CIA-backed firm given all-clear to handle health data

A report from Ontario’s Information and Privacy Commissioner showed that a Chicago-based company providing software to an electronic health record application in the province does not release information to the CIA and therefore is not in violation of its health-care privacy law.

The Commissioner’s Office commenced an investigation into the matter earlier this month, three days prior to the publication of an article on Government Health IT, a Virginia-based health-care Web site, that cited privacy fears following a March 2006 investment from In-Q-Tel, the venture capital arm of the Central Intelligence Agency. Initiate Systems is the maker of client management software used in provincial electronic health record applications across Canada under an agreement with Canada Health Infoway.

The story, published on August 14, was brought to Ann Cavoukian’s attention by the CIO and vice-president of Cancer Care Ontario (CCO). CCO selected Initiate’s application, the Enterprise Master Patient Index (EMPI), to manage patient information for the Ministry of Health and Long Term Care prior to In-Q-Tel’s investment in March following a thorough Privacy Impact Assessment. The EMPI contains health card numbers and other identifying information such as demographics but does not include diagnoses, prognoses or other clinical information shared between health care providers and their patients.

In her report, which was released to the parties involved on Friday and made public on Monday, Cavoukian said CCO allows Initiate System, “extremely narrow, on-site access to personal health information, under tightly controlled and limited conditions.” Further, the report went on to say that In-Q-Tel’s investment in Initiate Systems does not allow the venture capital firm to access any health information contained in the Ontario EMPI.

“The major concern was ensuring that only authorized individuals in the health care field access this data,” said Cavouikian in an interview with on Monday, adding that no information was found to flow outside of Ontario in this case. “The contract and the protections of the record were very robust.”

Sarah Kramer, CIO and vice-president of Cancer Care Ontario, was responsible for procuring the software for the Ministry. Kramer said CCO went through a very rigorous procurement process and selected Initiate Systems.

“I didn’t have any worries about it,” said Kramer. “I’m always concerned about privacy and security so we put a lot of provisions in both our contract and our operational processes to ensure that this information is held private and secure.”

Initiate Systems, for example, does not have any remote access to EMPI data and performs all technical support for the system in Ontario. The latter was one of several recommendations the Commissioner made in her report. Cavoukian also recommended that she should be consulted concerning any proposed amendments or changes to the confidentiality or privacy obligations contained in the agreement between CCO and Initiate Systems.

CCO’s Kramer said her organization’s contract with Initiate Systems has such provisions already in place.

“There’s no way they can get the information across the order,” she said. “We ensure that there’s no back door software access where it’s being snuck out of the back of the system.”

Privacy expert and president of Nymity Inc., Terry McQua, said there’s a lot of concern about personal information being transferred to the U.S.

“You’ve got to make sure there’s an adequate amount of safeguards in the U.S. locations as there would be here,” he said.

Nymity has a list of considerations it gives to its customers when they are developing their privacy policies around securing their data. Some of these include determining what information is being collected, how it is being stored, who has access and how it’s being disposed of. The list also tells companies to ensure personal information is restricted only to employees who need to know or access the information to perform assigned duties and have the responsibility of duty to protect it such as signed confidentiality agreements.


Share on LinkedIn Share with Google+