Dear McGill University Health Center…About Your PHR.
North Americans appear ready to interact electronically with their healthcare providers and take a more active role in managing their own health care. A much-talked about tool in this regard is the Personal Health Record (“PHR”). While there is considerable debate about what constitutes a PHR and how best to capture public interest in using a PHR, there seems to be a growing consensus that the privacy of personal health information is a key concern that must be addressed if PHRs are to gain widespread adoption. “Whether PHRs are developed by the private or public sector, the Commissioners call on all developers to ensure that the applications meet the relevant laws and reflect privacy best practices.”
Dear McGill University Health Centre,
We see you’ve begun to offer “Unani” to the world. At this point it appears to be offered to people in Canada and the United States. This web-based “Personal Health Record” is an interesting development and McGill University Health Centre is to be commended for offering it. But, since you’re asking us to store our families’ personal health information “in the cloud”, we’re sure you can appreciate our interest in understanding what you do to protect the privacy and security of that information.
You were kind enough to tell us the “purposes of collection”:
“Information will generally be collected from Individuals through the various forms such as enrolment or account opening forms which, when produced by the Company, shall indicate the purposes of the information collection. The sole objective of the information collected from the Individuals will be to provide the products or services requested and to respond to their needs or the Company’s needs for the duration of their relation with the Company.”
We didn’t see any other purposes disclosed to us. We would have thought you might use the information to operate and improve the site. Maybe there aren’t any other purposes but we would have liked you to say something to that effect. And what exactly are the “Company’s “needs” in that last sentence there?
Speaking of which, who really is accountable for the protection of our health data? Is it McGill or your IT partners? Is it stored only in Quebec or are the servers located somewhere else? Is there a backup somewhere else? Your privacy statement doesn’t really tell us that.
To be fair, you do say our information will be held “only as long as necessary for the fulfillment of the purposes for which it was collected” and that it will “be destroyed in accordance with the law and Company’s guidelines with respect to the retention of files.” By the way, could you give us a sense of what those Company’s Guidelines are?
And about security – all we got was a statement of “appropriate safeguards”. Now we’re not looking for specific information – the bad guys read these statements too – but a little more detail would be nice. For example, do you restrict access to the information to individuals for particular purposes (e.g. future site development, support) and are those individuals subject to confidentiality obligations? Also, how do you secure our communication with you? Do you protect it through the use of encryption, such as the Secure Sockets Layer (SSL) protocol?
Now access is an important privacy principle and we see you talk about it:
“The Company shall respond to an Individual’s request for information within a reasonable time. In addition, the fee charge for processing the request shall also be reasonable.”
Wait a minute, here. It’s our data! What other data do you have that we might want to access? And you’re going to charge us a fee for it?
We see that you do address complaints and we appreciate you having that section. You say if we want to make a complaint concerning Unani’s protection of our personal health information, we can contact your Privacy Officer. That’s ok, but what if we’re not satisfied with the outcome of that conversation? Who can we go to? People like us, who aren’t from Quebec, might not know. It would be nice if you could, at least, point us to the web site of the Commission d’accès à l’information du Quebec.
In short, your privacy statement looks like something generic that could be used by any business in Quebec and wasn’t written specifically with your site or our personal health information in mind. That really doesn’t give us any confidence in sharing our health data with you. If PHRs are really going to work we’d appreciate a little more evidence of some thought put into the privacy management of your site.
 “The Promise of Personal Health Records”, Resolution of Canada’s Privacy Commissioners and Privacy Enforcement Officials, September 9-10, 2009, St. John’s, Newfoundland and Labrador