Friday, January 4, 2008

How Solid are your Privacy Rights?

The US-based Electronic Privacy Information Centre and the UK-based Privacy International have released a comprehensive report on the state of privacy around the world. How solid are your privacy rights?

If you live in the US or UK you are in the same class as those living in Malaysia, Russia and China. People living in Greece, Romania (go figure, given where Romania was a couple of decades ago), and Canada fare the best, though Canada's ranking slipped two levels from "Significant protections and safeguards" to "Some safeguards but weakened protections". Among the other findings:
The study is well worth a look.

Thursday, January 3, 2008

Do We Know What We're Doing?

One of the business risks that come up time and time again in discussions about eHealth is the supply of people knowledgeable about both IT and health care. It seems that there are lots of one or the other, but few who understand both dimensions of a very complex business. Yet there is little effort being applied to increasing the pool of talent needed to address the demand for skilled human resources.

There are a number of university and college programs across the country (link here for a survey of HI programs across Canada published by the Waterloo Institute for Health Informatics Research (WIHIR)), but they graduate relatively few health IT practitioners... certainly not enough to fill the demand.

COACH, Canada's Health Informatics Association, has recently published a list of core competencies needed by Health Informatics Professionals (unfortunately it's only available to COACH members), but again, there is no strategy to provide educational opportunities for those who need it.

The Healthcare Information Management and Systems Society (HIMSS) has recently implemented a certification program (Certified Professional in Healthcare Information and Management Systems (CPHIMS)) that is taking us in the right direction.

The University of Waterloo's Health Informatics Bootcamp program developed and delivered by WIHIR is highly recommended because it addresses a critical need to quickly educate health care and IT professionals on the intricacies of health informatics.

If we are to succeed in driving out eHealth at the pace promoted by politicians and their instruments such as Canada Health Infoway (and other national equivalents), more investment is needed in the educational programs necessary to develop a competent health informatics workforce.

Wednesday, January 2, 2008

Welcome Back!

After a hiatus of a couple of months, I'm finally back to eHealthRisk. I have two announcements for those who are interested:
  1. Starting today I have taken on the position of President of the Canadian Health Information Technology Trade Association (CHITTA), the health care division of the Information Technology Association of Canada (ITAC). This will get me back into the game following my year-long sabbatical studying all dimensions of eHealth risk.
  2. The Waterloo Institute for Health Informatics Research has posted the next series of eHealthRisk Workshops. New this year is the eHealth Information Security Workshop whose inaugural run will be from March 26 to 28, 2008 at the University of Waterloo.
And my New Year's resolution... To religiously apply myself to this eHealthRisk Blog.


Wednesday, November 21, 2007

Canadian Attitudes to EHRs and Privacy

Canada Health Infoway, Health Canada and the Privacy Commissioner of Canada commissioned and have published a comprehensive survey of Canadian attitudes towards Electronic Health Records and Privacy titled Electronic Health Information and Privacy Survey: What Canadians Think - 2007.

From the Press Release:

Almost nine in 10 Canadians (88 per cent) support the development of EHRs -- a five per cent increase since 2003. Other findings include:
  • 31 per cent of respondents reported they had experience with an electronic health record during an interaction with the health care system. When asked how the EHR system compared to the paper system in terms of overall effectiveness for the health care system, an overwhelming majority (89 per cent) said the electronic system was better.
  • 87 per cent of Canadians believe electronic health records will make diagnosis quicker and more accurate, while 82 per cent believe they will reduce prescription errors and 84 per cent would like to be able to access their own medical records online.
  • Canadians want to ensure that privacy and security safeguards are in place to protect their health information. 77 per cent would like audit trails that document access to their health information. 74 per cent want strong penalties for unauthorized access. 66 per cent of Canadians want clear privacy policies to protect their health information. In the event of a security breach, 7 in 10 want to be informed and would like procedures in place to respond to such breaches.
  • Those who have had experience with an electronic health record showed an even stronger support for privacy and security safeguards.
  • A majority of Canadians (55 per cent) would like to be able to hide or mask sensitive information contained in their record.
  • While the poll shows strong support (84 per cent) for using anonymous information from electronic records for health research, this support drops dramatically if personal details are not removed from the record (50 per cent).

Thursday, November 15, 2007

Laptop Thefts - Again!

Alberta's Privacy Commissioner, Frank Work, is the second Canadian privacy commissioner to demand the encryption of personal health information on laptop computers following the theft of four laptop computers from a Capital Health facility. From the OIPC press release:

"The investigation outlines the following steps that must be taken to protect health information stored on a mobile device in order to meet requirements of the HIA:
  • There must be policies and procedures that users are aware of and educated on that guide proper use of the device,
  • Reasonable steps must be taken to physically secure the device,
  • There must be a business need to store health information on the device,
  • The device must be password protected, and
  • Health information stored on the device must be protected by properly implemented encryption."

Monday, October 29, 2007

Westin Speaks on Health Research

US Privacy Guru Alan Westin has recently undertaken a study on behalf of the US Institute of Medicine on public attitudes concerning privacy and health research. Modern Healthcare Online has published a two-part article on his findings (for part 1 click here - for part 2 click here). From the article:
"The good news for the research community is, despite a plethora of media reports on privacy and security breaches in the healthcare industry, most people still respect the aims of researchers and are willing to support their work.

The bad news is, perhaps because of these highly publicized privacy failures, people need more assurance than in the past that their healthcare information will be protected and, particularly, not end up being misused in ways that could hurt them. This new reality will necessitate some consciousness-raising on the part of researchers, who historically have seen themselves as the guys in white hats who should be above suspicion, according to Westin."

Friday, October 26, 2007

Remote Access to PHI

Health care organizations are under significant stress to allow remote access to personal health information in the field or from the homes of health care workers. The Ontario Information and Privacy Commissioner issued her Order HO-004 which addressed the issue of PHI stored on laptop computers and directed Ontario health information custodians to employ measures such as encryption to protect PHI on laptops and other portable devices. I know that many Ontario health care organizations are struggling to implement this order while not interfering with the need to allow remote access to PHI for legitimate and important health care delivery and research purposes.

I found an excellent reference guideline on the security considerations for remote access published by the US Department of Health and Human Services titled Security Guidance for Remote Use. This is published under the auspices of the HIPAA Security Rule. What I really like about this document is that it takes a risk management approach to considering the problem of remote access. The document looks at the risks of allowing remote access and suggests possible risk mitigation strategies.

This document is HIGHLY Recommended.

Friday, October 19, 2007

10 Years Late

I was having breakfast a few mornings ago with a colleague. We were discussing the current state of privacy laws and what I perceived to be the major threats to privacy. I was bemoaning the fact that our current privacy regimes are inadequate to deal with these new threats: government "function creep" (with the many unfortunate but legal uses being made of our personal information by government agencies in the name of national security and law enforcement), and identity theft. With respect to the former, he commented that while the checks and balances of our modern democratic systems may appear to have broken down, they are actually still in play. We'll see the pendulum swing back in the next few years.

It dawned on me that our current privacy laws were made for our world as it existed 10 years ago when we were at the height of the boom. Way back then, in 1997, everyone was worried about the potential abuses by information entrepreneurs who wanted to capture our eyeballs and data mine our personal information. The laws we built succeeded in tempering the ambitious aspirations of the entrepreneurs, but didn't anticipate the threat to privacy in the post 9/11 world.

Maybe that's the pattern. 10 years from now we will have come to a consensus on how to protect personal information from over-zealous bureaucrats and law enforcement officials. But who knows what new threats to privacy will emerge in 2017? We can predict, for example, that our genetic code will be a prominent feature of our electronic health records. Who will be trying to exploit that information for power or profit? We can also predict that our privacy laws won't be able to fully protect us from these new perils.

Unfortunately, we don't have a crystal ball.

Thursday, October 18, 2007

EHR's for Sale

I wonder how Canada Health Infoway will feel about banner ads on its nation-wide Electronic Health Record?

After reading a couple of articles over the past few days (Advertising, data sales subsidize EMR products and Google Health Wants to Digitize your Medical Records), it crossed my mind that the EHR, EMR and EPR marketplace is moving way faster than our eHealth policy makers. We've seen it in other sectors, particularly in education where cash-strapped schools and school boards rent out advertising space to soft drink and confectionery companies. Already in the United States banner ads and sales of aggregated and anonymized data (if there really is such a thing any more) are seen as integral parts of the EMR/EHR business model.

There is a raft of ethical issues that must be addressed as market forces worm their way into our eHealth systems. It's one thing for big Pharma to market their products to physicians through sales reps, but what happens when the marketing happens in real time... When the drug in the banner ad is tied to the patient's diagnosis and conveniently displayed on the doctor's screen?

I'm beyond worrying about whether this is a good thing or a bad thing. What worries me is that this stuff is happening without debate. Maybe the benefits of improved health care through eHealth are worth a little manipulation by big corporate interests if that's what it takes to fund an eHealth infrastructure. But can we at least think about it before it happens?

Wednesday, October 17, 2007

Health Privacy Resource

Anyone looking for a good source of health privacy resources should look at the Privacy Commissioner of Canada's website. Her health page links to most of the key resources of interest to Canadians, and has links to international resources as well.

My favorite link is to the 1992 Supreme Court decision McInerney v. MacDonald. This is the decision that enshrined the principle that while a health care provider owns the health record, the patient has nearly absolute rights to the data contained in the record (for clarification on the "nearly" check out the decision).