Joint expression of concern to privacy commissioner over potential breach of patients’ privacy


Joint media release

A concern has today been raised with the Office of the Privacy Commissioner about a potential privacy breach involving a large number of identifiable medical records.

Four key New Zealand and Australasian healthcare IT players – HealthLink, Medtech Global, My Practice and Best Practice Software New Zealand Ltd – are concerned that patients don’t appear to be aware their medical records are being copied into new electronic databases.

At least one PHO is extracting into a large database private medical information including patient name, age, address and all financial, demographic and clinical information.

The IT companies are unsure how widespread this method of data collection is in New Zealand.

They were prompted to contact the privacy commissioner after receiving proof about one of the PHOs, ProCare Health, creating a single database containing the identifiable medical records of up to 800,000 Auckland patients.

It appears most patients are unaware of this and potentially some GPs are also unaware. 

ProCare’s move comes at a time when the world is looking intently at the individual’s right to privacy with respect to personal information.

The IT companies have a legal opinion that states the law firm is “not able to conclude that the data sharing creating this extensive database is in accordance with the New Zealand Health Information Privacy Code”.

The companies are not alone in their concerns – GPs, too, have rung alarm bells.

A ProCare-commissioned Privacy Impact Assessment of its new database, called the Clinical Intelligence System, says the assessment was undertaken in response to concerns from its own GP members about the data collection.

The IT companies have also obtained a legal review of the assessment that states there are still privacy concerns that need investigation, and it appears many of the privacy risk mitigations recommended have not been carried out.

“We are concerned that ProCare is extracting patient data, including name, age, address and all financial, demographic and clinical information (minus consult notes) from GP practices and storing it in a single electronic data warehouse,” the companies’ submission to the OPC says.

The companies also note they have documentation stating that for medical practices to receive a taxpayer-funded patient subsidy payment from ProCare they must agree to the extraction of all identifiable clinical, financial and demographic information for its enrolled patients.

“At a time when attitudes towards patient privacy are shifting in favor of giving greater protections to the individual, here is an organisation that has no direct patient relationship asking doctors to help it amass all the patient records it can gain access to,” the submission says.

The companies hope the privacy commissioner will look into ProCare’s actions to decide whether or not it is in breach of the New Zealand Health Information Privacy Code, and to direct ProCare, and any other PHO engaged in this activity, to be more transparent with GPs and patients.

They are seriously concerned that such actions will undermine New Zealanders’ confidence in public health IT systems, and their GPs, to protect their privacy.

Any plan to create a patient database is a hugely important issue; it needs careful consideration and the appropriate level of public consultation.

The companies have also sent a letter to the Royal New Zealand College of General Practitioners (RNZCGP) – the professional body that sets standards for quality systems in general practice – asking that it work with GPs to ensure they are aware of what is happening to patient information and to protect themselves and their patients. 
