Ontario Privacy Commissioner: Embedding Privacy into the Design of EHRs to Enable Multiple Functionalities
Ontario Privacy Commissioner Ann Cavoukian has released a new report concerning medical and patient privacy, “Embedding Privacy into the Design of EHRs to Enable Multiple Functionalities – Win/Win” (OPC pdf; archive pdf). Here is an excerpt from the report’s introduction:
Personal health information comprises some of the most sensitive and intimate details of one’s life, such as those relating to one’s physical or mental health and the health history of one’s family. As such, it requires strong protections to ensure the privacy of the individual to whom it relates. Personal health information must also be accurate, complete, and accessible to healthcare providers in order to deliver necessary health care to individuals. At the same time, health information has long been used for invaluable secondary purposes that go beyond the care and treatment of the individual, for uses that are seen to benefit society as a whole. This includes such varied uses as population health monitoring, quality improvement, health research, and the management of Canada’s publicly-funded healthcare system.
The question of how to maximize both personal privacy and the benefits that may be derived from secondary use becomes more challenging as information technologies like electronic health records (EHRs) become more prevalent in the health sector. […]
The transition from paper-based records to EHRs raises a number of questions in relation to secondary use. How and by whom will decisions about secondary uses in the EHR environment be made? What safeguards are and should be in place to promote privacy and security? How do we promote transparency about uses and disclosures for secondary purposes? How do we maintain public trust and confidence in the ability of electronic systems to protect privacy, particularly given the growth of EHRs and the potential expansion in secondary use? Without public trust in the ability of these systems to safeguard our most sensitive information, we may be deprived of the rich stores of information that are essential, not only for vital secondary purposes but, even more importantly, for the primary care uses that keep our population safe and in good health.
This paper begins with an overview of some of the elements already in place or under development, which form the basis of a framework to govern secondary use in the EHR environment. These existing measures include statutory safeguards, independent privacy oversight, and principles set out in a statement of Common Understandings developed by the Pan-Canadian Health Information Privacy Group. We propose that secondary use should continue in the EHR environment as it did with paper-based records, and that it may be done in a way that respects both individual rights to privacy and broader societal interests.
We endorse an approach to secondary uses in the EHR environment that incorporates Privacy by Design (PbD). PbD not only accommodates the values of individual privacy and confidentiality, but actually enables stronger privacy protections, thereby helping to ensure the continued availability of information for secondary purposes that benefit us all. This approach is premised on the view that the default condition should be one of de-identification: de-identified information should be used or disclosed for secondary purposes and, where de-identified information is insufficient for the purpose, additional safeguards must be introduced prior to the use and disclosure of personal health information for secondary purposes. In this paper, a distinction is drawn between personal health information, which refers to identifying information about the health and the provision of health care to an individual, and health information, which refers to de-identified information.