TORONTO — Ontario’s information and privacy commissioner pulled no punches Monday when discussing privacy issues surrounding health information.
At the e-Health 2001: The Future of Health Care conference, Ann Cavoukian told a standing-room-only audience the need for privacy has never been greater. “This is literally life and death,” she said.
Privacy, however, should not be confused with security. Cavoukian said there are four tenets of security: authentication, data integrity, confidentiality and non-repudiation. She added that data integrity is “the most important area that has been perhaps overlooked somewhat in the context of online transmissions of health information.
“You could have someone intercept the communication online, a hacker if you wish, and they could change one tiny field, a positive to a negative: this person has this condition, this person does not have this condition. They could alter the data and that could be life threatening,” Cavoukian said.
Yet even if all four pillars were functioning properly it would still be possible not to have privacy. Cavoukian said so much easily accessible information amounts to forbidden fruit for those who have it within their reach.
“They must ensure that the data that they collect are used only for the purpose identified to the data subject, in this case the patient. They must then restrict their use of the information to that primary purpose, unless they have the consent of the data subject for a secondary purpose,” Cavoukian said.
“That principle is subject to the greatest potential for erosion in this century because it’s so tempting to use information you have in your possession for other purposes that you hadn’t thought of at the time of the data collection.”
The key to protecting health information, Cavoukian said, is legislating a set of fair information practices. The practices would include accountability, consent, limiting collection and use, and safeguards, to name a few. But for an idea everyone seems to agree is good, she said it has proved surprisingly difficult to get a bill passed. This is a project she has been working on, in fact, since joining the information privacy commission 14 years ago.
In December, however, Bill 159 (Personal Health Information Privacy Act) was introduced. Cavoukian said the IPC supported the bill, but called it fundamentally flawed. While the bill died, she said it was the closest it had come to its goal and hopes a revised version will be introduced this year.
“Take no comfort in the fact that we have nothing right now in terms of health information privacy,” Cavoukian said. “Every day without legislation is another day where your privacy is being potentially compromised, and this will just grow and accelerate as electronic transmissions increase.”
The hot-button topic of smart cards was also discussed. Cavoukian said smart cards will eventually replace the existing health card. The notion of the card holding the carrier’s entire medical history is unlikely, however. She said pilot programs have uncovered two major roadblocks: people and doctors.
“Invariably it would be an incomplete medical history because either the patient when they go to the medical encounter forget to take their card with them,” she said, “or the physician, being extremely busy and wanting to do valuable things such as treat his patients, forgets to update the card.”
What is more likely, she said, is a card that contains emergency information like blood type and allergies to medicine.