Media Centre

The Convenience of Technology and Reality of Privacy

Remarks for the Conference on Harnessing the Power of Information

September 20, 2006
St. John's, Newfoundland

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)

The metaphor at the heart of this conference – harnessing the power of information – is particularly apt. The potential for information contained in electronic health records to help patients, researchers, health care providers and governments very much depends on how it is harnessed and, in particular, how EHR systems respond to privacy concerns.   Perhaps another metaphor is equally fitting – that of the Roman god Janus, whose name is invoked to symbolize transitions, such as the transition from past to future or the shift from one vision to another. EHRs clearly symbolize a Janus-like shift from one vision of health care to another.

For all their promise, EHR systems bring together some of the most sensitive personal information about individuals, and in a digital form that can facilitate losses of privacy on a massive scale. In a paper-based world, breaches of confidentiality could be serious.  In a digital world, where the confidential information of thousands can be released at the stroke of a key or with the loss of an unguarded laptop, breaches can be disastrous both for the individuals directly affected and for the health care system that is being built around EHRs. Once lost, health privacy for an individual can never be regained, and the trust in the institution is irreparably eroded.

Several reviews of the Canadian health care system in recent years have highlighted the pivotal role of EHRs in a national health infostructure. Pan-Canadian, interoperable EHR systems offer a great opportunity for efficiency and effectiveness to meet the challenges facing health care in Canada. The potential advantages are especially tantalizing in light of current debates about the financial limits governments face in delivering health care.

Contributions Program

But progress, particularly progress in the digital world, can carry a price in terms of privacy. In recent years, my Office has become increasingly concerned about the privacy implications of EHR systems. The world of EHRs is complex and infused with technology. It is a challenge just to understand the architecture of EHR systems, let alone the privacy implications that flow from their design. Because of this, my Office has devoted considerable resources to the issue. As some of you may know, my Office sponsors a research contributions program. This year, we directed more than one-quarter of the funds under the program to better understanding health care privacy issues.

Many of you will be aware of our $45,000 contribution to Memorial University to deal with privacy in the health care sector. This funding will help Memorial examine the influence of technology choices on policy development, as well as the influence of policy choices on technology development.

This project will first involve a survey of privacy-related technologies relevant to the health care sector. A second phase will involve examining the legislative and regulatory regime to determine technology models or assumptions that are inherent in existing regulatory structures. The final phase will look at the deployment of privacy technologies in the health care information sector.

In addition to funding research projects, we have closely monitored the development of the Canada Health Infoway privacy and security architecture. We have commented on the privacy requirements of this architecture, as well as on the overall governance of this initiative.

Attitudes towards privacy in health care

In our enthusiasm about the potential benefits of EHR systems, we must remember that these systems may well stand – or fall – on how they respond to privacy concerns. Professor Alan Westin, one of the leading voices on privacy in the United States, has worked on issues of health care, technology and privacy for more than 40 years. Last year, he testified at a hearing in Washington on medical privacy issues. “I am convinced,” he said, “that how the public sees the privacy risks and responding actions in any EMR [electronic medical record] system will be absolutely critical to this program’s success – or will be a major factor in its failure.” At that same hearing, he reported the findings of his 2005 survey on American health care and privacy. The survey found that “a solid two-thirds of the current American public” share concerns about adverse privacy and data security consequences of an Electronic Medical Record system.

In 2005, my Office commissioned a national public opinion survey to get a snapshot of Canadian attitudes about privacy issues. Two-thirds of those surveyed agreed that the protection of personal information will be one of the most important issues facing Canada in the next ten years. In both that survey and an earlier 2001 survey that we commissioned, about 60 per cent of the respondents agreed that few types of personal information are more important for privacy laws to protect than personal health information.

One question in Alan Westin’s American survey bears specific mention because of the public ambivalence it reveals about EHRs. The question read as follows: “Overall, do you feel that the expected benefits to patients and society of this patient Electronic Health Record system outweigh potential risks to privacy, or do you feel that the privacy risks outweigh the expected benefits?” The American public was equally divided on this fundamental question – 48 per cent saying the benefits outweigh risks to privacy, and 47 per cent saying the privacy risks outweigh the expected benefits. I don’t know how Canadians would respond to a similar question. We do have a more robust privacy framework in Canada on many fronts, and that might make Canadians less worried about the handling of their personal health information. However, if Canadian attitudes about EHRs are even remotely similar to those south of the border, the proponents of EHRs in Canada will face two important tasks – first, ensuring that EHR systems provide a gold standard of privacy protection; and second, communicating this to the public.

In short, any EHR system cannot afford to ignore, or even downplay, privacy. Unless we pay sufficient attention to the privacy issues surrounding electronic health records -- including security of the information contained in the records and placing effective limits on secondary uses -- we risk undermining the promise that such records hold both for the Canadian healthcare system and for the individuals who use the system.

Secondary uses

We must in particular address secondary uses of personal health information. Information used initially for individual patient care may also have important uses for society in general, including health surveillance, health research and management of the health system. But these secondary uses must be identified at the time of collection if we are to maintain public trust in the system. Some of you may be familiar with an Ontario study of patient consent conducted a few years back by Dr. Donald Willison and his colleagues at McMaster University. The study, which examined family practices that used electronic health records, concluded that patients are willing to allow their information to be used for research purposes, but that most wanted to be consulted first.

It is a significant challenge to identify possible secondary uses in advance, and to avoid simply seeking a broad consent to any and all further uses of the information, but it is a challenge that proponents of EHRs cannot ignore. To do otherwise makes a mockery of a core privacy principle – free and informed consent concerning the use of one’s personal information. The principle of consent is distorted if we try to “retrofit” it to permit unforeseen secondary uses, or if we try to sidestep the issue by employing a wide-open, blanket consent up front.

It is also important that we be more transparent about the benefits of EHRs, and about whose interests are being served.  Governments are selling the system in large part because of its presumed benefits for individual patients. But the main benefits may not be in direct care as much as in the potential flowing from secondary uses of the information for research and analysis of the health care system as a whole.

Anonymization

We would perhaps like to think that anonymization is the answer to some of our privacy concerns, particularly those relating to secondary uses. But often it is not. Is information every truly anonymous? Basic information from telephone directories, Statistics Canada and postal codes can sometimes be used to re-identify so-called “anonymous” information. There is a growing body of research that demonstrates that re-identification is technologically feasible and relatively easy to do if the right tools are used. And we must also face up to a simple truth. Anonymization robs health information of much of its research value. Effective epidemiological research may require identifying information – for example, to conduct a quality of life survey as part of a research program looking at the benefits  of a particular type of heart surgery.  

Where anonymization is not practical or possible, identifying secondary uses up front becomes all the more important.

Limits on collection

Researchers, health care administrators, commercial organizations and governments sometimes see personal health information with the same glowing eyes that a child sees the goods in a candy shop. The possibilities seem endless at the time, and the negative effects become apparent only later. However, it should be a fundamental precept, for all those who form part of the health care spectrum, that one collects only the personal information necessary for appropriate and reasonable purposes. The existence of an interoperable EHR system does not represent a justification for the wholesale collection of personal health or other information that may be of interest.

Security

We are all aware of the need to build security into EHR systems. Technology is important, but we also need to take into account how human nature can defeat security. A recent Ontario complaint under the Personal Health Information Protection Act, 2004 highlights the point.

The complainant was being treated at an Ottawa hospital. She complained that her personal health information had been illegally accessed at least ten times, both before and after her treatment. Some of that information was disclosed to her estranged husband, with whom she was in the midst of divorce proceedings. And this mishandling of her information occurred despite her warnings to staff when she entered the hospital that she did not want her estranged husband, who worked at the hospital, or his girlfriend, a nurse at the same hospital, to learn that the complainant had been admitted.

However, her husband did learn that she had been admitted, and he also learned details of her treatment. She complained to the hospital, which determined that the husband’s girlfriend, the nurse, had obtained unauthorized access to the complainant’s file. Even so, the hospital did not immediately take steps to prevent the nurse from getting further access to the information. The nurse inappropriately accessed the complainant’s EHR on three further occasions after the patient had complained to the hospital.

This is certainly the stuff of Oprah here, but real life, just the same. This kind of situation send shivers up the spines of patients, and it should send shivers up the spines of hospital administrators and those who are promoting EHRs. In this case, the Ontario Information and Privacy Commissioner didn’t let the hospital off the hook. She found that the nurse was acting as an agent of the hospital, and found for the complainant. The hospital was ordered to review and revise its practices and procedures to ensure that they comply with the Personal Health Information Protection Act, 2004. The hospital was also ordered to implement a protocol to ensure that reasonable and immediate steps were taken, upon being notified of an actual or potential breach of an individual’s privacy, to prevent further unauthorized use or disclosure of personal health information.

If we are serious about EHRs, we must also be serious about protecting information in those records. Cases such as this show how deficiencies in the procedures of institutions can too easily permit abuses of EHRs. As the Ontario Information and Privacy Commissioner noted, healthcare institutions need to foster a culture of respect for privacy. Otherwise, it becomes too easy to sidestep even some of the most well-intentioned privacy technologies.

The role of health professions

That is where the regulated health professions enter the picture. Privacy commissioners across Canada can wave the banner of privacy before you, and legislators can enact standards, but we know that this is still not enough. Health care professions have a long history of respect for confidentiality. They need to embed that respect even more deeply into the souls of those they regulate. Privacy is not just about intelligent security measures and identifying secondary uses. Better privacy protection will result from keeping privacy in the fore of the minds of health care professionals as they go about their work.  Each profession has a responsibility to make privacy part of its training, its continuing education, and its ethics. And each profession has to find a way to enforce its standards. If you regulate yourselves effectively, you can be spared from the prying gaze of privacy commissioners and ombudsmen. And you will avoid the types of privacy disasters that can discredit legitimate efforts to improve health care through the use of EHRs, as well as prevent the trauma and stigma of health privacy loss to your patients.

Infoway

Joan Roch will make an important presentation later today when she discusses the Infoway White Paper on EHR Governance. One of Infoway’s stated core values is respect for privacy – and that is music to the ears of any Privacy Commissioner and anyone concerned about individual privacy.  Infoway has been responsive to the concerns that provincial Commissioners and my Office have voiced about standards and governance in personal information protection matters. That is an institutional attitude worth emulating.

We are not there yet

We have not yet encountered the full panoply of privacy issues associated with EHRs. All EHR initiatives to date have been enclosed within specific regions. We have yet to experience interoperable systems at a significant scale to respond to the technological and jurisdictional challenges they will bring. An interoperable pan-Canadian EHR system imports privacy risks on a larger scale. The impact of mistakes will be amplified because of the sheer magnitude of the system. We all need to understand these implications of EHRs. For its part, my Office is examining several possible scenarios involving EHR information flows to get a better sense of the possible privacy implications. We are doing this in partnership with other jurisdictions.

A truly interoperable EHR system may no longer fall under the privacy laws of just one jurisdiction. As in other areas of activity, the most effective solution to the jurisdictional issue is to work to the highest common denominator. In other words, the system should respect the privacy standard of the jurisdiction that has the most stringent standard. This will promote uniformity of privacy protection across Canada while avoiding a race to the bottom in terms of standards. There is no reason why someone in one province whose personal health information is maintained in a pan-Canadian, interoperable system, should have any less privacy protection than someone from another province.

The legal requirements are sometimes consistent and compatible with one another but there are important differences around consent and secondary use, for example. And if a health privacy complaint is brought to both the provincial and federal oversight offices in respect of the same transaction, the offices will seek to collaborate in investigating and making findings.

Conclusion

I urge you not to look at the protection of personal information as an impediment in moving forward with EHRs. Far from presenting technical or legal roadblocks, genuine respect for privacy will help pave the way towards enhanced public trust in EHRs.  At the end of the day, we all want to find a way of using information that is better for health care, better for researchers, better for distributing our limited resources within the healthcare system, and better for the health of patients and their privacy.

I would like to see us live up to the definition of EHRs provided in the 2005 Infoway Annual Report. It speaks of EHRs as providing each individual in Canada with a secure and private lifetime record of their key health history and care within the healthcare system. It speaks of EHR systems as providing authorized healthcare professionals with rapid access to complete and accurate patient information, enabling better decisions about treatment and diagnosis. The result, continues the definition, is a sustainable healthcare system offering improved quality, accessibility and productivity.

If we pay attention to privacy, we can make this definition a reality. Building on the initial metaphor of harnessing the power of technology, I would only add that we need to “design privacy in” at all levels of the technology to fully reap the benefits of EHRs.