APPENDIX D

Confidentiality of Health Information: International Comparative Approaches

Bartha Maria Knoppers, J.D.

Although the concept of the confidentiality of personal medical data is well accepted by the general public and by health professionals, the detailed practice is under potentially serious attack by governments that want access in order to combat fraud or serious crime or to improve efficiency of services, by big business that wishes to improve its competitive edge or reduce its costs by utilizing detailed personal data in order to focus the promotion of its products and services, and by health care organizations that do not keep their security measures up to the state of the art required by the information processing facilities available and the attacks on personal medical data.1

A brief comparative overview of international and national developments on the confidentiality of health information over the last half century must of needs cover (1) the right of privacy, (2) medical confidentiality per se, and (3) the protection of personal data. Together they overlap and sometimes commingle. Whether understood as a property or liberty interest,2 privacy continues to develop the zone of personal intimacy free from public scrutiny. Medical confidentiality arises from both the nature of the information concerned and the fiduciary character of the physician/patient relationship. It has seen a movement towards greater patient as opposed to professional control of health information. Finally, the recent appearance of personal data protection laws not only shields the individual from the powers of informatics but also provides a measure of security and personal control. Privacy, confidentiality, and personal data protection are inseparable when touching upon health information.

INTERNATIONAL

In 1948, the United Nations adopted article 12 of the Universal Declaration, which upholds the protection against “arbitrary interference with [one's] privacy, family, home or correspondence” and “attacks upon [one's] honor and

1  

Barber, B., “Patient Data and Security: An Overview” (1998) 49 International Journal of Medical Informatics, 19 at 25.

2  

Le Bris, S., and B.M. Knoppers, “International and Comparative Concepts of Privacy” in Rothstein, M. (ed.) Genetic Secrets New Haven: Yale University Press, (1997) 418–448.




Protecting Data Privacy in Health Services Research

reputation.” This same right is also found in the 1955 European Convention on Human Rights, although the possibility of State “interference”... “for the protection of health” was specifically foreseen as a possible exception. Although the right to privacy was further strengthened by its inclusion in the 1976 United Nations International Covenant on Civil and Political Rights, it was both the Council of Europe's 1981 Convention for the Protection of Individuals with Regard to the Automatic Processing of Data, which considered health data as “special”, and the Organization for Economic Cooperation and Development (OECD's) 1989 Guidelines for the Protection of Privacy and Transborder Flows that established the modern parameters for the principled regulation and security of medical data. The eight OECD principles are: (1) collection limitation; (2) data quality; (3) purpose specification; (4) use limitation; (5) security safeguards; (6) openness; (7) individual participation; and (8) accountability. The 1981 Convention, in particular, established exceptions for data banks for statistics or scientific research purposes as well as the rules for record linkage.

The last decade has also witnessed an increasing emphasis on patient autonomy and patient's rights. Thus, according to the World Health Organization, all health status information should remain confidential even after death (art. 4.1, Declaration on the Promotion of Patient's Rights in Europe). Concurrent with this expanding ambit of confidentiality is that of the notion of identifiability through personal data.

The 1995 European Community Directive on the Protection of Individuals (with regard to the processing of personal data and on the free movement of such data) defines personal data as “any information relating to an individual or identifiable natural person” (data subject); an identifiable person is one who can be “identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (art. 2.a). It was, however, the 1997 Council of Europe's Convention on Human Rights and Biomedicine that included a new corollary right: “the right not to be informed about health information” within the concept of respect for private life and the right to information. In a sense, privacy in the health sector once associated with the property of medical records, then as a right of “secrecy” (i.e., not to be personally identified or “processed” without consent), has now been extended to cover the sphere of personal intimacy through not being informed of one's own health data.

In that same year, the Council of Europe also adopted Recommendation R97 (5) on the Protection of Medical Data. Three articles bear mention here:

Article 1. An individual shall not be regarded as ‘identifiable’ if identification requires an unreasonable amount of time and manpower.

Article 3.1. The respect of rights and fundamental freedoms, and in particular of the right to privacy, shall be guaranteed during the collection and processing of medical data.

Article 7.2. In particular, unless other appropriate safeguards are provided by domestic law, medical data may only be communicated to a person who is subject to the rules of confidentiality incumbent upon a health care professional, or to comparable rules of confidentiality, and who complies with the provisions of this recommendation.

The status of a Council of Europe's convention is that of an international treaty, and it is binding on signatory states. The first article cited above again takes up the challenge of defining identifiability in a computerized society, thus adding the proviso “requiring an unreasonable amount of time and manpower.” The second makes explicit the link between privacy and medical data (which according to another article includes genetic data). The third limits the persons who can receive such data to health professionals or those “with comparable rules of confidentiality.” This latter requirement resonates with the “extraterritoriality” approach of the 1995 European Community Directive mentioned earlier, which is binding on countries within the European Union (EU). According to the Directive, not only must all 15 member States establish legislation that conforms with its standards, but personal data cannot be transferred from an EU country to a non-EU recipient country unless the protections in the recipient country are deemed to afford “adequate levels of protection” (art. 25.1).

The processing of health data is not distinguished from that of other personal data but the exemptions provided for under article 8 are certainly relevant:

Where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies subject to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

Finally in 1999, the European Group on Ethics in Science and New Technologies issued an opinion “Ethical Issues of Health Care in the Information Society.”3 Not only are the eight principles broader than the OECD data principles, but participation and education have been added to the traditional list. The group calls for a clear statement on rights and duties related to personal health data in the information society at a European level. Indeed, the opinion asserts that

A directive on medical data protection is desirable within the framework of the current Data Protection Directive to address particular issues arising from the use of health data;

A European patient's charter covering the above aspects, possibly by means of a recommendation, should be adopted.

3   The principles are (1) privacy, (2) confidentiality, (3) principle of “legitimate purpose,” (4) consent, (5) security, (6) transparency, (7) participation, and (8) education.

In short, there are four well-established core information principles concerning personal data protection in Europe: (1) statutory protection; (2) transparent processing; (3) special protection for sensitive data; and (4) enforcement rights for individuals. Nevertheless, a recent study for the OECD on “Data Protection in Trans-Border Flows of Health Research Data,” while supportive of self-regulatory codes of conduct (especially where there is scrutiny by a data protection authority and eligibility for funding), emphasizes the need for more consolidation.4 Within the area of sensitive data, health information is increasingly being singled out as being in need of specific statutory protection in spite of the application of the four core principles through a web of legal instruments. Nowhere is this trend more evident, however, than in national legislation.

NATIONAL

United Kingdom

In the United Kingdom (UK), confidentiality is afforded both Common Law and statutory protection. Beginning with the Common Law, “[i]t is generally thought that the action of breach of confidence is now a sui generis action finding its roots in principle of equity, contract, property and tort” (Kennedy and Grubb, 1998, p. 497). The obligation of confidence arises both from the context in which the information is communicated to the doctor and from the nature of that relationship. Furthermore, “important public interests favor confidentiality where personal information is communicated in circumstances in which it is clear that the recipient is expected to respect the privacy of that information” (p. 502). In order to succeed in an action for breach of confidentiality, a plaintiff would have to show some form of injury (including mental distress) or economic loss (p. 514).

Finally, contrary to Civil Law, a physician may disclose confidential information in the courtroom due to the public interest in the administration of justice, with the possibility that refusal could be considered contempt of court. Common Law may be modified by statute. For example, the Data Protection Act of 1998 includes in its core principles the duty to process fairly and lawfully personal data. Sensitive data, defined as including health data, cannot be processed in the absence of explicit consent unless they are necessary for medical purposes or “undertaken by a professional who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional” (Schedule 3, sec. 8).

It should be noted that the Human Rights Act (1998) incorporates the European Convention on Human Rights into UK law. This guarantees the right to respect for privacy and family life. Superimposed on this, the previously mentioned Data Protection Act of 1998 provides a framework of rights and principles governing the use of electronic or structured paper records, including fair processing. Nevertheless, in spite of the core principles found therein, the law does not specify when confidential information should and should not be disclosed to others, in research or most other activities. Thus, decisions must be made according to Common Law on a case-by-case basis even when a research project has been approved by a research ethics committee and authorized by a health authority.5

4   Organization for Economic Cooperation and Development, Data Protection in Transborder Flows of Health Research Data (STI: Health Policy Brief) 1999, at p. 23; See also Schwartz, P. “European Data Protection Law and Medical Privacy” in Rothstein, M. (ed.), supra, note 2, 392–417.

It also bears noting that in 1999, the British Medical Association (BMA) reiterated its request for statutory intervention to clarify the law in respect of the confidentiality of medical information in both the private and the state sector.6 The general principles put forward by the BMA follow:

Information disclosed should be the minimum necessary to achieve the objective and, whenever possible, anonymous. Patients should be made aware of the potential uses of their information and be given an opportunity to object. Use of information for research is currently accepted as long as it is carried out within the guidelines and subject to monitoring by appropriately constituted research ethics committees. The BMA strongly recommends that patients be made aware that research is carried out and that it may involve the use of their records unless they object.

Generally, the association maintains that although research constitutes a justifiable use of personal health information, ideally it should use anonymized data wherever possible. The information disclosed should be the minimum necessary to achieve the objective. It may be possible to use pseudonyms or other tracking mechanisms for information, which cannot be anonymized, thus ensuring accuracy and minimizing the use of personal identifiers. Health professionals must make reasonable efforts to ensure patients understand that their data may be used in research unless they exercise their right to object. Identifiable information should not be used for research purposes if the individual has registered an objection. Nor should the contact details of potential participants in research be passed to researchers without consent.

5   Medical Research Council, Personal Information in Medical Research (Guidelines), 1999, (s.2.2.5).

6   British Medical Association, Confidentiality and Disclosure of Health Information, Oct. 14, 1999: Confidentiality: The principle of keeping secure and secret from others, information given by or about an individual in the course of a professional relationship. Disclosure: The revealing of identifiable health information to anyone other than the subject. Personal health information: Any personal information relating to the physical or mental health of any person from which that person can be identified. Anonymized information: Information, which does not, directly or indirectly, identify the person to whom it relates.

Moreover, in these recent guidelines, the BMA has taken the explicit position that “it is not ethically necessary to seek consent to the use of anonymous information.” It also maintained the position that in addition to the traditional duty of medical secrecy, “there is also strong public interest in maintaining confidentiality so that individuals will be encouraged to seek appropriate treatment and share information relevant to it.” These recent guidelines repeated the concern already addressed in the 1997 Caldicott Report over the management and security of flows of information through new communication technologies. In short, the BMA maintains that the Data Protection Act of 1998 cannot adequately protect medical information.

Recently, the Medical Research Council Key Principle B maintained:

When consent is impracticable, confidential information can be disclosed for medical research without consent if it is justified by the importance of the study; if there is no intention to contact individuals (except to seek consent) or reveal findings to them; if there are no practicable alternatives of equal effectiveness; and if the infringement of confidentiality is kept to a minimum.7

With regard to this principle, the document notes that the “decision about whether a study is sufficiently important is not for the investigator alone, but must also be referred to a Local Research Ethics Committee for independent assessment.” The techniques required for the use of personal health information in research are encoding or anonymization “so far as is reasonably possible.” Anonymized data is understood as the equivalent of unidentifiable data, that is, all information that could directly identify individuals has been irreversibly removed.

A recent case of the Court of Appeal (December 21, 1999)8 reversed a High Court ruling9 that the collection and sale of data on doctors' prescribing habits breached confidentiality even when the data are anonymized. The case hinged on the issue of implied consent to the use of anonymized data “not only by commercial companies but for public interest purposes, including medical research and statistics.”10 The Court of Appeal held that for breach of confidence to occur the information must have: “the necessary quality of confidence about it; be imparted in circumstances imparting an obligation of confidence; and, be an unauthorized use of that information to the detriment of the party communicating it.” The Court of Appeal held that due to anonymization “[t]he patient's privacy will have been safeguarded, not invaded. The pharmacist's duty of confidence will not have been breached.” It is interesting to note that albeit in obiter, the Court of Appeal suggested that such anonymized data would also not run afoul of articles 2(b) and 8 of the European Directive of 1995.

7   Supra, note 5.

8   Source Informatics Limited, http://wood.ccta.gov.uk/courtser/judgeme.

9   R and the Department of Health (ex parte) v. Source Informatics [1999] All E R 185.

10   Dyer, C., “BMA's Patient Confidentiality Rules are Deemed Unlawful” (1999) 319 BMJ 1221.

Australia

“The law relating to privacy in Australia is unsatisfactory. There is no general common law or statutory right to privacy. Such general privacy laws as exist have developed in a piecemeal fashion.”11

In Australia, as in the United Kingdom, medical practitioners have no professional privilege.12 Furthermore, any breach of confidence by a general practitioner may lead to disciplinary offenses or to civil actions arising out of tort, contract, or equity. There are also statutory provisions and guidelines imposing the requirements of confidentiality, including circumstances that constitute exceptions to confidentiality. An interesting position is that medical records are the property of the private medical practitioner who can allow or deny access (except for the Australian Capital Territory).13 The same does not hold for public health facilities.

The Commonwealth Privacy Act 1988 applies to research on personal information held by a Commonwealth agency. It establishes the fundamental principle related to data protection, including special provisions related to the use of identifiable personal information in medical research.14 The Guidelines for the Protection of Privacy in the Conduct of Medical Research of the National Health and Medical Research Council (1998) not only require that each research project be approved by an institutional ethics committee but also require the following:

2.3 The written protocol for the conduct of each medical research project should state:

(d) the reasons why personal rather than de-identified information is needed;

(e) why consent to the use of personal information cannot be obtained from the individuals involved;

(j) the safeguards that will be applied to protect personal information that will be made available to other researchers or third parties.

11   Chalmers, D., “Australia,” in Nys Herman, (ed.) International Encyclopedia of Laws: Medical Law, Vol. 1 (Boston: Kluwer Law International, 1998) 1 at p. 79.

12   Ibid. at p. 77: “in Victoria, Tasmania and the Northern Territory there is a privilege contained in the relevant state legislation which allows a doctor to refuse to divulge confidential information in Court proceedings unless the patient consents to the disclosure.”

13   Breen v. Williams (1996) 70 ALJR 772.

14   Excludes states and local government, as well as private agencies.

Furthermore, the institutional ethics committee must weigh the public interest in medical research against the public interest in privacy (art. 3.2). If public interest in research substantially outweighs its interest in privacy, then the research will not be considered a breach of the Privacy Act.

France

Article 9 of the French Civil Code proclaims the right to privacy. Protection of health information, however, stems chiefly from the Penal Code (art. 226-13 and 14). This means that the sanction for breach is a criminal one, the information transmitted by the patient being of a highly personal nature (intuitu personae). Furthermore, whereas most obligations of a physician are what are known as “an obligation of means”, medical secrecy is one of result. This is important since the ambit of the medical secret extends beyond what is heard, observed, or confided to what is understood. Thus, simple proof of breach is sufficient to constitute a fault.15

According to the 1978 Law on Informatics, Records and Freedoms, every person has the right to object to the collection and storage of personal data and to access to such data. In a major statutory amendment in 1994 to the French omnibus data protection law,16 French legislators set out restrictions on the automatic treatment of personal information for the purpose of health care research. This statute sets up a new body of data protection oversight, establishes substantive principles for data protection in medical research, and specifies important individual interests that must be respected before personal information can be used in a health care research project.” Each request to process information for medical research is to be submitted first to the Consultative Committee on the Treatment of Information in Research Health Care sector of experts, who are then to notify the National Commission on Information and Liberties (CNIL).17

In 1995, the revised Code of Ethics for physicians increased the number of articles treating medical secrecy with reference to the additional conditions established by law for the protection of personal information. Disciplinary sanctions are independent of any civil or penal ones. Finally, specific laws govern not only the computerization of medical data, but also the gradual introduction of the smart card in the healthcare system.

In addition to setting up a new body of oversight, the 1994 amendment establishes important individual interests. Most important is a general requirement that personal medical information that permits the identification of individuals be encoded before transmission to a research project. Although there are exceptions, the law forbids the reporting of research results that permit the direct or indirect identification of concerned parties. The law also grants individuals a right to object to use of their data in any medical research project. Finally, treatment of one's health care information in a research project generally requires the individual to be personally informed of the nature of the transmitted data and his or her right to access and correct the information, the intended recipient of the information, and the end use (finalité) of the information.18

15   See generally, Gérard M., in International Encyclopedia of Laws: Medical Law, “France,” supra, note 11, pp. 1–160, at 138–146.

16   Computerized Processing of Name-Linked Data for the Purpose of Research in the Health Sector. Law No. 94-548.

17   Schwartz P. M., “European Data Protection Law and Medical Privacy” at pp. 403–404 in Genetic Secrets, Rothstein, M., (ed.), supra, note 2, 1997.

In France, the Consultative Committee on the Treatment of Information in Research and Health Care is empowered by CNIL to receive requests from researchers to use nominative information without consent, firstly, if notification of the change of recipient of nominative information would be impracticable; second, if the information is unknown to the person; and third, where the information concerns a required notifiable condition. The only restriction is that the data be coded.19

In 1997, the CNIL adopted Recommendation 97-008 on the treatment of personal health data. This recommendation reiterates the obligation to maintain confidentiality, and to inform the person of any transmission of information with the possibility of objection and, finally, requires the anonymization of data for any secondary uses. Where information systems involve ongoing follow-up and updating, coding, encryption, or scrambling of the information is recommended. In addition, adopting heightened security measures for medical data, the CNIL can at any time verify the respect of these conditions. Yet, the commission affirmed that in conformity with article 5 of the 1981 Convention on the Automatic Processing of Data, access to nominative medical data for proper follow-up and the inclusion of such data for purposes of state social security programs, for prevention strategies, or for statistics or research were not precluded provided there is coding or anonymization.

Canada

Most Canadian jurisdictions have some form of privacy legislation in place, either as part of freedom-of-information and protection-of-privacy legislation or as a separate statute. However, in response to international developments (e.g., the 1995 European Directive) and to increasing public awareness and concern, there have been recent developments in two main areas: the expansion of legislative protection of personal information to include the private sector and the development of comprehensive legislation specific to health information. The federal Bill C-6 (formerly C-54)20 is an example of the first; new health information legislation in Manitoba, Saskatchewan, and Alberta, and draft legislation in Ontario, are examples of the second.

18   Schwartz, ibid. at p. 404.

19   Art. 40-3, al. 2 of D. no. 95-682, 9 mai 1995, JO 11 mai.

20   Bill C-6, Personal Information Protection and Electronic Documents Act, 2nd Sess., 36th Parl., 1999, Part 1.

OCR for page 173
Protecting Data Privacy in Health Services Research The success of the Canada Health Infoway and similar projects under way at the national and provincial levels will depend on the development of a comprehensive and consistent legislative framework for the protection of personal health information. The Final Report of the Advisory Council on Health Infrastructure noted that ”a real danger exists that Canada could end up with many different approaches to privacy and the protection of personal health information“ and recommended that harmonization of provincial and federal approaches be encouraged and that ”all governments in Canada should ensure that they have legislation to address privacy protection specifically aimed at protecting personal health information through explicit and transparent mechanisms. ”21 In addition, it recommended that privacy legislation applicable to health information bind the public and private sectors.22 The legislative renewal program within Health Protection Branch Transition is another relevant part of the current legal context. The review and proposed new legislation include delineation of roles and responsibilities, division of powers, risk management, scientific freedom, and safeguards for confidentiality and privacy.23 There is no discrete Common Law action for breach of privacy in Canada. 24 Privacy is protected by a network of legislation, constitutional provisions, and various aspects of Common Law. Health care providers have an obligation to maintain the confidentiality of patient information as part of their duties of care and fiduciary duties.25 A breach of privacy may also be grounds for other types of tort actions such as nuisance, trespass, libel, slander, defamation, assault, or battery.26 If there is a contractual relationship between the provider and the patient, a duty of confidence may be considered to be implied in the contract. 
In a recent case involving counselling records, the Supreme Court of Canada confirmed that section 8 of the Canadian Charter of Rights and Freedoms provides protection for such confidential information and indirectly for the therapeutic relationship.27 In another case under the Charter, where a body sample taken without consent or for medical purposes was used in criminal proceedings, the Court held that the individual had a reasonable expectation of privacy in part because of the relationship of confidence with the health care provider.28

21   Advisory Council on Health Infrastructure, Canada Health Infoway: Paths to Better Health, Final Report (Health Canada Reports, February 1999), Chapter 1 at 5.2, 5.3.
22   Ibid. at 5-3.
23   Health Canada, Shared Responsibilities, Shared Vision: Renewing the Federal Health Protection Legislation (Discussion Paper) (Ottawa: Health Canada, 1998) at 35–36; Health Canada, National Consultations Summary Report: Renewal of the Federal Health Protection Legislation (Ottawa: Health Canada, 1999).
24   For a review of Canadian law relating to health information and privacy, see Marshall M. and B. Von Tigerstrom, “Confidentiality and Disclosure of Health Information” in Downie J. and Caulfield T. (eds.), Canadian Health Law and Policy (Toronto: Butterworths, 1999) 143.
25   McInerney v. MacDonald, [1992] 2 S.C.R. 138.
26   Fridman, G.H.L., The Law of Torts in Canada, vol. 2 (Toronto: Carswell, 1990) at 192ff; Klar, L.N., Tort Law, 2d ed. (Toronto: Carswell, 1996) at 66–67.
27   R. v. Mills [1999] S.C.J. No. 68 (QL) at para. 79–82.
28   R. v. Dyment, [1988] 2 S.C.R. 417; R. v. Dersch, [1993] 3 S.C.R. 768.

Quebec

Although not a legally recognized “state,” the province of Quebec was chosen as an example of a comprehensive multilayered approach to the confidentiality of medical data within Canada. Examining the normative instruments according to their legal hierarchy, we have seen that the Canadian Charter of Rights and Freedoms contains no explicit right to privacy but has been interpreted as both a liberty interest (art. 7) and a right to be free from “unreasonable search and seizure” (art. 8).

In addition to the Canadian Charter, which serves as the ultimate filter of the constitutionality of all provincial and federal legislation, Quebec has its own charter. This Charter of Human Rights and Freedoms, which is of a quasi-constitutional nature, contains a right to respect for private life (art. 5) and more importantly the “right to nondisclosure of confidential information” even in a court of law, absent patient or statutory authorization (art. 9). These provisions are buttressed by the Civil Code of Quebec, which since 1994 has had a whole chapter with explicit provisions on the right to privacy as a right of personality. Both the Charter and the Civil Code cover governmental as well as private action.

The protection of personal information as well as access by the person is further enshrined not only in two statutes covering personal data in both the public and the private sectors29 but also by the Act Respecting Health Services and Social Services.30 The latter further buttresses the confidentiality of health information by requiring an explicit consent from the patient for access (art. 19).
In addition, the Code of Ethics of Physicians governs the physician whether in hospital or private office and is a regulation pursuant to the act with force of law. Finally, a 1992 decision of the Supreme Court of Canada maintained that the right to information in the medical record was a personal right of the patient, although the file remained the property of the hospital.31 Medical files in the office of the private physician are subject to the Professions Code,32 which requires all professional corporations to adopt a code of ethics. As mentioned, the Code of Ethics of Physicians was adopted as a regulation pursuant to law (art. 3.01) together with the Medical Act.33 These reinforce article 9 of the Quebec Charter concerning the quasi-constitutional duty of professional secrecy. Finally, article 35 of the Civil Code of Quebec, adopted in 1994, enunciates the right to privacy of the person and also provides recourse to an aggrieved patient in the case of treatment outside the public hospital.

29   Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, R.S.Q., c. A-2.1; Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., c. P-39.1.
30   Act Respecting Health Services and Social Services, R.S.Q., c. S-4.2.
31   McInerney v. MacDonald, [1992] 2 S.C.R. 138.
32   Professions Code, R.S.Q. c. C.-26.

As concerns research, consent (including record searches) must be free, informed, and given in writing.34 Such consent is valid only for the period of time approved by the ethics committee (art. 19.1). An exception to this would be situations in which the director of professional services authorizes access without patient consent, according to the legislation governing access to documents held by public bodies. The researcher would have to demonstrate the following:35

• the intended use is not frivolous and the ends contemplated cannot be achieved otherwise, and
• such nominative information will be used in a manner that ensures confidentiality.

These additional conditions of ethics approval and a determined period of time for access for research were adopted into law in January 2000 following a recent case in which access to the medical records was provided and several years later the researcher wished to continue working with patient records. Due to the merger of two hospitals, the records had been moved and the new director of professional services considered that the consent was no longer valid. The Court of Appeal, however, maintained that medical confidentiality was “relative” and existed primarily to benefit the patient.
Since one of the aims of the research in question was to find the cause of susceptibility to manic depression and schizophrenia, the researcher needed access to the records for the purposes of familial recruitment.35

Iceland

On December 17, 1998, the Icelandic Parliament adopted an Act on a Health Sector Database (Act 139/1998).36 This act foresees the creation and operation of a centralized database containing nonpersonally identifiable clinical data. Companies can apply for a license to have access. Article 7 of the act states that with the consent of health institutions or self-employed health care workers, data derived from medical records may be delivered to the holder of the operating license (the “Licensee”) for transfer into the Health Sector Database. The same article provides that the process shall be subject to conditions regarded as necessary by the Data Protection Commission at any time and that personal identifiers shall be encrypted before transfer to the database so that employees of the licensee work only with nonpersonally identifiable data. Personal identifiers shall be encrypted by one-way encryption, which cannot be traced back by using a cipher. The Data Protection Commission shall carry out further encryption of personal identifiers using the methods that the commission deems to ensure confidentiality best. It is important here to underline the fact that it is employees of the health institutions in question or self-employed health workers who prepare the data for transfer to the database and not employees of the licensee.

33   Medical Act R.S.Q. c. M.-9, art. 42.
34   Civil Code, arts. 23, 24; Act to Amend the Act Respecting Health Services and Social Services as Regards Access to Uses of Records, art. 19.1, adopted, January 2000.
35   Parent c. Maziade [1998] RJQ 1444–1457.
36   Act on a Health Sector Database, Act 139/1998, Iceland, 1998–1999, http://brunnur.stjr.is/interpro/htr/htr.nsf/pages/gagngr-log-ensk

Article 10 of the act states that the licensee is permitted to process the clinical data in the Health Sector Database derived from medical records, provided the data are processed and connected in such a way that they cannot be linked to identifiable individuals. The article provides, furthermore, that the licensee shall develop methods and protocols that meet the requirements of the Data Protection Commission in order to ensure confidentiality in connecting data from the Health Sector Database with data from a genealogical database and a genetic database. The article furthermore provides that the licensee is not permitted to provide information on individuals and that this should be ensured (e.g., by limitation of access).
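The two-stage handling of identifiers described for Article 7 can be sketched as follows. This is an added example, not code from the Act, the Data Protection Commission or the licensee; the Act names no algorithm, so HMAC-SHA256, a stage-one key shared by the data providers, the field names and the sample records are all assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed keys for the example. Each party holds only its own key.
PROVIDER_KEY = b"constructed-provider-key-0001"      # health institutions (assumed shared)
COMMISSION_KEY = b"constructed-commission-key-0001"  # oversight body only
DIRECT_IDENTIFIERS = {"national_id", "name"}         # hypothetical field names

# Constructed records: the first two describe the same person at two institutions.
SAMPLE_RECORDS = [
    {"national_id": "010170-0000", "name": "A", "source": "hospital-1", "dx": "E11"},
    {"national_id": "0101700000", "name": "A", "source": "clinic-7", "dx": "I10"},
    {"national_id": "020280-0000", "name": "B", "source": "hospital-1", "dx": "J45"},
]


def provider_pseudonym(national_id: str, key: bytes = PROVIDER_KEY) -> str:
    """Stage 1: keyed one-way hash computed before data leaves the institution."""
    normalized = national_id.replace("-", "").strip()
    return hmac.new(key, normalized.encode(), hashlib.sha256).hexdigest()


def commission_pseudonym(stage1: str, key: bytes = COMMISSION_KEY) -> str:
    """Stage 2: the oversight body re-keys the stage-1 value with its own secret."""
    return hmac.new(key, bytes.fromhex(stage1), hashlib.sha256).hexdigest()


def prepare_for_database(record: dict) -> dict:
    """Return the row the licensee would see: a pseudonym plus clinical fields."""
    pid = commission_pseudonym(provider_pseudonym(record["national_id"]))
    clinical = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    return {"pid": pid, **clinical}


def link_records(rows: list) -> dict:
    """Group diagnoses by pseudonym, which is all the licensee can link on."""
    linked = defaultdict(list)
    for row in rows:
        linked[row["pid"]].append(row["dx"])
    return dict(linked)


if __name__ == "__main__":
    for pid, dx in link_records([prepare_for_database(r) for r in SAMPLE_RECORDS]).items():
        print(pid[:12], dx)
```

The pseudonyms stay stable across sources, so records remain linkable without the identifier; whether the remaining clinical fields are themselves nonidentifiable is a separate question that the hashing does not answer.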
The act contains detailed provisions on monitoring, which is entrusted to three parties: (1) the Operating Committee, which shall monitor the creation and operation of the database; (2) the Data Protection Commission, which is subject to the Ministry of Justice and responsible for general surveillance of personal privacy in Iceland; and (3) an Interdisciplinary Ethics Committee, which monitors queries and research conducted using data from the Health Sector Database.

Finally, it is interesting to note that according to article 1.8, all data entering the Health Sector Database are the common property of the Icelandic nation and in the care and under the responsibility of the Minister for Health and Social Security, acting for the Icelandic government. This applies both during the time that the operating license is in effect and after its expiration. It has been argued that this law is (not) in conformity not only with domestic law (A Special Act on the Rights of Patients, [Act 74/1997; Reg. No. 227/1991 on Medical Records and Compilation of Reports in Health Matters] pursuant to the Act on Physicians and the Act on Health Service) but also with European standards of data protection and with scientific freedom generally.37

37   Arnardóttir, O.M. et al., “The Icelandic Health Sector Database” (1999) 6 European Journal of Health Law, 307–362. For a critique of the database, see Roscam Abbing, H., “Central Health Database in Iceland and Patient's Rights,” (1999) 6 European Journal of Health Law, 363–371.

On January 22 the Ministry of Health and Social Security prepared the issue of an Operating License for the Creation and Operation of a Health Sector Database of nonidentifiable health information. The licensee is authorized to connect information in the Health Sector Database with a genetic database with the approval of the Data Protection Commission. No genetic information or samples can be obtained for research purposes without specific patient consent. It goes without saying, however, that any such information found in the medical record would automatically be in the Health Sector Database unless the patient has exercised the opting-out provision.

CONCLUSION

Given the often eclectic if not confusing state of the law due to the combined effect of privacy, medical confidentiality, and personal data protection, it is difficult to draw any conclusions except perhaps to argue for the consolidation and harmonization of health data protection. This situation occurs because although the trends in all three sectors are welcome, their combined effect creates uncertainty since it is not always clear which rules apply. Moreover, most countries also provide for recourse to overarching constitutional protection, or in the absence of such, to human rights legislation, be it national or regional as in Europe. Such consolidation and clarification, including the ambit of legitimate exceptions, would not only be welcome but perhaps serve as a first step towards an international “charter” on health information.

Furthermore, we are now witnessing a further expansion of health information protection and promotion in the emergence of the right not to know and in the area of research in the move from coding or encryption to anonymization. Both of these recent developments are not without implications, the individual having been effectively removed from ongoing communication of health information.
Four questions remain: (1) What degree of informed consent is required for the valid exercise of the “right not to know”? (2) Will anonymization, although legally and ethically expedient, ultimately harm good science? (3) In the long run, will both impede identification for follow-up for proper medical treatment? (4) If so, have we unwittingly created a system of overprotection of the individual to the detriment of population health through prevention?

Moreover, in this search for guidance and clarity, health information should be distinguished from the sometimes-draconian overreach of personal data protection often aimed at thwarting access by commercial bodies. The indiscriminate application of this legislation when combined with the moral or legal force of medical codes of ethics can indirectly harm individual health, to say nothing of blocking the state's legitimate role in health systems planning. The majority of countries studied here cannot properly fulfill this latter obligation. In the rush to promote individual privacy and autonomy with regard to health information, we may have lost sight of the larger picture of the health of society and that of future generations.