Michael Martineau, an eHealth consultant and commentator, and Michael Power, a Toronto-based lawyer and noted privacy expert, teamed to write this joint blog post.
North Americans appear ready to interact electronically with their healthcare providers and take a more active role in managing their own health care. A much talked about tool in this regard is the Personal Health Record (“PHR”). While there is considerable debate about what constitutes a PHR and how best to capture public interest in using a PHR, there seems to be a growing consensus that the privacy of personal health information is a key concern that must be addressed if PHRs are to gain widespread adoption. “Whether PHRs are developed by the private or public sector, the Commissioners call on all developers to ensure that the applications meet the relevant laws and reflect privacy best practices.”[1]
After months of testing, the McGill University Health Centre recently announced the public launch of unani, “an integrated Wellness Platform” that provides users with the means to “manage and store your personal health information in complete security, from anywhere in the world.” Given our respective areas of expertise and interests, we were interested to hear about this new, Canadian-based service, and immediately went to unani.ca to check out this new service, including their privacy policy. After discussing what we found, at Michael Power’s suggestion, we decided to present our initial reaction in the form of a letter.
Dear McGill University Health Centre,
We see you’ve begun to offer unani to the world. At this point it appears to be offered to people in Canada and the United States. This web-based “Personal Health Record” is an interesting development and McGill University Health Centre is to be commended for offering it. But, since you’re asking us to store our families' personal health information “in the cloud”, we’re sure you can appreciate our interest in understanding what you do to protect the privacy and security of that information.
We were interested in the fact that we had to start the registration process in order to view your privacy policy – we would have expected to see a public link to it readily available on your home page. Oh well. We started to register and found it in a corner on your Terms of Use page. Now in keeping with the concepts of openness and transparency, we would have expected a fairly comprehensive statement. Boy, were we surprised.
You were kind enough to tell us the “purposes of collection”:
Information will generally be collected from Individuals through the various forms such as enrolment or account opening forms which, when produced by the Company, shall indicate the purposes of the information collection. The sole objective of the information collected from the Individuals will be to provide the products or services requested and to respond to their needs or the Company’s needs for the duration of their relation with the Company.
We didn’t see any other purposes disclosed to us. We would have thought you might use the information to operate and improve the site. Maybe there aren’t any other purposes but we would have liked you to say something to that effect. And what exactly are the “Company’s “needs” in that last sentence there?
We would have liked some statement as to who actually owns the information we put into your system. In Canada, from case law in the 1990s, the provider owns the record and the patient owns the information. We would have liked some statement that the user, and the user alone, controls the data; that Unani won’t sell, rent or otherwise share the data, even in de-identified form (since re-identification seems to be happening more and more these days) and that the user can delete their information at any time and it will be removed from your servers. We didn’t see anything like that in your Terms of Use or Privacy Statement. If Google Health can put a statement somewhat like that in their Privacy Policy, why can’t you?
Speaking of which, who really is accountable for the protection of our health data? Is it McGill or your IT partners? Is it stored only in Quebec or are the servers located somewhere else? Is there a backup somewhere else? Your privacy statement doesn’t really tell us that.
To be fair, you do say our information will be held “only as long as necessary for the fulfillment of the purposes for which it was collected” and that it will “be destroyed in accordance with the law and Company’s guidelines with respect to the retention of files.” By the way, could you give us a sense of what those Company’s Guidelines are?
And about security – all we got was a statement of “appropriate safeguards”. Now we’re not looking for specific information – the bad guys read these statements too – but a little more detail would be nice. For example, do you restrict access to the information to individuals for particular purposes (e.g. future site development, support) and are those individuals subject to confidentiality obligations? Also, how do you secure our communication with you? Do you protect it through the use of encryption, such as the Secure Sockets Layer (SSL) protocol?
Now access is an important privacy principle and we see you talk about it:
The Company shall respond to an Individual’s request for information within a reasonable time. In addition, the fee charge for processing the request shall also be reasonable.
Wait a minute, here. It’s our data! What other data do you have that we might want to access? And you’re going to charge us a fee for it?
We see that you do address complaints and we appreciate you having that section. You say if we want to make a complaint concerning Unani’s protection of our personal health information, we can contact your Privacy Officer. That’s ok, but what if we’re not satisfied with the outcome of that conversation? Who can we go to? People like us, who aren’t from Quebec, might not know. It would be nice if you could, at least, point us to the web site of the Commission d’accès à l’information du Quebec.
In short, your privacy statement looks like something generic that could be used by any business in Quebec and wasn’t written specifically with your site or our personal health information in mind. That really doesn’t give us any confidence in sharing our health data with you. If PHRs are really going to work we’d appreciate a little more evidence of some thought put into the privacy management of your site.
Yours sincerely,
Michael Martineau – eHealthMusings
Michael Power – dot-indicia
[1] “The Promise of Personal Health Records”, Resolution of Canada’s Privacy Commissioners and Privacy Enforcement Officials, September 9-10, 2009, St. John’s, Newfoundland and Labrador