Condition Critical: Health Privacy in Canada Today
Meeting New Standards for Managing Privacy of Health Information
June 18, 2001
Privacy Commissioner of Canada
(Check Against Delivery)
You've got a formidable team before you over the next two days, including the Honourable Horace Krever, who presented a landmark report on the confidentiality of health information in Ontario, 21 years ago, as well as leading advocates and experts, some of my counterparts from the provinces, and privacy practitioners from both the private and public sector.
This assemblage of talent is fitting, given the challenge of the subject you're addressing. Health privacy is a pressing and complex issue. It raises questions that are both stubborn and delicate: questions of policy and politics, about technology and society, and about competing social needs.
Don't let the complexity of the issue overwhelm you. Underneath those thorny questions are some very simple, fundamental principles. We can manage health information in ways that respect those principles, as long as we set our minds to it. It's critical and urgent that we do so.
I'm going to talk today about what privacy is, and why it's important, especially in the context of health information. I'll outline some significant privacy challenges facing us, and make some suggestions as to how they should be addressed.
But first let me set the stage by telling you a bit about my own role and responsibilities, and how they fit into the protection of health privacy.
As the Privacy Commissioner of Canada, I am an Officer of Parliament, appointed for a seven-year term to be the independent guardian and champion of the privacy rights of Canadians.
I don't work for, or report to, the government. I work for and report directly to the people of Canada, through Parliament.
I oversee and enforce two statutes: the Privacy Act, which governs the personal information practices of Federal government institutions, and the new Personal Information Protection and Electronic Documents Act, which does the same for the private sector. This new act is going to be of great significance to the issue of health privacy.
The act applies to personal information collected, used, or disclosed in the course of commercial activities. What it says, in a nutshell, is this:
Apart from some very limited exceptions, no private sector organization can collect, use or disclose personal information about someone without their consent.
It can collect, use or disclose that information only for the purpose for which they gave consent.
Even with consent, it can only collect information that a reasonable person would consider appropriate under the circumstances.
People have the right to see the personal information that is held about them, and to correct any inaccuracies.
There is oversight, through me and my office, to ensure that the law is respected, and there is redress if people's rights are violated.
The act is coming into effect in stages. It has applied since January of this year to personal information, other than health information, of customers or employees of federal works, undertakings, or businesses-principally banks, telecommunications, broadcasting, and interprovincial or international transportation, as well as all private sector businesses in Yukon, Nunavut, and the Northwest Territories.
It also applies to personal information-again, other than health information-in any commercial activity when the information is disclosed across provincial or national boundaries for consideration. "Disclosed for consideration" is legalese meaning that you get something in exchange for it-for example, through sale, lease, or barter.
In about six months, in January 2002, the exclusion of personal health information from the coverage of the act will end. The act will apply to personal health information about employees or customers of federal works, undertakings, or businesses, or that's disclosed across borders for consideration.
The final phase-in stage for the act is 2004. At that time, the act will extend to all commercial activities in Canada, except where provinces have passed substantially similar privacy legislation. Where that's happened, the Federal Government may exempt the province from the application of the federal legislation, and the provincial law will apply. Federally-regulated businesses in those provinces and information disclosed across borders will continue to be governed by the federal act.
In short, eventually all of the private sector in Canada will be required to comply with the federal law or a similar provincial one.
Now let me pose the question: why privacy? What's so important about privacy that Parliament has enacted this complex legislation to protect it, and appointed an independent officer to enforce and promote it?
Well, what's important about privacy is that it's a critical element of a free society-it's "at the heart of liberty in a modern state," as former Justice La Forest of the Supreme Court said.
That's because there can be no real freedom without privacy. None of us wants to go through life feeling that at any moment someone may be looking, either metaphorically or literally, over our shoulder. If we have to weigh every action, every purchase, every statement, every human contact, wondering who might find out about it, judge it, misconstrue it, or somehow use it to our detriment, we are not truly free.
Many have suggested that privacy is the right from which all others flow-freedom of speech, freedom of association, freedom of choice, any freedom you can name.
That's why lack of real privacy is a distinguishing characteristic of so many totalitarian societies.
And that's why privacy is not only an individual right-it's also a shared value, a social, public good. Our society as a whole has a stake in the preservation of privacy.
This point is particularly important when we're talking about medical privacy.
It's often said that an individual's right of privacy has to yield to society's interest in better, more efficient health care.
This facile opposition between the privacy of the individual and the interests of society is fundamentally misguided. The interests of society include the privacy of individuals. When privacy is lost, the individual feels it, of course, but society is the real loser.
We cannot continue to have a free, open and democratic society, in which we all have the autonomy to fulfil ourselves, unless the right to privacy is respected.
That doesn't mean that privacy is an absolute right. Sometimes some of it has to be sacrificed to advance other crucial social objectives.
But if we make too many trade-offs, accept too many calls to give up a little privacy here, a little privacy there, soon we'll have no real privacy, and no real freedom.
So, when someone proposes a limitation, a trade-off for some other objective, we need to scrutinize it very, very carefully. Is there really a need that clearly outweighs the loss of privacy?
Will sacrificing privacy really achieve the objective? Is there a less privacy-invasive way to achieve the same objective?
Though we all value privacy, it's not always clear what people mean by it. How you define it is important to understanding how it's at risk, and how to protect it.
It used to be common to think of privacy as the right to be let alone, and that's still how a lot of people understand it. It's that gut-level concern that people have about wanting to go about their peaceable, lawful business without being monitored or bothered.
But there's another kind of privacy invasion that's less obvious, and that's the collection and compiling of information about us without our knowledge or consent.
That's why I define privacy as the right to control access to one's person and to information about oneself.
And it's this broader, informational concept of privacy that leads me to believe that privacy will be the defining issue of this decade.
That's because we are at a crossroads.
Until relatively recently, privacy was protected pretty much by default. As long as information about us was in paper records, and scattered over a whole lot of locations, someone would have to go to a lot of trouble to compile a detailed dossier on any individual.
But now the move to electronic record-keeping is eating away at the barriers of time, distance, and cost that once guarded our privacy.
Now some stranger at a computer keyboard can compile an amazingly detailed dossier on your whole life, literally in minutes.
The choices we make in confronting this threat to privacy will determine what kind of world we leave for our children and grandchildren.
This is particularly the case when it comes to personal health information. Nothing is as personal or as private as the intimate details about the state of our own minds and bodies.
This information belongs to the individual-not to anyone else. The individual has the right to determine who gets it, and for what purpose.
When we take someone into our confidence and share something personal about ourselves, we do so in the belief that we can trust that person not to divulge the secret to anyone else.
This concept of trust is at the very heart of the doctor-patient relationship. We tell our doctors things about ourselves we might not share even with our spouses-let alone our employers, our bankers, casual acquaintances or the government.
Patients have a right to expect and be confident that their personal health information will not be collected beyond what is necessary for their care. They must be confident that the information will not be used or disclosed for any reason other than their care. Certainly they must be confident it will not be put to any use that could do them harm.
The Hippocratic Oath is rooted in the recognition that there can be no effective physician-patient relationship unless patients can be totally open and candid about their symptoms, habits, lifestyles, and concerns.
Doctors cannot provide good diagnosis and treatment without full information, and people are not likely to surrender full information if they fear it might somehow be used against them.
If the privacy of health information is not protected by the systems we build, it will be at a dramatic social cost.
We all have a stake in the health care system. We all benefit when health care costs are kept down through early diagnosis, treatment and prevention programs; when contagious ailments are identified as early as possible; and when conditions that might cause accidents in the workplace or on the roads are diagnosed and treated before harm is done.
But this intimate and sensitive information is increasingly being collected, stored, and shared electronically. And as electronic networks, health surveillance systems, and new information and communication technologies advance, the possibilities for violations of privacy multiply. We're approaching a point where patient privacy and any real expectation of confidentiality could well vanish. And it's no exaggeration to fear that lack of confidence in the privacy of health information could lead people to avoid seeking treatment.
The potential consequences of that are staggering-for ourselves as individuals, for the health care system, for society as a whole.
So: the condition of health privacy is critical, and with it the condition of the health care system.
If that's the diagnosis, what do we do next?
There have been a number of different answers to that.
Physicians themselves have come up with one part of the answer. No one knows better than physicians how important this issue is. No one is more aware of the sensitive nature of health information and the duty of trust regarding that information.
And so physicians have taken a leading role in protecting health privacy. The Canadian Medical Association's Health Information Privacy Code is an affirmation of the importance of privacy and confidentiality at the heart of the doctor-patient relationship. It might be described as the Hippocratic Oath for the Information Age.
The CMA code is a stronger standard than the new federal privacy legislation, and that's perfectly appropriate. The federal legislation is intended to set a benchmark for the protection of privacy. It's a floor, not a ceiling. There are good arguments for imposing even stricter standards on the privacy of health information.
But, apart from the CMA code, is that happening in Canada today?
The federal Minister of Health's own Advisory Council on Health Infostructure said in February, 1999, in its Final Report that harmonization of federal, provincial, and territorial legislation governing health information has to be to the highest common denominator. That was promising. What it means today is that legislation has to be harmonized upward from the baseline provided by the federal legislation.
It looks to me as though the Council's observations haven't been taken seriously enough.
You will have heard about the proposed Federal/Provincial/Territorial harmonization resolution for the protection of personal health information.
We've looked at this proposal in my Office, though it's not been released publicly. I'm sorry to say that our assessment is that it would do little to prevent the lowest common denominator from becoming the standard for health privacy protection across the country.
It makes use of the Canadian Standards Association's Model Code for the Protection of Personal Information, which is at the center of the new federal privacy legislation. But it would override the Code wherever there is a conflict with it. And that doesn't mean a higher level of protection than the Code. It may well be lower. Important issues remain unresolved, such as exceptions to the requirement for informed consent, and whether there will be a requirement for oversight.
Yet this resolution appears to be in the process of being adopted, without the benefit of a full public airing beforehand. With something so important, I would have expected to see opinions solicited from a full range of interested parties before it's adopted, not after. I am very concerned about this.
I was pleased to learn that Duncan Sinclair, a founding director of the new Canada Health Infoway Corporation, recently described privacy as "the showstopper." I hope that the new Board follows up on that and makes achieving a high standard of privacy protection part of the Corporation's action plan for its first year. I know that creating electronic health records is one of this new corporation's main goals, but patients won't be satisfied without control over their personal information.
And we already have models that incorporate some degree of patient control. Saskatchewan's Health Information Protection Act, for example, is a significant achievement. The act, at least in its present form, upholds patient autonomy and consent. Patients can choose not to have personal information that they confided to their physicians stored on the health information network. Patients control where their information is kept and who has access to it.
So I take some encouragement from that-or rather, I did until recently, when the Chief Executive Officer for Saskatchewan's health information network said at a conference that her government is reconsidering some of the privacy provisions of its legislation. That, in my view, would be regrettable.
I'll be watching Alberta with interest. Its Health Information Act was proclaimed in April, although Privacy and Information Commissioner Bob Clark has created a 6-month implementation period to give organizations more time to comply. I'm pleased to see that Frank Work, who will be on a panel with you this morning, has been appointed Assistant Commissioner for Health Information.
You'll be hearing later today about Ontario's plans to protect personal health information. You probably know that the Personal Health Information Privacy Act, Bill 159, died on the order paper, so I won't belabour the points that I made when I discussed it before a Committee of the Legislative Assembly. Suffice it to say that I told the Committee that the proposed legislation was an assault on health privacy rights, not a defence of them, and that it fell fundamentally short of meeting the test for "substantial similarity" with the new federal privacy legislation. I'll be interested to see what they come up with next.
If I'm reserved in my enthusiasm for many of the responses to the critical situation of the privacy of health information, what do I suggest?
Let me give the architects of health information management systems three pieces of advice.
The first is this: build privacy into the system, as an essential component. Technology, science, and information management should serve our values, and be determined by them-not the other way around. Privacy should determine the architecture of the system.
So, what does that mean: building privacy into the system?
Well, for example, the system has to limit use of the information. Systems have to prevent the use of personal health information for purposes that go beyond patient care, and beyond what patients have consented to.
Another example: a health network must allow patients to opt out without compromising their access to health care. The system has to allow patients to control where their information is kept and who has access to it, and choose not to have personal information stored.
Though some people object that controls like these would jeopardize care for the patient in a life-threatening situation or emergency, that obstacle that can be overcome. A patient could decide to permit access to some of their personal health information in an emergency situation. If necessary, a clear and limited power to override their opt-out in emergencies, if consent could not be obtained, could be developed.
My second piece of advice is to do Privacy Impact Assessments on all projects or proposals.
A Privacy Impact Assessment is a tool that allows you to forecast a proposal's impacts on privacy, assess its compliance with legislation and principles, and determine what's required to fix any problems there may be. It helps you avoid the costs, adverse publicity, and loss of credibility and public confidence that could result from a proposal that hurts privacy. And you can use it to tell Canadians what you're proposing, and involve them in the design and implementation.
You need to do Privacy Impact Assessments at the earliest point in your projects. Get someone who knows privacy to have a look at them and give you an impartial review. In my Office, we're looking at a process for government departments where we can review at least some of their Privacy Impact Assessments and offer comments at an early stage.
Allocating time and resources to a Privacy Impact Assessment may be a real challenge, but I would encourage it as a means of avoiding future problems, such as unexpected criticism by a Privacy Commissioner.
That brings me to my final piece of advice: consult with the privacy commissioners and ombuds offices in your jurisdiction. Establish a dialogue early in the game. You'll save yourself a lot of problems.
Too often, the privacy problems are built right into proposals by the time we see them. When that happens, our ability to provide constructive comments is limited. So, bring us your plans, projects, and Privacy Impact Assessments; we'll help where we can.
Some people might argue that what I'm saying flies in the face of the need to improve health care and reduce inefficiency in the health care system.
But I want to leave you today with the thought that what I am arguing for truly serves our society's interests in improved health care, and is truly efficient.
Removing control of personal health information from the hands of the people it belongs to will hurt health care, not help it. If people avoid treatment, lie to their caregivers, fail to report frankly and openly, and fail to follow prescribed treatments, all because they are afraid of their information being used and disclosed without their consent, we will see severe damage to our health care overall.
As for efficiency, that word refers to a relation between ends and means. It refers to choosing the best use of resources to achieve defined goals.
What's critical is how we define the goals.
And what I'm saying to you is that respecting the fundamental human right of privacy is a goal that is critical to the success of any regime for the management of health information.
Respect that fundamental human right of privacy. Build systems that respect it, that recognize the right of individuals to control their information, and that preserve the sacred confidentiality between patient and caregiver.
You know, the greatest threats to privacy seldom come from those who want to do harm.
They come from well-intentioned people who say that privacy needs to be sacrificed for some greater good-customer service, prevention of crime, the advancement of science, efficiency.
I believe that it is possible to support our health care system, and provide services efficiently and conveniently, without sacrificing privacy.
I believe that protecting privacy, and winning the trust of Canadians, is the way to ensure successful management of personal health information. I will continue working and fighting for that, and I hope that you will join me.