Faster, Easier, Better Privacy

As more of our health information is saved, stored and transmitted online, how can doctor-patient confidentialitybe maintained?

“Health workers prosecuted for snooping”

“Government vows to change health privacy law”

“Data breach exposes information”

A quick scan of the headlines in Canada’s major newspapers reveals some alarming news: our health records aren’t always as private as we would like them to be.

In October 2014, two staff nurses leaked information about former Toronto mayor Rob Ford’s cancer treatments. As of June 2015, charges have been laid against staff from the Rouge Valley Centenary hospital in east Toronto who allegedly leaked information about new mothers to a company that sells RESPs.

These are just two examples of the many privacy related breaches that have occurred recently in Ontario. In 2014, 400 health care privacy violations were reported to Ontario’s Office of the Information and Privacy Commissioner. Because reporting privacy breaches is not required in Ontario, reports suggest that this estimate may not actually reflect the true number of privacy breaches, which can include anything from malicious hacker attacks against a large database to careless record keeping in a small doctor’s office.

The proposed updates to the Personal Health Information Protection Act, announced by the Ontario government in June 2015, promises to establish better privacy and security requirements in the health sector and will require thatall privacy breaches be reported.

Protecting privacy is important. In the case of your digital medical records, it is also a complex process that requires a sophisticated system to protect it from unauthorized use.

At Mohawk College, Alex Unruh and David Kirkley are working to protect you from privacy breaches before the data is even inputted into the system.

They’ve just spent the first few months of their co-op work term in Mohawk’s mHealth & eHealth Development and Innovation Centre (MEDIC) examining Canada and Ontario’s privacy laws. They are working on a privacy assessment tool that is more than just a Band-Aid for breaches. It’s a comprehensive privacy checklist that can be used to make sure that any new eHealth or mHealth product can easily check for compliance and ensure that collected data is safe and secure.

Paul Brown, Research Project Manager (Software) of iDeaWORKS and supervisor of the co-op students, believes that the privacy assessment tool is a smart solution that will answer a common question.

“Many of the clients that came to us had no idea about how to handle privacy and security,” says Brown. “Or they came to us and said: ‘We want to be HIPAA or PHIPAA compliant, where do we start?”

“We want our clients to understand the privacy process so we created our own tool,” Brown explains.

“No one has ever created an automated tool to make privacy and security this accessible and understandable.”

And the tool isn’t just comprehensive -it is fast. MEDIC’s efforts have made it possible for a digital health company to understand their privacy requirements in just a few days.

While reading political legislation may sound like something more suited to a political science student instead of a developer, Unruh and Kirkley appreciated having the opportunity to tackle privacyhead-on.

“When you are working in eHealth, privacy is huge,” says Unruh. “You need to be compliant with all the legislation. A lot of the time you need to have an auditor come in before you even release your application to make sure it is airtight and in line with the legislation.”

Kirkley praises the tool for its ability to make the privacy audit process more straightforward.

“For custodians and other general users within the different companies, just reading the legislation would be very difficult for them to understand unless they had a background in law or had a lot of time,” says Kirkley. “By posing questions in plain English, it is a lot easier for them to understand.”

Brown sees additional value in offering the tool on an a-la-carte basis - one that allows MEDICclients, depending on which stage of the process they are currently at, to understand whatis needed as they move through their development.

“The timeline depends on where the company is at in their process. Reading through all ofthe information can be onerous. We want to give them the opportunity to say: ‘I’m interested in this component, so I can work on this now.’ “

This article was originally published in the 2015 volume of Quanta, Mohawk College’s annual celebration of research and innovation.

Author Andrea Johnson is Promotions and Industry Liaison Officer for iDeaWORKS and the editor of Quanta.