Senior consultant - Privacy Bell
Table of Contents
- About the author
- Executive summary
- 1.0 Introduction
- 2.0 Privacy and trust – an intimate relationship
- 3.0 The context of privacy
- 4.0 Privacy and Canadian Healthcare
- 5.0 Why an economic analysis is useful
- 6.0 The value of privacy in healthcare
- 7.0 Costs and benefits – striking a balance
- 7.1 More or Less Privacy? Ask the individual
- 8.0 Getting it right – towards an enterprise privacy framework
- 8.1 The four modalities
- 8.2 Tools for privacy solutions
- 9.0 Conclusion
About the author
Howard Simkevitz is a Senior Privacy and Information Technology Counsel at Bell Canada where he provides privacy consulting services in the areas of: enterprise privacy strategies and frameworks, web-based privacy risk and assessment tools and gap analysis against best practices and legislation. Prior to joining Bell, Howard was in private practice with a focus on privacy, technology, intellectual property and e-commerce law. Howard is the author of several papers and serves as a trusted advisor to the Bell Privacy Centre of Excellence. Additionally, Howard remains a frequent speaker on a wide range of topics including privacy, information technology and Internet regulation.
Effective and efficient healthcare delivery relies on the ability to gather and communicate accurate, complete information while maintaining the appropriate privacy and security levels. Any breaches in privacy can diminish patient trust, compromise information and, ultimately, patient care. When efficiency and trust are compromised, the costs to the individual, the health service provider and to the healthcare system as a whole increase.
Therefore, privacy is not just a necessary process driven by compliance requirements. It is also a cornerstone in achieving cost-effective, efficient and successful healthcare delivery.
In today's economy, most businesses are facing budget constraints, lack of funding and limited resources. This is especially true in the context of healthcare delivery in Canada. When it comes to budgetary planning, it is only natural that funds are allocated to items that are considered to be key to successful business operations and deliver a strong return on investment. As a result, privacy may fall lower down the priority list, simply because its value is not readily definable and the return on investment is unclear.
However, privacy is critically important from both a legislative and a business perspective. Effective and efficient healthcare delivery is about gathering and communicating accurate, complete and, for the most part, sensitive information. Any breach in privacy can diminish patient trust, compromise the integrity of the information and ultimately have a negative effect on patient care. Once efficiency and trust are compromised, the costs to the individual, to the provider and to the healthcare system as a whole increase.
A number of unexpected costs can arise when proper privacy practices are not in place. First and foremost, there are tangible costs associated with delayed care, misdiagnosis or errors in care (e.g., prescribing the wrong medications). The economic repercussions can extend beyond the issue of care itself; there are also the quantifiable costs associated with privacy breaches. Canadian Hospital Chief Privacy Officers have reported that the cost of a breach per individual record is approximately $2001.
When privacy is not managed proactively, problems can often come to light. These problems tend to have considerable costs associated, especially when considering the costs of retrofitting existing systems. Intangible costs, such as those associated with injury to reputation, can also be quantified. By way of example, if patients stop going to a particular hospital or clinic because of deficient privacy practices, the resulting lower patient numbers could have an impact on funding levels.
Privacy should therefore be seen as a cornerstone of successful business operations in healthcare, and not simply a compliance-driven process that dictates specific norms for the protection of personal health information (PHI). This white paper discusses the value and economics of privacy in healthcare delivery and provides a framework for building and promoting a culture of privacy within healthcare operations.
2.0 Privacy and trust – an intimate relationship
In healthcare as a whole, privacy is rooted in a belief that the data holder will only collect, use and disclose the information in ways for which the individual consents. This is an important thing to consider, especially when evaluating the importance of PHI in the doctor-patient relationship where full disclosure is essential to effective care.
Studies show that the majority of Canadians trust their doctors. It is interesting to note, however, that the farther one strays from the frontline caregiver (i.e., the primary data collector), the weaker the trust the individual has in the entity handling his/her personal health information.2
It is unfortunate to note that decision makers often focus on only one aspect of privacy; that is, data protection and the considerable technological challenges of securing networks and devising privacy policies. While these efforts are critical, the fact remains that trust, privacy and security would be even better served if system designs also systematically addressed the relationships between individuals and institutions. In other words, systems need to include the "human factor" within their privacy frameworks. That means expanding the focus beyond data control to fostering trust in the system.
3.0 The context of privacy
Privacy in the healthcare industry can be considered in the light of four activities: information collection, information processing, information dissemination, and invasion. Information collection refers to how patient or other healthcare data is gathered.
Information processing refers to the various ways of linking data with the individual; as well as aggregation, identification and secondary uses. This includes the consolidation of various record systems to create associations. Depending on those links, there is a risk that information may be used without informed consent; or that there may be a failure to disclose how data might be used in the future.3
Information dissemination can trigger a broad range of privacy problems relating to behaviours aimed at revealing personal information or threatening to reveal such information including: breach of confidentiality (disclosure of confidential information), exposure, and unauthorized disclosure, among others.
Invasions or incursions into an individual's privacy can be closely related to disclosure, since the latter is often triggered by intrusive information-gathering activities. No matter what the mechanism, invasion into personal health information may be regarded as the most significant form of interference because of the sensitivity of the information involved.
Once these privacy problems are articulated, it is then possible to estimate the associated costs. Of course, in order to truly advance an argument that investments in privacy are of value, one need only turn to the market constituents – Canadian patients.
4.0 Privacy and Canadian healthcare
Studies tell us that privacy is important to Canadians, but only to a certain degree. A recent report by Industry Canada revealed that 82% of Canadians expressed concern about privacy and security issues while using the Internet. However, the majority of those surveyed also said the convenience of the Internet outweighs concerns about security and privacy issues (only about a third reported that privacy issues should be the primary concern).4 On the other hand, privacy can take on an entirely different meaning in the context of healthcare.
Canada has 23 privacy acts that are predicated on factors such as sector and jurisdiction. The premise underlying privacy in healthcare is the collection, use and disclosure of personal health information (PHI), which could be considered a subset of personal information. A joint study by Canada Health Infoway, Health Canada and the Office of the Privacy Commissioner of Canada indicate that Canadians regard the privacy of their PHI as somehow "different" than personal information generally.
In fact, Canadians consider PHI to be one of the most important types of personal information to protect. At the same time, most respondents in the study reported having "reasonable confidence" in those storing and holding personal health data and in the mechanisms used to safeguard such data.5 This confidence was significantly higher than the reported confidence level in the protection of personal information in general.6 Yet the confidence that PHI will be protected was not derived from patients' confidence in legislative or regulatory instruments. In fact, very few Canadians were aware of laws or protective agencies with oversight responsibilities.7
So where does this confidence that PHI will be protected come from? It could simply be the assumption that PHI is well protected. The study noted that reported incidents of breaches of PHI were low – only 4% of respondents reported knowing that their health information was used inappropriately or without their consent. Of those however, 33% attributed such breaches to a failure to hold information in confidence and inappropriate disclosure to family members or others. For example, the report included anecdotes such as: "[A] receptionist was talking about me to a mutual friend", and "I was sent a letter for a fundraiser for a specific disease which I had and it came [from] the hospital I was treated, so someone used the information to see if I would donate money." This means that many of the breaches they did report emanated from those in positions of trust, and from internal sources rather than external threats.8 Yet it is important to note that Canadians also reported having the most confidence in their family doctor, followed by nurses and pharmacists.
5.0 Why an economic analysis is useful
There is always an underlying assumption that the healthcare provider's collection, use and disclosure of PHI is for the purpose of effective treatment. Whether this purpose raises a privacy concern depends on its impact on the patient. In some cases, the patient impact is positive (e.g., when an emergency medical practitioner obtains life-saving information) or negative (e.g., when it results in unwanted solicitation).
What tends to be less understood are the more subtle benefits or less obvious cost or risk factors. Every time a patient is engaged by the healthcare provider, they must weigh the potential "costs" and benefits of revealing their PHI against those of keeping it private. Such a thought process, whether based on real or perceived concerns, is in effect an economic analysis.
In his white paper on the economics of privacy, Hal Varian provides an example of individual and institutional privacy decision making. Suppose a potential buyer of insurance is a smoker. This individual knows smoker premiums are higher and does not want this personal information disclosed. Since the information here concerns the price at which the insurance is offered, there are two opposing forces at work: the buyer would not want to reveal the information that he is a smoker, while the seller would want to know this information.9 Therefore it is in the interests of the seller (i.e., the insurance company) to construct the transaction in a way that the information is revealed.
To the average individual however, the economic analysis of privacy is less than clear. Yet they make decisions about privacy without complete information all the time. Furthermore, decisions about privacy do not occur at the individual level only. Institutions too must weigh costs and benefits when developing systems around PHI.
6.0 The value of privacy in healthcare
Incentives to provide personal information are important because healthcare providers spend a good portion of their time trying to collect such information and rely on its completeness and accuracy of such information. Without full and unrestricted channels of communication between patient and healthcare provider, there is an increased risk of misdiagnosis, inappropriate treatment, compliance and clinical inefficiency, malpractice injury and death.10 Therefore, there is an expectation that when the individual engages with the healthcare provider, they will provide complete and accurate information without question.
If privacy builds trust, and trust in turn facilitates the free flow of information from the patient to the healthcare provider, then it is only logical to conclude that we should be building privacy into healthcare systems. However, how this can be achieved is unclear. This lack of clarity hampers decision making about privacy because those involved cannot easily articulate privacy issues, so decision makers often default to efficient delivery of patient care since those metrics are more readily understood. In order to make meaningful decisions about privacy, one has to take a holistic approach to identifying privacy issues and addressing them in a meaningful way.
7.0 Costs and benefits – striking a balance
Perceptions of privacy and security within the context of IT are changing dramatically. A recent IDC Canada survey of Canadian IT managers found that privacy is replacing security as the top governance, risk, and compliance focus of Canadian organizations with a cumulative spend of over $700 million.11 The business of healthcare is no exception. While information technology is a driver behind enabling and securing privacy, it also has the power to amplify privacy problems.
Online tools allow an unprecedented level of traceability of a user's activities. While profiling could benefit users by assisting in pinpointing preferences, it can also be used to effectively exclude individuals with less attractive characteristics.12 Furthermore, such practices can lead to invasive downstream uses including identity theft. Therefore, implementing systems without considering the privacy implications has associated costs that can increase in magnitude over time. This potential amplification of privacy problems through technology has driven a compelling need to evaluate how data subjects (individuals) and data collectors (institutions) make decisions about privacy.
7.1 More or Less Privacy? Ask the individual
A good barometer of how individuals and institutions make decisions about privacy is consent. Consent is the primary means by which the data subject makes his/her preferences known about collection, use and disclosure to the data holder. Studies on consent provide important insight into the value individuals place on personal information and how institutions manage individual expectations.
Electronic health records (EHR) provide a good test case for evaluating how decisions about consent are made. Ontario's own e-Health Program has indicated that the ultimate goal of its strategy is to create an electronic health record (EHR) for all Ontarians by 2015.13 But EHR use and the potential it has to facilitate data linkages, necessarily raises privacy and trust issues. If given the option, to what types of uses would Canadians consent?
Most Canadians claim they would be comfortable with EHRs being used to anticipate health crises, or to monitor or prevent improper uses of the healthcare system. Where consent is obtained, health researchers can link personal health information to other records that may be related to health outcomes. However, while most Canadians support the use of EHRs in research, support for such research drops dramatically if their personal information is not removed.14
While patients see value in disclosing the information, they also want to have choice before a disclosure is made. How best to elicit those choices and ensure that they are up-to-date remains in question.15 Institutions however need to be aware of individual decision-making criteria to build systems that will result in the most efficient way of capturing and communicating EHR information.
Consent also provides a useful metric for gauging how institutions make decisions about privacy. One study examined the approach of Research Ethics Boards (REB) in assessing the need for individual consent to research involving access to medical records. Most REBs indicated that, in principle, consent is required if identifiable information is being abstracted from the records. However, there were a number of REBs which reported not requiring consent.
Like individuals, institutions may use similar factors such as internal definitions of trust to make decisions about privacy. And, like individuals, there may be operational definitions and external considerations which factor into privacy decision making.
8.0 Getting it right – towards an enterprise privacy framework
Mechanisms governing privacy need to be flexible and able to adapt to both privacy and its context. In the same manner as one might weigh costs and benefits, there is a similar balancing act going on in privacy between too much control and not enough control. The challenge lies in calibrating it correctly. Therefore, for an enterprise-wide solution to be effective, it would:
- Need to be comprehensive and yet adaptable as requirements shift
- Account for variation in privacy problems and the context in which such problems occur
- Be capable of supporting a culture of privacy and promotes trust
8.1 The four modalities
In order to provide an adaptive structure able to accommodate the multi-faceted nature of privacy, a comprehensive framework should contain four broadly-based modalities, each of which has its own privacy sensitivities:
- Privacy leadership
The holistic approach demanded by an enterprise framework will lead to a significant degree of overlap and feedback between the groups. These overlapping modalities are displayed in Figure 1 below, with a culture of privacy forming the heart of the diagram.
Figure 1: An Enterprise Privacy Framework
The following is a description of how these modalities work within an enterprise framework:
- Actions – This modality represents the proactive steps an organization takes in order to initiate privacy. Actions transpire as individuals function within the system. For example, a nurse that sees a red flag on a patient file that indicates specific privacy properties would take steps to ensure it received the appropriate handling based on its status. However, actions cannot be carried out without the appropriate infrastructure to stop a rogue employee from accessing PHI already flagged.
- Infrastructure – This modality includes the fundamental facilities and systems serving the enterprise which supports privacy. This includes the communications system which attaches the red flag to the patient file, as well as the database that enforces different access rights and permissions depending on need and status. In addition, the infrastructure authenticates those permissions and offers the ability to limit the collection of personal information and to de-identify that information where possible. The consent management system also allows the patient to place restrictions on access.
- Knowledge – This modality is the cumulative or collective organizational understanding of the privacy landscape and how this translates into business practices. It consists of knowledge of privacy issues and context, as well as familiarity with legislative and regulatory requirements. Knowledge means understanding privacy costs and benefits and how these relate to individual and institutional decision making.
- Privacy Leadership – For a framework to be effective it needs dedicated leadership with a real grasp of privacy issues and how to address them. Privacy leadership is an individual or a core team of individuals who really "get" privacy, understand the interplay of the modalities in the framework and are positioned to provide strategic insight into business requirements based on a holistic approach.
8.2 Tools for privacy solutions
One cannot build a framework without tools. To that extent, there are several tools which may be beneficial. These include:
- Privacy policies and procedures – These need to be comprehensive, clear, concise and relevant for the particular audience, whether internal or external.
- Ongoing privacy training – Organizations may have a comprehensive set of policies and procedures, but if its staff does not read them nor receive the corresponding instruction, they are rendered useless. Training is a key way to ensure staff knows how to conduct themselves.
- Privacy communications – Much like policies and procedures, communications need to be clear and appropriately directed. Their effectiveness depends as much on the message as it does on identification of the appropriate channels of communication. They also need to be broadly based and reach out to all parts of the organization, and individuals need to know who to contact when there are questions about privacy. The necessity for effective communications becomes very clear in the context of privacy incident management. There needs to be a mechanism in place that addresses all relevant processes from containment to notification (if necessary).
- Privacy impact assessments (PIAs) – The PIA helps institutions to develop a plan to avoid or mitigate any adverse effects regarding the collection, use and disclosure of personal information. It helps elucidate gaps in current practices and develop strategies to address them. With some preliminary guidance and a PIA toolset geared toward the particular line(s) of business and the appropriate jurisdiction(s), institutions should be able to develop their own internal resources to conduct their PIAs.
Healthcare providers should recognize that privacy is not an impediment but an enabler of effective and efficient healthcare delivery. Privacy promotes data use and effective management. This is why healthcare provider decision makers need to consider privacy as more than something driven by legislative compliance. Rather, it needs to be part of an operational strategy that delivers economic value.
Without privacy there can be no trust, and without trust, personal health information is either falsified, incomplete or withheld. This leads to deficiencies that translate into real costs. With this in mind, organizations need to build a culture that recognizes the value of privacy and take steps to implement a balanced approach. This will ensure that patients can maintain their privacy while enabling their ability to share information with their providers. To that end, organizations need to take the time to identify privacy problems and their context in order to produce meaningful and targeted privacy practices.
Sensitivity to notions of trust must inform privacy decision making based on a clear understanding of economics. An economic analysis can facilitate assessments of both the need and the approach to privacy problems and corresponding solutions.
If one considers privacy to be part of a business strategy, it cannot be treated in isolation. An enterprise privacy framework therefore needs to encompass an integrated and holistic approach which touches upon all aspects of the organization. Whether such a framework is effective depends on the interplay of all modalities of the framework; as well as their ability to adapt as new information comes in, contexts change and costs and benefits shift. This approach will provide the right formula for instilling a culture of privacy16.
Talk to Bell
Bell combines extensive clinical best practice knowledge with innovation, business sense, technological expertise and a thorough knowledge of the healthcare industry to help you optimize your healthcare services. The foundation of our world-class ICT infrastructure is a high-powered, reliable network backed by multidisciplinary experts. Our highly-skilled professionals offer diverse expertise in ehealth solutions, from initial assessment of your needs through design, implementation and support.
Learn more by contacting your Bell representative, or click here to have a Bell representative contact you.
1 Andy Greenberg, "MetaData: The Rising Price of Data Breaches" Forbes.com (2 February 2009), online: Business and Financial News at Forbes.com < http://www.forbes.com/2009/01/30/security-hacking-enterprise-technology-security_0202_data_breach.html >.
2 EKOS Research Associates, "Electronic Health Information and Privacy Survey: What Canadians Think – 2007" (August 2007) at 26-7.
4 The Digital Economy in Canada, "Public Views of Privacy and Security on the Internet" online: Industry Canada < http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00394.html#Usage >.
5 Ibid. at 2. For example, 79% considered their PHI to be at least moderately safe and/or secure.
6 37% of respondents reported having less protection of their health information than five years ago, while 53% felt this way about their personal information.
7 Supra note 5
8 Ibid. at 28
9 Hal Varian, "Economic Aspects of Privacy" (6 December 1996) online: UC Berkeley School of Information < http://people.ischool.berkeley.edu/~hal/Papers/privacy/ >.
10 Health Canada, Health Care System, "Certain Circumstances: Issues in Equity and Responsiveness in Access to Health Care in Canada", online : < http://www.hc-sc.gc.ca/hcs-sss/pubs/acces/2001-certain-equit-acces/part1-doc1-sec2-eng.php >.
11 Filing Information: January 2008, IDC #CA8AS7, Volume: 1, Tab: Users
12 John Schwartz, "Giving the Web a Memory Cost Its Users Privacy," (The New York Times, 4 September 4, 2001) online: The New York Times < http://query.nytimes.com/gst/fullpage.html?res=9B0DE1D61639F937A3575AC0A9679C8B63 >
13 "Ontario Integrates e-Health Activities Under One Agency" (Press release, 29 September 2008) online: Ministry of Health and Long-Term Care < http://www.health.gov.on.ca/english/media/news_releases/archives/nr_08/sep/nr_20080929.html >.
14 Supra note 5
15 Donald J. Willison, Lisa Schwartz, Julia Abelson, Cathy Charles, Marilyn Swinton, David Northrup and Lehana Thabane, "Alternatives to Project-specific Consent for Access to Personal Information for Health Research: What Is the Opinion of the Canadian Public?" (2007) J Am Med Inform Assoc. 14:706 –712.
16 This white paper has been adapted from, "Why Privacy Matters in Health Care Delivery: a Value Proposition" as published in 2009 World Congress on Privacy, Security, Trust and the Management of e-Business. Proceedings of a Conference Held August 25 -27, 2009 (Los Alamitos, CA: IEEE Computer Society, 2009), ISBN: 978-0-7695-3805-1.
Additional sources used in the development of the original paper:
- Daniel J. Solove, Understanding Privacy, (Cambridge: Harvard University Press, 2008) at 79.
- EKOS Research Associates, "Electronic Health Information and Privacy Survey: What Canadians Think – 2007" (August 2007) at 26-7.
- Paul Farrow, "Shredders fly off the shelves as identity theft rises." The Sunday Telegraph (February 12, 2006) (Lexis Nexis).
- Wally Hill, "Telemarketing and Consumer Choice" (Speaker, OBA Institute 2 February 2009) [unpublished].
- Acquisiti, A. Grossklags, J. : Privacy and rationality in decision making. IEEE Security & Privacy, January-February (2005) 24-30.
- Warren and Brandeis. "The Right to Privacy" (1890) IV Harvard Law Review 5.
- Treasury Board of Canada, "So, What Exactly is Privacy?" < http://www.tbs-sct.gc.ca/pgol-pged/piatppfefvp/course1/mod1/mod1-2_eng.asp >.
- Alan Westin, "Opinion surveys: What consumers have to say about privacy" (Prepared witness Testimony, The House Committee on Energy and Commerce, 8 May, 2001) online: < http://bulk.resource.org/gpo.gov/hearings/107h/72825.pdf >.
- Adam Shostack and Paul Syverson "What Price Privacy (and why identity theft is about neither identity nor theft)" in L. Jean Camp and S. Lewis, eds., Economics of Information Security, (Boston: Kluwer, 2004) at 132-134.
- Bernardo A. Huberman, Eytan Adar and Leslie R. Fine "Valuating Privacy" online HP Labs < http://www.hpl.hp.com/research/idl/papers/deviance/ > at 2.
- Health Canada, Health Care System, "Certain Circumstances: Issues in Equity and Responsiveness in Access to Health Care in Canada", online : < http://www.hc-sc.gc.ca/hcs-sss/pubs/acces/2001-certain-equit-acces/part1-doc1-sec2-eng.php >.
- John Schwartz, "Giving the Web a Memory Cost Its Users Privacy," (The New York Times, 4 September 4, 2001) online: The New Your Times < http://query.nytimes.com/gst/fullpage.html?res=9B0DE1D61639F937A3575AC0A9679C8B63 >.
- Report on Organized Crime, Criminal Intelligence Service Canada, online: < http://www.cisc.gc.ca/annual_reports/annual_report_2008/document/report_oc_2008_e.pdf > at 39.
- "You can build a new identity: Medical data theft; Sensitive material stored in records, experts warn" Calgary Herald (12 March 2009). See also 2008 Breach List and Statistics - Identity Theft Resource Center, online: NYMITY, < http://www.nymity.com/Free_Privacy_Resources/Previews/ReferencePreview.aspx?guid=ca535416-555f-413a-9645-66a0f04ecac0 >. For an overview of identity theft in healthcare, Gordon Atherley, Identity theft in Healthcare A White Paper (January 2006) online: < http://www.teranet.ca/corporate/publications/Identity_Theft_In_Healthcare.pdf >.
- "Ontario Integrates e-Health Activities Under One Agency" (Press release, 29 September 2008) online: Ministry of Health and Long-Term Care < http://www.health.gov.on.ca/english/media/news_releases/archives/nr_08/sep/nr_20080929.html >.
- D. J. Willison, C. Emerson, K. V. Szala-Meneok, E. Gibson, L. Schwartz, K. M. Weisbaum, F. Fournier, K. Brazil and M. D. Coughlin "Access to medical records for research purposes: varying perceptions across research ethics boards" (2008) J Med Ethics; 34:308–314.