Friday, February 16, 2007

How Serious is Privacy Risk?

It’s important to keep things in perspective. I have spent much of the past few years addressing privacy risks associated with eHealth systems. But how pervasive and how serious are the risks to privacy in Canadian health care?

When dealing with health care the numbers are very big: 30 million potential patients, 1.5 million people working in the health care system, hundreds of millions of health care transactions each year. When dealing with privacy breaches in health the numbers are very small.

A review of the most recent Information and Privacy Commissioner annual reports from those provinces with health privacy legislation is most revealing. In Ontario in 2005 (the first full year of the Personal Health Information Protection Act) there were 177 privacy complaints. In Alberta in fiscal year 2004-2005, 97 cases were opened under the Health Information Act (note that this number excludes 217 PIAs submitted to the OIPC for review). In Manitoba in 2005, 9 new cases were opened under the Personal Health Information Act. In Saskatchewan, 88 cases were opened, of which 13% related to the Health Information Protection Act (although the report does note that many cases may have been referred to professional colleges for review and disposition). Of these cases, only a handful resulted in orders issued by the Information and Privacy Commissioners. My guess is that there are fewer than 1000 significant health privacy issues across Canada each year.

Compare the number of privacy issues with the current estimate by CIHI that somewhere between 9,250 and 23,750 deaths occurred in Canadian health care in 2000-2001 due to “adverse events”. In 2003, 5.2 million Canadians reported that they or a family member had experienced a preventable adverse event related to their health care.

I don’t want to suggest for a moment that privacy issues are not important. The reputational damage to patients, health care providers and organizations as a result of infrequent privacy breaches can be considerable. I only suggest that we keep privacy in perspective. Canadian health care workers and organizations do an AMAZING job protecting the privacy interests of patients. They should be lauded for that.

In fact, I am concerned that the most serious threat to privacy, that of government intrusion into our lives permitted as a result of law enforcement and anti-terrorism legislation, is not really addressed at all in our privacy control systems. I also think we are pretty weak on addressing the issue of identity theft associated with health information systems, which is more of a security issue.

With an over-emphasis on the privacy issue, there is a concern that resources are diverted from other issues such as system availability (security) and safety, which may be more serious risks for patients. I have seen projects where hundreds of thousands of dollars were spent on privacy impact assessments, but not a penny on an analysis of safety risk. Balance is the operative word here. We need to balance privacy concerns with our mandate to provide safe and effective health services.


1. Information and Privacy Commissioner/Ontario, Annual Report 2005, Toronto, p.59
2. Office of the Information and Privacy Commissioner for Alberta, 2004/2005 Annual Report, Edmonton, p.43
3. Manitoba Ombudsman, 2005 Annual Report: Access and Privacy, Winnipeg, p.16
4. Office of the Information and Privacy Commissioner for Saskatchewan, 2005-2006 Annual Report, Regina, p.7
5. Office of the Information and Privacy Commissioner for Saskatchewan, 2005-2006 Annual Report, Regina, p.41
6. Canadian Institute for Health Information, Health Care In Canada, CIHI Website,
