Electronic health records (EHRs)
“Privacy by Design” (PbD) = embedding privacy into the architecture of services and records management
Dr. Cavoukian does not necessarily favour privacy over healthcare; she has had multiple neurosurgeries and knows what it is like to be in emergency needing immediate healthcare and not worrying about privacy. The most important thing is the right healthcare service at the right time. However, you can embed a cloak of security around this.
Privacy = Control
People want to feel they are in control of their health information. If you keep the user in mind, it is giving them freedom to control their information that is important. Germans have a concept called “informational self-determination” and they have some of the strongest controls. After loss of control with the Third Reich, Germans are very protective of the control over their own information. Privacy is absolutely essential to freedom and society.
"Give me Real Privacy now, not privacy theatre" - See: RealPrivacy.ca
She is releasing a paper she co-authored with Canada Health Infoway: Embedding Privacy into the Design of EHRs to Enable Multiple Functionalities - Win/Win (March 2, 2012):
• It is not privacy or EHRs; it is both
• If you are not interested in privacy, you have no business being in health; you have to have privacy top of mind; it can’t be something you get to “eventually”; it is way too late if you look at it at the end
• Privacy has to be an integral component in all that you do; do not take a silo'ed approach. If you do, you will fail and have a privacy breach.
• Privacy by Design means taking an holistic approach. If you are in HR or e-health businesses, this is what you have to do.
Legislation - PHIPA
Personal Health Information Protection Act, 2004 (Ontario)
• Was used as a framework for the United States' HIPAA legislation
• Came into effect November 1, 2004
• Not the only driving principle but is paramount and drives the privacy activities in this area
• It is a consent-based statute but can sometimes rely on implied consent
Everything is moving to the cloud, and there is so much extreme sensitivity around personal health – we need to feel trust in the systems we are building.
“Give me electronic health records now”
She has been ranting for years: “Give me electronic health records now”
• reduces delays in healthcare: she has first-hand experience with a painful12 hour delay of surgery because records not accessible.
• She is a real advocate in favour of e-health records
• Design of systems is critical – maximize the privacy with strong encryption, strong audit logs that set alarms when unauthorized access help to alleviate concerns, but there will still be concerns
• Have expanded dramatically
• We live on our mobile devices
• Some of the orders she has had to give have been around the transfer of data to mobile devices that are unprotected
• In our zeal for electronic, we are not taking the necessary precautions that we should be
• There are problems with paper-based records also, but portable devices present a unique set of problems
One of the most vulnerable times is when records are being transferred from paper to electronic records
• See paper: A Practical Tool for Physicians Transitioning to Electronic Records [pdf - May 21, 2009]
Beware of unintended consequences
• See U.S. report - Dr. Larry Ponemon's “Benchmark Study on Patient Privacy and Data Security”
o Almost all practitioners in the U.S. have had data breaches in the past year – lost or stolen records
o Increased from the year before
o 81% of healthcare services used mobile devices, most not secured (no encryption, etc.)
• if you don’t make privacy a priority, it will come back to bite you
• unfortunately it also comes back to bite the patients – patients now not seeking treatment because they don’t want their conditions known – they go to great lengths to conceal information; they may also falsify information
• also creates loss of trust on the part of patients
• will have to consider privacy at the front end from the senior management level
Cost of data breaches
• U.S. - Cost of data breach $202 per record on average; in U.S. between 2006 and 2007, 1.5 million data breaches
• In Canada - $100 - $200 cost of data breach per individual
• December 2009 in Durham – nurse lost a USB key, unencrypted – she did not follow protocol - $40 million law suit currently in the discovery stage – was not in compliance with PHIPA
• Numerous fines in the U.S. by Health and Human Services
• She is more concerned about the affect on patients
She is dismayed by the approach of having privacy seen as some soft policy looked at the end.
Privacy by Design
Adoption of “Privacy by Design” Resolution [pdf]
• Passed in Jerusalem, December 2010
7 principles of Privacy by Design
- Proactive, not reactive
- Privacy is the default setting
- Privacy embedded into design
- Full functionality: positive sum, not zero sum
- End-to-end security; full lifecycle protection
- Visibility and transparency; keep it open
- Respect to user privacy; keep it user-centric
She believes in a win-win solution where we can have both openness and privacy. It’s very difficult, but “you can do this.” Need to have it security from the time of taking in the information to the time of destruction of the information.
You have to have senior privacy people as part of your senior executive team. When the top gets to the privacy message, then the messaging flows through the entire organization.
Consent is fundamental to privacy. PHIPA is a consent-based statute. Consent can be implied at times; you don’t want your time with your doctor “whittled away” by spending time talking about privacy. Implied consent within your immediate healthcare circle. The moment you step out of that circle, you need explicit consent.
PbD - Privacy by Design
• use the information de-identified for research
o the privacy resides in the identifiability of the data
o build de-identification processes into the system
• the benefits of “big data” are enormous but we need privacy to go with it – “We can’t have big data without big privacy.”
• Paper with Dr. Khaled El Emam, Canadian Research Chair in Electronic Health Information - The Case for De-identifying Personal Health Information
• Re-identification is very very difficult to do – do not avoid de-identification with the reasoning that someone can re-identify – Dr. Khaled El Emam’s tool can help with de-identification
• Her concern is with the healthcare providers who think that her information (as a patient) is their information. The healthcare provider has custody of the data but it does not belong to them – belongs to the patient.
• What about the patient? Different efforts with EHRs leaves the patient out of the equation
o Need to do more to empower patients, especially those who have chronic conditions
o Need to put the information into the patients’ hands, not just the healthcare provider
o She goes to great lengths to get copies of all her own records and she likes to manage those herself
- If you have multiple healthcare practitioners, it is hard for one to know what the other is doing
• Moving away from a central model of healthcare systems – just not working – regionalization instead
o Locally: Connect GTA – health information to be shared across the continuum of care to be shared within the GTA
o Within Toronto the hospitals are not all connected although there are successful models outside Toronto
o It is a challenging task – “We can get people onto the moon, surely we can connect these systems.” “The hospitals aren’t that far from each other.” “The challenge is well worth it.”
Outsourcing data work
• you remain accountable just as if you handle the information
• outsourcing to the US: the USA PATRIOT Act is a red herring – there are so many legal instruments in place before the USA PATRIOT Act
• Privacy by Design sets a higher bar - you still need to talk with the patients and put privacy in place – you will be in compliance with any law around the world if you are on the cloud
Development of big databases and registries
• E.g. Diabetes Registry
• Consent is becoming a big issue
• you have to factor in consent, but debatable how you do it
• opt-out is the easiest to set up, but the problem is communicating the opt-out option with the public
• things that are very sensitive should not rely on the average person to be scouring the newspapers etc. to see their opt-out options – that is not on their radar, they are not thinking about that – there has to be an understanding of how data can be accessed – education of the public around this is very low
• there is an arrogance of the administrators of these systems (“it is for research”); the patients’ interests are secondary – need to challenge this attitude
• there are ways to use data and retain privacy e.g. ICES uses unique identifiers on the data that are meaningless outside of the system.
• Make privacy a priority
• We can manage the privacy risks of EHRs – “we have to”
• If risks are not successfully managed – this will set trust in the system back too far
• Much easier and cost-effective to build privacy in at the front end – “do yourself a favour if you are in this area, do it at the front end”
• Do not take a silo'ed approach to privacy
• If you leave it to the end, you will do “privacy by disaster”
See also: my blog post on Slaw.ca which discusses the report released on Friday