Privacy in the digital age

1 January 2014

By the end of 2014, the aim is for every New Zealander to be able to electronically access their core personal health information. This prompts new challenges and new privacy issues. FIONA CASSIE talks to nursing leaders about increasing moves to shared electronic health information, about protecting privacy and why it is important for nurses – even the IT shy – to be involved every step of the way.

It’s an age like no other for sharing intimate aspects of your life.

Five hundred ‘friends’ can read how hung-over a guy is after a night on the town. A mother can tweet pictures of her child’s chickenpox to the masses.

But if your district nurse wants to see your latest test results, the ED nurse your current medications, or your pharmacist double-check your GP’s prescription, the information can often be a frustrating series of phone calls and faxes away.

Consumers used to getting information at just a click of the mouse or slide of the finger are perplexed that basic information isn’t already being electronically shared between general practice, hospitals, and other health providers. In an age of Facebook, Twitter, and Instagram, there are still electronic and privacy barriers standing in the way of sharing basic health information electronically.

The slow and steady arrival of shared electronic health information is changing this in pockets all over the country as pilots ranging from eReferrals to ePrescribing, and other broader initiatives like Canterbury’s electronic shared care record view (eSCRV) and electronic shared care plan pilots in Auckland and Christchurch, are tested and rolled out. Walking the tightrope between providing ease of access to shared clinical information and protecting the privacy of health consumers is the difficult balancing job the health sector is currently working through.

High profile cases have shown that maintaining privacy is a real issue, with some nurses and doctors not immune from exploiting electronic access to take a nosey at records they have no reason to see. In the past health professionals might have got away with a gossipy huddle around an x-ray or taking a peek at a file in the cabinet. And it may be that those involved in the recent cases were unaware that nowadays such privacy breaches leave digital footprints that lead investigators right to them.

Sue Wood for one is a nurse leader who believes ignorance of, or discomfort with, IT is no excuse for the nursing profession not to take a lead role in eHealth developments like shared electronic health records.

The former director of nursing at MidCentral District Health Board is a bit of a nursing IT pioneer, having brought the acuity software TrendCare to New Zealand. She is also the nursing representative on the IT Health Board, which has set the eHealth vision of all New Zealanders and their health providers having electronic access to a core set of personal health information by 2014.

Wood, now quality and patient safety director at Canterbury DHB, says patient portals to electronic health information, and incident management systems, are the way of the future. “And from the Minister (Health Minister Tony Ryall) it is an area that needs more emphasis.” Portals are also an area that still needs some work if the eVision goal is to be met by the end of 2014.

Wood is clear what should be core and common across any electronic shared health record or care plan development.

“As a nurse on the board I’ve been arguing for two years that assessment data needs to be core and that assessment isn’t biomedical examination (though I value that and it is a component of assessment),” says Wood. “We are looking for the psychosocial history, the context and how people learn … we are looking at those sorts of things to be included in (nursing) assessment.”

Wood says nurses’ psychosocial care of patients is core ‘bread and butter’ to nursing but it is totally invisible to others, who do not perceive nursing as a holistic profession. “We are perceived as biomedical.”

So nurses needed to be in at the beginning of system development and clearly articulate what they need so the IT teams can deliver software and eHealth tools that recognise what nurses “bring to the party” of patient care, like holistic assessment, supporting self-management and the “invisible” coaching of families.

Wood says nurses also need to leap forward and envisage future models of care – and the electronic systems needed to support them – as systems take time to be developed and are usually difficult to change. So nurses need to think where care will be in a decade, be sure to use a common universal language (like Snomed clinical terms) and avoid just turning existing paperwork into an electronic form.

IT security: most definitely a nursing role

Nurses also need to play an active part in IT security and privacy, says Brenda Hynes, project leader for PlunketPlus – the well child provider’s new electronic health record as well as the “Plunket book” of the future.

“But often when I talk to people about information security they say ‘that’s not nursing, we don’t need to worry about that’,” says the nurse, who is also Plunket’s general manager of service delivery.

Hynes challenges this, pointing out decisions about security directly impact on what happens in the field when a nurse picks up their tablet and tries to login to PlunketPlus.

“If you lock everything down …and you have to go through streams of passwords … that affects the performance that the nurse can do,” says Hynes. That’s why she believes nurses should be in on security decisions and examine the risks against the advantages of different levels of electronic security.

“An example of this is for us being able to access a whole spreadsheet of all client contacts and be able to email that. We could have locked that completely down and then our business analysts wouldn’t have been able to do their work or we could have opened it right up so nurses could access such spreadsheets.”

The decision was made that only business analysts could view such data to reduce the risk of a nurse accidentally emailing out all their contacts, a la ACC or EQC.

Hynes points out you can’t eliminate or control every risk – some you have to accept so nurses can do their work – with trust and staff education also key to preventing privacy breaches.

And ensuring notes are kept secure and private is a long given for nursing, says Hynes, with Plunket nurses locking them up every night in a filing cabinet and hospital nurses challenging any stranger hovering beside the notes trolley.

The ‘key’ to the ‘filing cabinet’ is now an electronic password – which has to be a complex one, requiring a mix of nine letters, symbols and numerals that has to be changed every 90 days.

Hynes shares an anecdote on why it’s probably best to have complex passwords based on her experience of asking a gathering of Plunket area managers last year how many of them used ‘Plunket’ backwards as their password. “All these hands shot up … and I said ‘oh dear you’ve just told me your password!’”

It was no small feat to introduce complex passwords for Plunket’s 1500 staff and 5000 volunteers. They were given three months’ notice of the changeover to the tighter password system. A series of meetings outlined why the new password system was needed and gave hints on how to make a memorable but secure password, like using a code built on the lyrics of your favourite song.

“So when you come in in the morning you do see people at their computers tapping away and nodding their head as if they are singing a song.” Hynes adds with pride only one person, of the 6500 or so involved, failed to register a new password prior to the changeover date.

Work began on PlunketPlus back in 2010 and it went live for the first time in September this year with ten nurses in Auckland, with 4000 clients between them, testing it in the field using electronic tablets.

Hynes admits it hasn’t been a fast process, but what prompted Plunket to take its time was the number of privacy breaches hitting the headlines last year. “That’s when we said hold on a minute we need to just review all our information security.” As a trusted organisation seeing more than 90 per cent of all new babies, Plunket wanted to ensure its system was secure – including paying for penetration (pen) testing to see whether people could hack into the tablets nurses use or Plunket’s server.

It has also developed a new incident management system that covers security breaches as well as privacy breaches.

So if somebody loses their smartphone – it’s an information security breach and needs to be reported straight away. It is Plunket policy that no client information is held on phones but the IT department would still promptly “kill” the phone to ensure numbers cannot be accessed.

Plunket’s policy is that client information is not emailed through non-encrypted platforms like Microsoft Outlook. Instead it uses several encrypted systems if it needs to report client information, for example SEEmail (Secure Electronic Environment Mail) to send encrypted sensitive information to Child, Youth and Family. Information held on PlunketPlus tablets is also encrypted and while nurses are encouraged to take their tablets home, so they become familiar with them as an IT tool, there is a hands-off policy from any family members keen to play games on them or take ‘selfies’.

In the future clients will also be able to access their child’s PlunketPlus record through a secure patient portal, similar to internet banking. But as that is the final stage of PlunketPlus, work is yet to begin, says Hynes. The vision is that parents will be able to read their child’s record, except for child safety information, and will also be able to contribute to the record, just like an electronic Plunket book, and record their child’s development milestones from rolling to first steps.

Meanwhile evaluation is ongoing during the live testing in readiness to refine and make PlunketPlus work as well as possible for nurses and their clients. Once that stage is completed Hynes expects it will take between 12 and 18 months to roll out across the country.

With that roll-out and the future patient portal will come the need to decide when and if information is withheld from clients. Hynes says the health privacy code means nurses already need to be clear with clients about the information they are gathering and why, and will now need to add how it is being recorded and who will be able to see it.

IT road map not roadblock for privacy

Getting the fundamentals right from the start when it comes to privacy and electronic health records is probably not a bad idea.

Katrine Evans, the assistant Privacy Commissioner, points to the UK’s scrapped £12.7 billion health IT project as a cautionary tale of getting the fundamentals of sharing electronic health information all wrong.

Reasons for pulling the plug on the NHS project in 2011, after investing nearly a decade’s work, included health providers not having confidence the system would work properly and health professionals concerned there wasn’t adequate privacy protection.

Evans says people often expect the Privacy Commissioner’s office to be anti-IT but that is not at all the case. “Sometimes IT can actually significantly improve your privacy situation and it can be a road map rather than a roadblock.”

Retaining patient privacy is also more challenging today as the increasing complexity of health care means the average number of people involved in a person’s health care is estimated to have risen hugely from 2.5 people to 15.

“Managing the complexity of care is something that information sharing can help you to do but in the health relationship trust is absolutely central. This is not about the IT, this is about the people.”

Evans also says the fundamental privacy rules and rights of patients don’t change whether the information is being recorded with pen and paper or electronically.

“That’s the beauty of a principles-based system – it doesn’t matter what technology you use.”

She says her colleagues across the Tasman in Privacy Victoria summarised the health privacy relationship as: “the right information to the right people, for the right reason, in the right way and at the right time”. So privacy was not about blocking information but facilitating the right use of that information.

The key for health practitioners like nurses was to be transparent and communicate clearly to consumers why they are collecting the information, how it will be used and that it won’t be disclosed other than for reasons they have been informed about.

Accuracy was always important but what was different under shared electronic health records was if there was an error there was a need to have a system in place to ensure that any correction gets to all those who may have shared the record.

The increasingly mobile health workforce going out into the community with tablets, smartphones and mobiles also creates the potential for privacy breaches.

Evans says encryption is an increasingly available and easy way to ensure the loss of a work laptop is inconvenient but will not result in a breach of patient privacy.

But with health staff also bringing their own electronic devices to work employers had to have clear policies about ensuring sensitive information was not being carried on emails or texts on staff smartphones.

Evans adds that it is also important that any electronic security systems or policies are workable. “It needs to be a system that people can use and will use.” Make it too tough to do their jobs and you will force “workarounds” which can create security nightmares.

“People will take the path of least resistance, particularly very, very busy people like health professionals, so make it easy for people to do it right and it will also help to protect patient privacy.”

Again trust is key to the health practitioner/patient relationship and surveys in New Zealand continue to show, deservedly says Evans, very high levels of trust in our health system and health professionals.

“But all you need is a couple of big incidents and that trust can be damaged and it takes a very long time to rebuild it.”

Quake drives shared electronic health record

Christchurch is home to the country’s most extensive electronic shared care record known as eSCRV.

It was lessons learnt from the quakes that drove the development of eSCRV which district nurses for one are describing as “revolutionising” their work.

In post-quake Christchurch with hospital services stretched, some general practices and pharmacies closed (or their computer systems down), sharing health information was more important than ever but there was no simple mechanism to do so.

Sheree East, director of nursing for Christchurch community health service Nurse Maude, says post-quake there were not only particular concerns about the vulnerable elderly falling through the gaps but also valuable resources being wasted by double and even triple-up visits by services working in an information vacuum.

So that was a driver for Canterbury District Health Board to start work in 2011 on a shared health record with general practices, Nurse Maude and community pharmacies that evolved into eSCRV (electronic shared care record view – see box below).

East says creating a privacy framework was the first task in creating eSCRV including developing a matrix of which health professionals could access which parts of the shared records and when and why. Nurse Maude at present only contributes its care coordination data and not its nursing data but in return for being a contributing partner its nurses can access eSCRV. The first handful of Nurse Maude nurses started accessing the pilot shared record from late 2011 with all its district nurses coming on stream at the start of 2013 when the record went live.

“Nurses are telling me it has revolutionised their practice,” says East. “One told me it has added an hour a day back into her life. Which is huge when you look at productivity.”

That hour was largely saved by not having to chase up referrals to and from other providers for her clients.

East says consumers are often surprised to find their health professionals don’t already share health records and don’t realise that it just isn’t that easy to share information for privacy as well as IT reasons. “But they expect us to have a seamless service and to protect their physical health safety by having the relevant information.”

Instead most health professionals are still reliant on phone calls, faxes, and letters for sharing patient information. “When you are chasing pieces of paper around the system it makes you look really inefficient.”

This is all changing with eSCRV. District nurses are telling East they can be more clinically accurate when they can have a patient’s recent clinical record up on a screen in front of them while taking a patient history.

Likewise it saves on the patient’s time not having to repeat their entire health story and saves nurses time on the phone checking up on missing patient information or forgotten details. Test results now can also be quickly viewed and acted on. Also nurses can be proactive and stop unnecessary repeat testing or prompt testing if they see that health screening tests have been missed or lapsed.

East says one nurse pointed out that she believes an electronic system is more secure as she doesn’t have to rely on referrals by fax that could be lost or seen by people who shouldn’t. Or having to phone somebody to get information, with the risk they could misinterpret what they are reading, whereas now she can read it for herself. Nurse Maude district nurses are also part of the Canterbury pilot of working at a higher level of multidisciplinary collaboration with long-term condition consumers to develop electronic shared care plans.

East says the new ease of access to patient information also comes with responsibilities, with a lot of time being put into training on privacy plus how and when nurses can access eSCRV. Nurse Maude nurses ask permission of each patient to access their eSCRV and usually do so when the patient is present. Nursing notes are yet to be shared electronically but when they are, if a nurse reviews and changes their notes, the original notes are only “greyed out”, so while not readable they are not lost from the system.

Each nurse also has to sign an access deed that outlines their obligations to only access a patient’s shared care record to support direct patient care, to maintain confidentiality and not share their access code or password with anyone.

The need to do this was highlighted by an investigation finding seven breaches of cricketer Jesse Ryder’s files while in Christchurch Hospital with two staff identified as having accessed the record via another staff member’s log-on (see on-line only sidebar story).

The one positive of electronic records is, unlike the paper files of yesteryear, a snooper can now be traced.

“We are always going to have to rely on ethical practice of health practitioners and people working in the health sector that they have that respect for people’s information but we will also now have the digital footprint as well,” says East.

“At the end of the day we have to ensure we have informed everybody of their responsibility and they are committed to acting ethically and managing privacy as they should.”

Because while the world may be sharing like never before the patient’s right to privacy remains sacrosanct and unchanged.

Eels and cricketers: high profile privacy breaches

Nurses are not immune from breaching patient privacy as shown by two high profile cases in the past 18 months.

EEL CASE: Auckland District Health Board investigated 49 potential breaches of privacy by staff after news went round the world last year about a patient who had an eel stuck up his bottom. Twenty nurses and midwives were initially investigated, along with 21 junior doctors, six medical officers and two allied health/scientific and technical staff, for mostly looking at the patient’s x-ray record. Disciplinary action was finally taken against 33 clinical staff members, all found to have no legitimate reason to access the patient’s record, ranging from verbal warnings to being sacked. The board wouldn’t disclose which actions were taken against the staff involved in case it identified them and “breached their rights to privacy” but said the affected patient knew. As a result of the leak all Auckland DHB employees were required to re-sign a confidentiality agreement this year.

“We need to put ourselves in our patients’ shoes each and every day when we make decisions that could undermine their entitlement to privacy,” said the DHB’s CEO Ailsa Claire. “I’m sure none of us would be happy if our own clinical records – or those of our close family members – were widely and inappropriately-shared for purely vicarious reasons.”

JESSE RYDER CASE: Alerts of inappropriate access to cricket star Jesse Ryder’s patient record, after he was attacked outside a Christchurch bar, led to an investigation by Canterbury District Health Board which found 85 staff members accessed his file during his time at Christchurch Hospital.

Sixty-six of those were deemed to have legitimate access but the rest were interviewed including two staff identified as having accessed the record via another staff member’s log-on. Four CDHB staff found not to have a “legitimate” reason for accessing the records, but also not to have passed on any information, were disciplined. Two staff at the West Coast DHB and one in South Canterbury were also found to have breached Ryder’s privacy.

Shared electronic health record at work in post-quake Christchurch

Out of the Canterbury quakes has arisen the country’s first shared electronic health record that can be viewed by community nurses, GPs, practice nurses, pharmacists and hospital doctors and nurses.

Recent and relevant information from a patient’s general practice, community care, pharmacy and hospital files, including diagnosis, prescribed medications and test results, is now shared through a common portal – the eSCRV (electronic shared care record view) – that is accessible by the health professionals caring for them.

More than 400,000 people enrolled with a primary health organisation in the Canterbury DHB area now have their essential health information available and accessible through eSCRV on a need to know basis by their health professionals. So a practice nurse can see current diagnosis, medications, a discharge report and upcoming appointments but not anaesthetic assessment.

Before going live the DHB promoted the opportunity for people to “opt” out of being part of Shared Care View and to date 207 people have opted not to have any of their information shared. People can also opt to screen off aspects of their health history from being available on Shared Care View for example their sexual health history.

More than 115 of the region’s 134 general practices are now contributing and accessing data via Shared Care View along with 106 of the 109 community pharmacies.

Nearly 500 practice nurses, 102 Nurse Maude community nurses and Canterbury DHB nurses can also access relevant patient information via the portal.

Audit processes are built into the system to signal if somebody has been accessing records of a non-patient, and patients can ask who has viewed their record. If a health professional is found to have inappropriately accessed information, action could include being reported to the privacy commissioner or their professional registration authority.

Canterbury DHB says the next priority for the scheme is to refine it for possible roll out to more South Island DHBs and then to look at patient access to eSCRV.

US RESEARCH

Two US research studies* on patients accessing their eRecord

The My HealtheVet Pilot allowed patients and delegated family members to view and download content from their electronic personal health records held by the US Department of Veteran Affairs. The qualitative study involved five focus group sessions with 30 patients and six family members enrolled in the pilot in an Oregon medical centre for war vets. It found that patients and family had “predominantly positive” experiences with health record transparency and the open sharing of notes and test results.

“While some patients felt that seeing previously undisclosed information, derogatory language, or inconsistencies in their notes caused challenges, they overwhelmingly felt that having more, rather than less, of their health record information provided benefits,” says study lead author Susan Woods.

“Viewing their records appears to empower patients and enhance their contributions to care, calling into question common provider concerns about the effect of full record access on patient well-being. While shared records may or may not impact overall clinic workload, it is likely to change providers’ work, necessitating new types of skills to communicate and partner with patients.”

The OpenNotes study surveyed 3874 patients before and then a year after getting online access to their primary care doctors’ notes in three medical centres across the USA. It found that 33% of patients were concerned about privacy before gaining access and that increased slightly to 36% a year after gaining access. But that didn’t mean they were against online access with nearly all patients with online notes available to them choosing to read the notes and wanting continued access.

*Both articles published in 2013 on the website of the Journal of Medical Internet Research

NEW TERMINOLOGY WITH ELECTRONIC SHARED RECORDS

Break glass

The term draws its name from the action of breaking the glass to pull a fire alarm in an emergency. It enables somebody – like a nurse – in a health emergency to override electronic security and access health records they don’t have permission to access. It is set up so that the system administrator is alerted to the “broken glass” and checks whether there was a legitimate reason.

Digital footprint

A digital footprint (or possibly fingerprint when it comes to electronic files) is the data trail left in a digital environment. This means IT staff can detect who has accessed and searched a patient’s electronic record.

Proximity audit

System administrators can also audit access to a clinic record to see whether it was accessed by a health professional directly and currently involved in the patient’s care.
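
The three terms above fit together in one audit pass over a record-access log. The sketch below is an added illustration, not code from eSCRV, PlunketPlus or any DHB system; the record fields, verdict names, staff and patient identifiers and the 24-hour grace period are all assumptions made for the example.

```python
"""Proximity audit with break-glass review over a record-access log (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy value: access stays legitimate for a short period after
# care ends (for example to finish notes). Not taken from the article.
GRACE = timedelta(hours=24)


@dataclass(frozen=True)
class CareAssignment:
    staff_id: str
    patient_id: str
    start: datetime
    end: Optional[datetime] = None  # None means still involved in care


@dataclass(frozen=True)
class AccessEvent:  # one entry in the "digital footprint"
    when: datetime
    staff_id: str
    patient_id: str
    break_glass: bool = False  # emergency override was used
    reason: str = ""           # justification recorded at override time


def in_care_relationship(ev: AccessEvent, assignments: List[CareAssignment]) -> bool:
    """True if this log-on was directly involved in the patient's care at access time."""
    for a in assignments:
        if (a.staff_id, a.patient_id) != (ev.staff_id, ev.patient_id):
            continue
        if ev.when >= a.start and (a.end is None or ev.when <= a.end + GRACE):
            return True
    return False


def proximity_audit(events, assignments) -> List[Tuple[AccessEvent, str]]:
    """Classify every access, oldest first."""
    findings = []
    for ev in sorted(events, key=lambda e: e.when):
        if in_care_relationship(ev, assignments):
            verdict = "ok"
        elif ev.break_glass and ev.reason.strip():
            verdict = "break_glass_review"     # administrator checks the reason
        elif ev.break_glass:
            verdict = "break_glass_no_reason"  # override with nothing to check
        else:
            verdict = "no_care_relationship"   # no link to the patient's care
        findings.append((ev, verdict))
    return findings


def flagged(findings) -> List[Tuple[str, str]]:
    """Accesses an administrator needs to follow up."""
    return [(ev.staff_id, verdict) for ev, verdict in findings if verdict != "ok"]


def who_viewed(events, patient_id: str) -> List[str]:
    """Answer a patient's request: which log-ons opened my record?"""
    return sorted({e.staff_id for e in events if e.patient_id == patient_id})


def at(day: int, hour: int) -> datetime:
    return datetime(2013, 6, day, hour)


# Constructed sample data (hypothetical staff and patients).
SAMPLE_ASSIGNMENTS = [
    CareAssignment("nurse_a", "P1", at(1, 8)),
    CareAssignment("nurse_b", "P1", at(1, 8), at(2, 8)),
]
SAMPLE_EVENTS = [
    AccessEvent(at(1, 9), "nurse_a", "P1"),
    AccessEvent(at(1, 10), "clerk_c", "P1"),
    AccessEvent(at(1, 11), "dr_d", "P1", True, "ED resus, patient unconscious"),
    AccessEvent(at(1, 12), "reg_e", "P1", True, ""),
    AccessEvent(at(1, 13), "nurse_a", "P2"),
    AccessEvent(at(3, 7), "nurse_b", "P1"),   # inside grace period
    AccessEvent(at(4, 9), "nurse_b", "P1"),   # after grace period
]

if __name__ == "__main__":
    for ev, verdict in proximity_audit(SAMPLE_EVENTS, SAMPLE_ASSIGNMENTS):
        print(ev.when.isoformat(), ev.staff_id, ev.patient_id, verdict)
```

An audit like this attributes each access to a log-on, not a person, which is why the access deed's ban on sharing passwords matters to the result.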

Relevant legislation, codes and standards:

  • Privacy Act (1993)
  • The Health Information Privacy Code (1994)
  • Health Information Security Framework (2012)
  • Nursing Council of New Zealand’s Code of Conduct (2012)

Further reading and information:

National Health IT Plan Update 2013/14

www.ithealthboard.health.nz/national-health-it-plan

Health privacy tool kit

http://privacy.org.nz/how-to-comply/health-privacy-toolkit/

Voluntary privacy breach guidelines:

http://privacy.org.nz/news-and-publications/guidance-notes/privacy-breach-guidelines-2/