Showing posts with label Identity. Show all posts

Thursday, 9 August 2007

Health Information Privacy - When Rights Conflict

Tom Fuller writing in the respectable Blindside Blog presents a simple dilemma on the conflicting "rights" to have and to conceal information about a health issue.

As part of your treatment you need genetic analysis of predisposition towards several disease pathways. You are frightened that exposure of the results will a) reveal your mixed race heritage and b) prejudice your employability, insurability and sociability. So you agree with your consultant to test under an alias. And your treatment proceeds and you get on with your life.

Unbeknownst to you (does Beyonce have an evil twin called UnBeyonce?), your consultant also treats your child/children from a previous relationship, and recognizes that your genetic results are relevant to them. Your consultant knows that you would refuse to release your information, but their continued good health is dependent on having this information available. Just for the sake of preserving the moral dilemma, getting the genetic information from the children is not adequate, sufficient or practical (they live now in a foreign country, or something like that).

1. Is your right to control of information regarding your genetic history absolute?
2. Does your consultant have ethical responsibilities to act despite your desire for secrecy?
3. If sperm donors are required to disclose identity to their children, is a precedent established for requiring you to yield your genetic information?
4. Who should make the final decision?

With local health authorities taking a generous approach to information sharing citing "common good" but more likely for administrative convenience (see Patients' privacy could be compromised by health b...), the opportunity to consider cases like the one presented will be swept aside.

My view ... 1. Yes; 2. No, not outside the individual patient-carer relationship; 3. Probably, in a legal sense. This is a bad thing! Genetic information is probably the ultimate in "identity" information; 4. The patient, fully informed by the consultant.

Friday, 27 July 2007

Patients' privacy could be compromised by health board action

RUTH HILL in The Dominion Post on Wednesday, 25 July 2007 reports that "Patients' privacy could be compromised by a Hutt Valley initiative allowing GPs and hospital clinicians to exchange clinical information, medical ethics experts and patient advocates warn."
It is good to see the concerns are being discussed within health circles but a wider public debate should be encouraged before this significant erosion of personal privacy becomes more than an exploration of technical capability.

There are two separate issues touched on in the article. Firstly that "A lot of problems in the health sector come about when patients are wrongly identified." and secondly that "Sharing information (between providers in the health sector) closes the loops."
There is an implication here that sharing all information enhances the identification process and that a common information pool is a necessary requirement for the exchange of clinical information.
Identification of the individual is critical where information flows and the individual become separated. A simple example can be seen in blood testing, where the results may be routed through a complex process to the ultimate information users and may result in life or death decisions impacting on the subject person. However, there is no indication that the proposed sharing of information would address the issues of identification.

There can be no doubt that there should be a flow of information amongst health providers. However, there has been little or no public debate about what information should be contained in the flows and what rights over the information are retained by the patient.

General Practitioner Access to Hospital Data

From the description of the pilot, the flow of information to GPs from hospitals is to be achieved by allowing GPs to access the internal hospital information systems.

Four GPs also have direct access to the hospital's electronic database, allowing them to access the records of all patients registered with their primary health organisation, or any other patient for whom they have a National Health Index number.
Implicit in this is:
  1. It is OK for GPs to access information held in the hospital's electronic database for any patient; not just those registered with their PHO. Hypothetically, a fishing expedition could be mounted using the 12,567,273 valid NHIs.
  2. A GP would have legitimate access to the records of any hospital by having a single patient in common between PHO and Hospital. Given the concentrations of population and specialist medical services in NZ, the health records of a large proportion of people will be open to many GPs.
  3. If a patient is referred to a hospital by a GP, the GPs within the PHO have access to that patient's information from the hospital's electronic database regardless of the patient's wishes.

There is a clear risk arising from this. Information that might reasonably be expected to be a matter between the patient and someone with a direct clinical responsibility for the care of the patient will be available to a wider audience, which degrades the privacy of the individuals involved.


Potentially, well defined electronic information systems and data-interchange services can enhance privacy and security.
Mr Cook [CIO] said electronic patient information systems were "more secure" than paper-based ones because access could be controlled and audited.
Those of us with even limited contact with public/civil service or legal organisations will have come across "the Registry", where access to paper-based records is managed according to right or need to know. Electronic systems may be more cost-effective, but they are not inherently more or less secure than the paper-based ones they replace. Note also the use of the term "could" in the quotation. Actual control and audit of information retrieval is often omitted from electronic retrieval systems, perhaps because IT people focus on every part of the system being used in the intended fashion. An assertion from the CIO that access to information "will be controlled and audited" would be more comforting.
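To make "controlled and audited" concrete, here is an added example (my own illustration, not code from the Hutt Valley pilot or any hospital system) of what a record lookup looks like when both parts are actually present: every request is checked against a relationship-of-care list before a record is returned, every attempt, allowed or denied, is written to an audit trail, and a detector runs over that trail looking for the audit signature of the fishing expedition described earlier, one user walking through many NHIs he has no relationship with. The NHIs, records, user names and thresholds are all constructed.

```python
"""Added example: relationship-of-care check, audit trail, and a detector over it.
Not the pilot's code; all NHIs, records, users and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuditEvent:
    when: datetime
    user: str
    nhi: str
    allowed: bool


class RecordStore:
    def __init__(self, records, care_relationships):
        self._records = records          # NHI -> clinical record (constructed)
        self._care = care_relationships  # user -> set of NHIs the user has a relationship of care with
        self.audit = []                  # append-only audit trail of every attempt

    def lookup(self, user, nhi, when):
        """Return the record only if the caller has a relationship of care with the patient.
        An unauthorised NHI and a non-existent NHI get the same answer (None), so the
        service does not act as an oracle for guessing which NHIs are in the database."""
        allowed = nhi in self._care.get(user, set()) and nhi in self._records
        self.audit.append(AuditEvent(when, user, nhi, allowed))
        return self._records[nhi] if allowed else None


def flag_enumeration(audit, window=timedelta(hours=1), max_denied=5):
    """Users with more than max_denied denied lookups of distinct NHIs inside any
    sliding window: the audit-trail signature of a walk through the NHI space."""
    denied = defaultdict(list)
    for ev in audit:
        if not ev.allowed:
            denied[ev.user].append(ev)
    flagged = set()
    for user, events in denied.items():
        events.sort(key=lambda e: e.when)
        for i, first in enumerate(events):
            distinct = {e.nhi for e in events[i:] if e.when - first.when <= window}
            if len(distinct) > max_denied:
                flagged.add(user)
                break
    return flagged


def demo():
    """Constructed scenario: two GPs, three patients, one GP probing NHIs at random."""
    records = {"AAA1111": "record A", "BBB2222": "record B", "CCC3333": "record C"}
    care = {"gp_alpha": {"AAA1111"}, "gp_beta": {"BBB2222"}}
    store = RecordStore(records, care)
    t0 = datetime(2007, 7, 25, 9, 0)
    in_care = store.lookup("gp_alpha", "AAA1111", t0)                              # allowed
    other_patient = store.lookup("gp_alpha", "BBB2222", t0 + timedelta(minutes=1))  # denied
    unknown = store.lookup("gp_alpha", "ZZZ9999", t0 + timedelta(minutes=2))        # same answer
    # gp_beta tries eight constructed NHIs in eight minutes: denied each time, then flagged
    for i in range(8):
        store.lookup("gp_beta", f"QQQ{1000 + i}", t0 + timedelta(minutes=10 + i))
    return in_care, other_patient, unknown, flag_enumeration(store.audit)


if __name__ == "__main__":
    print(demo())
```

The denied attempts are the valuable part of the trail: a system that logs only successful retrievals cannot distinguish a GP looking up a referred patient from one working through the NHI range, and a system that returns "no such patient" for unknown NHIs hands out a list of valid ones for free.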

The privacy requirements do not seem to have been sufficiently addressed.

However, Otago University's bioethics centre director, Donald Evans, said ....

"My concern is, if patients become aware that information given on a confidential basis to their GP is likely to be shared with other people, it destroys the relationship of trust; people will be reluctant to be honest with their doctors; and quality of care will be compromised."



I suggest that the patients' concerns may be associated with any consultation, not just with the GP. It may not be a good thing medically, but there will be reasons for not sharing information from a specialist consultation with a particular GP. We can debate whether the information belongs to the clinician or the patient, but passing information about the patient to third parties should generally be controlled by the patient.


Tuesday, 10 April 2007

Are you the same Richard Gray?

Kim Cameron summarises some thoughtful comments from Richard Gray on identity and authorisation spread over Jon Udell's blog and Kim's own. Richard notes on Jon Udell's blog:
As you don’t have CardSpace enabled here, you can’t actually verify that I am the said same Richard from Kim’s blog.
But without Kim's co-operation Jon could not verify that the same Richard presented the same or equivalent credentials using CardSpace. A third party would require co-operation from both Jon and Kim to verify that it was the same Mr Gray. This appears to be the case even if he used the same managed card from an Id Provider trusted by all the parties.
I think we need to explore this use-case further.
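The property behind this use-case is a pairwise pseudonymous identifier: the identifier a card yields is stable for one relying party but different for every other one, so two sites cannot line their users up by comparing identifiers. The following is an added example of my own, a simplified HMAC-based scheme in the spirit of that design rather than CardSpace's actual algorithm; the card secret, the two relying-party names and the roles of who can verify what are all constructed for illustration.

```python
"""Added example (not CardSpace's code): pairwise pseudonymous identifiers.
Card secret and relying-party names are constructed for illustration."""
import hashlib
import hmac


def derive_ppid(card_secret: bytes, relying_party: str) -> str:
    """Identifier for one card at one relying party. Stable for that pair;
    without card_secret there is no way to relate it to the same card's
    identifier at another relying party."""
    return hmac.new(card_secret, relying_party.encode("utf-8"), hashlib.sha256).hexdigest()


def relying_party_recognises(presented: str, on_file: str) -> bool:
    """What a single site can do: recognise a returning visitor to itself."""
    return hmac.compare_digest(presented, on_file)


def sites_can_link_alone(ppid_at_site_a: str, ppid_at_site_b: str) -> bool:
    """What two sites can do by comparing notes: nothing, the values differ."""
    return hmac.compare_digest(ppid_at_site_a, ppid_at_site_b)


def issuer_confirms_same_card(card_secret: bytes, claims) -> bool:
    """Only the party holding the card secret (the card's issuer, or the user)
    can confirm that several (relying_party, ppid) pairs come from one card."""
    return all(hmac.compare_digest(derive_ppid(card_secret, rp), ppid) for rp, ppid in claims)


def demo():
    richards_card = b"constructed card secret, not a real one"
    at_kims = derive_ppid(richards_card, "kims-blog")
    at_jons = derive_ppid(richards_card, "jons-blog")
    return {
        "kim_recognises_return_visit": relying_party_recognises(
            derive_ppid(richards_card, "kims-blog"), at_kims),
        "kim_and_jon_can_link_by_comparing": sites_can_link_alone(at_kims, at_jons),
        "issuer_can_confirm_same_card": issuer_confirms_same_card(
            richards_card, [("kims-blog", at_kims), ("jons-blog", at_jons)]),
        "issuer_rejects_other_card": issuer_confirms_same_card(
            b"some other card", [("kims-blog", at_kims), ("jons-blog", at_jons)]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for the use-case above: Kim and Jon each see a different value, and confirming that both belong to one card takes a party that holds the card secret, which is exactly the third-party co-operation the post says would be required.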

Monday, 2 April 2007

Biometric Identification

Kim Cameron is doing a nice job of keeping both the technical and social implications of fingerprinting or other biometric identification visible so that we do not get led astray by the relative ease of delivering a biometric identification system. Way back when I was designing systems for IBM360s and the like, identification of people for the systems was always a significant part of the work and often we would call for everybody to be tattooed with a bar code at birth. Somehow this never caught on... damn liberals! Now we have extremists in governments of significance who have brought gunboat diplomacy to new levels and who view state collection of information about the individual as a natural part of keeping the world safe.
It may not be clear what the issue is ... why shouldn't governments, law enforcement, and lunch monitors require you to be registered on a database of good guys (or bad guys) in order for you to receive your rights or go about your lawful business? Even if the systems were 100% trustworthy and secure, governments; law enforcement officers; and lunch monitors certainly are not.
In The Honest Truth on Biometrics in Schools (but not the whole truth), Mitch Johns states:

How do school lunch biometric systems work and do they protect privacy?
In most school lunch biometric systems, students place a forefinger on a small fingerprint reader by the register. In seconds, the system translates the electronic print into a mathematical pattern, discards the fingerprint image, and matches the pattern to the student’s meal account information. Food Service Solutions (FSS) biometric software, for example, plots 27 points on a grid that correspond with the fingerprint's ridges to achieve positive identification, but saves no actual fingerprint image.
When school lunch biometric systems like FSS's are numerically-based and discard the actual fingerprint image, they cannot be used for any purpose other than recognizing a student within a registered group of students. Since there's no stored fingerprint image, the data is useless to law enforcement, which requires actual fingerprint images. As there’s no way for any fingerprint or computer expert to extract a record and reconstruct a person's fingerprint image from purely numerical data, privacy is protected.

Kim gives him the benefit of the doubt:
I hope your statement is the product of not having thought through the potential uses ...

I think it is straightforward marketing obfuscation. A concern is admitted and addressed, as though it is the only possible concern (in this case that someone will reconstruct a fingerprint from the stored data). This distracts from the other issues that cannot be so easily dealt with.

Strictly the fingerprint expert compares an unknown fingerprint with a known and states that they are the same on the basis of similarity across a number of points. The more points of similarity, the more likely the identification. Where the bulk of the population is fingerprinted conventionally or through DNA, a system could be devised to provide a subset that includes the target of an investigation to a very high degree of probability. The size of the subset is determined by the confidence that you wish to have in stating that the target is inside. In the fictional world of CSI, we would see this happening in the twinkling of an eye with only a few false arrests but in the real world, we can expect some serious cock-ups as police, security, librarians and lunch monitors react to False Rejects or False Accepts of the identity.

The use of an encrypted biometric does address the issue of law enforcement scooping up large sections of the population on the basis that there is a 50% chance that the bad guy is in the scoop but encrypted biometric systems must be implemented with a very high level of integrity and trust. Certainly relying on a school to manage the acquisition and storage of such sensitive data as identity is not sensible. We barely trust schools to do their core business of teaching.
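To show why "no stored image" addresses only one concern, here is an added example of my own (not FSS's software or matching algorithm): a toy point-pattern template using the 27-point figure quoted above, a matcher, and the arithmetic of the subset a population-wide search returns. The templates are constructed from a seeded random number generator, the noise model, tolerance and threshold are invented for illustration, and the error rates fed to the subset calculation are placeholders, not measured values for any product.

```python
"""Added example (not FSS's product): toy point-pattern templates, a matcher,
a 1:N search, and the candidate-subset arithmetic. All values are constructed."""
import random


def make_template(seed, n_points=27, grid=256):
    """A constructed 'finger': n_points (x, y) positions on a grid from a seeded RNG."""
    rng = random.Random(seed)
    return [(rng.uniform(0, grid), rng.uniform(0, grid)) for _ in range(n_points)]


def reacquire(template, seed, jitter=3.0):
    """A second scan of the same finger elsewhere: each point shifted by sensor noise."""
    rng = random.Random(seed)
    return [(x + rng.gauss(0, jitter), y + rng.gauss(0, jitter)) for x, y in template]


def match_score(probe, stored, tol=8.0):
    """Number of probe points with an unused stored point within tol (greedy pairing).
    This is the 'points of similarity' count; more points, stronger identification."""
    used = set()
    score = 0
    for x, y in probe:
        for j, (u, v) in enumerate(stored):
            if j not in used and (x - u) ** 2 + (y - v) ** 2 <= tol * tol:
                used.add(j)
                score += 1
                break
    return score


def identify(probe, enrolled, threshold):
    """1:N search: every enrolled identity whose stored template reaches the threshold."""
    return sorted(pid for pid, t in enrolled.items() if match_score(probe, t) >= threshold)


def candidate_subset(n_population, false_match_rate, false_non_match_rate):
    """Expected size of the subset a 1:N search returns, and the probability the true
    target is inside it, for a matcher with the given per-comparison error rates.
    The subset grows linearly with the population searched."""
    confidence = 1.0 - false_non_match_rate
    expected_size = confidence + (n_population - 1) * false_match_rate
    return expected_size, confidence


def demo():
    """A school enrols 200 constructed fingers; another system re-scans finger 7.
    The school's numeric template, image or not, picks that person out."""
    enrolled = {f"student{i:03d}": make_template(i) for i in range(200)}
    probe = reacquire(make_template(7), seed=999)
    scores = {pid: match_score(probe, t) for pid, t in enrolled.items()}
    genuine = scores["student007"]
    best_impostor = max(s for pid, s in scores.items() if pid != "student007")
    return identify(probe, enrolled, threshold=20), genuine, best_impostor


if __name__ == "__main__":
    hits, genuine, best_impostor = demo()
    print("matched:", hits, "genuine score:", genuine, "best impostor:", best_impostor)
    # placeholder error rates: a million enrolled, 1 in 10,000 false match, 2% false non-match
    print("expected subset size, confidence:", candidate_subset(1_000_000, 1e-4, 0.02))
```

Two things fall out of running it. First, a template stored by one system matches a fresh scan of the same finger taken by any other system using compatible templates, so "useless to law enforcement" is true only of the image, not of the person-recognition the template exists to do. Second, `candidate_subset` is the arithmetic behind the subset argument above: at a fixed per-comparison false match rate the expected number of innocent people returned grows with the size of the population searched, and tightening the threshold to shrink that subset raises the chance that the real target is rejected.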

Monday, 12 March 2007

Data Protection Rules (no more)

Alan Travis in the Guardian reports on a disturbing change in the handling of information in the UK.

The change is to allow widespread data sharing between public and private sectors for the first time in the name of tackling fraud.

The serious crime bill, which also proposes so-called "super Asbos" to target criminal masterminds, will allow public and private sector anti-fraud agencies to access personal financial information, including pay, tax, pension and benefit records held across the public sector.

The legislation follows a decision by the cabinet last summer to overturn the basic data protection principle that personal information provided to a government department for one purpose should in general not be used for another. Instead ministers have reversed the principle so "information will normally be shared in the public sector, provided it is in the public interest".



As we, in New Zealand, have the same underlying principles enshrined in our data protection provisions that the UK has overturned, we may see some opportunist shifting of the rules here. It is difficult to argue against any measure labelled as anti-crime, anti-terror or anti-rape, but much intellectual effort went into the framing of the Privacy Act and its associated regulations and practices. Serious consideration of the issues and public debate should take place before any similar action is taken in NZ.