Ontario’s Diabetes Initiative, Part 2
This post was co-written by Michael Power and Anita Fineberg.
Ontario’s Diabetes Initiative raises more troubling questions than could be addressed in one posting, so here’s Part 2.
The Relationships: MOHLTC and eHealth Ontario
eHealth Ontario’s press release of 16 November had an interesting choice of words in a couple of places:
“eHealth Ontario was the driving force behind the work…” and “Through this innovative mining of data, eHealth Ontario has also identified…” (Emphasis added).
The same message is presented in an article in February’s Hospital News.
These statements appear to confirm that the raw data from the Ministry of Health and Long Term Care (“MOHLTC”) database(s) was provided to eHealth Ontario, which then mined the data to identify Ontarians living with diabetes. The MOHLTC is a “health information custodian” under the Personal Health Information Protection Act (“PHIPA”). What was its authority under PHIPA to disclose the raw data to the Agency? Conversely, in what capacity under PHIPA did eHealth Ontario receive the data and undertake this analysis?
PHIPA does contemplate roles for “agents” and “service providers” of health information custodians. The limited authorized activities of “service providers” do not appear to accommodate all of eHealth Ontario’s interactions with the data for the Diabetes Initiative. If the Agency was acting as the agent of the MOHLTC, one would expect that the nature of the relationship would be explicitly delineated in a contractual agreement and that the functioning of the initiative would be transparent to all of those patients whose personal health information was being used without their consent.
The much-maligned Smart Systems for Health Agency and, arguably, its successor, eHealth Ontario, were created, in part because of public concerns about government access to personal health information, to serve as “a trusted third party to protect the patient information of health care providers” (language used by SSHA to describe itself and quoted in the 2007 IPC audit). This is understandable because one might argue that while government does need information in managing the health care system, there should be some buffer preventing direct access to individual health information – in other words, a mechanism to de-identify personal health information prior to its use by the MOHLTC. As the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, herself has noted in her 2004 guide to PHIPA:
“It is generally understood that the government needs information to plan and manage our publicly funded health care system. However, many people would be concerned if the government had unchecked access to their personal health information.” (Emphasis added)
Has the MOHLTC adopted a strategy to more actively “datamine” the OHIP billing database? Is it going the way of British Columbia in being more aggressive in data sharing? The data mining that has occurred suggests the line between eHealth Ontario and the MOHLTC has become blurred these days and, based on the press materials, it would seem that “ownership” of the Diabetes Initiative has shifted from eHealth Ontario to MOHLTC.
The Relationships: MOHLTC and Service Ontario
The Public Notice indicates that people may “opt out” by contacting Service Ontario (“SO”). This would seem a new role for that arm of the Ministry of Government Services but has that role been properly defined? What exactly is the relationship between MOHLTC and Service Ontario under PHIPA? An agent?
It appears that individuals who want to opt-out cannot yet do so on-line. Therefore, one has to call or visit Service Ontario and interact with a live person. What if an individual wants to discuss the implications of opting out? Has staff been trained to address situations beyond a simple statement of “I want to opt out”? Does Service Ontario get a copy of the patient list to confirm that the individual who wants to opt-out is on the list in the first place?
Diabetes, as a medical condition, is a matter between the patient and his/her healthcare provider; now one has to go and share that fact with Service Ontario – something quite different from simply applying for a health card or changing one’s address. Having diabetes may not have a social stigma attached to it but this is precedent-setting territory and one can’t help but wonder how this would go over with the voting public in the case of HIV-positive individuals?
Privacy Impact Assessment
Part 1 noted that there was no evidence that a privacy impact assessment (“PIA”) was completed. It is hard to believe that a PIA was not conducted (and it has been suggested that one has been done); however, the point stands. In her review of SSHA in 2007, Dr. Cavoukian recommended:
Some PIA summaries are posted on the eHealth Ontario site but only ones prepared by SSHA after the IPC audit. To the extent that eHealth Ontario conducts privacy impact assessments, it appears the agency has adopted a policy not to publish anything related to them.
There are rumours that eHealth Ontario will release PIA results but only under a written non-disclosure agreement (“NDA”). If true, what is it in a PIA that would require an NDA? A threat risk assessment might contain sensitive security-related information and could arguably be withheld, perhaps in part, from publication, but a PIA? We wonder what would happen if a request under the Freedom of Information and Protection of Privacy Act (“FIPPA”) were made for eHealth Ontario’s PIAs?
Assuming a PIA was done by eHealth Ontario, how did it address the PHIPA aspects in light of the many questions raised in this and the previous post? If the Diabetes Initiative “went back” to the MOHLTC, did they do a PIA? (And before anyone comments on the expense of that – one could easily take the eHealth Ontario PIA, copy all the relevant portions, and then simply address the distinctive MOHLTC aspects.) What were the views of the IPC about the PIA?
Too many questions and not enough answers.