Privacy Law and Policy Reporter
As we move into the electronic age, there is an increasing emphasis on the development of systems able to electronically link and integrate personal health records. These developments should promote more comprehensive, co-ordinated and safer health care for individuals and promote better health monitoring and planning for the community. However, along with the exciting potential for improved health care, such developments also carry significant privacy risks for consumers.
In a paper-based world, a security breach can lead to a serious invasion of privacy for an individual. One of the particular concerns generated by a shift to electronic management of personal health information is that a minor security breach can lead to an invasion of privacy affecting any number of individuals at the same time. For example, a recent glitch in the system at the University of Michigan Medical Centre reportedly left thousands of consumers’ personal health records on public internet sites for two months. This situation was not rectified until a reporter alerted the Medical Centre.
These records, like most health records, contained extensive personal information including social security numbers, employment status, phone numbers and other contact details.
The breadth of information contained in many health records can provide a much more detailed picture of the individuals concerned than may be commonly realised. Indeed, once compiled as an integrated, longitudinal record, these records are likely to be of interest to many other parties, quite outside those who might be considered to have legitimate public health interests. The Independent Commission Against Corruption found that interested parties range from health care providers to agencies such as pharmaceutical companies and agencies that have no health care role at all, such as employers, banks and superannuation companies.
Fundamental to the efficacy of electronic information systems is the capacity to deliver information to third parties that can be reliably traced back to an identifiable individual. A recent review of New Zealand’s attempt to introduce electronic integration of health records notes:
The substantial changes to existing medical record systems will place a vast amount of additional information about the health care of identifiable individuals in the hands of various agencies which have not previously had such information in any useable form.
For example, a recent item in the Courier Mail claimed that at least three global pharmaceutical companies have been compiling profiles on doctors to inform their marketing practices. It seems only a short step to profiling the patients of these doctors in order to target marketing direct to them (an increasingly common practice inthe US).
Traditionally, consumers’ interests in their health records were considered adequately protected by the doctrine of medical confidentiality. Under this doctrine doctors decided who should have access to their patients’ records. However, in a world where the one consumer can be treated by a plethora of practitioners across a diverse range of settings and their records can be electronically mixed and matched with all sorts of other data, the traditional approach to privacy is increasingly inadequate. The legislative activity which is beginning to occur in some states and territories and which has now also been proposed by the Federal Government may provide more comprehensive consumer protection.
In most First World countries, basic privacy protection is considered to require a focus on consumer consent. Consent is required before personal details can be collected and before such details can be used for purposes other than those for which they were collected. Measures must also be in place to ensure the data is correct when collected, that its accuracy is maintained, that it is kept securely and that it is not disclosed to any other person without the consent of the consumer. A fundamental requirement is that consumers themselves can have access to personal information collected about them. In addition, consumers are entitled to compensation if these privacy principles are abused.
These principles are taken seriously by many countries. For example, all the members of the European Union have legislation in place to prohibit the transfer of personal data to countries which do not have similar levels of consumer privacy protection in both the public and private sectors. Australia has national privacy legislation but it covers only the Commonwealth public sector. As most health care is provided in state hospitals or by private sector practitioners, consumers in this country have very little ability to control the flow of their personal health records around the health system and beyond it.
Groundbreaking legislation has given consumers in the ACT a generic right of access to their personal health records regardless of whether the records were created by a private GP or in a public hospital. Elsewhere in Australia, a right of access to health records is largely restricted to the public sector, such as public hospital records, under Freedom of Information (FOI) legislation. In some states, such as Victoria, there is concern that even this level of access is diminishing.
The distinction between public and private sector records creates real problems for consumers in other states and territories. A recent case involving the Mater Hospitals groupin Queensland demonstrates some of the attitudes consumers are up against — until significant public pressure and media exposure caused a back down, the group refused to provide at least one consumer access to her records, saying it was ‘not legally obliged to provide such assistance’. The basis for this view was that although the specific hospital concerned is funded by the Queensland Health Department to provide public hospital services and is listed in the current Australian Health Care Agreement as a public hospital, the Mater group is a private sector (religious) organisation. As such they claimed that FOI obligations were not applicable.
At the same time, the development of the capacity to link records electronically and the use of consumer records for various purposes, with or without consumer consent or even notification, has expanded dramatically within the health sector. Western Australia has developed the WA Health Services Research Linked Database, a register of more than seven million personal health records. The register links six core data sets — birth records, death records, midwives’ notifications, cancer registrations, inpatient hospital morbidity (diseases) and public inpatient and outpatient mental health records. A committee appointed by the WA Minister of Health governs access to identifiable records on the database. The Committee determines applications on the basis of its view as to whether access would be in the public interest.
Though the Committee claims it is cautious about granting access, there is no legislative framework governing either this database or more general research in WA. This means consumers themselves have no opportunity to contribute to the debate about when the public interest in a particular research proposal is such that the public interest in consumers’ right to control the dissemination of their personal health information should be overridden. Consumers are also left pretty much unprotected in the event of any privacy breach related to either this database or more generally within the health system.
Other states such as NSW and Victoria are keen to institute similar databases but are also finding they have limited legislative capacity either to facilitate such research or to ensure consumer privacy protection. NSW has recently passed generic privacy legislation but this is intended to govern only public sector activities. Victoria has proposed legislation to cover both the public and private sectors. To date, neither state has proposed legislation specific to the concerns consumers and others have raised in the health sector. The Victorian Minister for Health has, however, indicated he is prepared to consider the appropriateness of health specific data protection legislation, including a general right of consumer access to their health records.
Not surprisingly, all this activity has caught the eye of the Commonwealth Privacy Commissioner. Following a series of somersaults on the issue of whether the privacy regime binding public sector agencies should be extended to the private sector, the Federal Government has agreed to expand the role of the Privacy Commissioner. It has agreed that legislation is required in the private sector but it should be different to that applicable to the public sector and should be ‘light touch’ legislation. This means that rather than detailed legislation, general ‘high level’ principles that can apply to as many sectors of industry as possible are proposed. These high level principles can be supplemented by industry specific codes where the industry can agree on what the code should look like and the Privacy Commissioner is satisfied that the code offers consumers adequate protection.
The Privacy Commissioner has been asked to make recommendations to the Attorney-General as to whether more detailed provisions are required to cover the health sector. A whirlwind consultation on this issue was held during June 1999 and the Commissioner’s views are expected to be made public in the near future. A particular concern is that the regime is proposed to be complaints-based. In the health sector the most vulnerable consumers are unlikely to make complaints because of the potential to prejudice their ongoing treatment. In addition, in an electronic environment individual consumers may not even know that their privacy has been abused. Consumer groups have particularly urged that the Commissioner must have the power not only to hear complaints but also adequate capacity to monitor developments, conduct audits and investigate complaints of his or her own motion. In particular, if the new regime is to have credibility as a consumer protection mechanism, the Commissioner must have the power to develop binding guidelines to govern electronic data linkage and matching in the health sector. These proposals recognise that it is one thing to have privacy policies, but it is another to ensure that they are followed. Given the previous experience of the Privacy Commission with voluntary guidelines, anything less than compulsory compliance is unlikely to be effective.
The consumer movement and health professionals alike eagerly await a national regime for fair dealing in personal health information, covering both the public and private sectors. It remains to be seen whether current legislative proposals will deliver it.
Meredith Carter is Executive Director of Health Issues Centre, an independent group which analyses health policy from a consumer perspective. Her Master of Law thesis deals with the impact of information technology in the health sector on consumer privacy.
You can access the Health Issues Centre’s submission to the Privacy Commissioner at <http://www.vicnet.net.au/~hissues>.
This article, which first appeared in the journal Australian Health Consumer Issue 3, 1999, is republished with permission of the Consumers’ Health Forum.