PrivaTalk - September 2002

PrivaTalk

September 2002
Volume 2
Issue 9

Montreux Court Documents a Clear Invasion of Privacy

When the Vancouver Island Health Authority (“VIHA”) decided last month to take Montreux Counselling Clinic to court on allegations of violating community care regulations, the information VIHA had collected over the past four years about the Rockland Avenue eating-disorder clinic became public. Anyone with $8.00 for a document search and some time on their hands can browse through the three binders at the Victoria, B.C. courthouse.

Medical records and notes on patients, earnings and home addresses of careworkers, and e-mail exchanges with former patients are now public knowledge. And those are just the documents tabled by the health authority. Further releases of personal information are likely to occur by the time Montreux lawyers have compiled their evidence for the court case.

Willfully violating another person's privacy in the course of a court or quasi-judicial proceeding is not against B.C. law. The difficulty from a privacy perspective is that court records are public records, and the bigger concern now is that court and human rights judgments are posted on the Internet, giving far easier public access to the intimate details of individuals' personal lives.

Public bodies and the judiciary should be encouraged to anonymize information in cases where the identity of the person is not material. In the Montreux case, a few names did end up blacked out on some of the court records, and because Montreux refers to its patients by number only in its extensive daily record-keeping, patient identity is shielded in those particular documents. Unfortunately, that matters little when the records sit in the middle of a mass of documentation detailing every aspect of the clinic: a patient number is only a pseudonym, and any other document in the binders that pairs the number with a name, an address or an e-mail exchange lets a reader put the two together again. Anonymization has to be applied to the whole set of documents that will be disclosed, not only to the records that happen to use numbers.
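As an added illustration, not part of the original newsletter and not the clinic's or the court's own records, the following Go program models the linkage problem with a constructed bundle: daily records that refer to patients by file number only, plus a staff e-mail whose header carries a name and whose subject carries the same file number. ReIdentify joins the two, as anyone browsing the binders could do by hand; RedactForFiling shows what filing copies need before numbering counts as anonymization: identifiers stripped from the linking documents, and file numbers replaced by a keyed pseudonym so they cannot be carried back to the clinic's live numbering. All names, keys and document contents are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// DailyRecord is a clinic note that names the patient only by file number.
type DailyRecord struct {
	FileRef string // e.g. "17"
	Note    string
}

// Email is a staff message filed in the same bundle. Its header carries the
// patient's name and address; its subject carries the same file number.
type Email struct {
	To      string // e.g. "Jane Doe <jane.doe@example.com>"
	Subject string
	Body    string
}

var (
	fileRefRe     = regexp.MustCompile(`(?i)\bfile\s*#?\s*(\d+)\b`)
	displayNameRe = regexp.MustCompile(`^\s*([^<]+?)\s*<`)
)

// ReIdentify joins the pseudonymous records to the e-mails on the file number
// and returns the name recovered for every record that could be linked.
func ReIdentify(records []DailyRecord, mails []Email) map[string]string {
	nameByRef := map[string]string{}
	for _, m := range mails {
		ref := fileRefRe.FindStringSubmatch(m.Subject + " " + m.Body)
		name := displayNameRe.FindStringSubmatch(m.To)
		if ref != nil && name != nil {
			nameByRef[ref[1]] = name[1]
		}
	}
	linked := map[string]string{}
	for _, r := range records {
		if name, ok := nameByRef[r.FileRef]; ok {
			linked[r.FileRef] = name
		}
	}
	return linked
}

// Pseudonym derives a filing reference from a file number with a keyed hash.
// The key is generated for the one disclosure and never filed, so the reference
// cannot be mapped back to the clinic's live numbering, yet it stays consistent
// across every document in the bundle.
func Pseudonym(key []byte, fileRef string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte("file:" + fileRef))
	return "P-" + hex.EncodeToString(mac.Sum(nil))[:8]
}

// RedactForFiling produces the copies that should go to the court: the name and
// address are stripped from every e-mail header, and every file number, in the
// records and in the e-mails, is replaced by its pseudonym. Redacting the
// records alone would leave the e-mails behind as a lookup table.
func RedactForFiling(key []byte, records []DailyRecord, mails []Email) ([]DailyRecord, []Email) {
	sub := func(s string) string {
		return fileRefRe.ReplaceAllStringFunc(s, func(m string) string {
			return "file " + Pseudonym(key, fileRefRe.FindStringSubmatch(m)[1])
		})
	}
	outR := make([]DailyRecord, len(records))
	for i, r := range records {
		outR[i] = DailyRecord{FileRef: Pseudonym(key, r.FileRef), Note: sub(r.Note)}
	}
	outM := make([]Email, len(mails))
	for i, m := range mails {
		to := "<redacted>"
		if ref := fileRefRe.FindStringSubmatch(m.Subject + " " + m.Body); ref != nil {
			to = Pseudonym(key, ref[1]) // addressee identified by pseudonym only
		}
		outM[i] = Email{To: to, Subject: sub(m.Subject), Body: sub(m.Body)}
	}
	return outR, outM
}

// Constructed sample bundle (not the real Montreux documents).
var (
	SampleRecords = []DailyRecord{
		{FileRef: "17", Note: "Day 4: meal plan reviewed, weight stable."},
		{FileRef: "23", Note: "Day 9: family session, discharge planning."},
	}
	SampleMails = []Email{
		{To: "Jane Doe <jane.doe@example.com>", Subject: "Re: your file #17", Body: "Hi Jane, following up on Tuesday's session."},
		{To: "info@example.org", Subject: "Staff rota", Body: "Shift swap approved."},
	}
)

func main() {
	fmt.Println("before redaction:", ReIdentify(SampleRecords, SampleMails))
	key := []byte("per-disclosure key, never filed") // assumption: random in practice
	r, m := RedactForFiling(key, SampleRecords, SampleMails)
	fmt.Println("after redaction: ", ReIdentify(r, m))
	fmt.Println(r[0].FileRef, m[0].To, m[0].Subject)
}
```

Run as written, the first line of output names the patient behind file 17 from the clinic's own pseudonymous records; after redaction the same join yields nothing, while the pseudonym still ties record and e-mail together for the court's purposes.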

The issue becomes one of balancing the right to access public records with the right to privacy. Achieving the right balance is critical to preserving the value of public court documents while still protecting personal information.


Internet Service Providers may be Forced to Archive User Data

Canadian Internet service providers (ISPs) face the possibility of significant infrastructure upgrades under a government proposal that would make them store customer data and disclose it to police and intelligence agencies.

According to a 21-page discussion paper posted on the Department of Justice Canada’s Web site (http://www.canada.justice.gc.ca/en/cons/la_al/), the government may try to introduce a law next year that could require ISPs to keep all traffic logs for six months, while allowing authorities to more closely monitor suspected criminals. It also raises the notion of a national database of every Canadian with an Internet account. The government will take comments on the proposal until November 15th.

In the discussion paper, the government insists that it will continue to uphold rights protected by the Canadian Charter of Rights and Freedoms, such as the protection against self-incrimination.

Even if ISPs are required to retain logs, further legislation may be necessary before law enforcement can rely on ISPs for interception in their investigations. Providers of certain wireless services have, since 1996, been required to maintain facilities capable of lawful access as a licensing condition under the Radiocommunication Act; there is currently no similar obligation on other providers.

ISPs have largely maintained a cooperative relationship with law enforcement, for example when police ask for help in monitoring a customer suspected of running a child pornography site. The Department of Justice proposal, however, takes police powers a step further: the ISPs would not necessarily control what was looked at or when, since law enforcement agencies could monitor Internet traffic and Internet use indiscriminately.

The discussion paper does not make clear whether the law would apply to existing services or whether it would only kick in once an ISP introduces new services. There is also the question of compliance – how the regulations will deal with ISPs that don’t follow the law.

There are big questions around costs as well, that is, whether the upgrades necessary to comply with the law would be paid for by the ISP or subsidized by the government. Right now, an ISP logs each customer's IP address and the "start" and "stop" times of their sessions in order to bill for the service. Far greater storage capacity would be required to retain a record of every customer's activity for six months; holding that data would mean additional servers and storage, provisioned so that the logging itself does not slow down the network.

Being forced to retain records is also of grave concern to many ISPs because it could create a breach of trust between ISPs and their customers. It is also a clear example of how privacy and security legislative initiatives can clash. If ISPs store every user's traffic records for an extended period, the resulting database invites very powerful misuses. Anyone who works at the ISP with access to those systems could read the data, and a large central store of that kind will attract outsiders as well; to suggest that it would be available only to law enforcement agencies is impractical. Somebody will find a way to get at it.

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) currently applies to telecommunications companies, and past case law suggests that this includes ISPs. Even if it does not, ISPs will be governed by the Act when it extends to all commercial activity in 2004. Under such legislation, information may be retained only as long as necessary to fulfil the identified purposes for which it was collected, or as long as necessary to comply with applicable laws, such as the one now being contemplated.


Western Provinces Health Network Puts Health Records On-Line

Western Canada’s largest health regions are pooling their knowledge, experience and other resources to implement an integrated, effective electronic health record (EHR) system. The Calgary and Edmonton health regions, the Regina and Saskatoon health districts, Winnipeg’s regional health authority, and the Vancouver coastal and Vancouver Island health authorities are involved in the partnership.

The partnership will be known as the Western Electronic Health Record Regional Collaboration (WERC). Each of the health regions participating in WERC has been working on developing its own EHR, and there have already been many pilot projects to this end. The electronic health record will benefit physicians by making their practices more efficient. Patients will also benefit from shared records; the greatest benefit is that combining patient information with access to clinical reference knowledge and clinical decision support tools improves quality of care and patient safety. However, as with any sensitive information that is shared electronically, privacy and security concerns come to the forefront, and have made some patient groups and privacy activists leery of the project.

The WERC group says it hopes another advantage of collaborating will be that they stand a better chance of receiving local, regional, provincial and federal funding to implement an EHR. They estimate hundreds of millions of dollars in investment will be needed over the next five to seven years to fund the development of an EHR system in Western Canada.

WERC will develop an EHR for use in an integrated model. It will be implemented in the community (in family doctors’ offices and in long-term care), and in secondary and tertiary care facilities (including specialist offices, acute and ambulatory clinics).

The WERC EHR will also be implemented in each of the participating health regions. If a patient moves from one WERC region to another, their electronic record will follow them. WERC is collaborating with Canada Health Infoway Inc., the Western Health Information Collaborative (WHIC), which looks at policy issues, provincial health ministries and provincial health information groups such as Alberta Wellnet and the Saskatchewan Health Information Network.

Given the long history of clinical information systems in urban centres, it is surprising that the electronic health record has not been implemented more widely and more quickly across Canada. Privacy concerns may be overstated, particularly because paper medical records are often less secure and more susceptible to falling into the wrong hands when they are left in plain view at doctors' offices, stored insecurely or passed by hand between health care providers and facilities. The one respect in which an electronic record raises the stakes is scale: a misplaced paper chart exposes one patient, whereas a shared record system that is misused or compromised can expose every patient in it, which is why access controls and audit trails recording who looked at which record, and when, belong in the design from the outset.


New HIPAA Privacy Implementation Rules Released

Signed into U.S. law in 1996, the Health Insurance Portability and Accountability Act (HIPAA) extends the traditional rules of patient confidentiality to the physical office environment, computer systems and the work of clinical staff such as nurses. The legislation was motivated in part by the increasing exchange of medical information over the Internet, and aims to establish national standards for electronic health care transactions. HIPAA applies to almost every type of health care organization, including health plans and health care clearinghouses, hospitals, physician practices, dentist offices, medical equipment suppliers, nursing homes and pharmacies. These are known as covered entities under the legislation.

The Bush administration has formally modified the medical privacy rules adopted under President Bill Clinton; the rules can be found at http://www.hhs.gov/ocr/hipaa/. At the same time, it set new standards for the use of personal information to market prescription drugs and other health care products. The new rules, the first comprehensive federal standards for medical privacy, will affect virtually every doctor, patient, hospital, drugstore and health insurance company in the United States. They are the final version of changes proposed in March, embody more than five years of work and have the force of law.

Most health care providers and insurers have to comply by April 14, 2003 or face civil and criminal penalties, including a $250,000 fine and 10 years in prison for the most serious violations.

The administration decided to abandon the core of the Clinton rules, a requirement that doctors, hospitals and other health care providers obtain written consent from patients before using or disclosing personal medical information for treatment or paying claims. Instead, providers will have to notify patients of their remaining rights and make "a good-faith effort to obtain a written acknowledgment of receipt of the notice". Administration officials made the change despite opposition from consumer advocates, patients' rights groups and psychiatrists, arguing that the prior regulation, while well intentioned, would have forced sick or injured patients to sign multiple consent forms before they could get care or medicine.

A specific goal is to safeguard the electronic transfer of claims information; the broader aim is to improve patients' control over, and access to, their medical information. Implementation is being handled by the federal Centers for Medicare & Medicaid Services (CMS), a unit of the U.S. Department of Health and Human Services.

The new HIPAA rules focus on a specific category of information known as protected health information. Protected health information is health information in any form (paper, electronic or verbal) that identifies, or could be used to identify, a patient or consumer of health care services. For example, any health information that includes a patient's name, Social Security number or address would be protected information under HIPAA. It may exist in paper medical records, in a computer database or even in a telephone conversation.

HIPAA requires that all protected patient information be safeguarded in specific ways to prevent accidental or deliberate disclosure, loss or misuse. Covered entities must establish security practices to ensure that only authorized persons have access to protected information, wherever it exists. A security officer must be designated within the organization. There must be procedures for the storage, retrieval and backup of protected data held on computers. Contingency planning is necessary in the event of emergency, disaster or theft. Training must be provided for all staff who access protected information.

Given the numerous obligations that the privacy rules place on health care organizations, it is clearly not too early to begin compliance initiatives, and for some larger organizations, there isn’t a lot of time left to become compliant.


Employee Screening – What’s Acceptable and What’s Not

Employee screening is nothing new, but many employers have greatly intensified their scrutiny of the backgrounds of both current workers and job applicants. Some workers and prospective hires have claimed that firms are going too far, invading their privacy by digging up information with no real bearing on security, then using it as grounds for dismissal, discipline, or rejection.

A great majority of American workers favour some type of background checks, but have misgivings about others, according to a recent survey by Privacy & American Business magazine. Among its findings:

- 92 percent favour checking whether job applicants’ resumes contain false information.

- 91 percent approve of background checks for sexual offences and criminal records.

- 33 percent support checking whether job applicants were party to a civil lawsuit.

- 28 percent approve of checking credit histories of job applicants.

- 24 percent favour checking job applicants for bankruptcy filings.

The results of the survey are also important for Canadian employers, because they are likely indicative of what Canadian employees would find acceptable. Regardless of whether employees find a particular screening activity acceptable, consent should be obtained directly from the employee before looking into his or her background; in fact, the law currently requires this of federally regulated employers in Canada. If the employee refuses to consent, the employer may make the screening a condition of employment, as long as it is reasonable for the position being filled. For example, as reported in the Newsflash article in last month's issue of PrivaTalk, drug testing may be acceptable in certain limited circumstances because of the nature of the work.


E-mail Encryption Technology Still not Widely Used

Most people do not realize that e-mail messages are stored on the mail servers they pass through and in those servers' backups, so that anyone who compromises one of those systems, or who works there, can read, copy and retain e-mail sent months or even years earlier. Messages in transit are sent unencrypted and can be intercepted by an attacker on the path without much difficulty, then forwarded to thousands of other people. Since most people believe that e-mail is reasonably secure, even the most sensitive messages containing confidential information, for example from a doctor to a patient or a lawyer to a client, are floating around in cyberspace like open postcards.

There are plenty of e-mail encryption services available, some of them free. Yet most people don't seem to want to go to the trouble of using them.

McAfee offers a fairly simple product which, once installed, adds a button to the user's e-mail program; clicking it encrypts the message. McAfee has now put its e-mail encryption service for individuals into "maintenance mode", meaning it is no longer being updated or improved, because the product is extremely difficult to sell: customers do not want to pay for it when they do not know whether their correspondents will use it, which they must do in order to decrypt the messages. The company still offers corporate e-mail encryption through its e-business server, with 128-bit PGP encryption and data authentication.

There are still plenty of companies that offer individual users secure e-mail. The Electronic Privacy Information Center (EPIC), for one, lists companies that offer Web-based services that encrypt e-mail, send it over protected connections and verify receipt. For example, Certified Mail offers free personal accounts and charges $100 per year for business accounts, adding Secure Sockets Layer (SSL) for additional protection. HushMail also uses SSL, and users get free OpenPGP-encrypted e-mail, 2 MB of storage and free digital signing, with paid upgrades available. PrivacyX uses anonymous digital certificates, small files that establish authenticity by binding a public key to the mailbox for which the certificate was issued. One distinction is worth keeping in mind: SSL protects only the connection between the user's browser and the service, so the service operator can still read the mail, whereas OpenPGP encryption applied before the message leaves the user's hands is readable only by the intended recipient.
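As an added illustration, not from the original newsletter or from any of the vendors named above, the Go program below implements in outline the scheme the PGP products rely on: a fresh 128-bit symmetric session key for each message, wrapped with the recipient's public key, and the sender's signature carried inside the encrypted payload so that relays, archives and the service operator see only ciphertext. The key pairs, message text and container format are constructed for the example; it is not OpenPGP's packet format.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedMail is the message as mail servers, their backups and anyone on the
// path see it. The body and the sender's signature are both inside Ciphertext.
type SealedMail struct {
	WrappedKey []byte // 128-bit AES session key, RSA-OAEP to the recipient
	Nonce      []byte
	Ciphertext []byte // AES-128-GCM over body || signature
}

// Seal signs the body with the sender's key, appends the signature, then
// encrypts body||signature under a fresh session key that only the recipient
// can unwrap. Signing before encrypting, as OpenPGP does, means a relay cannot
// even learn who signed the message.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, body []byte) (*SealedMail, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 16) // one 128-bit session key per message
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, body...), sig...)
	return &SealedMail{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open unwraps the session key with the recipient's private key, decrypts (GCM
// rejects any altered ciphertext), splits off the signature and verifies it
// against the sender's public key. Plaintext is returned only if every step
// succeeds.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, m *SealedMail) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, m.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key is not addressed to this recipient")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext altered in transit or storage")
	}
	sigLen := sender.Size() // an RSA-PSS signature is one modulus length
	if len(payload) < sigLen {
		return nil, errors.New("payload too short to carry a signature")
	}
	body, sig := payload[:len(payload)-sigLen], payload[len(payload)-sigLen:]
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not verify: not from the claimed sender")
	}
	return body, nil
}

func main() {
	doctor, _ := rsa.GenerateKey(rand.Reader, 2048)  // sender's key pair (constructed)
	patient, _ := rsa.GenerateKey(rand.Reader, 2048) // recipient's key pair (constructed)
	body := []byte("Your results are back; please call the clinic.") // constructed sample
	sealed, err := Seal(doctor, &patient.PublicKey, body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what the relay stores: %x...\n", sealed.Ciphertext[:16])
	plain, err := Open(patient, &doctor.PublicKey, sealed)
	fmt.Printf("recipient reads: %q (err=%v)\n", plain, err)
	sealed.Ciphertext[0] ^= 1 // someone along the path alters one byte
	_, err = Open(patient, &doctor.PublicKey, sealed)
	fmt.Println("after tampering:", err)
}
```

Note that with this construction the mail server sees only ciphertext, so the provider, its staff and its backups are all outside the trust boundary, which is exactly what the SSL-only services above cannot offer.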

While the technology is clearly available, the companies offering it struggle with how to induce Internet users to take even the most rudimentary steps to preserve their privacy. As long as a large number of individuals and companies either believe that unencrypted e-mail is secure or cannot be bothered to make it more secure because they have had no problems in the past, we will not see wide use of the technology, however convenient it may be to implement.