PHI Meets PST: A PST Framework for Personal Health Information
Summary of a talk by David A. Townsend (Professor of Law, UNB) at the IFIPTMA Conference in Moncton.
Legislation tends to form in a pyramid state, with the statute at the top, with subordinate legislation (standards, rules, orders). They both have the status of law.
Now I'm going to talk about the normativity, the values in Personal Health Information (PHI). PHI, imbued with PST values - what would it look like? What would it look like if we took our values and put them into legislation?
We are in a period of reform on this issue, with a task force, and are expecting a comprehensive report some time next month. Most people want and expect that the report will be harmonized with the PHI legislation in other provinces.
I don't want to see us harmonized.
Here's an example of two recent controversies. One, where a passing driver accidentally intercepted a (wirelessly transmitted) video of a person providing a urine sample in a washroom - the client had agreed to be videoed, and a company provided the tech. The second, a laptop was stolen with personal information from the Hospital for Sick Children.
The thesis of the presentation is:
- the current legal framework for safeguarding PHI is about 10 years old now.
- But PHI has evolved from physical records to digital data
- the needs and the risks have changed considerably
- modern PST must inform any such policy for protecting personal health information.
Healthcare in Transition
Today, health care is provided by teams of specialists. NB was a leader in this, for example, the idea of moving sub-acute care out of the hospital, other health care being provided by public and private health care providers (there are many private sector providers all integrated into the public system).
Medical devices are being networked with other devices, teams, other health data.
The management of health care is getting smarter and smarter. All the provinces and territories are working on electronic health record (EHR) systems.
Advances in health science are creating more and more varied information, e.g. genetic coding. The Globe and Mail wrote about the genetic marker for MS. This is private information; think of what happens if it becomes known.
Many health care providers are using wireless technologies. E.g. a camera that you swallow that sends its images wirelessly.
Health care providers are more frequently required to report data - from child abuse to gunshot wounds to certain head trauma injuries - to external agencies. We have more and more providers and players in the health care industry, more and more private companies all getting access to people's health care data.
We still have physical records, but that is the exception rather than the norm. We used to do a lousy job protecting the records from physical access. Now most personal health information is in digital format. Now clinical data is being merged with management data, reporting data, research data - all various players.
The idea of 'one-patient one-record' has always made me uncomfortable. It seems that it's one-patient all-records. But it shouldn't be all records.
Status of PHI Legislation
Four provinces (Alberta, Manitoba, Saskatchewan, Ontario) have dedicated PHI legislation.
Quebec has extensive PHI sections in the Health Services and Social Services Act (not separate legislation). They are the closest to the PST legislation I would want.
The remaining provinces are using a mix of the federal PIPEDA and their own privacy and access statutes.
New Brunswick and Newfoundland are currently involved in PHI reform.
The basic framework was cast 10 years ago. It has been shared by the provinces extensively, a model act that was supported by some companies. They are preoccupied with unauthorized disclosures, but mostly concerned with doctors, thus de-emphasizing sanctions, very little dedicated to oversight. And no anticipation of wireless being deployed.
Privacy Defined
The important part is that we give the individual control over the collection, use, disclosure, exchange, retention, accuracy, etc., of personal data.
Privacy in PHI
The statute must be patient-focused. Individual dignity and personhood are paramount. Manitoba has a patient-focus in its preamble - I'd love to see NB adopt that.
The Supreme Court (1992) ruled, the record may belong to the caregiver, but the information belongs to the patient.
So the individual must be given direct control over use, disclosure, exchange, retention and accuracy.
All consents must be knowledgeable - even if they are implied (who would they reasonably be expected to share it with - a knowledgeable extension of the first consent). There must be an option to opt out or hold back parts. Someone said this: the right to opt out is a basic dignity.
And there should be an inclusive definition of 'health care custodian'. I am concerned about people who aren't providing health care that hold quite a bit of PHI - for example, your employer.
Security Defined
The main point: the confidentiality, integrity and availability of the data.
Security in PHI
Everybody recognizes that PHI is probably the most sensitive information you can hold about a person. The custodians have to be responsible for the privacy, security and integrity of PHI - and again, we need to have the two levels of 'custodian'.
We need to shift from the old notion of computer security and move to health informatics.
We have to move from 'non-disclosure' to 'managed exchanges' - in order to support this network of service delivery. These exchanges will be increasingly national and international - e.g. someone in the Yukon might consult with someone in the United States. And we have a mobile population these days.
An amended scheme should put legal responsibilities on the requester - to request only those things they need and have a right to. And to put penalties on them if they exceed that. And there should be legal requirements of service and equipment providers.
The reason I like Quebec's model the best so far is that it includes enabling provisions - ways to implement and enforce standards, rules and protocols. International ISO standards are currently being created, about 35 of them. A security-enabled model would include security provisions much the way we enforce communication standards.
It has to have serious compliance elements to it - there are so many people with their hands on the data. People probably don't mind.
Trust Defined
Trust involves a willingness to be vulnerable. To achieve trust, privacy and security need to be reasonably safeguarded and processes need to be transparent.
Trust in Healthcare
Trust is a fundamental precondition for successful health outcomes. People often have to divulge very personal information. The Hippocratic Oath mentions it.
You're going to have to have transparency, you're going to have to have comprehension of privacy rights - regular people must be able to know and understand their rights and custodian obligations.
There has to be sufficient resources for an independent complaint mechanism. We have ombudsmen - the people are great choices - but they work with minimal resources. NB spends the second-least per capita for ombuds offices. We spend 14 cents per capita - Manitoba spends 88 cents, Alberta $1.35.
Consent forms have to be comprehensible. When requirements first came out, providers created this super-complex form. "As long as we get a signature somewhere." But that's not what consent is about. The average NBer reads at a grade 6 level. How do you get a knowledgeable consent with this user base? And the literacy rate in NB is not much less than the national average.
There needs to be a legal requirement to disclose all breaches. Right now only Ontario has that requirement. There should be a private right-of-action so people who have been harmed can bring their own suit, because prosecutions are not always likely. There need to be impact statements and reporting statutes.
Example - Checklist for Video Surveillance
- conduct a privacy assessment
- confirm that privacy and security requirements are explicit in procurement processes
- confirm that the signal cannot be received.
I looked at the four existing statutes - they all required some sort of recordation - if it wasn't recorded it wasn't PHI. But the wireless system isn't recorded. Is it? But still you have all kinds of systems where it's just a sensor and transmitter. We're not covering these, and we should.
A disclosure should be by any means, including interception. Manitoba had it, but you had to stretch it. Ontario, it was only when they were services that were custodian to custodian.
Outsourcing contracts with 3rd parties do not anticipate wireless deployments.
Right now, wireless standards are a low priority for standards authors. We looked at existing standards - we found many problems. There aren't good models for wireless standards yet.
Concluding Comments
The existing framework that people think we should use is seriously out of date. It doesn't address current needs. NB and Newfoundland are in a position to do something bolder.
--
Comment - supportive of the idea of notification regarding the transfer of personal information, or even requiring permission - the point here though is to ensure patients can be knowledgeable about permissions given.
Also - if you're an active patient, the information isn't in one place any more, it's all over the place - and I don't think I'd want it in one place.