Breach of patient privacy alleged against ProCare Health
Auckland, July 19, 2018
A concern has been raised with the Office of the Privacy Commissioner about a potential privacy breach involving a large number of identifiable medical records.
Four key New Zealand and Australasian healthcare IT players – HealthLink, Medtech Global Limited, My Practice and Best Practice Software New Zealand Ltd – are concerned that patients do not appear to be aware their medical records are being copied into new electronic databases.
At least one primary health organisation (PHO) is extracting private medical information, including patient name, age, address and all financial, demographic and clinical information, into a large database.
The IT companies are unsure how widespread this method of data collection is in New Zealand.
ProCare Health’s move
They were prompted to contact the Privacy Commissioner after receiving proof about one of the PHOs, ProCare Health, creating a single database containing the identifiable medical records of up to 800,000 Auckland patients.
It appears that most patients are unaware of this and potentially some GPs are also unaware.
ProCare’s move comes at a time when the world is looking intently at the individual’s right to privacy with respect to personal information.
The IT companies have a legal opinion that states the law firm is “not able to conclude that the data sharing creating this extensive database is in accordance with the New Zealand Health Information Privacy Code.”
Other alarm bells
The companies are not alone in their concerns – GPs, too, have rung alarm bells.
A ProCare-commissioned Privacy Impact Assessment of its new database, called the Clinical Intelligence System, says the assessment was undertaken in response to concerns from its own GP members about the data collection.
The IT companies have also obtained a legal review of the assessment that states there are still privacy concerns that need investigation, and it appears many of the privacy risk mitigations recommended have not been carried out.
Petition to Privacy Commissioner
“We are concerned that ProCare is extracting patient data, including name, age, address and all financial, demographic and clinical information (minus consult notes) from GP practices and storing it in a single electronic data warehouse,” the companies’ submission to the Privacy Commissioner said.
The companies also note that they have documentation stating that for medical practices to receive a taxpayer-funded patient subsidy payment from ProCare, they must agree to the extraction of all identifiable clinical, financial and demographic information for its enrolled patients.
“At a time when attitudes towards patient privacy are shifting in favour of giving greater protections to the individual, here is an organisation that has no direct patient relationship asking doctors to help it amass all the patient records it can gain access to,” the submission said.
The companies hope that the Privacy Commissioner will look into ProCare’s actions to decide whether or not it is in breach of the New Zealand Health Information Privacy Code, and to direct ProCare, and any other PHO engaged in this activity, to be more transparent with GPs and patients.
They are seriously concerned that such actions will undermine New Zealanders’ confidence in public health IT systems, and their GPs, to protect their privacy.
Any plan to create a patient database is a hugely important issue; it needs careful consideration and the appropriate level of public consultation.
The companies have also sent a letter to the Royal New Zealand College of General Practitioners (RNZCGP) – the professional body that sets standards for quality systems in general practice – asking that it work with GPs to ensure they are aware of what is happening to patient information and to protect themselves and their patients.