Technology Choices and Privacy Policy in Health Care

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

Organization

Memorial University

Published

2007

Summary

This report critiques privacy and security-related technologies and the assumptions and biases available technologies may have on legislative and policy choices in Canada’s health care field. It is based on extensive research and numerous interviews with academics and health care, information technology and privacy professionals.

The authors find a strong bias towards data security technologies or a perimeter model designed to prevent unauthorized access, to the detriment of considering alternative approaches to privacy technologies. Even privacy technologies such as consent management, which reach beyond security as they are designed to restrict the actual purposes for which personal data are used, can be viewed as more sophisticated access controls within the same model. Patients’ actual control of their PHI is imperfect at best since their consent can be implied, there are so many exceptions to consent, and they cannot withdraw their personal health information (PHI) from the health care system. They must trust others and rely on oversight and other enforcement mechanisms.

The authors are concerned about over-reliance on the perimeter model for Canada’s health care system. Role based access control, consent management and privacy rights management technologies require engineering that are essentially policy choices about information access. These can create a legacy infrastructure that is difficult and expensive to alter when more fluidity in sharing PHI is essential to quality patient care.

The report examines privacy legislation in Canada and, in particular, four provincial health-sector laws and the notion of data protection as a form of privacy. It describes the creation of custodians or trustees of PHI, with rules enabling data sharing, which has lead to a patchwork of disclosure provisions, consent exceptions and contractual obligations involving primary care professionals, IT companies, administrators, oversight and other agencies. Also included is a review of regulations under health information privacy laws and the role of privacy impact assessments in the healthcare environment.

The authors recommend more discussion concerning which rules will be enforced or monitored by technology vs. non-technology (human) approaches. Both doctors and patients do not fully understand the infrastructure protecting their information, yet they are required to accept them. Safeguards can create an illusion of protection while simply shifting vulnerability and decision-making from one set of humans to another, and even away from the “circle of care” – those directly involved with patient-care delivery– to service providers and administrators.

The report includes interviews with stakeholders, confirming concerns about the risks inherent in automated PHI, the immaturity of some security and privacy technologies, limitations of the role-based conception of access control, and whether there is any really meaningful patient control offered through consent mechanisms (both legislative and technological). It concludes that privacy extends well beyond data protection to issues of dignity and trust, for which technological solutions have yet to be created.

This document is available in the following language(s):

English only

• English (PDF document)

OPC Funded Project

This project received funding support through the Office of the Privacy Commissioner of Canada’s Contributions Program. The opinions expressed in the summary and report(s) are those of the authors and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada. Summaries have been provided by the project authors. Please note that the projects appear in their language of origin.

Contact Information

Memorial University of Newfoundland
St. John's, NL A1C 5S7
P.O. Box 4200
CANADA

Website: www.mun.ca
Tel: (709) 864-8000
Fax: (709) 709-864-4569