Click Here!

  eMJA     The Medical Journal of Australia

Home | Issues | eMJA shop | Classifieds | Contact | More... | Topics | Search | Login | Buy full access   
For Debate

Integrated electronic health records and patient privacy: possible benefits but real dangers

Strategies to develop integrated electronic health records must address consumer concerns, not dismiss them with claims of the "public good"

Meredith Carter

MJA 2000; 172: 28-30
 

Introduction - Newspeak - Global claims - New uses of data - Attention to consumer and community - References - Authors' details
Make a comment - Register to be notified of new articles by e-mail - Current contents list - More articles on Informatics and computers

Introduction Integrated electronic health records are increasingly seen as the way to achieve quality and continuity in treatment, fill the gaps in public health research and contain costs.1,2 However, such systems run the risk of foundering in the wake of community concerns, as has been the UK experience.3,4 Successful implementation of proposals for electronic record systems must learn from such experiences and demonstrate keen attention to delivering information useful to both citizens and clinicians, while ensuring privacy protection and promoting public accountability for secondary use of personal information.

Newspeak Proposals for integrated electronic health record systems have emerged in Australia, New Zealand, the United Kingdom and Canada. In an interesting example of what George Orwell famously termed "newspeak", proponents almost universally describe these proposals as facilitating an "individual" or "consumer" focus in healthcare. Yet the primary purpose of this new consumer focus is not necessarily benefit to the individual consumer at all (though this is often assumed to be an obvious ancillary benefit). Indeed, the latest version of the National Health Service (NHS) Information Strategy in the United Kingdom acknowledges that, to date, it "has not been a success story" precisely because its focus was not on patients but on the collection of financial data to support the NHS internal market.5

The primary purpose of integrated electronic health record systems is to deliver to third parties information that can be reliably traced to an identifiable individual. A recent review of the New Zealand attempt to introduce electronic integration of health records warns:

The substantial changes to existing medical record systems will place a vast amount of additional information about the health care of identifiable individuals in the hands of various agencies which have not previously had such information in any useable form.6

More colourfully, the Canadian Privacy Commissioner described similar efforts to create a national health information system as promising

. . . to make available the health information of virtually the entire population on line for armies of health professionals, bureaucrats and researchers. A leak from a doctor's office is damaging enough; maintaining a trusted relationship with the health system's cast of thousands is quite another.7

The UK National Health Service is starting its information technology program all over again. An information strategy for the modern NHS aims to identify ways electronic record systems could directly benefit patients, and to help rather than hinder clinicians in their work. Development of the strategy promises extensive professional and patient consultation to establish nationally agreed goals and infrastructure, which will support local initiatives.5

Global claims

The decision to facilitate local initiatives highlights another criticism of proposals for comprehensive systems linking health records. Too often global solutions to multiple problems are claimed. Information technology could facilitate a range of activities, but is most likely to be effective where the specific problems and the range of possible responses have been evaluated in detail.8,9

Even at a basic level, assessing the intrinsic benefit of computer-based records is difficult. For example, the US Department of Veterans Affairs Decentralised Hospital Computer Program is considered a good model of its type. However, its deficiencies are considerable, ranging from lack of clinical context to only one set of results per screen. As Wyatt (of University College, London) and his colleagues caution:

. . . computer-based records will be efficient clinical tools only if more time is saved in record review and report-writing than is taken in entering structured, coded data and operating the record system itself.10

Lack of recognition of the complexities involved can mean that strategies touted as likely to deliver better care sometimes eventuate as little more than systems to vet eligibility. For example, the Australian Getting connected project creates electronic linkages between the Health Insurance Commission, medical practitioners and pharmacists. Its original promise was to minimise adverse events due to inappropriate prescribing. Over 50 pharmacies are participating across Australia, but, to date, the project's major activity has been electronic checking of consumer entitlements to medications at concession rates.11

Smart cards, unique lifetime identifier systems and a massive database to back up an Australia-wide system were supported as the building blocks of a national information strategy by the House of Representatives' Health on line report.2 Similar proposals generated the Australia Card debate, which led to the introduction of the Commonwealth Privacy Act 1988. Undaunted, the Health on Line Committee considered privacy issues and other barriers were overrated in the face of the global benefits such a system might produce. Once again, however, realisation of this potential is not straightforward.

Smart cards, for example, have been touted as a panacea to diverse problems, from continuity of care to identification of unconscious patients in an emergency. Yet various commentators have noted the limitations of such systems in an emergency. In addition, smart cards typically have relatively small storage capacity and will therefore link only part of an individual's health record at any one time. Once information is no longer required for immediate healthcare purposes it will need to be deleted.12 Creation of a comprehensive record is likely to require the development of huge centralised databases of longitudinal records stored well away from consumers' treating practitioners. While this may be useful for research and other purposes, it poses both major privacy concerns and practical problems. As a result, many in the health sector support the development of electronic communication networks as an alternative rather than a mere adjunct to such proposals.13

The New Zealand experience of global information technology initiatives in healthcare is instructive. The women's health movement has complained to the Privacy Commissioner14 about attempts to introduce population-wide, electronic medical warning systems and integrated patient records.6 A major review concluded that

. . . interconnection and collation of health information may be very useful for the planning and co-ordination of health care, and may be of benefit to the individuals concerned, but this is not something that should be simply assumed without investigation and informed debate.6

Heeding this advice, the New Zealand Health Service commissioned a Privacy Impact Assessment for the Health Intranet project, a key component of the government's Health Information Strategy. It found a

. . . general lack of awareness of the types of security and storage safeguards . . . As a consequence, these information systems are vulnerable to internal misuse and external attack.15

New uses of data

Denigrating consumer and community concerns as merely the paranoia of civil libertarians and unrepresentative consumer advocates is certainly not helpful. The various dangers of large databases are not hard to find. In a recent example, at the University of Michigan Medical Center, a glitch in the system left thousands of patient records on public Internet sites for two months. Public access was only terminated after a news reporter notified the medical centre. These records contained extensive personal information, including Social Security numbers, employment status, phone numbers and other contact details.16 This kind of information gives a much more detailed picture of the individual than the "health record" is generally understood to contain. Indeed, once compiled as an integrated, longitudinal record, electronic records are likely to provide a breadth of data about individuals useful to many other parties, quite outside those which may be considered legitimate public health interests.

Similarly, the New Zealand Health Intranet Privacy Impact Assessment warns that any identifiable information in electronic form is capable of being used, indexed, linked, profiled and compiled in ways which have not been possible with paper records. It concludes that significant controls will be required to prevent the development of inappropriate uses of information with potential economic value to third parties.15

It is naive to suggest concerns about misuse can be readily overcome through the use of technology. A series of Australian inquiries, including the Independent Commission Against Corruption (ICAC),17-19 have revealed that abuse of personal health information is not uncommon, often by offenders (such as banks) who should know better. A UK survey of health establishments found that over 45% had experienced security incidents during the previous three years, and other European studies have uncovered both poor attention to staff training in security practices, and security problems, including attempted "hacking" by staff.20

The Australian Institute of Health and Welfare (AIHW) has found it necessary to exercise close scrutiny of applications made to access its personal health and other data holdings. Though applications may ostensibly be made for public health research purposes, whether particular researchers can be trusted may vary depending on the consultancy they are conducting (AIHW Information Privacy Review Discussion Paper, unpublished, 1998).

An example of likely misuse already proliferating in the US is the sale of consumer information to pharmaceutical companies. Thus, when individuals have prescriptions filled, they may find themselves receiving mail from companies promoting different medications, treatment or equipment.21 Research by the Health Issues Centre and others with consumers suggests that many Australians particularly oppose this kind of commercial use of personal health data.22

Attention to consumer concerns and community accountability

Too often, responses to consumer concerns rely on the mantra that "privacy is not an absolute right", concentrating the focus of the health information technology industry on how to redefine personal information as a "public good". Recent debate of these issues in the US journal Health Affairs23 demonstrates increasing recognition that if public support is to be garnered there must be greater exploration of how the potential of the electronic era can be harnessed to better meet consumer information needs. The Internet itself supports a "ubiquitous delivery system"24 in a range of settings well beyond the clinical encounter. This includes a whole raft of possible consumer health information applications that are not necessarily linked to such encounters. It is also important to remember that health status is the product of multiple factors, particularly social and economic factors. The optimal strategies for prevention and control of ill health are likely to extend well beyond clinical treatment strategies.

Recognition of such factors sets the latest Canadian strategy apart from many other proposals for electronic health information management. Like the new British approach, Canada Health Infoway: Pathways to Better Health does not propose "a single massive structure".25 Instead, the aim is to build on diverse federal, provincial and territorial initiatives in a complementary way, with a strong focus on harmonising privacy protection upwards, across the nation.

This project also talks about having a consumer focus. However, this time the focus is about direct benefits to consumers. In particular, it aims to meet the information requirements of consumers as patients, informal caregivers, or citizens, as well as the needs of other participants in the health sector. There is also a focus on accountability to communities, with communities identified as ranging from local and aboriginal communities to organisations and geographically dispersed communities of interest. Crucially, the strategy highlights the need to provide resources for community involvement in processes to hold the health system accountable and provide input to healthcare policymaking.

The Canadian approach adopts a framework based in partnerships, with fairness and compassion as its guiding principles. It legitimates consumer concerns and interests rather than attempting to subjugate them to notions of some higher public good. This approach suggests a way forward into the electronic era that is far more likely to retain public goodwill and confidence in the health system than strategies which do not address these issues as an integral part of their development. Australian policymakers would do well to take note.

References
  1. Laires M, Ladeira M, Christensen J, editors. Health in the new communications age. Amsterdam: IOS Press, 1995.
  2. House of Representatives Standing Committee on Family and Community Affairs. Health on line. Report into health information management and telemedicine. Canberra: Commonwealth of Australia, 1997. Available at <http://www. aph.gov.au/house/committee/fca/tmreport.pdf>.
  3. The Caldicott Committee. Report on the review of patient-identifiable information -- December 1997. London: NHS Executive, 1997. Available at <http://www. doh.gov.uk/confiden/crep.htm>.
  4. Smith PF. Privacy, confidentiality and safety of healthcare information systems: better information is needed. Health Informatics J 1998; 4: 124-127.
  5. National Health Service Executive. Information for health: an information strategy for the modern NHS 1998-2005. NHS, 1998.
  6. Stevens R. Medical record databases. Just what you need? Report prepared for the Privacy Commissioner. New Zealand. April 1998. <http://www.privacy.org.nz/ people/mrdrep.html>. Accessed 11 November 1999.
  7. Privacy Commissioner of Canada. 1997-98 Annual Report. Ottawa: Minister of Public Works and Government Services Canada, 1998. Available at <http://www. privcom.gc.ca/02_04_06_e.htm>.
  8. Roberts M, Stokes J. Prescriptions, practitioners and pharmacists. Med J Aust 1998; 168: 317-318.
  9. Nygren E, Wyatt J, Wright P. Medical records: helping clinicians to find data and avoid delays. Lancet 1998; 352: 1462-1466.
  10. Powsner S, Wyatt J, Wright P. Medical records: opportunities for and challenges of computerisation. Lancet 1998; 352: 1617-1622.
  11. National Pharmacy Intranet Demonstration Project. Getting connected. Discussion paper. September 1998.
  12. Anderson RJ. Safety and privacy in clinical systems: the state of play. Health Informatics J 1998; 4: 121-123.
  13. Anthony D, Mandeville T, Hearn G, Holman L. Demand for broadband services in the health sector. Brisbane: Communication Centre Queensland University of Technology, 1994.
  14. Centralised data system worries. News from the Office of the Privacy Commissioner 1998: 29.
  15. Harding E. Privacy impact assessment and commentary on the health intranet project for New Zealand Health Information Service. Wellington: Ministry of Health, 1996; finding 6.
  16. Wahlberg D. Patient records on Web 2 months. The Ann Arbor News 1999; February 11. <http://aa.mlive.com/news/index.ssf?/news/stories/records2.frm>. Accessed 11 November 1999.
  17. New South Wales Independent Commission Against Corruption. Report of inquiry into unauthorised release of government information. Sydney: ICAC, 1992.
  18. House of Representatives Standing Committee on Legal and Constitutional Affairs (the Melham Committee). Canberra: Commonwealth of Australia, 1995.
  19. Walsh G. Review of policy relating to encryption technologies (the Walsh Report). <http://www.efa.org.au/Issues/Crypto/Walsh/walsh.htm>. Accessed 11 November 1999.
  20. The Ishtar Guidelines for healthcare security. Health Informatics J 1998; 4: 179-180.
  21. Aiken J. Proposed bills would restrict access to medical records. CNN Interactive. 1999; April 27.<http://cnn.com/ALLPOLITICS/stories/1999/04/27/medical.records/>. Accessed 11 November 1999.
  22. Carter M, et al. The information society in general practice: consumer perspectives: a report to the Department of Health and Aged Care General Practice Evaluation Program. Melbourne: Health Issues Centre, 1998.
  23. Debating health information technology [letter]. Health Affairs 1999; 18: 255.
  24. Detmer D, Deering M. Health information: a broader view. Health Affairs 1999; 18: 256-257.
  25. Advisory Council on Health Infostructure. Canada Health Infoway: Pathways to better health. Final report. Ottawa: Minister of Public Works and Government Services, 1999. Available at <http://www.hc-sc.gc.ca/ohih-bsi/achis/fin-rpt_e.html>.

Author's details Health Issues Centre, Melbourne, VIC.
Meredith Carter, BA, LLM, Executive Director.
Reprints will not be available from the authors.
Correspondence: Ms M Carter, Executive Director, Health Issues Centre, Level 11, 300 Flinders Street, Melbourne, VIC 3000.
hicjmcATmail.vicnet.net.au

©MJA 2000
Make a comment

Home | Issues | eMJA shop | Terms of use | Classifieds | More... | Contact | Topics | Search

The Medical Journal of Australia    eMJA  


Readers may print a single copy for personal use. No further reproduction or distribution of the articles should proceed without the permission of the publisher. For permission, contact the Australasian Medical Publishing Company.
Journalists are welcome to write news stories based on what they read here, but should acknowledge their source as "an article published on the Internet by The Medical Journal of Australia <http://www.mja.com.au>".
<URL: http://www.mja.com.au/> © 2000 Medical Journal of Australia.
We appreciate your comments.