SUMMER 2008
Online Only

PRIVACY

Protection of personal health information: A balancing "act"
The Protection of Personal Health Information Act has been described by government as "...[clarifying] the appropriate balance between protecting individual privacy and using personal health information for legitimate reasons."
By Ed Brown
The May 21 issue of The Telegram quotes Health Minister Ross Wiseman discussing the Protection of Personal Health Information Act (PPHIA), which has since had third reading in the House. It is described as creating an onus on those who deal with personal health information "to ensure that there are protocols and procedures in place to ensure that there are no breaches." This sentiment is well intended but a little overstated. No legislation, procedures, protocols or technologies will ensure there are absolutely no breaches. Data security professionals don't talk in terms of completely eliminating breaches, but rather about risk and responses to threats. Government's news release has a more qualified quote from Minister Wiseman: "This legislation clarifies the appropriate balance between protecting individual privacy and using personal health information for legitimate reasons." This balance is nothing new. Health care involves ongoing intrusion into the patient's privacy in order to provide the appropriate care. Standardizing rules about who is an "information custodian" (and what their responsibilities are) should take away a lot of the uncertainty about what sharing of information is legally permissible. In other words, those who deal with personal information will be protected (including by a liability shield in section 87) if they adhere to the rules.
It is not clear that this kind of legislation inevitably increases the privacy protection of patients. Independent industry standards, such as ISO 27799, already exist for health information security, and are likely to comprise the protection mechanisms that are referenced but not described in the new Act. In other words, the quality of security industry standards is not addressed by the PPHIA. The Act does contain numerous exceptions to the requirement of explicit patient consent to the handling of information, which on their face lower the patient's privacy. The auditing, reporting and complaints provisions can be seen as privacy enhancing, but only if you already accept the premise that the permitted privacy intrusions are justified by the requirements of patient care, that is, that the balance has been fairly struck.
It's simpler to talk about protecting privacy or preventing breaches than about balancing considerations, but this can also create false expectations. The system may correctly respond to the next well-publicized breach without making such a breach publicly palatable. That's the kind of outcome that requires a good balancing "act".
Ed Brown is an associate professor in Computer Science at Memorial University and a lawyer with interests in intellectual property, software and privacy.