Ontario’s Information and Privacy Commissioner: Embed Privacy Protocols By Design, Not By Chance

Dr. Ann Cavoukian, the Ontario Information and Privacy Commissioner, says that privacy is always a challenge—but if embedded by design, rather than chance, there is less risk involved that sensitive data will be compromised.

Covoukian continues about electronic health records in particular: “By incorporating the principles of Privacy by Design into the EHR environment, you can accommodate both individual privacy and access to health information for purposes that benefit society as a whole, such as research purposes — a win-win scenario.”

That win-win scenario, which aims to make your health record “one piece of information” rather than several, is outlined in a report put together by Cavoukian herself and the President of Canada Health Infoway Richard C. Alvarez. You can check that out here

Canada is behind the eight ball, as Rebecca Walberg points out in a recent article in the National Post. She says that only 8% of Canadian doctors in Canada use e-prescriptions, compared to 87% in the UK and 52% in New Zealand.

Canada also lacks in integrated IT systems, where just 14% of doctors’ offices make use of them. Cavoukian points out we are also way behind when it comes to electronic health records and that’s despite years of investment in eHealth in the province of Ontario, where few patients have actually seen the beneifts. Further, the Ontario Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian says that Ontario is also way behind the ball on electronic health compared to other provinces.

But at least Ontario has the University Health Network, which connects GTA hospitals for the transmission of patient information to better serve patients. It’s similar to models in countries like the Netherlands, Denmark, Singapore, and Australia, which have gone with regional record despositories—much like you would keep your sensitive financial information in a safety deposit box at your local bank. Cavoukian continued in saying that the United Kingdom has also gone away from attempting to centralize data and is rather “connecting local systems” much like the UHN.

Cavoukian further recommends that all senior executive teams at hospitals involved in eHealth should be adding senior privacy executives to their teams rather than keeping them off the teams. That won’t mean that hospitals can’t outsource their critical information data infrastructure. But the privacy commissioner did say that it won’t be IT teams that will be held accountable—it will be the senior teams, doctors, or employees and hospitals that will be accountable for any data breach with a zero tolerance party. 

Data breaches have been a major problem and most particularly in the United States, where 96% of hospitals have experienced at least one in the last two years. A hospital’s brand reputation suffers on average 12% when this happens. And it takes nearly a year to restore the reputation of said hospital should a data breach happen.

But Cavoukian believes that the benefits still outweigh the risks. That’s because electronic health records are more efficient, accessible, complete, readable, and locatable and could possibly be more secure in the end. 

Still, in a world that’s always struggling to combat the most sophisticated hackers it’s hard for the general public to believe that anything can truly be secure with groups like Anonymous constantly trolling around. 

Yet Cavoukian says that hackers aren’t always the biggest threat—sometimes it is hospital employees themselves saying that 49% had no kind of security to protect their mobile devices that handled sensitive patient information in the United States leading to data breach at times as we’ve seen doctors use smartphones and tablets in hospitals on a more frequent basis over the last number of years. 

She continued in saying that if privacy is not a concern for doctors and other related medical staff that handle sensitive privacy information electronic health records could result in economic and psychological harm towards the patient. Further a loss of trust in eHealth from the general public may be of consequence further pushing any electronic health mandate further away from actually happening. 

Walberg also says in her National Post article: “The biggest barrier, according to Infoway’s Richard Alvarez, isn’t the financial burden of IT, but rather the work habits and attitudes of doctors who are reluctant to change their relationships with patients and colleagues by integrating IT into how they diagnose, prescribe, document and communicate.”

Cavoukian says that cost of IT will be less if privacy is embedded by design rather than by chance and further cited a December 2009 incident where a nurse lost a USB key containing over 80,000 records of the H1N1 virus resulting in a $40 million lawsuit. 

The bottom line according to the information and privacy commissioner is that people want electronic health record care and their information only accessed by the doctor or medical staff assisting and those people only.  Yet Cavoukian says that she won’t stand in favour of “opting out” of a record of medical information as people who wish to do so aren’t thinking towards when they will be in a state of medical emergency when that information is most needed. 

You can check out additional info at Privacy By Design which includes much further information including near-field communications for medical use. 

Photo: Financial Post