Monday, February 19, 2007

Legally eHealth

A study in the European Union is looking at the legal aspects of eHealth. Titled Legally eHealth it will look at a range of legal issues, albeit from an european point of view. The study will be completed in the spring and may provide useful guidance for other countries on the right legal questions to ask about eHealth.

Friday, February 16, 2007

eHealth Project Risk Challenges

Check this out from the eHealth-Insider

"A senior executive from local service provider to the Southern cluster, Fujitsu, has said that the intense pressure suppliers are under to deliver short-terms risks the wider aims of the NHS National Programme for IT systems, resulting in a danger of it delivering 'a camel, and not the racehorse that we might try to produce.'"

How Serious is Privacy Risk?

It’s important to keep things in perspective. I have spent much of the past few years addressing privacy risks associated with eHealth systems. But how pervasive and how serious are the risks to privacy in Canadian health care.

When dealing with health care the numbers are very big: 30 million potential patients, 1.5 million people working in the health care system, hundreds of millions of health care transactions each year. When dealing with privacy breaches in health the numbers are very small.

A review of the most recent Information and Privacy Commissioner annual reports from those provinces with health privacy legislation is most revealing. In Ontario in 2005 (first full year of the Personal Health Information Protection Act) there were 177 privacy complaints . In Alberta in fiscal year 2004-2005 97 cases were opened under the Health Information Act (note that this number excludes 217 PIAs submitted to the OIPC for review). In Manitoba in 2005 9 new cases were opened under the Personal Health Information Act. In Saskatchewan 88 cases were opened of which 13% related to the Health Information Protection Act (although the report does note that many cases may have been referred to Professional colleges for review and disposition). Of these cases, only a handful resulted in orders issues by the Information and Privacy Commissioners. My guess is that there are fewer than 1000 significant health privacy issues across Canada each year.

Compare the number of privacy issues with the current estimate by CIHI that somewhere between 9,250 to 23,750 deaths occurred in Canadian health care in 2000-2001 due to “adverse events” . In 2003, 5.2 million Canadians reported that they or a family member had experienced a preventable adverse event related to their health care.

I don’t want to suggest for a moment that privacy issues are not important. The reputational damage to patients, health care providers and organizations as a result of infrequent privacy breaches can be considerable. I only suggest that we keep privacy in perspective. Canadian health care workers and organizations do an AMAZING job protecting the privacy interests of patients. They should be lauded for that.

In fact, I am concerned that the most serious threat to privacy, that of government intrusion into our lives permitted as a result of law enforcement and anti-terrorism legislation is not really addressed at all in our privacy control systems. I also think we are pretty weak on addressing the issue of identity theft associated with health information systems, which is more of a security issue.

With an over-emphasis on the privacy issue, there is a concern that resources are diverted from other issues such as system availability (security) and safety, which may be more serious risks for patients. I have seen projects where hundreds of thousands of dollars were spent on privacy impact assessments, but not a penny on an analysis of safety risk. Balance is the operative word here. We need to balance privacy concerns with our mandate to provide safe and effective health services.

References

1. Information and Privacy Commissioner/Ontario, Annual Report 2005, Toronto, p.59
2. Office of the Information and Privacy Commissioner for Alberta, 2004/2005 Annual Report, Edmonton, p.43
3. Manitoba Ombudsman, 2005 Annual Report: Access and Privacy, Winnipeg, p.16
4. Office of the Information and Privacy Commissioner for Saskatchewan, 2005-2006 Annual Report, Regina, p.7
5. Office of the Information and Privacy Commissioner for Saskatchewan, 2005-2006 Annual Report, Regina, p.41
6. Canadian Institute for Health Information, Health Care In Canada, CIHI Website,

Monday, February 5, 2007

HIMSS and the Clinical Engineer (CE)

24x7 just published an article discussing the value of HIMSS to the CE (clinical engineer).

You can read it at: http://www.24x7mag.com/issues/articles/2007-01_07.asp .

For more information about the IHE and how it is advancing the cause of healthcare, you can follow up at http://www.ihe.net .

What does this have to do with risk management and eHealth?
The IHE recently published a risk management whitepaper that encourages CIOs and standards developpers within the IHE community to use risk management concepts when planning their eHealth solutions.
The intent was to send out the "old" method of planning technological solutions based on what vendors were selling and to bring in the "new" method of planning, identifying actual needs and opportunities (ie: positive risks) to meet those needs, and then prioritizing according to cost, impact (positive and negative impact to the community), and likelihood of success.

Hopefully once the IHE has operationalized this method of risk-aware planning, it will share it's lessons with the rest of the eHealth community. In the meantime, the IHE is an excellent place to begin eHealth project due to the maturity of it's processes and documentation.

Thursday, February 1, 2007

eHealthRisk Workshop

The Waterloo Institute for Health Informatics Research (WIHIR) is presenting an intensive one day workshop on eHealth risk management on April 18, 2007 at the University of Waterloo. It is based on the eHealthRisk Report Card methodology which will be discussed in depth in this blog. The following day (April 19, 2007) an intensive one day Privacy Professional Workshop will be presented. Attendance is limited. Sign up now.