Protecting Privacy with NO Privacy

A concerning CBC news report suggests that there is a spike of health care privacy breaches in Alberta:
As the text of the article clarifies, the spike is actually of reports of possible issues that are submitted to the Office of the Information and Privacy Commissioner (OIPC). New legislation mandates reporting all incidents to the OIPC. This, understandably, has increased the number of events that get reported this way (most are already managed). Not all events turn out to be genuine breaches.

This article, like others, can raise public concern about the Connect Care clinical information system (CIS). The CIS will have provincial spread. Are we exposing patients to greater privacy or security risks? 

The evidence says "No". Responsibly managed health information systems dramatically decrease privacy risks over the paper-based systems they replace. Access is more difficult. Audit trails record all chart openings, user activity and attempts to alter the record. Data backups are more robust. Data exchanges are monitored. The encryption and communication tools are vastly more secure than the telephone, fax and printed materials replaced. What does increase is visibility... giving the false impression that privacy threats increase. In fact, true breaches decrease.

What are we doing to ensure the very best protections for our Connect Care patients? 

First, we are making sure that we leverage everything technology can do for us. Connect Care manages security right down to individual chart elements, with more protections, more validations and more accountability than any prior system. 

Second, we are being realistic about technology. The greatest threat to privacy is the grey stuff between two ears... neurons, not networks. No existing technology can fully compensate for privacy illiteracy, negligence or willful access misuse. We have implemented a privacy awareness program that is about understanding, behavior and personal accountability. Everyone must complete this. And we continually reinforce.

Third, we protect patient privacy with lack of physician privacy. Everything physicians do is monitored in Connect Care. The fidelity of auditing is far greater than before. Our capacity to rapidly detect potential problems is enhanced with software that continually monitors patterns and behaviors. This is reasonable. As practitioners, we've never been entitled to hide within legal records of care. 

Again, the evidence is clear. Effective education combined with surveillance, feedback and action has the greatest impact on privacy protection.