Thursday, July 28, 2011

A Clearly Written And Useful Review of Medical Record Privacy. It Is Not Utterly Straightforward!

This useful article appeared a little while ago.

An unhealthy obsession

Beth Wilson

July 18, 2011

Opinion

Britain's media scandal is a timely reminder that medical records are sacrosanct.

WHY is health privacy so important to people? Britons are reportedly shocked by the invasion of former prime minister Gordon Brown's privacy when his son's health information was allegedly ''blagged'' and published. The Sun has denied accessing the family's medical records without consent and says the story came from a member of the public whose own son has cystic fibrosis and who merely wanted to raise awareness. The Cystic Fibrosis Trust, correctly in my opinion, questioned the decision to publish the information regardless of motivation, saying: ''The release of any medical information to the media or anyone else is a decision for patients or, in the case of children, their parents to make.''

In Victoria we have two separate laws governing information privacy, the Information Privacy Act and the Health Records Act. These laws work concurrently. The Information Privacy Act is administered by the Privacy Commissioner and protects information in the public sector and the Health Records Act is administered by the Health Services Commissioner and protects health information.

When the legislation was passed, the Parliament of the day took the view that our health information is different from other information because it can be extremely sensitive, intimate and prone to misuse for discriminatory purposes. People should be able to reveal intimate details to their health service providers and other organisations trusting their confidentiality will be respected.

Health records are owned by the doctor who created them or to the organisation they work for depending on the contractual agreement, but people do have a legal right to get copies of or inspect records which contain their health information. Organisations that collect our health information must ensure the information is secure, up to date and accurate and is not disclosed without the consent of the person it is about.

It is also important that health information is disposed of securely. In one disturbing case, my office had reports of medical records containing people's names and revealing HIV and hepatitis C status found blowing in the wind in a supermarket car park. A doctor who had taken the files home nipped into the supermarket on the way home. His children thought the records would make good paper planes, and so they did. The hospital is now much more careful about protecting the security of the sensitive information of which it is the custodian.

Many people also don't realise that the media are exempt from privacy laws in connection with their news activities. Privacy is not absolute and there is a balancing act between making sure the right information gets to the right people at the right time, hence the importance of press freedom. The public has a right to be told what is going on in government and society and accountability is, in some cases, more important than individual rights to privacy.

While the media are exempt from privacy laws, they have a corresponding ethical obligation to treat people's health information sensitively. The media are not exempt from receiving information unlawfully. Privacy is a legal concept whereas confidentiality is an ethical obligation which involves making moral judgments. This has been the case at least since the 5th century BC, when Hippocrates included in his Oath: ''All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal.''

More here:

http://www.smh.com.au/opinion/contributors/an-unhealthy-obsession-20110717-1hk0t.html

Beth Wilson is the Health Services Commissioner for Victoria.

Ms Wilson rightly notes that there is no real protection for health information if it is disclosed maliciously or for profit as we lack legal protections against public disclosure by media. This really is not a satisfactory situation with respect to private health information - and the only legitimate disclosure I see is that based on direct consent from an individual (e.g. a politician admitting and disclosing treatment for depression etc.).

While Ms Wilson did not mention it, I believe politicians are also exempt from the Privacy Act as are some Small Businesses and Employee Records held by an employer (for reasons I don’t understand).

There was a review of the Privacy Act in 2008. You can read all about it here:

http://www.alrc.gov.au/publications/report-108

There is a lot on EHRs and Health Information but to date there has not been any real decisions taken in this area.

The following sections are the most relevant:

· 60. Regulatory Framework for Health Information

· 61. Electronic Health Information Systems

· 62. The Privacy Act and Health Information

· 63. Privacy (Health Information) Regulations

· 64. Research: Current Arrangements

· 65. Research: Recommendations for Reform

· 66. Research: Databases and Data Linkage

There is also more information here:

http://www.privacy.gov.au/business/health

The impression one gets looking at these various sources is that we still have a regulatory patchwork (for example State Government Health Facilities are exempt from the Commonwealth Privacy Act) and that with the plans for the PCEHR seemingly steaming ahead a nationally consistent and agreed set of laws and regulations is vital.

It is interesting that the Government has announced some interest in a review of Media and Privacy some three years after the Law Reform Commission recommended a statutory right to privacy be created. Maybe Health Information Privacy could have a similar kick along!

Those who are interested may wish to visit here:

http://www.yourhealth.gov.au/internet/yourhealth/publishing.nsf/Content/pcehr-legals

and provide their view on the proposed legal framework for the PCEHR (Submissions close August 3rd, 2011.)

The bottom line to all this unless we have a complete and clear privacy framework that is formally agreed by all major stakeholders we will really doom the PCEHR or anything similar.

It seems to me there are formidable obstacles in getting to that state with differing approaches in a number of the States and the Commonwealth yet to really declare its full hand - and legislate it - on Health Information Privacy and protection.

Have a look here to see the proportion of the US public that are really worried about their health information privacy.

http://www.fierceemr.com/story/your-emr-privacy-policy-first-and-foremost-should-be-practical/2011-07-20

I would expect a similar breakdown in Australia at a slightly lower level.

David.

No comments: