HO-002 is a spy story. Instead of 007’s Casino Royale, the setting is the Ottawa Hospital and the plot involves the aftermath of a failed marriage rather than international espionage. But the lessons it holds for public sector security managers may be much more relevant.
The story, documented in the Ontario Privacy Commissioner’s report, “HO-002,” began when a female in-patient at the Ottawa Hospital told staff she did not want two hospital employees, her estranged husband and his girlfriend, to know she had been admitted or to see her personal health information. The security office was notified. The privacy office was not.
After she left the hospital, the patient’s husband revealed to her that he had knowledge of her hospital stay and details of her treatment. Not surprisingly, the patient complained to the hospital. The hospital’s privacy office immediately audited the records to confirm that the estranged husband’s girlfriend, a nurse, had indeed looked at the record without permission.
The privacy office then tagged the patient’s Electronic Health Record (EHR) so it would be informed every time the record was accessed. Anyone attempting to look at the record from then on saw a warning screen that said the information had been deemed “highly sensitive” and would be “closely monitored for potential violations of patient privacy.”
At this point, the spies either did or should have known that they were being watched. As Glen Geiger, the Ottawa Hospital’s medical director of clinical information systems, said: “Only a true bumbler would keep doing it, after having seen the VIP flag had now been set, and have read that warning, and still not suspect that somebody was on to them.”
Keep on doing it they did, three more times. Finally, the hospital stepped in and did the job of protecting patient privacy that it was supposed to do. The nurse who accessed the records received a four-week suspension without pay, and the estranged husband was suspended without pay for 10 days. And the woman whose privacy was so egregiously violated will probably receive a substantial amount of taxpayers’ money in an out-of-court settlement.
In its report, the Ontario Privacy Commission concludes: “The ultimate responsibility, of course, lies in the actions of the two offending parties,” and, “The negative consequences flowing from the unauthorized access and use of a patient’s health information are extensive and far-ranging. Patients have enough to deal with — any additional stress arising from an unauthorized party peering into their health records is completely unacceptable.”
In other words, the failure had an impact on an individual and people caused the failure. The answer is not increased electronic security measures around personal information, but a culture of respect for privacy. That cultural change can only begin at the institutional level. Unfortunately, there is evidence that there is a massive failure of respect for privacy there as well.
Research is at the heart of medical innovation and its lifeblood is data. Medical researchers believe they have a right, if not an obligation, to acquire patient information. After all, the goal of their research is better health. As Geiger said, “Any suggestion to the contrary produces apoplexy and warnings that the health system will crumble, or their careers will crumble, if they can’t have this data.”
When he asks the researchers if the patients mind having their information used for research, they often answer that the patients don’t know anything about it. Shouldn’t they know about it? Geiger says the researchers respond with: “Well, if they did know about it, things might not go well.”
In other words, patients might withhold permission and that would bring research projects, and their enabling grants, to a standstill.
In a recent meeting, says Geiger, a researcher simply admitted: “I’ve got a friend in the lab who gets me data.”
“It’s not like it’s unique,” adds Geiger. “We knew. It’s just funny being in a meeting where somebody actually says this, and doesn’t think about the implications of what they have just said. ‘I’m stealing data from the lab.’”
Stopping the practice would not only halt research projects, it would seriously compromise the operations of the hospital, Geiger says. “So it is not possible to confront these people at this time. But this has got to stop. I am sure it is the same at most healthcare institutions. This sort of stuff is going on all the time.”
Electronic health records are quickly becoming an urgent national priority. The Canadian Institute for Health Information has estimated that as many as 65 people die needlessly in our hospitals every day, and many of these deaths can be attributed to missing information.
According to Canada Health Infoway, a nation-wide EHR system could save $6.1 billion a year, or almost five per cent of total healthcare spending.
The collective benefits may be impressive, but the privacy risk Canadians and their physicians face is individual. If they do not believe that people with access to an EHR system will respect their privacy, they will withhold their support and their information. Without those, there will be no system and no benefits.
Richard Bray is an Ottawa-based freelance journalist specializing in high technology and security. He can be contacted at [email protected]