When Microsoft, Google, and Apple latch on to a trend, you can be sure it’s going to be a monster.
That’s why in-house counsel at governments and health agencies across the country are ratcheting up their efforts to ensure the proper security and storage systems are in place to keep the electronic health and medical data of Canadians from getting into the wrong hands.
Even though it’s still in its infancy, the so-called “e-health” sector is already a multi-billion-dollar industry. With paper records increasingly being phased out and electronic versions quickly replacing them, nobody really knows how big it will ultimately become.
Several Canadian provinces have launched e-health programs with varied levels of success. Ontario’s program has been beset with challenges, including allegations of mismanagement and cost overruns since the program was launched last September.
Despite Ontario’s challenges, Mark Johnson, legal counsel at eHealth Ontario, a Crown corporation of the Ontario provincial government, says electronic health records are the “wave of the future.”
“The adoption of [e-health] by doctors is growing. Even big companies are getting into it,” he says. “Apple has certain applications for e-health on its iPhone. You can e-mail your health data to your doctor from your [mobile device]. That’s the wave of the future. Pretty soon you’ll be able to access health data online in the same way you access banking information today.”
The ease of access to information demands a committed effort to ensure the safety and security of that information. For eHealth Ontario, that means an entire department has been set up that is dedicated to security and privacy. Johnson says eHealth Ontario also has “very rigorous” contractual requirements with software and network suppliers to ensure patient information is kept private and can’t be hacked into.
Recent polls have shown Canadians continue to be aware of, and concerned with, the privacy of their health records, says Heather McLaren, chief privacy and risk officer for Manitoba eHealth. Clearly, Canadians don’t want potentially embarrassing information about them — such as having a sexually transmitted disease — to become known to anybody other than their physician. “There’s a fear that it’s more vulnerable in a computer system.”
While electronic systems aren’t foolproof, McLaren says health authorities can not only make patient information very difficult to access but also find out who has been looking at it and why. That’s a quantum leap from security in a paper-based system. “If you think of the last time you were in a doctor’s office, most patients’ files are in a filing cabinet. When the nurse goes to change the paper on the examining table, there’s nothing to prevent somebody from pulling out a file, looking at it, and putting it back.”
There have been a number of high-profile cases in both Canada and the U.S. where hospital staff members have gone online and looked at the medical records of celebrities and other people of note. McLaren says systems can be programmed with a VIP alert that sends a note to the hospital’s privacy officer if anybody accesses that person’s records. “Those kinds of things are possible in an electronic system, they’re not practically possible in a paper system.”
British Columbia was the first Canadian province to adopt an e-health program. A spokesman with the B.C. Ministry of Health Services says another safeguard to protect patient data is that the systems are designed to only provide health record access to authorized medical professionals.
“A health professional’s role will determine what information they can access in the electronic health record and what action they are permitted to take on that information,” says Ryan Jabs, adding patients may also request a report about who has viewed their health data.
Because the industry and its technology are growing so quickly, Johnson says in-house counsel are challenged on an ongoing basis to ensure its security processes and procedures aren’t left in the dust.
One of the key players in keeping the battle as proactive as possible is its strategy department. “They have their finger on the pulse of where things are going. But it drives things as well. We fund a lot of projects and create software solutions for doctors in hospitals,” Johnson says.
Despite technology’s checks and balances, the occasional privacy breach has cropped up. For example, a computer hacker broke through the defences of the Alberta Health Services system in May and had a chance to view and photograph the files of nearly 11,600 people.
“That’s our worst nightmare,” Johnson says. “We dedicate so much time and effort to avoiding that. It would be a gross violation of a patient’s rights.”
McLaren says illegally obtained medical information could be used to embarrass somebody, such as an ex-spouse in a custody battle. The husband, for example, may want to know if his former wife is on medication for depression or anxiety and could use the information to bolster his case in court.
She says medical personnel who fail to uphold their professional obligation to protect patient data could face charges under the Personal Health Information Act. The provincial ombudsman has the power to investigate the breach and make recommendations to prevent further incidents but can’t award financial damages, she says. Repeated offences could see the matter brought before the provincial College of Physicians and Surgeons, which could result in outright dismissal, she says.
But e-health is more than just protecting the privacy of a patient’s medical history. It’s also playing a growing role in the provision of better health services. For example, because it shows the complete health picture of a patient, doctors are able to take action more quickly and accurately, and to avoid prescribing medication that may interact negatively with a previously prescribed drug.
“E-health compares the drug to other drugs dispensed to you over the past six months from any pharmacy in the province. If there is any potential interaction between the current drug and another one, [the system] will pop up an alert to the pharmacist,” says McLaren.
Another benefit is better control of health-care costs. If the results of all lab tests done in each province are computerized, duplicate testing can be prevented.
“If you go to a walk-in clinic because your doctor is on vacation and the [clinic] doctor didn’t know you’d recently had a lab test for hemoglobin, they’d order another one and you’d have to give blood again. With a computerized lab information system, doctors can look and see that you’d had that test a month ago and there’s no reason to do it again. The system makes the right information available to providers at the right time,” she says.
McLaren says one of her roles is to conduct privacy impact assessments on electronic systems under development. She looks at the impact on the privacy of the individual, how much information is being collected, and whether it’s excessive.
“Over the years, the ‘nice to have’ principle has ruled. It said, ‘Let’s collect all sorts of data we might need down the road.’ That went out the window when the Personal Health Information Act was passed in 1997,” she says.
Her team is starting to conduct the assessments early in the planning stages of a project and she says the goal is to have a list of a patient’s prescriptions, lab results, immunizations, MRI results, and X-rays in an electronic format in two years.
Jabs says in-house lawyers have played a vital role as the e-health sector has grown, in particular with the legal framework created by Bill 24, the E-Health Act, which governs personal health information access and the protection of privacy. “The E-Health Act is another step towards faster, safer health care in a secure electronic environment. It provides a legislative framework for governing the collection, use, and disclosure of personal health information in electronic health records.”