
Privacy & Electronic Health Records: a match made in Heaven



    1. Privacy & Electronic Health Records: a match made in Heaven. McMaster University Lecture, January 24, 2006. By: Sylvia Klasovec; Mike Gurski, Bell Security Solutions Inc.

    2. Learning Objectives. Identify and understand the impact of privacy legislation on the development of the electronic health record. Comprehend privacy principles surrounding the collection, use and disclosure of health information via electronic health information systems.

    3. Learning Objectives. Describe the benefits and challenges of implementing the electronic health record in a privacy environment. Apply lessons learned in a health privacy case study.

    4. What is Privacy? “Privacy is the most comprehensive of all rights…the right to one's personality.” (Samuel Warren and Louis Brandeis) “Privacy is the right to be let alone.” (Judge Thomas Cooley) “Privacy, including informational privacy, is grounded in man’s physical and moral autonomy and is essential for the well-being of the individual.” (La Forest J.)

       The two most often quoted definitions from American caselaw. Privacy law began as a way to control excesses of the press. The SCC in R. v. Dyment [1988] 2 SCR 417 has recognized privacy as an important value in Canadian society.

    5. Hippocratic Oath, 4th Century B.C. “Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not be raised abroad, I will keep silence thereon, counting such thing to be as sacred secrets.” As quoted by McLachlin J. in Norberg v. Wynrib (1992).

       Privacy in the health sector is not a new concept. The Hippocratic Oath and professional codes of ethics have always protected the confidentiality of medical information. In the case of McInerney v. MacDonald, the SCC affirmed the right of access by patients to medical records held in trust by their health care professionals (now codified in health privacy statutes in a number of provinces). In the case of Norberg v. Wynrib, Justice McLachlin stated that the most fundamental characteristic of the doctor-patient relationship is its fiduciary nature.

    6. Health Information Privacy Defined. Right of a patient to exercise choice and control about the collection, use and disclosure of his/her health information. Patients always had a reasonable expectation that their medical records be kept confidential and secure.

    7. Privacy & Security. Privacy: relates to people, process and accountability; it gives individuals control over their personal information. Confidentiality: addresses only the disclosure of information. Security: organizational control of data; essential component to prevent inadvertent release of information.

       Privacy relates to people and accountability and gives individuals control over their information, whereas confidentiality addresses the disclosure of information. Individuals have the right to control the manner in which health information is collected, used or disclosed (the right to informational privacy) and to expect that their records be protected, which is a broader obligation than just the duty to keep records confidential.

    8. Privacy Interests in Health Information. Extreme sensitivity of personal health information. Computerization of health records; scale of compromise. Electronic health data exchanges. Unauthorized disclosures threaten integrity of health system and hinder adoption of province-wide electronic health records.

       Health information privacy is critical because medical info is the most sensitive of all types of PHI. Health information privacy has become a critical issue among Canadians. Surveys have shown that Canadians are increasingly concerned about privacy generally, and health information privacy specifically.

    9. Electronic Health Information Context. Digital imaging technologies (picture archiving and communication system) to capture X-rays, MRIs and CT scans. Automated physician offices. E-prescribing. Provincial and local health integration networks (LHINs).

       Across Canada, health information systems are being developed to facilitate electronic health data sharing. National efforts are being made to integrate health information systems for the sharing of information. This health information context is also characterized by new developments in health information legislation and information/privacy laws generally. The implementation of privacy rules will encourage public trust and foster adoption of EHR.

    10. Romanow Commission. Investigated modernization of health system with recommendations for establishing electronic health records. “If we are to build a better health system, we need a better information sharing system so that all governments and all providers can be accountable to Canadians.” The Future of Health Care in Canada, 2002.

        Over the years a number of reports have been commissioned to investigate aspects of the Canadian health system: Krever Report (1980), which called for comprehensive health privacy legislation at that time; Romanow Report (2002); Kirby Report (2002). The first two focused on the confidentiality of health information; the Romanow Commission evaluated the development of EHRs. The issue of accountability has many layers. For privacy it is the organization’s accountability for its management of personal health information within legislated frameworks, plus Canadians’ privacy expectations regarding their PHI.

    11. Health Council Report. The Health Council of Canada was established by First Ministers to monitor and report on the 2003 Accord on Health Care Renewal. Recommendations: acknowledge the value of electronic health records and telehealth technologies to improve access and quality of care; encourage rapid adoption of these tools so that interdisciplinary team members can readily share patient information. Health Care Renewal in Canada, January 2005.

        In Ontario, Primary Care Reform is an important health care initiative. Renewals depend on rapid transmission of accurate patient information among providers in different locations. Teams or networks of primary care providers will deliver health services. This reform is dependent on information sharing and technological innovation; electronic patient records will be an important element.

    12. Canada’s Health Infostructure. Advisory Committee on Information and Emerging Technologies (ACIET). Canada Health Infoway (CHI). Canadian Health Network (CHN). Provincial health information networks: Alberta Wellnet, Saskatchewan Health Information Network, B.C. HealthNet.

        ACIET: ACIET has a Federal and Provincial co-chair and is comprised of representatives from the federal, provincial and territorial governments as well as external members from Canada Health Infoway and CIHI. Five initiatives were identified by Deputies: Emerging Technologies Assessment Genomics Pharmaceuticals Strategic Advances Strategic Directions for a pan-Canadian Health Infostructure Privacy Included privacy protection as one of the key objectives of a Canada Health Info-way. Recommended harmonization of privacy protections for health information across Canada.

    13. Canada Health Infoway. Mandate to work with provinces and territories towards development and adoption of pan-Canadian interoperable electronic health information systems. Invests with public sector partners in health IT initiatives. Goal is to ensure 50% of Canadians benefit from EHR by 2009.

        CHI: established to foster and accelerate the development and adoption of pan-Canadian interoperable electronic health information systems (i.e. the PACS (picture archiving and communication system) captures, stores and sends images using digital technology; it is considered to be a key building block for the EHR by CHI and therefore is a substantial funding investment). The challenge of creating a pan-Canadian framework to invest 1B without going down technical dead ends. E.g., reliance on central server models, as opposed to P2P solutions.

    14. Promised Advantages of Electronic Health Records. Reducing medical errors. Increasing patient safety. Better access to care. Improving efficiency and quality of care. Reducing health care costs.

        These are inculcated given truths. A counter argument could be that electronic health records could create unintended effects that reverse these advantages, dependent on design and deployment. See: Techgnosis for the arguments to this, plus When Things Bite Back, and The Human Factor.

    15. Challenges. Accountability. Custody and control issues. Decentralization of patient information. Multiple users and greater access points. Consent management. Change management. Interoperability of electronic health records. Inter-jurisdictional use/disclosure issues.

    16. Catalysts for Change. International developments (European Union Data Protection Directive). Public awareness and concern about secondary uses of health data. New patient expectations. High profile privacy breaches.

        International developments, increasing public concern and other factors have resulted in the expansion of legislative protection of personal information to the private sector (federal PIPEDA) and the development of comprehensive legislation in the health sector based on 10 principles, the foundation for all privacy statutes and for Canadian health privacy legislation (including Ontario). It all comes down to our increasing dis-ease with IT and IM developments, foremost: Internet and Data Mining and ID Theft.

    17. Public Fears about Electronic Health Records. Health campaigners in UK fear switch from paper to electronic health records compromises patient confidentiality (The Guardian, 2005). Patients are worried about who has access to their electronic health record and find lack of privacy “horrifying” (E-Health Insider, 2004).

        Heightened public fears about electronic health information stem from privacy breaches: a database upgrade of one of Calgary’s Laboratory Services computer programs last year caused the mix-up of 2,000 patient lab results, forcing the region to shut down its database. On a positive note, Calgary Health Region has rolled out a patient identification system across its 8 health care facilities to help physicians and health staff to spot errors in their patients’ health records (master enterprise patient index).

    18. More on Patient Attitudes… 9 in 10 Canadians support information and communications technologies in the health sector, provided privacy and autonomy are protected (Office of Health and the Information Highway, Health Canada, 2002). Over 80% strongly believe electronic health records improve ability of health care provider to improve care (Health Care Renewal Report, 2005).

        Trust in practitioners is high: 63% of Canadians have confidence in their doctors to respect patient confidentiality; secondary use of data is the key issue, yet 80% are in favour of the benefits of EHRs. How will these attitudes affect the deployment of EHRs? EKOS Research: Longitudinal Privacy Survey shows an upswing of privacy concerns by the Canadian public.

    19. Health Care Goals. Consistent privacy rules across the health care sector. Encourage public trust. Pave the way for integration in the delivery of health care. Adoption of new technologies to support national and provincial EHRs.

        An examination of this set of accepted goals shows an underlying tension: technologies are not neutral, especially when it comes to privacy. See: Code and other Laws of Cyberspace, Ben Franklin’s Website. A challenge is that the privacy technologies are underdeveloped: e.g., consent management tools to capture patient consent in health care systems.

    20. Current Legislative Framework. Manitoba Personal Health Information Act. Saskatchewan Health Information Protection Act. Alberta Health Information Act. Ontario Personal Health Information Protection Act.

        Patchwork of privacy laws with only four health specific privacy laws enacted to date. Health sector provincially regulated and funded. Provincial public sector legislation (applies to ministries, hospitals, in some jurisdictions). Provincial health sector legislation (Alberta, Saskatchewan, Manitoba, Ontario). Federal private sector (commercial health sector). Provincial private sector (Quebec, B.C., Alberta).

    21. Ontario’s Personal Health Information Protection Act (PHIPA). Creates comprehensive, uniform rules for collecting, using, disclosing and disposing of personal health information (PHI). Permits free flow of health information for health care purposes within health care team (implied consent). Ensures that personal health information is kept confidential and secure in a manner that facilitates health care.

    22. PHIPA (cont’d). Gives patient right to restrict sharing of health records with other health care providers (lock-box). Sets guidelines for fundraising and research. Expands and codifies existing right of access. Provides remedies for privacy breaches. Creates oversight body.

    23. Scope and Application. Health information custodians (HICs) that collect, use and disclose personal health information (PHI). Agents who use PHI (where authorized). Recipients (non-health information custodians) where they receive PHI from a HIC.

        HICs include health care practitioners, hospitals, long-term care facilities, pharmacies and laboratories, ambulance services and other health care organizations within Ontario. Agents include medical assistants and support staff at hospitals. Recipients include insurance companies, schools and other entities outside of a patient’s health team.

    24. Health Information Service Providers. PHIPA regulation limits the use of PHI by IT service providers except as necessary for providing its services to HICs and prohibits any disclosures. Sets out specific requirements for “health information network providers” to enable two or more custodians to disclose PHI electronically to each other.

    25. What is “PHI”? PHI means “identifying information” that: relates to physical/mental health information; relates to provision of health care; identifies a provider of health care; identifies a substitute decision-maker; is a plan of service under Long-Term Care Act; relates to payments or eligibility for health care; is his or her health card number. A record mixed with any of the information above is deemed to be a record of PHI.

        PHI does not include employment-related records.

    26. Key Principles. Privacy is fundamental to good information management practices & patient care (complementary). Balance the need to protect privacy of individual against seamless sharing of PHI for best treatment. Obligation to patients is now codified (privacy was always a consideration).

        PHIPA codifies and builds upon many of the existing practices and codes of conduct of health care providers. It is not meant to interfere with existing patient-provider relationship.

    27. PHIPA – Based on Fair Information Practices. Accountability. Identifying Purposes. Consent. Limiting Collection. Limiting Use, Disclosure, Retention. Accuracy.

        PHIPA is based on universally accepted principles known as the fair information practices. You must be accountable for the information you hold, you must identify why you are collecting information, you must limit your collection to what is reasonable, individuals must have the right to obtain access to their personal information, etc.

    28. Principle 1: Accountability. Designate a contact person to: ensure overall PHIPA compliance; educate agents of custodian; respond to access/correction requests; handle inquiries and complaints from public; develop a publicly available written statement describing your information practices (privacy policy).

        Who is responsible for privacy in your organization? Can that person be readily identified upon request? Do you have a privacy policy? Is the privacy policy readily available to clients/patients?

    29. Accountability for PHI. PHIPA holds agents (employees, service providers, suppliers) directly accountable. Must have permission of HIC to collect, use or disclose, retain or dispose of PHI on behalf of a HIC. HIC must ensure that agents are educated and informed of their duties.

    30. Holding Service Providers Accountable. Health information network providers must comply with prescribed requirements, for example: conduct a privacy risk assessment; provide an assessment of threats, risks, and vulnerabilities to the security and integrity of personal health information (threat risk assessment); provide an electronic record of all accesses and transfers; notify every custodian of any breach relating to the unauthorized access, use, disclosure or disposal of personal health information; enter into a written agreement with HIC concerning services to be provided.

        A health information network provider is a person who provides services to two or more custodians (as defined in PHIPA) to allow for the electronic collection, use, disclosure, retention or disposal of personal health information.

    31. Principle 2: Identifying Purposes. Policy must include: how and for what purpose PHI is collected, used, disclosed, retained, disposed; procedures relating to the physical, administrative and technical safeguards in place to maintain confidentiality/security of records.

        Inform patients up front about the purpose of your collection, use or disclosure of their personal health information.

    32. Principle 3: Consent. Need consent (express or implied) for the collection, use or disclosure of personal health information. Implied consent permitted within “circle of care”. Otherwise express consent required (unless permitted without consent).

        PHIPA is a consent-based statute (general rule): consent is required for the collection, use, disclosure of PHI, subject to specific exceptions. Consent may be express or implied, except where it must be express.

    33. Implied Consent. HICs may imply consent when sharing PHI with other HICs for the purpose of providing or assisting in providing health care (circle of care). Exception: if the individual expressly withholds or withdraws consent (lock-box).

    34. Checks on the Lock Box. Notification: HIC must advise recipient HIC that there is incomplete but relevant information that was locked by the patient. Override: HIC may disclose if disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm to a person or a group of persons.

    35. Lockbox Functionality. Legal perspective: lockbox functions can exist both at the chart level and record level and must include consent revocation, reinstatement and data-masking or blocking capabilities. Technical perspective: most health information systems cannot support data locking at field level.

        PHIPA does not comment on level of granularity for locking health information. Organizations with a paper-based record system must manually “block” or segregate parts of an individual’s record when responding to “lock box” requests. Organizations that rely primarily on electronic medical record systems can use other methods for dealing with “lock box” requests, such as flagging certain records as “sensitive” or adding in comments about a specific “lock box” request in a free-text comments field.
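The lock-box rules on slides 33 to 35 (withdrawal and reinstatement of consent at chart or record level, the notice to the recipient custodian, the override for significant risk of serious bodily harm) and the access record required of network providers on slide 30 can be sketched as one disclosure check. This is an added example, not part of the lecture; every class, field and decision string is hypothetical, and withholding a locked record entirely instead of masking fields is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

HEALTH_CARE = "health_care"   # hypothetical purpose code for circle-of-care sharing
AUDIT_LOG = []                # electronic record of every access decision

@dataclass
class Record:
    record_id: str
    body: str

@dataclass
class Chart:
    patient_id: str
    records: list
    chart_locked: bool = False                        # chart-level lock
    locked_records: set = field(default_factory=set)  # record-level locks

    def withdraw(self, record_id=None):
        """Patient withholds or withdraws consent for one record or the whole chart."""
        if record_id is None:
            self.chart_locked = True
        else:
            self.locked_records.add(record_id)

    def reinstate(self, record_id=None):
        """Patient reinstates consent that was previously withdrawn."""
        if record_id is None:
            self.chart_locked = False
        else:
            self.locked_records.discard(record_id)

    def is_locked(self, record_id):
        return self.chart_locked or record_id in self.locked_records

@dataclass
class Disclosure:
    decision: str
    released: list            # record ids handed to the recipient
    incomplete_notice: bool   # recipient must be told that relevant PHI was locked

def disclose(chart, recipient, recipient_is_hic, purpose, override_reason=None):
    """Decide what a custodian may share with `recipient` and log the decision."""
    all_ids = [r.record_id for r in chart.records]
    locked = [i for i in all_ids if chart.is_locked(i)]
    unlocked = [i for i in all_ids if not chart.is_locked(i)]

    if not (recipient_is_hic and purpose == HEALTH_CARE):
        # Outside the circle of care implied consent does not apply.
        result, withheld = Disclosure("express_consent_required", [], False), all_ids
    elif locked and override_reason:
        # Override: disclosure needed to reduce a significant risk of serious harm.
        result, withheld = Disclosure("override", all_ids, False), []
    elif locked:
        # Honour the lock, but flag that the picture is incomplete.
        result, withheld = Disclosure("released_incomplete", unlocked, True), locked
    else:
        result, withheld = Disclosure("released", unlocked, False), []

    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "patient": chart.patient_id,
        "recipient": recipient,
        "purpose": purpose,
        "decision": result.decision,
        "released": list(result.released),
        "withheld": list(withheld),
        "override_reason": override_reason if result.decision == "override" else None,
    })
    return result

def demo():
    """Constructed sample chart walked through lock, override and reinstatement."""
    chart = Chart("P-001", [Record("r1", "discharge summary"),
                            Record("r2", "lab result"),
                            Record("r3", "imaging report")])
    chart.withdraw("r2")
    steps = [disclose(chart, "hospital-A", True, HEALTH_CARE),
             disclose(chart, "hospital-A", True, HEALTH_CARE, "ER: risk of serious harm"),
             disclose(chart, "insurer-B", False, "claims_review")]
    chart.reinstate("r2")
    steps.append(disclose(chart, "hospital-A", True, HEALTH_CARE))
    return [s.decision for s in steps]

if __name__ == "__main__":
    print(demo())
```

The audit entry records withheld record ids as well as released ones, so a later review can tell a lock-box refusal apart from a record that never existed.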

    36. There are a number of circumstances where express consent is required. Any disclosure of PHI that is outside the circle of care and that is for a purpose other than to provide health care will require express consent.

    37. Express Consent. Required for disclosures outside the circle of care (employer, insurer, marketer). Where a HIC discloses to another HIC for a non-health care purpose. Research purposes unless specific requirements are met (REB approved research plan). Fundraising (when using more than name and specified contact information).

    38. Derogations from Consent. Derogations from the consent principle are allowed in limited circumstances: as required by law; to protect the health or safety of the individual or others; to identify a deceased person or provide reasonable notice of a person’s death; for OHIP payments or processing health plan claims.

    39. Principle 4: Limiting Collection. No more than needed to meet identified purpose. Collected directly whenever possible. Collected indirectly if: cannot get consent in a timely manner (emergencies); cannot rely on information from individual (dementia).

        Better security through more effective access controls and audit trails. Improved privacy protection by limiting access to need-to-know. Multiple users and multiple access points raise accountability issues and increase vulnerability.

    40. Principle 5: Limiting Use, Disclosure, Retention. Use: ‘Lock-Box’ protection allows individuals to determine what PHI cannot be shared within the ‘circle of care’. Disclosure: HIC can disclose PHI where permitted or required under PHIPA. Retention: PHI must be securely retained, transferred and disposed.

    41. Principle 6: Accuracy. Must take REASONABLE STEPS to ensure PHI is as accurate, complete and up-to-date as necessary for particular use or disclosure; and protect PHI from loss, theft or unauthorized access, copying, modification or disposal.

    42. Principle 7: Safeguards. Must ensure PHI is retained, transferred and disposed in secure manner and in accordance with professional standards. Technical: firewalls, virus protection, passwords and usernames. Administrative: release of information policies (e.g. media, police); use of email for sharing PHI. Physical: locked doors, file cabinets, building access control.

        There are three categories of safeguards.

    43. Principle 8: Openness. HIC must make publicly available its Privacy Policy: access/correction/complaints procedures; how to reach contact person. Patients must be aware of their rights and your information practices. Health information network providers must provide their PIA to HICs and make it available to the public upon request.

    44. Principle 9: Individual Access. Right of access & copy to all records for a reasonable fee (30 days) with exceptions: legal privilege; risk of significant harm; request is frivolous or vexatious. Records must be maintained until procedural matters relating to access request are exhausted.

        The right of access was confirmed in 1997 by the SCC in McInerney v. MacDonald but it did not provide a formal access procedure for patients with timeframes and a right to complain where access was denied.

    45. Principle 10: Challenging Compliance. IPC is the oversight body. Investigate complaints and conduct Commissioner-initiated reviews of alleged breaches of PHIPA. Complaints can be filed based on access or correction decision of a HIC or if a person believes the HIC has or is about to contravene PHIPA or its regulations.

    46. Bottom Line. Health information privacy is a complex issue of the decade. It is defined by legislation. Threatened and enhanced by technology. Privacy is essential to ensuring public buy-in to the EHR.

    47. Case Scenario. A new medical clinic would like to share discharge summaries, lab and medical imaging test results with other physicians at hospitals by interfacing its information system with other hospital information systems. Physicians would be able to access such information remotely. A software vendor would provide the software application and network connection.

        Now it is time to see what you learned from the presentation.

    48. Questions. What type of consent (if any) is required for the collection, use and disclosure of PHI via these interfaced IT systems? Who is responsible for obtaining the requisite consent for such data sharing and can patients opt out of providing consent? Who is responsible for building a consent management framework and complying with patient consent directives? What type of technical privacy and security features should be built into the system (if any) to achieve privacy and security compliance? What other privacy principles must be followed and by whom?

    49. Final Thoughts “...unless the privacy and data security aspects of this transforming shift are addressed now, at the “front end”, this entire venture could be compromised - if not stillborn – because of potential public resistance to computerization without adequate privacy safeguards…” Dr. Alan Westin, Building Privacy by Design in Health Data Systems, August 2005

    50. Contact information. Mike Gurski, 905-751-4310, Mike.gurski@bell.ca. Sylvia Klasovec, 416-506-1695, Sklasovec@sympatico.ca.
