Ontario’s new diabetes registry – the end of patient privacy?

More and more doctors across Canada are using electronic medical records to keep track of their patients’ health information.  Finding a patient’s information record in most electronic medical databases involves entering the first few letters of each name, hitting <Enter> and choosing the appropriate person from the resulting drop-down list.

Recently while looking up one of my patients, I found his granddaughter, with dates and reasons for her visits, on the list.  She’s no longer in my practice and I didn’t click on her name, but I inadvertently learned more about her recent medical history than I had a right to know.

Which got me thinking.  Will the (yet to be rolled out) provincial diabetes registry operate this way? Will Rosalita Fortuna’s (invented name) health care providers be able to see if a certain large municipal politician has diabetes when they’re querying the database?

Secure repositories protect privacy only as well as does their sloppiest/nosiest/least scrupulous user. Tens of thousands of health care providers (and IT support staff) are going to have access to millions of records. Already we’ve heard stories of disks and USB drives going missing, of ex-partners mining health records to bolster custody battles etc etc.

Worse still is that consent for enrollment in  these large, accessible databases is assumed. A person with diabetes, for example, would have had to seen, been able to read, understand, and have acted upon the “Important Notice Regarding Your Personal Health Information” posted by the government in order to restrict sharing of their data. Even when someone withdraws consent, their  personal information remains in the registry, only access is limited. As far as I can determine,  patients are not notified when their data is viewed.

In 1999 chief executive officer of Sun Microsystems, Scott MacNealy, said “You have zero privacy anyway. Get over it.” Will that be true for our health care information?

The comments section is closed.

  • Mark MacLeod says:

    I’m not sure why we are so hung up on medical privacy. We live in a world where we voluntarily and involutarily give up privacy all of the time, continuously, every day.

    Does anybody really care if someone is a diabetic? Really? I can see the argument if an employer or insurer obtained information about workers or clients. OK. However I think the right approach is not to build a system that is so cumbersome that it is unusable but make the penalites for accessing patient information significant and severe.

    Privacy concerns can be met. The banks have done it, So let’s not pretend that it can’t be. If we want a system we need to be able to understand how the system works – and we can’t do that with paper and pencil, not anymore.

    • Andrew Holt says:

      I agree with you Mark – this can and will eventually be resolved – in the interim the people working at and receiving health care each day continue to struggle with a patchwork of paper and pencil based systems and processes with a fragmented overlay of e-Health methods, tools and policies. No wonder there are many disagreements and breaches in privacy and security. ATMs work internationally due to strict adherence to international banking standards. This is still sorting itself out in health care where more subtle information exchange occurs.

  • T. M. says:

    I’m actually quite interested to know how you could have possibly “unintentionally” obtained knowledge of her health without consciously going into her file. of the system I’ve worked with, each requires you to actually click on the person in order to see any information. All that is provided without doing so is name, an identification number, and maybe a date. Nothing else. Activities are monitored, so it’s a big no-no to look in a patient’s e-chart if they are not your own. Seems like a good way to protect privacy to me…

    • Andrew Holt says:

      One of the primary stumbling blocks that has slowed the adoption of electronic health records in Canada is being played out in this exchange. All sides are frustrated – government/ministry of health, doctors, patients/tax payers …. some countries have close to 100% adoption of electronic medical records in general medical practices … although much debate still circles about their actual use in day to day decision making by patients and doctors.

      A clear policy and operating standards for security and privacy that have face validity (i.e. are acceptable and make sense) to the average person would go a long way to accelerate the rate of adoption. What are generally acceptable levels of security and privacy protection the people of Ontario and Canada can accept in 2012 and going forward? Right now we are stymied by polarized views on this issue and would greatly benefit from a non-partisan airing of alternatives with the goal of establishing an acceptable middle position that serves to provided reasonable protections for the privacy and security of individuals personal information while also allowing for the efficient and appropriate exchange/access to this information by the individuals or their delegates and care giving teams. Given the sensitivities of the topic there is no place for personal attacks or cheap derogatory comments – these only block honest debate and resolving differences of opinion.

  • James Elliott says:

    This is an sensationally titled, poorly thought out article, that for some reason seems to imply that diabetes, or at least being known as a diabetic, is cause for stigmatization. Let discuss the actual diabetes registry that will be rolled out in this province, not some imaginary database you have invented to scare the public. That is unless intellectually dishonest physician-based opposition such as what is displayed in this article successfully kills it.

    The Ontario Diabetes Registry would allow myself, a type 1 diabetic, to have access to all of my previous HbA1c results, lipids, my recent eye and foot screens. This is information I need to tailor my diet, see if my exercise regime is sufficient, if any changes I have made to my treatment profile have been helpful or harmful. This is information needed for successful patient self-management and by any reasoning, be it ethical, logical and biomedical, is information that I should have access to. Indeed, by law it is my right to. However in actual fact in this province, obtaining such results from physicians is a tooth-pulling process.

    Case in point, last week I saw my HbA1c result for the first time in two years, from a pharmacy student with a portable tester. Two years ago I went to a walk-in clinic for a prescription renewal for insulin (which itself is patient-unfriendly policy, NS itself has allowed pharmacists to renew insulin). The MD suggested I do an HbA1c, and she would call me “if the results are weird”. Went to a lab, did the test, got no call, when I phoned the clinic was told I needed to schedule an appointment to hear the number myself (another OHIP billing).

    Later I enrolled at an FHT (2 hours by public transit from my house), had another HbA1c req, later that week had blood drawn. In between the months of waiting for my next appointment I was given a job opportunity in Toronto. So I phoned up my FHT and asked for my labs, which I can read myself as I have a background in biomedical science. Was told, “we cannot give that information over the phone”. No problem, I have a fax, send it to my number. Was told “no, we cannot fax to non-physicians”. Was told to email it to me instead and… you guessed it.

    Now living in Toronto, my endocrinologist ordered another HbA1c in the fall. However it will be another few weeks before I get to see that, if I get to see that.

    You want to talk about privacy? How about ensuring proper data handling practices in all healthcare facilities?. How about supporting the Privacy Commissioners efforts for privacy in healthcare? How about eliminating loose talk between providers in hospital and clinic hallways? How about ensuring consultation offices are designed so there is no audio leak into the wait room? How about switching your own EMR system? Which sounds unsecure it should never have been legal for you to use in the first place.

    I content that the following is the cause for the real opposition to the Ontario Diabetes Registry:

    1. It would empower patients and lead to push back on the MD-patient relationship.
    2. It would cut down on OHIP billings as patients could learn to successfully tailor their treatment regimes independent of physician based advice.
    3. It would force physicians to eliminate dreadfully insecure EMR systems they have put in some of their practices, perhaps such as your own Dr. McRae.
    4. It would cut down on needless repeated diagnostic tests such as my own, which would hurt private lab companies, of which physicians often have a financial stake in or direct ownership of.
    5. It provides leverage for the OMA during the upcoming negotiations, all under the banner of patient privacy.

    And by the way, my latest HbA1c was 6.7… I don’t care if the entire world knows it so long as I know it!

    • Shelagh McRae says:

      I’m sympathetic about the frustration that you’ve experienced trying to learn your own numbers to participate fully in your diabetes control. I agree that people with diabetes should have timely access to their A1c and other results. It remains to be seen however if the Diabetes Registry will do this in an prompt, cost effective and secure way. As others have noted, it is a difficult patchwork of EMRs, providers, hospitals, labs and communication systems that have to be accurately and firmly stitched together.

      Further information about the registry can be viewed at http://www.ehealthontario.on.ca/programs/index.asp and http://www.health.gov.on.ca/en/ms/diabetes/en/registry_qa.html. Neither page clearly says that patients will be given direct access to their data. I did call Service Ontario (1-800-387-5559), and was told that people would be allowed to look up their own information, but the worker wasn’t able to tell me when this would happen or how. He did not think there would be a log of who had viewed the records available to the user.

      I would be more comfortable with the Diabetes Registry if a patient could log on, check their results and also knew and had control over who saw their data. You have every reason to be proud of the A1c result you shared with us. But if your result had been well above the desirable range (say 9.7) might you then be more concerned about sharing it with “the entire world”?

      • James Elliott says:

        Hello and thank you for replying to me directly. Much appreciated.

        The Ontario Diabetes Registry will allow patients to see their own data through what is called a “Patient Portal”. This was how it was explained and demoed by eHealth at a major Ontario hospital presentation this summer. You can also search online for documents stating information will be available to patients, such as here:

        If Disease Registries have proven effective in Singapore http://www.annals.edu.sg/pdf/38volno6jun2009/v38n6p546.pdf ,the US and even in some “developing” countries, why would it not be successful in Ontario? If it requires replacing certain clunky, vulnerable and incompatible EMR systems already in place, so be it. Your patients don’t care about what it takes or how fee-codes are altered – just so long as they have the information they need to live their lives.

        Furthermore, your comment that if I had a high A1c I would/should be somehow embarrassed is simply the wrong mindset to have. If I had an A1C of 9.7 or even 13.7, all the better people know about it – it would be a sign that I need more help than I am getting to manage my disease. There should be no shame in that. Your patients should always feel they will be free of judgment, otherwise when you ask them “what are your morning sugars like?” they will mentally subtract 3 points before they tell you.

        Let me ask – have you seen a credit report? Private companies routinely collect and sell information on your employment history, place of residence, debts, and purchases. Yet there is no uproar, such as we see about the often counterproductive arguments surrounding medical records. Have you ever ‘Googled’ someone? People’s life stories are already accessible if one knows how to look (my own LinkedIn Profile was bombarded after I posted my reply). I am far less concerned about the possibility of a renegade data entry clerk somewhere learning about my latest LDL result.

        What frustrates me is not simply waiting a few weeks/years to see an A1c result. It is a larger issue of how we treatment diabetes and chronic diseases at large. Good ideas being implemented in settings with much greater challenges and fewer resources are being rejected because of a lack of ambition, a lack of technical expertise and a desire to maintain the status quo here in Ontario. When projects like the Diabetes Registry, are launched they stall for a number of reasons, including the spread of disinformation.

        I think you had good intentions, but you obviously have not done your research on this topic. Again, I do appreciate the reply and also that you looked further into the matter.

      • James Elliott says:

        Sorry, here is the missing link: http://www.itac.ca/uploads/pdf/Presentation081009ITAC.pdf

  • Jeff Johnson says:

    Like so many things in health care (and in life), it is probably best to view the issue of a diabetes registry in terms of the risks and benefits. Privacy considerations are a real concern and these should be considered. But likewise, the potential benefits should also be considered, and when they are, I think these far outweigh the risks.

    Sensitive information on our annual income is submitted through tax returns, a system that provides a strong foundation for our social programs. Accessing our personal savings accounts through ATMs throughout the world makes our lives more convenient. Both of those information systems carry similar privacy concerns, yet we are generally comfortable with them. Stewards of private health information need to be aware that transgressions of private information are possible. At the same time, critics need to recognize the probability is limited, while the benefits are great.

    Once such registries are in place, they increase our ability to improve outcomes for people living with this disease and improve the quality of our over-burdened health care system. Further, if we are interested in the government ensuring the most efficient allocation of our tax dollars, we should be much more supportive of such efforts.

    There is a strong body of evidence for the value of disease registries, and the threats that result from over-attention to privacy concerns. A few years ago the editors of the New England Journal of Medicine wrote “public health is threatened by incomplete data more than individual privacy is threatened by disease registries” (http://bit.ly/zVaJCa). This editorial accompanied a paper published by prominent Canadian researchers (including one of the founders of HealthyDebate.ca) who demonstrated the impracticalities that arise when privacy concerns are allowed to overshadow the benefits (http://bit.ly/yQZgNS).

    Other health care systems have successfully managed the consent process through ‘opt-out’ programs (http://bit.ly/AzC6iH). That, perhaps coupled with a system that attaches specific patients, and their health information, to specific health care providers, would go a long way to ensure individual privacy concerns are addressed, while allowing society to realize the benefits of registries for successful disease management programs.


Shelagh McRae


Republish this article

Republish this article on your website under the creative commons licence.

Learn more