Monday, October 29, 2007

Westin Speaks on Health Research

US Privacy Guru Alan Westin has recently undertaken a study on behalf of the US Institute of Medicine on public attitudes concerning privacy and health research. Modern Healthcare Online has published a two part article on his findings (for part 1 click here - for part 2 click here). From the article:
"The good news for the research community is, despite a plethora of media reports on privacy and security breaches in the healthcare industry, most people still respect the aims of researchers and are willing to support their work.

The bad news is, perhaps because of these highly publicized privacy failures, people need more assurance than in the past that their healthcare information will be protected and, particularly, not end up being misused in ways that could hurt them. This new reality will necessitate some consciousness-raising on the part of researchers, who historically have seen themselves as the guys in white hats who should be above suspicion, according to Westin."

Friday, October 26, 2007

Remote Access to PHI

Health care organizations are under significant stress to allow remote access to personal health information in the field or from the homes of health care workers. The Ontario Information and Privacy Commissioner issued her Order HO-004 which addressed the issue of PHI stored on laptop computers and directed Ontario health information custodians to employ measures such as encryption to protect PHI on laptops and other portable devices. I know that many Ontario health care organizations are struggling to implement this order while not interfering with the need to allow remote access to PHI for legitimate and important health care delivery and research purposes.

I found an excellent reference guideline on the security considerations for remote access published by the US Department of Health and Human Services titled Security Guidance for Remote Use. This is published under the auspices of the HIPAA Security Rule. What I really like about this document is that it takes a risk management approach to considering the problem of remote access. The document looks at the risks of allowing remote access and suggests possible risk mitigation strategies.

This document is HIGHLY Recommended.

Friday, October 19, 2007

10 Years Late

I was having breakfast a few mornings ago with a colleague. We were discussing the current state of privacy laws and what I perceived to be the major threats to privacy. I was bemoaning the fact that our current privacy regimes are inadequate to deal with these new threats- that of government "function creep" (with the many unfortunate but legal uses being made of our personal information by government agencies in the name of national security and law enforcement), and identity theft. With respect to the former, he commented that while the checks and balances of our modern democratic systems may appear to have broken down, they are actually still in play. We'll see the pendulum swing back in the next few years.

It dawned on me that our current privacy laws were made for our world as it existed 10 years ago when we were at the height of the dot.com boom. Way back then, in 1997, everyone was worried about the potential abuses by information entrepreneurs who wanted to capture our eyeballs and data mine our personal information. The laws we built succeeded in tempering the ambitious aspirations of the entrepreneurs, but didn't anticipate the threat to privacy in the post 9/11 world.

Maybe thats the pattern. 10 years from now we will have come to a consensus on how to protect personal information from over-zealous bureaucrats and law enforcement officials. But who knows what new threats to privacy will emerge in 2017. We can predict, for example, that our genetic code will be a prominent feature of our electronic health records. Who will be trying to exploit that information for power or profit? We can also predict that our privacy laws won't be able to fully protect us from these new perils.

Unfortunately, we don't have a crystal ball.

Thursday, October 18, 2007

EHR's for Sale

I wonder how Canada Health Infoway will feel about banner ads on its nation-wide Electronic Health Record?

After reading a couple of articles over the past few days (Advertising, data sales subsidize EMR products and Google Health Wants to Digitize your Medical Records), it crossed my mind that the EHR, EMR and EPR marketplace is moving way faster than our eHealth policy makers. We've seen it in other sectors, particularly in education where cash-strapped schools and school boards rent out advertising space to soft drink and confectionery companies. Already in the United States banner ads and sales of aggregated and anonymized data (if there really is such a thing any more) are seen as integral parts of the EMR/EHR business model.

There are a raft of ethical issues that must be addressed as market forces worm their way into our eHealth systems. Its one thing for big Pharma to market their products to physicians through sales reps, but what happens when the marketing happens in real time... When the drug in the banner ad is tied to the patient's diagnosis and conveniently displayed on the doctor's screen?

I'm beyond worrying about whether this is a good thing or a bad thing. What worries me is that this stuff is happening without debate. Maybe the benefits of improved health care through eHealth are worth a little manipulation by big corporate interests if thats what it takes to fund an eHealth infrastructure. But can we at least think about it before it happens?

Wednesday, October 17, 2007

Health Privacy Resource

Anyone looking for a good source of health privacy resources should look at the Privacy Commissioner of Canada's website. Her health page links to most of the key resources of interest to Canadians, and has links to international resources as well.

My favorite link is to the 1992 Supreme Court decision McInerney v. MacDonald. This is the decision that enshrined the principle that while a health care provider owns the health record, the patient has nearly absolute rights to the data contained in the record (for clarification on the "nearly" check out the decision).

Friday, October 12, 2007

SPAM spam spam spam.....

Alex Jadad and Peter Gernburd of the Centre for Global eHealth Innovation in Toronto, Canada, have recently published a unique study titled Will Spam Overwhelm Our Defenses? Evaluating Offerings for Drugs and Natural Health Products. They found that 32% of the spam we receive is health related, usually associated with products for erectile dysfunction, killing pain and anti-obesity.

Armed with a low-limit VISA card, a post office box and, I suspect, a healthy sense of mischief, the researchers went in search of online health products.

The paper includes the following summary points:
  • Spam, or unsolicited e-mail received from an unknown sender, now accounts for the largest proportion of all messages delivered online.
  • Little is known about health-related spam and the spammers behind it.
  • This study shows that it is possible to purchase products purported to be prescription drugs and controlled substances, across traditional national and legal boundaries, with one-third of our attempts to do so being successful.
  • Buyers should be fully aware that it may not be possible for them to hold spammers accountable for any claims made in their messages, or to get protection from illegal activities resulting from disclosure of personal or financial information to spammers.
  • Spammers are challenging our traditional regulatory, licensing, and law enforcement frameworks, and even threatening their relevance.
For a summary of the study and comments from the researchers, check out the Globe and Mail article titled No prescription, no problem.

Thursday, October 11, 2007

A Public Hanging

Its often said that there's nothing like a public hanging to get peoples' attention. Evidence that there are serious consequences to one's actions is a powerful motivator to behave appropriately.

Witness the response of Palisades Medical Centre in North Bergen, New Jersey, that played host to actor George Clooney and his girlfriend, Sarah Larson, following their motorcycle accident last month.

The hospital suspended 27 employees for looking at Clooney's medical records without authorization following an audit of the hospital's systems.

Clooney didn't seem too distressed about the situation. Associated Press quoted him as saying, "While I very much believe in a patient's right to privacy, I would hope that this could be settled without suspending medical workers."

Clooney's feelings aside, this situation can be used as a vivid and very public example of the possible consequences of browsing patient medical records.

Wednesday, October 10, 2007

Privacy Best Practices in Research

While most of the business case arguments for eHealth are associated with the treatment and care of individuals, there are tremendous societal benefits to be gained through health research. I sometimes get the feeling that we have to be apologetic about using health databases for legitimate research purposes. Only through research will we master the medical and social challenges facing humanity.

A couple of years ago (in 2005 to be exact), the Canadian Institutes of Health Research published a document titled CIHR Best Practices for Protecting Privacy in Health Research. This document defines 10 elements that should be considered in the design, conduct and evaluation of health research to address privacy and confidentiality concerns. These elements are:

  • Element #1 - Determining the research objectives and justifying the data needed to fulfill these objectives
  • Element #2 - Limiting the collection of personal data
  • Element #3 - Determining if consent from individuals is required
  • Element #4 - Managing and documenting consent
  • Element #5 - Informing prospective research participants about the research
  • Element #6 - Recruiting prospective research participants
  • Element #7 - Safeguarding personal data
  • Element #8 - Controlling access and disclosure of personal data
  • Element #9 - Setting reasonable limits on retention of personal data
  • Element #10 - Ensuring accountability and transparency in the management of personal data
This is a comprehensive guide (169 pages) for anyone involved in health research who is interested in applying best practices for protecting the privacy rights of individuals.

Tuesday, October 9, 2007

Holy Hard Drives, Batman!

Researchers at the Children's Hospital of Eastern Ontario (CHEO) Research Institute have just published a paper titled An Evaluation of Personal Health Information Remnants in Second-Hand Personal Computer Disk Drives. Bottom Line: They bought 60 hard drives from second-hand dealers. They were able to recover personal information from 65% of the drives and personal health information from 10% of the drives. "Some of the PHI included very sensitive mental health information on a large number of people".

From the abstract:
Background: The public is concerned about the privacy of their health information, especially as more of it is collected, stored, and exchanged electronically. But we do not know the extent of leakage of personal health information (PHI) from data custodians. One form of data leakage is through computer equipment that is sold, donated, lost, or stolen from health care facilities or individuals who work at these facilities. Previous studies have shown that it is possible to get sensitive personal information (PI) from second-hand disk drives. However, there have been no studies investigating the leakage of PHI in this way.
Objectives: The aim of the study was to determine the extent to which PHI can be obtained from second-hand computer disk drives.
Methods: A list of Canadian vendors selling second-hand computer equipment was constructed, and we systematically went through the shuffled list and attempted to purchase used disk drives from the vendors. Sixty functional disk drives were purchased and analyzed for data remnants containing PHI using computer forensic tools.
Results: It was possible to recover PI from 65% (95% CI: 52%-76%) of the drives. In total, 10% (95% CI: 5%-20%) had PHI on people other than the owner(s) of the drive, and 8% (95% CI: 7%-24%) had PHI on the owner(s) of the drive. Some of the PHI included very sensitive mental health information on a large number of people.
Conclusions: There is a strong need for health care data custodians to either encrypt all computers that can hold PHI on their clients or patients, including those used by employees and subcontractors in their homes, or to ensure that their computers are destroyed rather than finding a second life in the used computer market.

So much for those who say "It couldn't happen here"!

Friday, October 5, 2007

eHealthRisk Wiki

To complement this blog and the eHealthRisk Workshops I teach at the Waterloo Institute for Health Informatics Research, I have established an eHealthRisk Wiki to be a resource for everyone interested in the subject of eHealth risk.

Bookmark the URL http://ehealthrisk.wikispaces.com

Subject areas to be covered on the Wiki include:
  • Risk Management
  • Benefits Realization
  • Privacy Risk
  • Security Risk
  • Safety Risk
  • Project Risk
  • Operations Risk
  • Business Risk
  • eHealth Standards
I believe that wiki's are very powerful tools that provide an intuitive and direct path to information (it works just like Wikipedia). They also provide an opportunity for collaborative development. Anyone interested in contributing to the eHealthRisk Wiki is welcome to contact me with your ideas.

The eHealthRisk Wiki in a very early state of development. Some of the pages are still blank and there is much more to add. Still, you will find it a useful reference.

I will be posting updates on the progress of the eHealthRisk Wiki on this blog from time to time.

Tuesday, October 2, 2007

KatrinaHealth

Lessons from KatrinaHealth - This report has been around for a while (published in June 2006). For those of you who haven't read it it makes an excellent case study for the use of ICTs in a disaster.
From the Introduction:
KatrinaHealth was an online service that was established to help individuals affected by Hurricane Katrina work with their health professionals to gain access to their own electronic prescription medication records. Through a single portal, KatrinaHealth.org, authorized pharmacists and doctors were able to get records of medications evacuees were using before the storm hit, including the specific dosages. Having this information helped evacuees renew their medications, and helped healthcare professionals avoid harmful prescription errors and coordinate care.

From the body of the report:

To design, construct, test, and prepare KatrinaHealth for use in less than three weeks, the project team confronted numerous technical, policy, and organizational hurdles. The specifics of the team’s process are described in some detail at the end of this report. Many of the hurdles were overcome, some were not, but did not derail the project, and others remained sticking points. Contrary to expectations, the technical hurdles, although significant, were easier to work around, and sometimes solve, than were some of the policy, business, and
organizational issues.

This report was published by the Markle Foundation. It provides excellent evidence to support the business case for eHealth.

Monday, October 1, 2007

EC Report - eHealth for Safety

The European Commission has released a comprehensive report titled eHealth for Safety: Impact of ICT on Patient Safety and Risk Management. Not surprisingly the report is consistent with the CHI Report The relationship between Electronic Health Records and Patient Safety.

The report provides relevant definitions, a discussion of patient risk and safety in practice, ICT applications in healthcare and a summary of research from expert workshops.

This is another important reference for those interested in eHealth and patient safety.