Health Privacy: A Need for Dialogue
When you consider the vast pool of personal health information that exists in electronic health record databases as well as the growing number of registries (both public and private) a large number of unanswered questions exist as to just what people, as patients and stakeholders, should accept as the “rules” surrounding such data.
What kind of questions? For a start: Do patients have any say in what secondary uses their personal health information can be put to? Should patients have to accept that their health information that is given by emergency doctor which will readily available for research forever? Should physicians connect their electronic medical records to such databases? If government officials have an enforcement role under legislation, should governments even hold personal health information?
I raise these questions because of a blog report on an extraordinary colloquy at this year’s HIMSS conference between Dr. John Mattison, chief medical information officer and assistant medical director of the Southern California Permanente Medical Group and Dr. Christopher Chute, a professor of medical informatics at the Mayo Clinic. I say “extraordinary” because of two statements that caught my eye:
“I actually believe that the value of the electronic health record has started to shift,” Chute said. “The value to society is greater than it is for the patient.”(Emphasis added)
and
“The discussion with the consumer advocate community has not been had,” Mattison said. “I’m just advocating for a more open and candid dialogue on just what the risks are.” (Emphasis added.)
The full blog post is here.
As referenced in a recent post, Professor Donald Willison has noted a shift to registries and biobanks as platforms for future health research and raises the issue of information governance – a theme that appears in this paper from two members of the Faculty of Law at the University of Toronto. Discussing biobanking in particular and in a paper funded, at least in part, by the federal Privacy Commissioner’s Office, Lisa M. Austin and Trudo Lemmens, argue that:
“…specific research uses of research samples and associated data in the biobank do not necessarily require informed consent but do require a governance structure that can regulate privacy risks such as the risk of re-identification… In our conclusion we suggest that the legal and ethical debates regarding biobanking must shift from an obsession with consent and focus more closely on the elements of good governance in order to move away from compromises and back to the principled protection of research subjects.”
Perhaps an inappropriate choice of language, but there’s something both chilling and dismissive about the words: “an obsession with consent”. One may consider biobanks and the data they hold to be a deserved exception to a general rule but it forms a dangerous precedent. Everyone presumes de-identification will serve as a bulwark against inappropriate use but security in health research is not fully realized and even as Austin and Lemmens note there is a need for a robust governance framework. And this assumes secondary uses will involve de-identified personal information – a presumption that may not be the case in all instances.
Some, including researchers and healthcare system managers, will argue that the societal benefits of cost reduction, improved public health and better quality health care outweigh privacy concerns. But privacy cannot be divorced from the more general societal context. To say otherwise would defeat the general argument in favour of the use of personal information in medical research: it’s better for society if we treat it as a resource to be used.
In that societal context, the moral questions haven’t really been addressed. The prevention of harm, equality, fairness and justice can all enter into the equation when you have secondary uses of information – especially when not all secondary uses are beneficial or benign to individuals. Secondary uses, however well intentioned, pale in comparison to such universal values.
Registries, databases, EHRs — they all form pools of health data and are slowly being built up to the “tipping point” that forms the basis for Dr. Chute’s comment above. To resolve conflicting interests between privacy, research and other secondary uses requires, as Dr. Mattison notes, the need for dialogue. Privacy laws help but are not a panecea for resolving such conflicts. Remarks last November by Giovanni Buttarelli, Assistant European Data Protection Supervisor, shows that this need for dialogue is also recognized in Europe. A similar comment this week by the Australian Privacy Foundation about the lack of consumer consultation in Australian EHR developments is also telling.
For once, I’d like to see someone organize that dialogue in Canada and bring researchers, privacy officials and advocates and especially patients to have a very serious discussion about secondary uses for health information. In Canada, the accepted norm is a degree of balance between competing interests when it comes to privacy and data protection. Getting the balance “right” without having that dialogue first is a hard thing to do.
Who should lead this discussion to resolve the conflicting interests between privacy, research and other secondary uses? There are several groups looking at the issue now including CIHI, Infoway and CIHR but is this a matter of the fox watching the hen house? Are these groups open to a new way of working or finding a solution that works within their current mandates?