Your Medical Records Are Going Electronic

As top bosses at eHealth Ontario resign amidst a spending scandal, rights watchdogs are warning that B.C.'s own electronic health records system is threatening what some people value more than the public purse -- their privacy.

"What we have with eHealth, is technology driving policy, and leaving important things like rights in the dust," said Micheal Vonn, policy director of the British Columbia Civil Liberties Association.

Her organization is part of a coalition of groups called BC's Big Opt Out, which is raising the alarm about the privacy implications surrounding what Vonn calls, "the profound transformation of our healthcare system that is underway through eHealth."

While the coalition warns that everybody's health information could be at risk, records containing information about sensitive issues such as addiction, sexual health, abortion and depression could cause especially dire consequences.

"Electronic record sharing is going to seriously harm some significant portion of patients and those are usually patients who have very serious risk and vulnerability," Vonn said.

"The HIV-positive community is completely freaked out, and I for one do not consider that to be an inappropriate response."

Privacy measures undefined

Despite extensive consultation on eHealth privacy issues by the Ministry of Health Services, privacy advocates say the measures announced so far remain largely undefined. At the same time, they point to other jurisdictions where similar promises were made, and then stripped away.

Privacy advocates also express fear that patients will jeopardize their own health by withholding important information from a system they don't trust.

The Opt Out coalition, which includes the BCCLA, the B.C. Persons With AIDS Society and the Freedom of Information and Privacy Association, is not alone in its concern over the privacy implications of eHealth.

Professional regulatory bodies are also questioning the many unknowns that remain in how patient confidentiality and consent will be guaranteed.

"We haven't seen the actual details flushed out, and that's what really has us most concerned," said Heidi Oetter, registrar of the College of Physicians and Surgeons of B.C.

"If you don't design the system with privacy in mind, you may not get it right... then you run the risk of having the whole thing being something that the public will distrust and disengage from," she said.

Rights groups gave recommendations

Prior to drafting B.C.'s eHealth legislation, the Ministry of Health Services conducted extensive privacy consultations with rights groups, patient advocates and professional regulating bodies -- a total of 43 sessions over a two-year period that began in July 2006.

These recommendations were used to help draft the eHealth legislation passed in the legislature last year.

The ministry also consulted with the Office of the Information and Privacy Commissioner for B.C. and has received its support.

"The commissioner has stated publicly that he is supportive of the eHealth privacy legislation," said the office's acting executive director Catherine Tully.

Electronic reply from ministry

The Ministry of Health Services did not provide anyone to comment for this story on the privacy concerns surrounding eHealth, as spokesperson Ryan Jabs said that the recently-appointed minister Kevin Falcon had not yet been briefed on the subject.

However, a written reply was given on behalf of Falcon in response to several questions, which outlined the privacy consultation phase and the security measures designed to ensure patient confidentiality.

Beyond various technological safeguards to ensure privacy, the ministry has said role-based access will protect the whole eHealth system.

This will limit what a health care provider can view on a patient's records. For example, a pharmacist may only be able to access drug information, but be prohibited from seeing diagnostic imaging tests.

Another privacy measure that will apply to some parts of the eHealth system is a disclosure directive, which would enable patients to prevent certain parts of their health record -- such as lab results -- from being viewed.

An override to the directive would be available in certain instances, such as a patient arriving unconscious in an emergency room. But when an override is used, an audit would take place, with the information logged and forwarded to the privacy office of eHealth operations.

Only vague policies so far

While similar privacy measures were recommended during the consultation stage, the groups involved say the policies currently remain too vague to evaluate if they will adequately address their privacy concerns.

"Having seen nothing, it's hard for me to make any comment on it," said Oetter. "While the government has talked about disclosure directives, role-based access, appropriate audit trails and things like that, we haven't seen the actual details."

And with the first stages of eHealth implementation looming, there is some worry that the privacy measures could end up taking a back seat.

"The communication of it has me concerned," said Oetter. "It's kind of like cramming for a final exam. It doesn't mean that you can't get it done but it does turn the heat up in the kitchen."

Members of the Opt Out coalition are less optimistic about the privacy policies that have been announced.

"What we've got is the indication that it's as disappointing as we feared," said Vonn.

Apart from the lack of details, Vonn said she is dissatisfied that the disclosure directive will take an all-or-nothing approach. This means that patients will not be able to apply the directive to certain kinds of information -- for example drugs or lab results concerning sexual health -- while still allowing providers access to other information they want made available.

Easy to revoke

And Vonn cautioned that privacy measures that have been announced can easily be revoked.

"Whatever the legislated provisions are, they can change in the blink of an eye," she said.

She points to other jurisdictions as proof, including other Canadian provinces with more advanced eHealth systems.

"Alberta started out saying you're going to be able to do these things with your healthcare records, so that you will have the privacy protections that you want," she said.

"Then they rescinded the whole batch. It is not a consent-based system," she said. "That is very unsurprisingly the trend in eHealth in other jurisdictions."

'Are we building the right system?'

Rights groups such as the BCCLA are not naïve about the realities of the value of technology to healthcare.

"All kinds of medical health information is clearly going to be on a computer in the 21st century," said Vonn. "That is certainly not a bad thing."

"The question is, 'Are we building the right system?'" she said.

To this, Vonn answers "No." Apart from the extensive privacy and security concerns, she said the stated cost-saving and improved healthcare promises have yet to be demonstrated in other jurisdictions that use similar systems.

Nonetheless, the Opt Out coalition will continue its fight to bring substantive privacy measures to whatever electronic health program the province introduces.

The College of Physicians and Surgeons will also continue to press for meaningful consent-based measures to ensure security and confidentiality.

"It gets back to the fundamentals of an ethical obligation of physicians and that is to maintain patient privacy," said Oetter.

And as eHealth continues to be developed and implemented, the privacy commissioner's office will be keeping a close eye on the program.

"We certainly continue to push for meaningful patient control," said Tully.

The commissioner will have the ability to conduct audits and investigations and develop standards for future eHealth systems.

"It's a huge project, but it's very high on our list of priorities to watch and comment on and we do it regularly," said Tully.

In the meantime, the Opt Out coalition is calling on the ministry to do a widespread communications campaign about eHealth to ensure the public is aware of its privacy implications, including options such as the disclosure directives.

"To have no awareness of your rights is de facto the same as having no rights," said Vonn.

And she is ultimately optimistic that there is still time for the public to get involved and assert their privacy rights over their medical records.

"We are still not too far gone in British Columbia to make meaningful changes," she said.

Related stories:

• Company Caught in Ontario Scandal Also Had BC Contracts
• Gov't Payments to Maximus Balloon
  Up 60 per cent since province outsourced health records to contractor in 2004.