Privacy, Quality and Electronic Health Information

1. Privacy, Quality and Electronic Health Information Privacy, Quality and Electronic Health Information Royal New Zealand College of GPs Quality Forum 14 February 2009 Sebastian Morgan-Lynch sml@privacy.org.nz Policy Adviser (Health) Office of the Privacy Commissioner

2. Health Information Privacy Code 1994: Summary • Only collect the information you need • Get it from the person concerned • Tell them what you're doing • Be nice when you're doing it • Take care of the information once you've got it • They can see it if they want to • They can correct it if it's wrong • Make sure it's accurate before you use it • Get rid of it when you're done with it • Only use it for the purpose you got it for • Only disclose it if that's why you got it • Be careful with unique identifiers

3. Health Information Privacy Code 1994:Summary of the Summary • Purpose • Openness

4. Paper Records • Traditional, convenient and familiar • Vulnerable to fire, water, theft • Likely to be limited number of copies • No way to tell if someone has looked at (or copied) a record • Physically bulky

5. Electronic Records • A lot of information can be stored in a small (=>tiny=>miniscule) unit • A lot of information can be lost very quickly • Complex range of potential access – anonymised, pseudonymised etc • Much easier to collate and analyse data, once collected • Much, much more accessible over distance • People don't necessarily understand them • Easy to track access, if system set up with appropriate safeguards

6. The Situation • Most GPs with computerised practices • Public awareness of electronic health information low • Increasing awareness of deaths due to medical error - DHB serious and sentinel events reports, ~100,000 per year in US • Multiple regional and national projects to develop EHRs or electronic health systems • Growing concern in sector over risks arising from expansion of electronic health records • No compulsory data breach disclosure • Potential for huge data breach – sweeping change in public perception – baby/bathwater

7. Privacy Protections for Electronic Health Records • No legal distinction between privacy of health information stored on paper and electronically • Practical issues around purpose and openness with electronic information – “gatekeepers” • How many people know how their information is actually going to be used? • Whose job is it to tell them?

8. Rule 3 Paraphrase • As the ‘front line’, GPs need to make sure their patients know why their information is being collected and who is going to see it • Therefore, GPs need to know where the information they collect is going to go, and why • Currently this is not always the case

9. Testsafe • Testsafe created as regional results repository in Auckland region (CMDHB, WDHB, ADHB) • Privacy framework, opt off, ability for patients to ‘blank’ date ranges • Harbour Health unhappy with various aspects of programme, particularly privacy, recommended its GPs not participate • Meeting end 2008, agreed that Testsafe needed to help ensure patients and GPs knew how, where and why the results were being stored

10. Benefits, Risks, Opportunities • Benefits • National access to health information – servicing increasingly transient population • Potentially more efficient use of resources • Lessen medical errors from transmission, transcription, lost referrals, incorrect medication etc • Risks • More potential for large scale data breaches • Loss of consumer trust if improperly managed • Large collections of identified clinical data very tempting for secondary uses – commercial, clinical, employment • Opportunities • Ensuring good information management practices generally good clinical sense • GPs in position to play key role as advocates for their patients’ interests

11. Contact Telephone: Wellington (04) 474 7590 Auckland (09) 302 8680 Enquiries hotline: 0800 803 909 Email: sml@privacy.org.nz Internet address: http://www.privacy.org.nz