goal.
Well, that goal must not come at the expense of privacy.
Moreover, it cannot come at the expense of privacy. Strategies for improving health care will be compromised, needlessly, if they come at the expense of patient privacy and autonomy. Let me explain why.
Patient privacy and patient autonomy are basic human rights.
I can think of few other areas of our lives where we would want greater control than over our health information.
When we talk about confidentiality, we are talking about trust. When we take someone into our confidence and share something personal about ourselves, we do so in the belief that we can trust that person not to divulge the secret to anyone else.
This concept of trust is at the very heart of the doctor-patient relationship.
As far back as the days when the Hippocratic Oath was first conceived, it was understood that there can be no effective physician-patient relationship unless patients can feel free to be totally open and candid about their symptoms, habits, lifestyles and concerns.
Doctors cannot provide good diagnosis and treatment without full information, and people are not likely to surrender full information if they fear it might somehow be used against them.
Even though we may not know our physicians especially well on a personal level, we know they have taken an oath to respect our privacy. We trust them to respect that oath. We tell our doctors things about ourselves we might not share even with our spouses, let alone our employers, our bankers, casual acquaintances or the government.
This privacy of personal health information is not only a fundamental human right. It is also a very important social good.
We all have a stake in ensuring that our society as a whole is as healthy as possible. We all benefit when health care costs are kept down through early diagnosis, treatment and prevention programs; when contagious ailments are identified as early as possible; and when people with conditions that might cause accidents in the workplace or on the roads have them diagnosed and treated before harm is done.
And yet it is no exaggeration to fear that lack of confidence in the privacy of health information could lead people to avoid seeking treatment. Not only would individuals suffer needlessly from this; so would society as a whole.
So, to help maintain that confidence in health privacy, let me give three pieces of advice to the architects of the Health Infoway.
The first is this: any health network needs privacy protection built in. Privacy must be an essential component. The fundamental right of privacy should determine the architecture of the system. Technology should serve our values, and be determined by them, not the other way around.
The application of modern information and communication technology in health care holds the promise of improved health care services and greater efficiencies. We all want these improvements.
But they must not come at the expense of patient autonomy and the right to privacy.
There seems to be great momentum to move to Electronic Health Records. I think it's very revealing that one of the strategic documents responsible for creating this momentum, the Advisory Committee on Health Infostructure's Blueprint and Tactical Plan, talks about privacy and confidentiality, but then omits the words in its actual recommendation. Privacy considerations are subsumed under the objective of implementing the Electronic Health Record.
So, what does that mean: building privacy into the system?
Well, for example you've got to build the system to limit use of the information. The term "confidentiality" is being used more and more loosely in health information systems, to include more people than a patient ever would imagine. Putting personal health information into an electronic system will increase the temptation to use it for purposes that go far beyond patient care, and far beyond what patients have consented to.
This is what privacy advocates call "function creep." We've seen countless examples of it. Perhaps the best-known Canadian case is the Social Insurance Number, which began as a simple file number for social benefits and has expanded ever since, to the point that it threatens to become a national identifier. Other countries provide starker examples. Targeted security cameras become generalized surveillance systems. Forensic DNA identification schemes become population registries. Roadblocks to stop impaired drivers become warrantless searches for drugs.
We must not allow this to happen with personal health information. Systems have to be built in ways that do not allow it.
Another example: a health network must allow patients to opt out without compromising their access to health care.
Saskatchewan's Health Information Protection Act is a good model in this respect. It upholds patient autonomy and consent. Patients can choose not to have personal information that they confided to their physicians stored on the Saskatchewan Health Information Network or any prescribed network. Patients control where their information is kept and who has access to it.
This is commonly referred to as a "lock box" provision.
It's sometimes objected that this would jeopardize care for the patient in a life-threatening situation or emergency. That's an obstacle that can be overcome, in my opinion. A patient should have the right to make an informed decision about permitting access to some of the information contained in a lock box in an emergency situation. If necessary, a clear and limited power to override the lock box in the case of emergencies when consent cannot be obtained could be developed.
Patients must have their rights respected, irrespective of the methods by which access to medical data is obtained.
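To make the "limit use of the information" and lock-box advice above concrete, here is an added Python example (my own illustration, not code from the speech, the Saskatchewan network or any real system): a small access-decision routine that refuses any use outside the consented purpose, keeps lock-box records off the shared network, and allows only a narrow, justified and audited emergency override. All roles, purposes, patient ids and requests are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple

class Purpose(Enum):
    TREATMENT = "treatment"
    RESEARCH = "research"
    BILLING = "billing"

CLINICAL_ROLES = frozenset({"attending_physician", "emergency_physician", "nurse"})  # may invoke the emergency power

@dataclass(frozen=True)
class Consent:
    purposes: FrozenSet[Purpose]    # uses the patient agreed to
    allowed_roles: FrozenSet[str]   # roles the patient agreed may see the record
    on_network: bool = True         # False: patient chose the "lock box", record is not shared

@dataclass(frozen=True)
class Record:
    patient_id: str
    consent: Consent

@dataclass(frozen=True)
class Request:
    role: str
    purpose: Purpose
    emergency: bool = False
    justification: str = ""

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    override: bool = False          # True only when the emergency power was used

class HealthNetwork:
    def __init__(self) -> None:
        self.audit: List[Dict[str, object]] = []   # every decision, allowed or not

    @staticmethod
    def _override_applies(req: Request) -> bool:
        # Deliberately narrow: real emergency, care purpose only, clinical staff only, stated reason.
        return (req.emergency and req.purpose is Purpose.TREATMENT
                and req.role in CLINICAL_ROLES and req.justification.strip() != "")

    def decide(self, rec: Record, req: Request) -> Decision:
        c = rec.consent
        if req.purpose in c.purposes and c.on_network and req.role in c.allowed_roles:
            d = Decision(True, "consent covers the request")
        elif req.purpose not in c.purposes:   # function creep stops here: no emergency unlocks research or billing
            d = Decision(False, "purpose not consented to; no override outside patient care")
        elif self._override_applies(req):
            d = Decision(True, "emergency override; consent could not be obtained", override=True)
        elif not c.on_network:
            d = Decision(False, "record is in the patient's lock box")
        else:
            d = Decision(False, "role not authorised by the patient")
        self.audit.append({"patient": rec.patient_id, "role": req.role, "purpose": req.purpose.value,
                           "allowed": d.allowed, "override": d.override, "justification": req.justification})
        return d

    def overrides_for_review(self) -> List[Dict[str, object]]:
        return [e for e in self.audit if e["override"]]  # every use of the emergency power, for later review

def demo() -> Tuple[HealthNetwork, List[Decision]]:
    # Constructed patients: one chose the lock box, one is on the shared network.
    net = HealthNetwork()
    locked = Record("P-0001", Consent(frozenset({Purpose.TREATMENT}), frozenset({"attending_physician"}), on_network=False))
    shared = Record("P-0002", Consent(frozenset({Purpose.TREATMENT, Purpose.BILLING}),
                                      frozenset({"attending_physician", "nurse"})))
    requests = [
        (locked, Request("nurse", Purpose.TREATMENT)),                                           # denied: lock box
        (locked, Request("emergency_physician", Purpose.TREATMENT, True, "unconscious in ER")),  # override
        (locked, Request("emergency_physician", Purpose.TREATMENT, True)),                        # denied: no reason
        (locked, Request("researcher", Purpose.RESEARCH, True, "cohort study")),                  # denied: purpose
        (shared, Request("nurse", Purpose.TREATMENT)),                                            # allowed
        (shared, Request("billing_clerk", Purpose.BILLING)),                                      # denied: role
    ]
    return net, [net.decide(rec, req) for rec, req in requests]
```

The point of the ordering in `decide` is that the emergency power can widen who sees a record for care, but never what the record is used for; every override lands in the audit list for review.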
My second piece of advice to systems architects is that the way to ensure that privacy is built in, when you're designing these Health Infoway projects, is to do a Privacy Impact Assessment.
A Privacy Impact Assessment is a risk assessment tool that has been adapted from the Environmental Impact Assessment process.
It allows you to forecast a proposal's impacts on privacy, assess its compliance with legislation and principles, and determine what's required to fix any problems there may be. It helps you avoid the costs, adverse publicity, and loss of credibility and public confidence that could result from a proposal that hurts privacy. And you can use it to tell Canadians what you're proposing, and involve them in the design and implementation.
You need to do Privacy Impact Assessments at the earliest point in your projects. Try to get an impartial review of them. Get someone who knows privacy to have a look at them. In my Office, we're looking at setting up a process for government departments where we can review at least some of their Privacy Impact Assessments and offer comments at an early stage.
If done properly, and on a routine basis when any changes are made to a project, Privacy Impact Assessments will often reveal problem areas that will require the attention of the project architects.
Allocating time and resources to conducting a Privacy Impact Assessment may be a real challenge, but I would encourage it as a means of avoiding future problems, such as unexpected criticism by a Privacy Commissioner.
That brings me to my final piece of advice: I urge system designers to consult with the commissioners and ombuds offices concerned with privacy matters in your jurisdiction. If you establish a dialogue early in the game, you can save yourself a lot of problems.
Often, we're not brought in to comment on these projects during their development, and by the time we see them, the privacy problems are built right in. When that happens, our ability to provide constructive comments is limited.
Let me extend an invitation right now to the architects of the Health Infoway: bring us your plans, projects, and privacy impact assessments; we'll help where we can.
Some people, listening to us today, might argue that what I'm saying flies in the face of the whole rationale for E-Health: to reduce inefficiency.
But I want to leave you today with the thought that what I am arguing for is truly efficient.
"Efficiency" refers to a relation between ends and means. It refers to choosing the best use of resources to achieve defined goals.
What's critical is how we define the goals.
And what I'm saying to you is that respecting the fundamental human right of privacy is a goal that is critical to the success of any E-Health system.
So build it into your system.
Respect that fundamental human right of privacy. Build a system that respects it, that recognizes the right of individuals to control their information, and that preserves the sacred confidentiality between patient and caregiver, and you'll win the trust of Canadians.
You know, the greatest threats to privacy seldom come from those who want to do harm.
They come from well-intentioned people who say that privacy needs to be sacrificed for some greater good: customer service, prevention of crime, efficiency.
I believe that it is possible to run a business or a country, and provide services efficiently and conveniently, without sacrificing privacy.
If you recognize how important privacy is to our society and to our freedom, if you recognize how concerned Canadians are about it, and build your system accordingly, you'll have Canadians behind you all the way.
I firmly believe that protecting privacy, and winning the trust of Canadians, is the way to ensure a successful E-Health systems design. My Office is here to provide advice and support in helping you build privacy-friendly systems. I'm looking forward to working with you.