Date: 16-18 December 2000
Personal Data Privacy Issues of E-Medicine

by
Stephen KM LAU
Privacy Commissioner for Personal Data
Hong Kong SAR

at the
International Healthcare Conference
16 - 18 December 2000
Hong Kong Convention and Exhibition Centre




"Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not be noised abroad, I will keep silence thereon, counting such things to be sacred secrets."

    - Oath of Hippocrates, 4th Century, B.C.E.

 

Introduction

In the 80's, E-Medicine (Electronic Medicine) mainly referred to the use of technology in isolated and non-integrated areas in the practice of medicine, from the computerized storage of patients' information and drug inventory, to diagnostic equipment like CAT scanners and laser devices.

From the mid 90's, with the ever-increasing pervasiveness of the Internet, and the cost effectiveness of high-speed telecommunications, multi-media technology and wireless access to electronic databases through mobile devices including mobile phones, E-medicine (as in E-commerce) is traversing space and time, and taking on new dimensions in consultation, diagnosis and remedial actions involving multiple parties.

The key to the effectiveness of E-medicine, supported by these enabling technologies, is the ready access to and availability of the patients' clinical information in a medical record database to all parties concerned.  While no doubt E-medicine would bring unprecedented benefits to the community, there are increasing and real concerns of information privacy risks to patients' records which are regarded by all as highly sensitive and personal.

Medical information privacy is not just about security.  It is about trust, which is an integral part of a therapeutic relationship.  Loss of confidentiality and trust would seriously erode the effectiveness of medical care.

To overcome such concerns, medical record databases should be designed and implemented with a set of data protection principles and fair information practice which govern the collection, access, use, disclosure and security of these sensitive records.

Benefits of a Medical Record Database

Safe, comprehensive, and cost-effective patient care depends on the provider's ability to obtain an accurate record of the patient's previous health care, including treatments and testing.  Without this information, tests may be repeated or previous results ignored, allergies may not be known, and information about drug regimens may be miscommunicated.  Never is the need for rapid access to information more apparent than when a patient seeks emergency care.  When patients who are usually cared for at one institution go to the emergency department of another institution, there is reason to be concerned that missing information may result in less than optimal care.  Inappropriate care caused by lack of access to information may delay diagnosis and result in improper therapy and increased health care costs.  In the emergency care of an unconscious patient, lifesaving information may be unavailable.

The creation of a large database would also allow researchers to track certain diseases as well as patients' responses to certain drugs.  This information could be valuable to advance public health and effective research for new drugs.

The creation of these databases would allow for better organization and more legibility of medical files.  Since elaborate security systems can be developed to monitor these medical databases, electronic records may actually be more secure than paper records.

Privacy Risks of a Medical Record Database

Besides information about the individual's physical health, a medical record may include information about family relationships, sexual behavior, substance abuse, and even the private thoughts and feelings that come with psychotherapy.

Information from a medical record may influence an individual's credit, admission to educational institutions, and employment.  It may also affect the ability to get health insurance, or the rates for coverage.

With the creation of medical databases, many individuals have expressed some apprehension as this and other information becomes computerized.  There is a fear that computerized records will allow many more people to legitimately access medical records.  The tendency for "function creep" could lead authorized users to use the data for unauthorized purposes.

Recent US Surveys Reveal Serious Privacy Concerns

Sponsored by California HealthCare Foundation, a survey conducted by Princeton Survey Research Associates, January 1999 revealed:
 

  • One in five American adults believes that a health care provider, insurance plan, government agency or employer has improperly disclosed personal medical information.  Half of these people believe that it resulted in personal embarrassment or harm.
  • One in six Americans has done something out of the ordinary to keep personal medical information confidential.  To protect their privacy and avoid embarrassment, stigma, and discrimination, people withhold information from their health care providers or provide inaccurate information.
  • Two out of three U.S. adults say they don't trust health plans and government programs, such as Medicare, to maintain confidentiality all or most of the time.


Another California HealthCare Foundation survey conducted by Cyber Dialogue, January 2000 showed that:
 

  • Seventy-five percent of people are concerned about health Web sites sharing information without their permission.
  • A significant percentage of people do not and will not engage in certain health-related activities online because of their concerns about privacy and security.  Forty percent of people will not give a doctor online access to their medical records; twenty-five percent will not buy or refill prescriptions; and sixteen percent will not register at sites.
  • Seventeen percent of people don't even go online merely to seek health information due to their concerns over privacy.


The Hong Kong Personal Data (Privacy) Ordinance

In Hong Kong, personal data are legally protected by the introduction of the Personal Data (Privacy) Ordinance (PD(P)O) in 1995.  Its objectives are two-fold:

- to protect the individual's right to privacy with respect to personal data; and

- to safeguard the free flow of personal data to Hong Kong from restrictions by countries that already have data protection laws.

The second objective, interestingly, relates to our economy.  Given the momentum of globalized trade and services, the European Union, comprising 15 European nations, decreed in 1998 that, unless there is adequate protection for personal data in third countries with which the European Union trades, cross-border transfer of personal data could be interfered with or even stopped between the European Union and other countries.  Given that our economic life-blood is our international trade and services, Hong Kong cannot afford to be competitively disadvantaged by not having a legal data protection regime adequate to meet this European Union directive.

To fully understand and comprehend the essence of the Ordinance, it is essential to be acquainted with the data protection principles as stipulated in the Ordinance.  These data protection principles are the cornerstone of all similar data protection laws in different countries.  Universal in nature and recognition, these principles are generally based on a set of OECD guidelines promulgated in 1981 to provide a framework for the protection of the collection and use of personal data.

Six data protection principles are enshrined in the PD(P)O:

Principle 1 - Purpose and manner of collection

  •  this provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from the subject.


Principle 2 - Accuracy and duration of retention

  • this provides that personal data should be accurate, up-to-date and kept no longer than necessary.


Principle 3 - Use of personal data

  • this provides that, unless the data subject gives consent otherwise, personal data should be used for the purposes for which they were collected or a directly related purpose.


Principle 4 - Security of personal data

  •  this requires appropriate security measures to be applied to personal data.


Principle 5 - Information to be generally available

  •  this provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.  In other words, there should be a data privacy policy.


Principle 6 - Access to personal data

  •  this provides for individuals to have rights of access to and correction of their personal data.


Safeguarding Privacy with a Medical Record Database

Given the significant privacy concerns associated with medical data, the planning, development, implementation and operation of a medical record database should take into account the following considerations:

1. Privacy Impact Assessment (PIA)

 A Privacy Impact Assessment study should be conducted in the planning stage.  PIA is an assessment of any actual or potential effects that the activity or proposal may have on an individual's privacy and the ways in which any adverse effects may be mitigated.  Such studies should also be conducted at different stages of the implementation of a medical record database, e.g. the detailed design of a web-enabled system, the introduction of new applications which access the database.

2. A Code of Practice

 While the PD(P)O provides for the legal protection of personal data in a medical record database, it is relevant to develop a code of practice with specific guidelines to the operations of such a database.  These specific guidelines incorporate the data protection principles stipulated in the Ordinance as well as fair information practice principles in view of the sensitivity of medical data.  These principles should include:

 Openness - The individual should know their inherent rights with regard to their medical data, what information the database contains, and how it will be used.

 Informed Consent - Apart from the primary use of the medical data for the purpose of clinical benefits, all other and additional uses and disclosure of data should be subject to the prior and informed consent of the individual.

 Security - Adequate security features including appropriate hardware, software, data encryption and administrative measures are required to prevent unauthorized or accidental access to and disclosure of data in the database, to preserve data confidentiality, integrity and accuracy.

 Right of Access and Correction - The individual must be provided with the means to access and interpret his or her data in the database, as well as up-to-date information of the identity of third parties who have accessed his or her data and for what purposes.

 Sensitivity - Some severely sensitive medical data, e.g. the psychotherapeutic relationship, is of such severe sensitivity as to require special recognition as a domain of absolute privacy.

 Accountability - Non-compliance with the Code of Practice should be accompanied by appropriate sanctions and penalties.

 Public Responsibility - Exemptions to the Code should be provided as the right to privacy is not absolute and should be balanced with the collective right of a society, viz. public interest.  These exemptions, usually related to disclosure of data to support public health and research, and fight against healthcare fraud and abuse, should be stated clearly and precisely.

3. Independent Overseeing Mechanism

 An entity, independent from the organizations operating and accessing the medical record database, should have the responsibility to monitor compliance with the Code of Practice.  It should have the power to investigate complaints and enforce corrective actions.

 

 


Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.