patients privacy could be compromised

"Patients' privacy could be compromised by a Hutt Valley initiative

allowing GPs and hospital clinicians to exchange clinical information,

medical ethics experts and patient advocates warn. "

It is good to see the concerns are being discussed within health

circles but a wider public debate should be encouraged before this

significant erosion of personal privacy becomes more than an

exploration of technical capability.

There are two separate issues touched on in the article. Firstly that

"A lot of problems in the health sector come about when patients are

wrongly identified." and secondly that "Sharing information (between

providers in the health sector) closes the loops."

There is an implication here that sharing all information enhances the

identification process and, that a common information pool is a

necessary requirement for the exchange of clinical information.

Identification of the individual is critical where information flows

and the individual become separated. A simple example can be seen in

blood testing where the results may be routed through a complex

process to ultimate information users and may result in life or death

decisions impacting on the subject person. However, there is no

indication that the proposed sharing of information would address the

issues of identification.

There can be no doubt that there should be a flow of information

amongst health providers. However, there has been little or no public

debate about what information should be contained in the flows and

what rights over the information are retained by the patient.

General Practitioner Access to Hospital Data

From the description of the pilot, the flow of information to GPs from

hospitals is to be achieved by allowing GPs to access the internal

hospital information systems.

Four GPs also have direct access to the hospital's electronic

database, allowing them to access the records of all patients

registered with their primary health organisation, or any other

patient for whom they have a National Health Index number.

Implicit in this is:

1. It is OK for GPs to access information held in the hospital's

electronic database for any patient; not just those registered

with their PHO. Hypothetically, a fishing expedition could be

mounted using the 12,567,273 valid NHIs.

2. A GP would have legitimate access to the records of any hospital

by having a single patient in common between PHO and Hospital.

Given the concentrations of population and specialist medical

services in NZ, the health records of a large proportion of people

will be open to many GPs.

3. If a patient is referred to a hospital by a GP, the GP's within

the PHO have access to that patient's information from the

hospital's electronic database regardless of the patient's wishes.

There is a clear risk arising from this. Information that might

reasonably be expected to be a matter between the patient and someone

with a direct clinical responsibility of care of the patient, will be

available to a wider audience which degrades the privacy of the

individuals involved.

Potentially, well defined electronic information systems and

data-interchange services can enhance privacy and security.

Mr Cook [CIO] said electronic patient information systems were

"more secure" than paper-based ones because access could be

controlled and audited.

Those of us with even limited contact with public/civil service or

legal organisations will have come across "the Registry" where access

to paper based records are managed according to right or need to know.

Electronic systems may be more cost-effective but they are not

inherently more or less secure than the paper-based ones that they

replace. Note also use the term "could" in the quotation. Actual

control and audit of information retrieval is often omitted from

electronic retrieval systems perhaps because IT people focus on the

every part of the system be used in the intended fashion. An

assertion, from the CIO, that the access to information "will be

controlled and audited" would be more comforting.

The privacy requirements do not seem to have been sufficiently

addressed.

However, Otago University's bioethics centre director, Donald

Evans, said ....

"My concern is, if patients become aware that information given on

a confidential basis to their GP is likely to be shared with other

people, it destroys the relationship of trust; people will be

reluctant to be honest with their doctors; and quality of care will

be compromised."

I suggest that the patients' concerns may be associated with any

consultation not just with the GP. It may not be good thing medically,

but there will be reasons for not sharing information of a specialist

consultation with a particular GP. We can debate whether the

information belongs to the clinician or the patient, but passing the

information about the patient to third parties should generally be

controlled by the patient.