Valedictory: Commanding the Tide
King Canute, as everyone knows, was a fool. He ordered the tide to stop rising, got his feet wet and lost his dignity trying to stop something that couldn’t be stopped. The onrush of information technology can seem tidal at times, with no likelihood that it will ever stop rising. A new service or gadget is always around the corner, offering ever more elaborate ways for us to share our lives with the world.
Of course, what “everyone knows” about King Canute is completely wrong. In fact, he was no fool; when he ordered the sea to advance no further he was instead teaching his courtiers a sly lesson about the limits of political power. And I think there’s a lesson for us in that. We can’t stop the tide from rushing in by shouting at it, but there is a lot we can do to deal with it when it does.
Luckily in New Zealand this lesson got learnt early on; the Health Information Privacy Code has proved to be a strong and flexible set of guidelines to give people some control over their own health information. Strong because it is technology-neutral and principle-based, and flexible because Privacy Commissioners can amend it as needed to meet the changing world.
I have amended the HIPC twice in the last ten years, most recently to make it easier for clinicians to make decisions about disclosing information about serious threats to safety and to regulate our vast collection of Guthrie Cards. As new waves of change come rolling in, my successors can make further amendments to accommodate them.
The health sector is awash with innovation right now and I think it is, by and large, a good thing. We all benefit when patients are engaged with their own care. If they can earn and maintain the trust of patients and clinicians I think information sharing initiatives like Whanau Ora, and technical innovations like patient portals, have every chance of improving our health as a nation.
Speaking of patient portals, the National Health IT Board’s goal of having a portal for everyone by the end of 2014 has been in the news. At first glance it seems an obvious step to take. We have become accustomed to doing our banking online, after all, and our financial information is of a similar sensitivity to our health information. Why shouldn’t we be able to view our health records online?
Of course it’s more complicated than that. A bank is a single organisation, and one with a potent vested interest in not losing its customers’ trust. The health sector is a many-headed beast by contrast, and even getting the different heads to talk to each other is a job of work.
Still, I’m seeing encouraging signs around the country that an online shared care record with a patient portal attached can provide health benefits and protect patient privacy at the same time. There are challenges, to be sure, but many of them can be surmounted by the reliable method of asking permission before you look at a patient’s online record. And patients being able to ask that a sensitive record be marked as ‘confidential’, and to see a detailed list of who has accessed their records, are both privacy benefits that are difficult to achieve with paper records.
However there is a risk behind all of this; and, as always, it comes back to trust. Surveys tell us that people trust their health practitioners implicitly. But we are, I surmise, only a couple of badly-handled privacy scandals away from that trust evaporating. Because when someone you trust does something to make you think that trust was misplaced, the most common emotion to feel is betrayal. And that feeling of betrayal can have very serious consequences indeed; the cost of the failed United Kingdom Summary Care Record has been estimated as 12.7 billion pounds.
Nonetheless I am cautiously optimistic. Not least because in the past six or so years I have seen a significant shift from a heavily technological focus to one that starts with the consumers, the clinicians, the people. Even when people are being difficult there is always something they can teach you.
For instance in my time dealing with complaints I particularly remember a fiery and feisty GP, (who will of course remain nameless). I had determined that he breached the HIPC in some of the decisions he’d made around providing information to his patients, and he was not best pleased. He pronounced in firm tones that privacy was nonsense and he intended to put a poster in his waiting room stating IF YOU COME TO MY PRACTICE, THIS IS HOW THINGS ARE GOING TO BE, with a list of his information handling practices underneath.
I hope he went on to do that; because simply saying how you are going to handle your patients’ health information, clearly and firmly, is absolutely the best way to avoid all unwanted entanglements with privacy law.
I started this series of articles back in 2007. In one of my early pieces I cited the Hippocratic Oath’s admonition about confidentiality; in my final one I will instead say “first, do no harm”. Looking back on the last decade in health privacy I believe that I have managed this, and even done some good. In my considered view privacy is one of the things that will help us keep our footing even as we splash through the rising tide of progress; I enjoin you to guard it well.
I wish you all the best.
E noho ra.
 Marie Shroff finished her second term as Privacy Commissioner on 16 February 2014. The new Privacy Commissioner is Wellington privacy lawyer John Edwards.