Privacy ethics 30.10.09

What’s a post on privacy doing in a bioethics blog? You might be surprised to find out how much – or how little – privacy protection is granted to patients’ health and medical information.

In the US, for example:

“for almost 10 years, your video-rental records had stronger privacy protection than either your financial or your medical records.”(1)

This is due to legislation, passed back in 1998, to protect information concerning Americans’ rentals of videos. Individuals’ medical data, however, wasn’t protected by US law until the 1996 passage of the Health Insurance Portability and Accountability Act (HIPAA).

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was approved in 2000, when it received Royal Assent following its Parliamentary approval. PIPEDA is general privacy legislation, not specific to personal health information (PHI).

Given that our provincial and territorial governments are responsible for the provision of health services to Canadians, the protection of patients’ PHI falls to them. Parliament must be cognizant of this while crafting legislation, often by allowing these local governments to draft their own laws.

[Photo: light and shadows. ©Sandra Woods]

As an aside, this multiplication of work – within these different levels of government – is funded by Canadian taxpayers. My perspective is that these funds could be better spent elsewhere: education, public health, services to our indigenous communities (many of which lack potable water and appropriate sanitation infrastructures), or even tax breaks to individuals.

That being said, any territory or province which fails to enact legislation covering PHI, which must be deemed to be ‘substantially similar’ to PIPEDA, remains subject to this federal law. Some provinces have opted to draft their own legislation, while others have chosen the more cost-effective option of implementing PIPEDA.

There remain some Canadians who aren’t covered by either PIPEDA or provincial/territorial PHI protection; two commonly cited examples are members of the Canadian Forces (our military), and individuals housed in federal prisons. In these situations, the federal Privacy Act applies. Once again, we find ourselves with something of a patchwork approach to legislation in this country.

Most Canadians would expect that their PHI is now fully protected by legislation, and that any medical information that can legally be shared has been anonymized. Those would be false assumptions. In 1990, a researcher:

“reidentified someone in a putatively anonymous database of private medical information. The system had worked, yet data had leaked.”(1)

How was this done? By linking data from different databases. These databases can be public, private, or even commercial. Many academic datasets are shared among researchers, with agreements in place regarding their use, credit for future publication of results, etc. The commercial databases can be purchased, sometimes at a fairly low cost.

By using information from different – legally available – databases, it has proven possible to re-identify an individual from an anonymized dataset or database. This is a concern for all of us in bioethics; however, I’ll touch on only two distinct areas.

I’ll begin with my primary area of interest: clinical research ethics. My first thought, in reading about the re-identification of anonymized PHI, was the informed consent process for research involving humans. How many informed consent forms (ICFs) or discussions promise anonymity of participants’ PHI which is collected solely for research purposes?

What would be the impact on public trust in clinical research, if we can no longer provide assurances of this anonymity? If the data, which we had assured people was protected, really wasn’t protected; or could no longer be considered protected?

Which led very quickly to my second thought… that this concern isn’t limited to research data; it also applies to any PHI collected about an individual or community. At the foundation of medicine – of healthcare – is trust. This is true at an individual patient level, for one-on-one interactions with front-line healthcare professionals.

But trust in medicine, as in all sciences, must be considered on a larger scale. A recent report, commissioned by the Canadian Research Integrity Committee, noted that:

“public trust in science… is important both for the funding of science and for accepting the role of scientific evidence in public policy making.”(2)

In a speech earlier this year, the Senior Research and Outreach Advisor of the Office of the Privacy Commissioner of Canada (OPC) specifically referred to the protection of PHI in terms of patient and public trust:

“our health care system is built on trust. Patients freely provide sensitive medical information to their health care providers because they trust that the information will be kept confidential and will not be shared outside their circle of care…
We must all continue to nurture that trust regardless of what our intentions are. Failure to do so may reduce the quantity and accuracy of health information provided by patients and this, in turn, may adversely affect the quality of health care”(3)

You might view this post somewhat as fear-mongering, which is understandable. I’ve taken a true interest in patient privacy protection, which seems to fall outside the more common areas of bioethics specialization, so I’ve been following these topics for some time now.

And I can assure you that they’re going to have an enormous impact on bioethics as technology advances. These concerns are a reflection of our current reality. The level of public trust in healthcare, even here in Canada, seems to be diminishing. The OPC provided several recent Canadian examples of this, including:

“In January of this year the Canadian Medical Association reported that public opinion surveys over the last ten years consistently show 11% of respondents holding back information from their physicians because of privacy concerns…
In a recent posting to our Blog, one lady stated that she doesn’t trust the medical system with her information and, as a result, she stays away from the doctor as much as possible, and minimizes the information she provides. She made these comments in response to the recent report from Dartmouth College in the US, telling us that “data hemorrhages” are coming from all over the health sector”(3)

I hope you’ll agree that the negative impact of greater numbers of patients “holding back information from their physicians because of privacy concerns”(3), as noted above, would be incalculable. This is an issue which merits significantly more coverage within our field of biomedical ethics.

References:

(1) Jonathan Shaw. The erosion of privacy in the Internet era. Harvard Magazine. Online. Sep-Oct 2009. Accessed 30 October 2009. Web:
https://harvardmagazine.com/2009/09/privacy-erosion-in-internet-era

(2) Tijs Creutzberg, for the Canadian Research Integrity Committee. The State of Research Integrity and Misconduct Policies in Canada. Canadian Research Integrity Committee; prepared by Hickling Arthurs Low (HAL) Corporation; Innovation Policy Economics. Ottawa. Oct 2009. Accessed 30 October 2009. Web (PDF):
http://www.nserc-crsng.gc.ca/_doc/NSERC-CRSNG/HAL_Report_e.pdf

(3) Sandy Hounsell, Senior Research and Outreach Advisor, Office of the Privacy Commissioner of Canada (OPC). Privacy Commissioner of Canada (OPC). Remarks at the Atlantic Symposium on Privacy in Health Services and Policy Research. St. John’s, Newfoundland and Labrador. 20 Apr 2009. Accessed 30 October 2009. Web:
https://www.priv.gc.ca/en/opc-news/speeches/2009/sp-d_090420_sh/