< Back

A Delicate Balance
October 6, 2009 10:00 AM

Health information privacy and patient safety

By Barry Burk, Christine Callahan
Barry Burk
Vice-President, Healthcare Industry
IBM Corporation

Christine Callahan
Manager, Corporate Relations

By 2010, half of all Canadians will have an electronic health record (EHR), and by 2015, that number is expected to be 100 per cent.  That means paper medical records, lab tests, diagnostic imaging results and medication history currently residing at doctors’ offices and hospitals will be available electronically to caregivers.  

EHRs bring important, positive changes to healthcare, but also lead to privacy concerns for both patients and care providers. 

The benefits are many: fewer medical errors; less chance of adverse drug interactions; less duplication of medical tests; more accurate diagnoses; improved chronic care; billions of dollars in cost savings to the healthcare industry. 

And because doctors, nurses and other care providers will have immediate access to important medical information, they can provide better care.  If a patient is traveling out of province and is admitted into the ER but cannot communicate, the care team can look for drug allergies and other potential health issues with the click of a mouse.

But even with the benefits, digitizing personal health information (PHI) raises important issues: if PHI is “out there” in cyberspace rather than in a folder in the doctor’s office, who can access it, and who controls access to it?  And what would be the impact on patient safety if PHI is blocked for privacy reasons?

According to some provincial privacy laws, once a patient has gone to a care provider for treatment, that patient has, essentially, given consent for his or her PHI – electronic or otherwise – to be used and shared with other healthcare professionals.  But this may not be completely in keeping with the patient’s wishes.  Although some patients want all doctors and nurses to have access to their entire medical record, others have sensitive PHI that they would like to keep private. 

It’s a little-known fact patients can actually control the privacy of their health information.  In several regions in Canada, health privacy law – or hospital privacy policy – permits patients to limit access to sensitive health information.  And for good reason, as few types of information are more personal than PHI. 

The reasons for restricting access to PHI may be as personal as the PHI itself.  Does a radiologist need to know his patient is taking antidepressants?  Does a dermatologist need to know her patient had an abortion 15 years ago?  Or, if a hospital nurse is admitted to her workplace for treatment, should curious coworkers have access to her PHI?

Healthcare providers are required by law to meet certain privacy requirements.  But for medical staff, the privacy issue also raises safety concerns.  If a patient can limit access to PHI, will the care team be able to get the information they need to properly treat the patient?  And if not, will the patient’s health be at risk?

The key is to balance patient information privacy with caregivers’ need to access PHI in critical situations.  This is now achievable with technology.  HIPAAT, an Ontario-based health-privacy software company, has teamed with IBM to address the issue locally, regionally and nationally. 

HIPAAT’s consent software, Privacy eSuite, enables patients to restrict access to sensitive health information.  IBM’s SOA Foundation software provides additional identity and access management capabilities to ensure when PHI is accessed – in any healthcare setting, such as a hospital, clinic or health information network – it is done securely.

To decrease the patient safety risk, the software is able to quickly provide caregivers with “break the glass” access to restricted PHI in emergency situations, when permitted by law and by the patient. 

HIPAAT and IBM technologies let patients decide:
  • who can access their PHI (e.g. do not allow Dr. Jon Smith to access my PHI)
  • what PHI can be accessed (e.g. do not allow anyone to access my HIV-related medical files), and
  • when (e.g. do not allow anyone to access PHI related to my visits from October 15 – 21, 2007).
Privacy eSuite and the SOA Foundation work together “in the background” on computer networks to help doctors, nurses and other healthcare providers meet patient and legal privacy requirements.  And patients are kept in the loop.  All access to PHI is recorded in an audit trail so when required, patients can be advised who looked at – or tried to look at – their information.

Health information privacy and patient safety do not need to be mutually exclusive.  With a Pan-Canadian EHR on the horizon, it’s a delicate but important balance.

To find out about health information privacy rights, visit the Office of the Privacy Commissioner of Canada’s Web site and link to the appropriate provincial or territorial contact information.

Barry Burk
Vice-President, Healthcare Industry
IBM Corporation
Barry Burk is the Senior IBM Executive responsible for all aspects of IBM’s business in the healthcare and life sciences sector in Canada.  Managing a nationwide team of industry specialists, Barry is responsible for developing the strategy, solutions, services and partnerships to optimize IBM's opportunity in the rapidly changing healthcare industry in Canada. Over his twenty-year career, Barry has held a number of key strategy, sales and management positions. During his tenure with IBM, he has successfully consulted with Canadian organizations in leveraging their business strategies through the alignment of information technology strategies with the goals of their enterprise.

Christine Callahan
Manager, Corporate Relations

Christine Callahan is responsible for activities related to communications, marketing, business strategy and alliance relationships at HIPAAT.  She works closely with internal and external stakeholders to build HIPAAT’s profile in the healthcare IT space.  Christine has spent seven years in healthcare IT, with over five of those at HIPAAT. 

A member of the International Association of Business Communicators, Christine holds a Bachelor of Arts in English and Anthropology from the University of Toronto, and a Postgraduate Certificate in Public Relations from Humber College.

IBM PartnerWorld
About Us Subscribe Editorial Register

© 2014 Simplex Knowledge Company. All Rights Reserved.   |   TERMS OF USE  |   PRIVACY POLICY