Health-care providers around the world are undergoing a digital transformation, harnessing information communication technologies such as Radio Frequency Identification (RFID) and applying it in innovative ways to increase operational efficiencies, improve services and save lives.
In the U.S., health-care providers are already using RFID chips to track surgical instruments and sponges to ensure that nothing is left behind inside a patient. If anyone doubts the value of this service, take note of an Australian woman who continued to suffer intense pain for months after her surgery. Doctors eventually discovered a 6.7-inch pair of surgical scissors that were left behind in her abdomen.
Other health-care providers are using RFID chips to trace pharmaceutical products to ensure that the correct medication and dosage is being administered to patients. A 1999 study of 1,116 hospitals by the United States Institute of Medicine suggests that more than 44,000 deaths occur each year in the United States as a result of in-hospital medication errors. Yet, while there are many benefits in using RFID technology in the health-care sector, concerns arise regarding the protection of personal information and the tracking of individuals.
Yesterday, in collaboration with Hewlett Packard (HP) Canada, I released a joint publication entitled, RFID and Privacy: Guidance for Health-Care Providers, at a special RFID health-care conference in the U.S.
This research paper reviews a wide range of RFID-enabled health-care uses – from tagging hospital supplies to embedding a chip into a person – noting not just the potential benefits, but also the privacy risks. This is because RFID tags contain a microchip and radio antennas that transmit a unique identifying number to an electronic reader, which in turn links to a computer database where information about the item is stored. And, while RFID tags are primarily designed to be attached to products, they nevertheless still pose potential risks to privacy if attached to objects than can be linked to people, if not directly attached to people.
The paper further organizes RFID health-care applications into three broad categories. The first category, tagging things, raises few privacy concerns as it refers to keeping track of objects such as inventory, supplies, mobile hospital devices, bulk pharmaceuticals, dossiers and files.
The second category is tagging people. Here, benefits and privacy concerns need to be balanced. For instance, despite being a Privacy Commissioner and a privacy professional, I nonetheless support the use of RFID tags for tracking newborns. In a complex hospital environment, strong patient identification is a desirable benefit, as long as the privacy questions have been addressed and the benefits are demonstrable.
The third category, tagging things linked to people, has to be addressed very carefully. As I already have pointed out, while objects can be tagged and tracked, the question remains whether those objects, such as hospital access cards or blood samples, can be used to identify individuals, who may not even know they are being tracked.
So, what can those in the health-care sector do to ensure that privacy is protected when employing potentially life-saving RFID technology? First, get a copy of our paper. Then, think about something I call “privacy by design,” which essentially means that privacy needs to be built in early, at the design stage, before a system is in place where there is the potential for a privacy breach.
Everyone, from health-care providers, to patients, to privacy advocates, want the best technology possible in the health sector, without needless invasion of privacy. While I, as a patient, would welcome RFID technology improving my health care, as a Privacy Commissioner, I firmly believe that we must also ensure that the deployment of this technology does not infringe upon our privacy. RFIDs can improve key segments of health-care services while protecting patient privacy. It’s all a matter of changing the paradigm from a zero-sum game to a positive-sum model.
Ann Cavoukian is the Information and Privacy Commissioner of Ontario. The paper cited in this column, RFID and Privacy: Guidance for Health-Care Providers, is available at www.ipc.on.ca