Claim of huge privacy breach risk
IT companies say private information of up to 800,000 Auckland patients is being put into a large database
Astoush has erupted over medical records, with a claim the privacy of up to 800,000 Auckland patients has been put at risk. Four New Zealand and Australasian healthcare IT companies, Healthlink, Medtech Global, My Practice, and Best Practice Software New Zealand, have jointly contacted the Privacy Commissioner to flag the issue.
They said primary health organisation (PHO) ProCare Health was putting private information of up to 800,000 Auckland patients into a large database, including patients’ name, age, address, and all financial, demographic, and clinical information.
ProCare Health runs a network of community-based healthcare services, including GPs, throughout Auckland. It strongly denies patient privacy is being compromised.
The IT companies said they didn’t know how widespread the data collection was in New Zealand, but it wasn’t acceptable to hold so much identifiable information in one place.
In a joint letter to the Privacy Commissioner, the companies said most patients seemed unaware of the ProCare database, as well as potentially some GPs.
It said it could be in breach of the NZ Health Information Privacy Code.
“At a time when attitudes towards patient privacy are shifting in favour of giving greater protections to the individual, here is an organisation that has no direct patient relationship asking doctors to help it amass all the patient records it can get access to,” the letter said.
The companies said they were “seriously concerned” the database would undermine New Zealanders’ confidence in public health IT systems and their GPs. But ProCare is hitting back, saying it collected information only with patient consent, and it had “robust” frameworks to ensure it met legal obligations.
Clinical director Dr Allan Moffitt said they were obligated to collect data to comply with data-sharing and reporting requirements.
They had commissioned a full Privacy Impact Assessment to check how personal information was collected and stored, and then had the assessment reviewed by the Privacy Commissioner’s office.
“As a PHO ProCare could not function without collecting this data and as an organisation owned and governed by clinicians, we take very seriously our obligations to privacy and security of information.
“Patients should understand from the enrolment form that identifiable information is shared with the PHO for the purposes stated.
“The PHO has strict procedures to ensure that individual patient privacy is protected and uses the data for improving healthcare provision and planning.”
Dr Moffitt said the four companies should have had a better understanding of the regulatory and contractual environment which they were delivering software in.
“It could be considered irresponsible to be raising these concerns publicly, particularly when we have not been consulted by those raising the concerns.”
It could be considered irresponsible to be raising these concerns publicly.
The Office of the Privacy Commissioner confirmed it had received the complaint, and documents related to the claims.
A spokesperson said it wouldn’t be correct to say an investigation was under way, but they were looking at the information to see if further action was required.
Ministry of Health acting chief technology and digital services officer Michael Dreyer said they were aware of a potential privacy concern, and still considering the next steps.
“We understand it has been raised with the Privacy Commissioner, which is the appropriate agency to consider any potential privacy issues,” he said.
“The ministry works across the health sector to ensure organisations comply with the health information security framework, which aims to ensure people’s personal medical data is properly protected.”
Dr Allan Moffitt, ProCare