Tuesday, October 15, 2013

The Privacy Commissioner Releases Some Invaluable Research On Public Attitudes To Health Information Privacy.

This report appeared a few days ago.

Social media poses greatest privacy risk: OAIC survey

Only 9 per cent of respondents considered social media websites trustworthy
Nearly half of Australians surveyed by the Office of the Australian Information Commissioner (OAIC) cited social media websites as the greatest risk to their privacy.
The Community Attitudes to Privacy survey was conducted in June 2013 with 1000 Australians by Wallis Consulting Group.
It found that 48 per cent of Australians believe online services, including social media, pose a privacy risk while only 9 per cent of respondents considered social media websites to be trustworthy when it came to protecting their privacy.
Australian Information Commissioner, Professor John McMillan, said the survey results confirm there's a growing concern in the community about privacy risks associated with social media since the survey was last conducted in 2007.
The survey also found that consumers want data security protection to be similar in both the public and private sectors. For example, 96 per cent of survey participants expect to be informed if their information is lost by a government agency or public company.
…..
 “The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 which comes into law in March 2014 will increase protection around the handling of Australian information that is transferred off-shore, and it will be interesting to see how attitudes change as a result of this,” he said.
Lastly, survey participants were asked whether certain industries were trustworthy. The three most trustworthy industries were health service providers, trusted by 90 per cent of participants; financial institutions, trusted by 74 per cent (up from 58 per cent in 2007); and government, trusted by 69 per cent of respondents.
The full article is here:
That health providers are pretty trusted is important. That news laws are coming is under recognised I suspect - there are some pretty big changes happening in just a few months.
Here are the relevant links:

OAIC Community Attitudes to Privacy survey Research Report 2013

On health information privacy there are some very interesting findings.

Medical and health information

Health professionals sharing patient information

Respondents were asked to nominate which of four options best described their views on access to health information (multiple responses had been allowed previously).
Q22 Which of the following four options best describes when you think it would be ok for your doctor to share your health information with other health professionals?
Australians displayed quite different opinions with one in three saying that: such information could be transferred without their consent to treat the specific problem at hand (31%); or that consent should always be sought (31%). A quarter of people (25%) take a more relaxed approach, saying that they are happy for information to be shared between health providers for anything to do with their health. A further one in eight (13%) are happy for information to be transferred in serious or life-threatening cases. While the question was asked differently in previous surveys, the pattern of response is similar to the past.
In 2007, just over one in three people (35%) felt that the transfer of health information is appropriate when the purpose is related to the condition being treated. A similar proportion (25%) stated health information should not be transferred unless they ask the patient for their consent. One in four people were happy for their information to be transferred if it had to do with their health, while less than two in ten respondents (17%) said it would be acceptable if they had a serious or life threatening condition. There was no variation in gender or age.

Health professionals discussing patient information

Chart 11 shows that the number of Australians prepared to accept their doctor discussing personal health details with other professionals without consent has increased over time from six in ten (59%) in 2007, to two thirds (66%) in 2013.
This shift has been driven by a large difference in the views of people at both ends of the working spectrum. Whereas in 2007, half (53%) of white collar and six in ten (59%) of blue collar workers agreed with this proposition, in 2013 the proportions are six in ten (63%) and three quarters (76%). People living in blue collar households remain the most accepting of this, but all other sectors of society have drawn closer in their opinions.
Women and men continue to hold slightly different views with seven in ten men (72%) and six in ten women (60%) now supporting their doctors discussing their health details without consent. This support has increased amongst both sexes since 2007 (64% and 55% respectively then).
Q23 To what extent do you think your doctor should be able to discuss your personal medical details with other health professionals in a way that identifies you without your consent if they believe this will assist your treatment?
Age does not seem to have a strong impact on this relationship. However, older people (aged 35+ years) were more likely to be accepting of their doctor discussing personal health details with other professionals without their consent (68%) in comparison to younger people (aged 18-34 years) (60%).
Here is the direct link to the material and charts:
I think there is a real warning in these results regarding the need to have consent when transferring health information. I suspect this is going to force considerable workface change over the coming years.
A very useful survey indeed.
David.

15 comments:

Anonymous said...

Yes it is a very good survey and reflects the public sentiment about privacy, it also outlines that the public also expects that data collectors are responsible for the security of the information that the store and manage.

The survey indicates that 96% believe that be informed if their personal information has been compromised.

Something that the Mandatory Data Breach laws will address in 2014.

Time to start preparing...

Paul Fitzgerald said...

I think this is a storm coming for which few are prepared.

Dr David More MB PhD FACHI said...

"Something that the Mandatory Data Breach laws will address in 2014."

Sadly they are not law - and so who knows what will happen with this.

David.

Anonymous said...

From my mail David, they will be law before the end of the year, based on the NSA and PRISM revelations, ASIO being hacked and OAIC commissioner pushing for these laws to be in place to protect the public at large...

Additionally as the law has already received bi-partisan support in the Senate by a select committee, it will be passed without further significant debate.

From a legal and market perspective a point that does need clarification is the interpretation of "risk of serious harm".

Interesting times ahead, but at some point in 2014, businesses will have to report data breaches and the public will be told of such breaches which will have an impact of reputation and brand, especially in health.

K said...

> based on the NSA and PRISM revelations

NSA will have to do mandatory reporting when it breaks into organisations?

Like the sound of that...

Bernard Robertson-Dunn said...

Oh dear.

Mandatory reporting of data breaches.

Have they read the literature on mandatory reporting of child abuse?

In the past, mandatory reporting has had unintended consequences that actually make things worse.

Quote from "Mandated reporting: a policy without reason", Gary B. Melton, 2004
http://blstrumm.weebly.com/uploads/3/7/4/7/3747740/melton_gary.pdf

"No one can reasonably question that the pioneers in the modern child protection system acted with good intentions and even a certain measure of courage. Notwithstanding the charitable motives of the system’s founders, however, the evidence is overwhelming that many of the catastrophic problems in contemporary child protection work in the United States are a direct product of the system’s design.

Analogous problems have appeared in other jurisdictions with mandated reporting (e.g., most of the Australian states; see Ainsworth, 2002; Harries & Clare, 2002; Scott, 2002). Later in this article, I will
elaborate this point about the system’s unintended effects.

For now, though, it is important to recognize that experience has shown that the assumptions that guided the enactment of mandated reporting laws were largely erroneous."


This prompts two questions:

1. Are the people who are promoting mandatory reporting of data breaches aware of this unintended consequence effect?

2. What have they done to mitigate unintended consequences?

It's called a wicked problem.

Dr David More MB PhD FACHI said...

Bernard,

Funny that such legislation is working well in the US with HIPAA. Has been working for a few years.

Warning people their personal data has been compromised and that they are at risk of ID theft seems sensible to me.

Mandatory abuse reporting is a different issue I reckon.

David.

Bernard Robertson-Dunn said...

David,

I don't think the HIPAA is without its critics.

I have not researched the HIPAA very much but a quick Google threw up, inter alia, these:

http://www.ihealthbeat.org/articles/2013/4/29/witnesses-voice-hipaa-concerns-during-congressional-hearing
During a congressional hearing Friday, witnesses expressed concern that the HIPAA privacy rule could lead to unintended consequences by preventing health care providers from sharing critical medical information with family, caregivers and law enforcement officials, MedPage Today reports

http://health-information.advanceweb.com/Article/The-Unintended-Consequences-of-HIPAA-2.aspx
While acknowledging that HIPAA has had unintended consequences, Gellman defended its intentions, saying there was a need to stop people such as private investigators and insurance companies from getting patient information. "HIPAA got a lot of things wrong, but it also got a lot of things right," he said.

http://www.quora.com/Health-Insurance-Portability-and-Accountability-Act/What-are-the-unintended-consequences-of-HIPAA
The unintended consequence is that HIPAA became the rule - instead of the exception that it was designed to cover.


And I'm not accusing Australian legislators of getting it wrong, I would simply like to know if they have at least recognised the potential for unintended consequences and what they have done to avoid or minimise their effects.

Dr David More MB PhD FACHI said...

Bernard.

Review this and tell me why I am wrong:

In the United States there is what is called a mandatory data breach law which is part of the HIPAA mentioned above. Here is the relevant text.
Breaches Affecting 500 or More Individuals
As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary. The following breaches have been reported to the Secretary:
Here is the relevant link:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

David.

Bernard Robertson-Dunn said...

David,

I don't know what you mean by "wrong".

What you have quoted is the legislation.

I am not questioning the legislation or its intent. What I am pointing out is that when you mandate reporting of certain data, then the people involved may behave differently.

For example, in the case of child abuse, a parent may worry that their occasional smacking of a child, or an innocent accident may be reported as abuse by a health worker. That parent may be reluctant to take their child to the doctor and so their health may suffer. An unintended consequence. The intent being to protect children, however the behavioural change brought about by mandatory reporting may actually reduce the health care available to the child.

In the case of the HIPAA, below are some reported unintended consequences. I make no claim for their truth or veracity, however the fact that these claims exist should be seen as a warning sign to Australian legislators that these types of claims and behaviours - valid or not - need to be either managed before the laws come into effect or dealt with later, but quickly and efficiently.

http://www.cfif.org/htdocs/freedomline/current/in_our_opinion/HIPAA.htm

Churchgoers in a small New England town were astonished by an announcement from the pulpit last Sunday that due to new federal medical privacy legislation there no longer would be a prayer list or mention of ailing parishioners or family members in church. According to the pastor, those in need would remain anonymous and be assigned a random number for which the congregation could offer prayer.

At a hospital in New York, the anxious parents of a 26-year-old comatose patient in severe liver failure were unable to find out important details about his condition and treatment because he had not yet signed a release form required under the new federal privacy legislation.

In some offices, memos are no longer being circulated for co-worker baby showers, nor are "Get Well Soon" cards for sick employees, as they are seen as violating an employee's personal medical privacy.

Doctor's offices are removing sign-in sheets and are no longer calling out patient names in their waiting rooms.

At most businesses, employees must sign authorization forms before a human resources person can discuss medical benefits, including helping to decipher complicated medical claim forms. And, before a human resources person can talk to an employee about his or her family member's medical problem, that family member must sign his or her own disclosure form.

Pharmacies around the country have installed private rooms for customers to ask questions about prescriptions, as well as glass barriers to muffle their chatter behind the counter.Ê To pick up a prescription for a family member one has to be able to recite the specific drug's name and what it has been prescribed for.

Hospitals, doctor's offices and pharmacies have spent millions training staff on the new provisions (including custodians, valets, even candy stripers), printing privacy procedure manuals and customer consent forms, and updating computers and filing procedures.

At hospitals, before patients are admitted they must read five-to-seven page manuals detailing their privacy rights and sign a form acknowledging that they've read them. Patients must then sign another form granting the hospital the right to list them on its patient directory before any information can be given out to someone calling or wishing to visit the patient, including family members and clergy.

Separate express authorization forms for the release of information in hospitals are needed for every provider consulted down the line, including the anesthesiologist, lab technician, etc. This gets a little tricky if the patient comes into the hospital incapacitated or is comatose.

Dr David More MB PhD FACHI said...

Bernard,

The laws are working - we know who is messing up and people are being protected from ID theft consequences.

Like it..sorry.

Remember no individual is named in the reporting - just that an organisation has messed up.

David.

Dr David More MB PhD FACHI said...

Bernard,

HIPAA is an astonishingly complex piece legislation for a US Medical System that is just amazingly complex and hopeless.

This breach rule would be lucky to be 1% of the total Act.

People in the US find their health information going all over the place to enable a zillion people to bill them - and they have no idea this is happening.

Sadly people keep taking huge data files around on unencrypted CDs etc and having them stolen - as keeps happening to laptops with the same data.

Health ID Theft is a bankrupting disaster in the US so people want these incompetents named and shamed and want protection from bankruptcy by criminals.

It is all as simple as that and breach disclosure is a great idea!

David.

Bernard Robertson-Dunn said...

David,

I think we are talking about different things.

I'm talking about mandatory reporting of individual cases of data breaches. Which is why I tried to cite cases where individuals had changed their behaviour in response to the laws in ways not foreseen my the law makers.

I'm not talking about data protection and I'm not talking about corporations reporting when they have experienced or caused a data breach, and I'm not talking about ID theft.

Dr David More MB PhD FACHI said...

No we are not.

I have been talking all along about breaches of personal data by data custodians and wanting those custodians to fess up. It really is not that hard.

What you have been talking about is a different issue - which I believe is much, much harder and about which I believe there needs to be very, very careful management.

Reporting individuals being at risk is very different to reporting careless and irresponsible organisations.

Cheers

David.

Anonymous said...

Whether the law is good or bad, the cost to remedy a data breach where mandatory reporting is required is extensive..

Healthcare professionals that have 10,000 patients that have a data breach (even a lost laptop), the average cost to remedy will be in excess of $1 million dollars to remedy.

Additionally the could be civil penalties and class actions on top of this cost.

As Paul F mentioned the storm is coming...and in my experience not many people in health are prepared for this...

Privacy Paul